Found 192 bookmarks
Custom sorting
ShinyHunters launches Salesforce data leak site to extort 39 victims
ShinyHunters launches Salesforce data leak site to extort 39 victims
bleepingcomputer.com By Sergiu Gatlan October 3, 2025 An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters." Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached. The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA. "All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer. "We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site. The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked. "Should you comply, we will withdraw from any active or pending negotiation indiviually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added. The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).
#bleepingcomputer.com#EN#2025#Breach#Data-Breach#Leak#Salesforce#Scattered-Lapsus$-Hunters#ShinyHunters
·bleepingcomputer.com·
ShinyHunters launches Salesforce data leak site to extort 39 victims
Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots
Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots
https://www.international.gc.ca Date modified: 2025-09-12 Summary Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journalists, including one from Canada. RRM Canada assesses that the operation began on July 8, 2025. The hacked materials ranged from photos of government IDs to intimate content. They were first released via the Handala website, then further amplified via X, Facebook, Instagram, Telegram, and Iranian news websites. At the time of assessment, engagement with the hacked materials has varied from low to medium (between 0 to 2,200 interactions and 1 to 225,000 views), depending on the platform. The social media campaign appears to have stopped as of early August. Following the aftermath of the initial “hack and leak” operation, RRM Canada also detected amplification of the leaked information through multiple AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek. These platforms all outlined detailed information about the “hack and leak” operation, providing names of the affected individuals, the nature of the leaked information, and links to the released images. RRM Canada notes that some of these chatbots continue to surface the leaked images upon request. Many sources, including the Atlantic Council, have associated the Handala Hack group with Iran’s intelligence services. Footnote1 Targets and content Initial “hack and leak” operation On July 8, 2025, alleged “hacktivist” group “Handala Hack Team” claimed to have accessed the internal communication and server infrastructure of Iran International—a Farsi satellite television channel and internationally-based English, Arabic, and Farsi online news operation.Footnote2 The group released several uncensored photos of government IDs (including passports, permanent resident cards, and driver’s licences) of five Iran International staffers. In some instances, released content included email address passwords, along with intimate photos and videos. (See Annex A) RRM Canada detected the operation on July 9, 2025, following the release of the information on a Telegram channel associated with Handala. The group claimed to have acquired information of thousands of individuals linked to Iran International, including documents and intimate images of journalists who worked for the news agency.Footnote3 On July 11, 2025, RRM Canada detected further distribution of materials on X and Facebook. The information appears to focus on a Canadian resident employed by Iran International. The leak included several photos of the individual’s ID, including their provincial driver’s licence, permanent resident card, and Iranian passport, and other personal photos and videos. Three other internationally based staff of the news agency were targeted in a similar fashion, with the release of government-issued ID on Handala’s website and then distributed online. It is believed that more journalists have been affected by the hack, and there are suggestions that the group is also using the hacked intimate images as a source of revenue by implementing pay-for-play access to some images. Information amplified through AI chatbots RRM Canada tested six popular AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek—to assess whether the platforms would retrieve and share the information leaked by Handala. While the required prompts varied, all tested chatbots outlined detailed information about the operation, providing the names of the individuals implicated in the lead in addition to the nature of information. (See Annex B) In addition to providing information, links, and, in some cases, images related to the leak, the chatbots provided citations that included links to unreliable or state-linked sources or repeated unverified accusations against Iran International regarding its credibility from Handala. Tactics, techniques and procedures “Hack and leak” operations are a type of cyber-enabled influence campaign where malicious actors hack into a target’s systems or accounts to steal sensitive or private information and then leak the information publicly. Operations are often implemented with the intent to damage reputations, influence public opinion, disrupt political processes, and even put personal safety at risk. These operations are often associated with state-sponsored actors, hacktivist groups, or cybercriminals. Links to Iranian intelligence Handala established their web presence in December 2023. The group has limited social media presence, likely resulting from frequent violations of the platforms’ terms of service. Atlantic Council and several threat intelligence firms (including Recorded Future, Trellix, and others) report that Handala has connections or is affiliated with other Iranian intelligence-linked groups such as Storm-842 (also known as Red Sandstorm, Dune, Void Manticore, or Banished Kitten).Footnote4 Iran International asserts that Handala and Storm-842 are the same group operating as a cyber unit within Iran’s Ministry of Intelligence.Footnote5 Implications The leak of personal information increases the risk to the personal safety of the affected Iran International staff. The ease of access to the information resulting from search engine algorithms and availability on AI chatbots further increases this risk. Such operations are used as a form of digital transnational repression (DTNR), which is leveraged to coerce, harass, silence, and intimidate those who speak against foreign actors or against their interests. Annex A: Sample images of leaked information Image 1 Image 1: Government-issued ID and personal photos of a Canadian resident working for Iran International. Image 2 Image 2: post likely from Handala Hack Team associates amplifying leaked materials. Annex B: Large language model outputs Image 3 Image 3: Web version of ChatGPT producing leaked images. Image 4 Image 4: Google’s Gemini reproducing images of the leak. Image 5 Image 5: Grok showing X posts that include leaked information. Image 6 Image 6: Claude generating responses with a citation linking directly to Handala's website. Image 7 Image 7: DeepSeek generating responses with a citation linking directly to Handala’s website.
#www.international.gc.ca#EN#2025#Iran#Canad#chat#AI#journalists#Hack-and-leak#dox#leak
·international.gc.ca·
Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots
The ChatGPT confession files
The ChatGPT confession files
www.digitaldigging.org - Digital Digging investigation: how your AI conversation could end your career Corporate executives, government employees, and professionals are confessing to crimes, exposing trade secrets, and documenting career-ending admissions in ChatGPT conversations visible to anyone on the internet. A Digital Digging investigation analyzed 512 publicly shared ChatGPT conversations using targeted keyword searches, uncovering a trove of self-incrimination and leaked confidential data. The shared chats include apparent insider trading schemes, detailed corporate financials, fraud admissions, and evidence of regulatory violations—all preserved as permanently searchable public records. Among the discoveries is a conversation where a CEO revealed this to ChatGPT: Confidential Financial Data: About an upcoming settlement Non-Public Revenue Projections: Specific forecasts showing revenue doubling Merger intelligence: Detailed valuations NDA-Protected Partnerships: Information about Asian customers The person also revealed internal conflict and criticizing executives by name. Our method reveals an ironic truth: AI itself can expose these vulnerabilities. After discussing the dangers of making chats public, we asked Claude, another AI chatbot, to suggest Google search formulas that might uncover sensitive ChatGPT conversations.
#www.digitaldigging.org#EN#2025#Investigation#ChatGPT#leak#shared#prompts
·digitaldigging.org·
The ChatGPT confession files
Iran-linked hackers threaten to release Trump aides' emails
Iran-linked hackers threaten to release Trump aides' emails
  • Hackers say they might try to sell emails from Trump aides Group leaked documents from Republican president's campaign last year US has said group known as Robert works for Iran's Revolutionary Guards WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election. In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
#reuters#EN#2025#Iran#US#Trump#leak#threaten#emails
·reuters.com·
Iran-linked hackers threaten to release Trump aides' emails
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’: There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims. Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats. The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.
#trellix#EN#2025#LockBit#Leak#Affiliates#Crypto#research
·trellix.com·
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
Massive leak exposes Russian nuclear facilities
Massive leak exposes Russian nuclear facilities
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in public procurement database. Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database. Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them. According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites. “It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads. German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries. Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia. Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks. “An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads. “It’s completely unprecedented.” The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
#cybernews.com#EN#2025#Massive#leak#Russia#nuclear#facilities#procurement#database#data-leak
·cybernews.com·
Massive leak exposes Russian nuclear facilities
On Lockbit's plaintext passwords
On Lockbit's plaintext passwords
Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point. Further compounding the unfortunate situation, the actor was able to dump their database. This contained, as stated by Bleeping Computer, a number of tables such as bitcoin addresses, data about their build system such as bespoke builds for affiliates, A ‘chats’ table containing negotiation messages, which we’ll go through in a later post. And finally, of interest today, the usernames and passwords of LockBit agents using the console. Of special importance, making our work markedly easier, these passwords were not hashed. Which sure is a choice, as an organization that performs ransomware attacks. The vast majority of the passwords in this table as reasonably secure; it’s not solely hilariously weak credentials, but there still are a number that display poor security hygiene. The weak passwords Before going into my standard analysis, I’ll list off all of the weak passwords in question, and then we’ll go through the statistics of the whole set. The fun to highlight passwords: Weekendlover69 CumGran0Salis Lockbit123 Lockbitproud321 * Lavidaloca18
#dak.lol#EN#2025#Lockbit#leak#passwords#complexity#PHPMyAdmin#analysis
·dak.lol·
On Lockbit's plaintext passwords
Cisco Says Ransomware Group’s Leak Related to Old Hack
Cisco Says Ransomware Group’s Leak Related to Old Hack
A fresh post on the Kraken ransomware group’s leak website refers to data stolen in a 2022 cyberattack, Cisco says. The data, a list of credentials apparently exfiltrated from Cisco’s systems, appeared over the weekend on a new data leak site operated by the Kraken ransomware group. “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time,” a Cisco spokesperson said, responding to a SecurityWeek inquiry.
#securityweek#EN#Cisco#Ransomware#Leak#Old
·securityweek.com·
Cisco Says Ransomware Group’s Leak Related to Old Hack
stardom dreams, stalking devices and the secret conglomerate selling both
stardom dreams, stalking devices and the secret conglomerate selling both
people frequently reach out to me with companies to look into. usually it takes me about 10 minutes before i move on for one reason or another—it's not interesting for a story or has good security, for example. i didnt expect anything different when an acquaintance told me about Tracki, a self-proclaimed "world leader in GPS tracking" that they suspected could be used nefariously. at first glance, Tracki appeared to be a serious company, maybe even one that cared about security. we could never have guessed what was about to unfold before us. half a year into our investigation, we'd found it all: a hidden conglomerate posing as five independent companies, masked from governments and customers alike through the use of dozens of false identities, US letterbox companies, and an undeclared owner. a 90s phone sex scheme that, through targeting by one of hollywood's most notorious fixers, spiraled into a collection of almost a hundred domains advertising everything from online dating to sore throat remedies. a slew of device-assisted murder cases, on top of potential data breaches affecting almost 12 million users, ranging from federal government officials to literal infants. and most importantly, a little-known Snoop Dogg song. how in the world did we get here? starting our descent
#maia.crimew.gay#EN#2024#Tracki#shady#business#investigation#stalkerware#security#analysis#sqli#leak#exploit#nyancrimew#maia-arson-crimew#switzerland#hacktivism#developer
·maia.crimew.gay·
stardom dreams, stalking devices and the secret conglomerate selling both
Microsoft employee accidentally publishes PlayReady code
Microsoft employee accidentally publishes PlayReady code
[German]A Microsoft software developer has accidentally shared internal PlayReady source code with the public (a developer forum). The data leak of 4 GByte is sufficient to compile the required DLL from the source code. This could be a real boon for people who want to reverse engineering or crack PlayReady. What is PlayReady? PlayReady is...
#borncity.com#EN#2024#Microsoft#employee#PlayReady#leak
·borncity.com·
Microsoft employee accidentally publishes PlayReady code
Crooks threaten to leak 2.9B records of personal info
Crooks threaten to leak 2.9B records of personal info
Billions of records detailing people's personal information may soon be dumped online after being allegedly obtained from a Florida firm that handles background checks and other requests for folks' private info. A criminal gang that goes by the handle USDoD put the database up for sale for $3.5 million on an underworld forum in April, and rather incredibly claimed the trove included 2.9 billion records on all US, Canadian, and British citizens. It's believed one or more miscreants using the handle SXUL was responsible for the alleged exfiltration, who passed it onto USDoD, which is acting as a broker.
#theregister#EN#2024#USDoD#database#US#Florida#leak
·theregister.com·
Crooks threaten to leak 2.9B records of personal info
'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how -- by sabotaging one of the most formidable ransomware gangs in Russia.
#CNN#EN#2022#Russia-Ukraine-war#Danylo#Conti#leak#hacker#FBI
·cnn.com·
'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
Costa Rica declares national emergency after Conti ransomware attacks
Costa Rica declares national emergency after Conti ransomware attacks
The Costa Rican President Rodrigo Chaves has declared a national emergency following cyber attacks from Conti ransomware group on multiple government bodies. BleepingComputer also observed Conti published most of the 672 GB dump that appears to contain data belonging to the Costa Rican government agencies. The declaration was signed into law by Chaves on Sunday, May 8th, same day as the economist and former Minister of Finance effectively became the country's 49th and current president.
#bleepingcomputer#EN#2022#Conti#ransomware#leak#Costarica#emergency
·bleepingcomputer.com·
Costa Rica declares national emergency after Conti ransomware attacks
Aquarium Leaks. Inside the GRU’s Psychological Warfare Program
Aquarium Leaks. Inside the GRU’s Psychological Warfare Program
In this exclusive and groundbreaking report, Free Russia Foundation has translated and published five documents from the GRU, Russia’s military intelligence agency. The documents, obtained and analyzed by Free Russia Foundation’s Director of Special Investigations Michael Weiss, details the...
#4freerussia#EN#2022#GRU#Leak#report#Warfare#Aquarium#Program
·4freerussia.org·
Aquarium Leaks. Inside the GRU’s Psychological Warfare Program
[LEAK] Maze + Egregor + Sekhmet keys along with m0yv (expiro) source code
[LEAK] Maze + Egregor + Sekhmet keys along with m0yv (expiro) source code
Hello, Its developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families. also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with...
#leak#Maze#Egregor#Sekhmet#keys#decryptor#EN#forum#bleepingcomputer
·bleepingcomputer.com·
[LEAK] Maze + Egregor + Sekhmet keys along with m0yv (expiro) source code
PCTattletale leaks victims' screen recordings to entire Internet
PCTattletale leaks victims' screen recordings to entire Internet
PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target's browser.
#ericdaigle#EN#2024#PCTattletale#analysis#stalkerware#screen#recordings#leak
·ericdaigle.ca·
PCTattletale leaks victims' screen recordings to entire Internet
Europol confirms web portal breach, says no operational data stolen
Europol confirms web portal breach, says no operational data stolen
Europol, the European Union's law enforcement agency, confirmed that its Europol Platform for Experts (EPE) portal was breached and is now investigating the incident after a threat actor claimed they stole For Official Use Only (FOUO) documents containing classified data. #Breach #Computer #Data #EPE #Europol #InfoSec #Leak #Security #Theft
#bleepingcomputer#EN#2024#Europol#Security#EPE#Theft#Leak#InfoSec#Data#Breach#Computer
·bleepingcomputer.com·
Europol confirms web portal breach, says no operational data stolen