All news in category “Incidents and Data Breaches”

🔍Unit 42 links a modular malware suite dubbed Project AK47 to SharePoint exploitation activity observed alongside Microsoft’s ToolShell reporting. The toolset includes a dual-protocol backdoor (AK47C2 with dnsclient and httpclient), a ransomware family (AK47 / X2ANYLOCK), and DLL side‑loading loaders. Analysts found high-confidence overlaps with Microsoft’s Storm-2603 indicators, evidence of LockBit 3.0 artifacts in an evidence archive, and a matching Tox ID on a Warlock leak site. Recommended actions include applying patches for the referenced SharePoint CVEs and enabling updated protections from endpoint, URL, and DNS defenses.

🔍 Thousands of North Korean IT workers have used stolen and fabricated US identities to secure roles at Western companies, funneling hundreds of millions of dollars annually to Pyongyang’s military programs. They leverage AI for resumes and cultural coaching, faceswap and VPN tools for video calls, and remote-access setups tied to US-based "laptop farms" run by facilitators who launder paychecks and ship company-issued machines abroad. Recent DOJ raids and the 102-month sentence for Christina Marie Chapman highlight legal, financial and national security risks, including potential sanctions violations.

🔐 The UpGuard Cyber Risk Team discovered exposed repositories belonging to AggregateIQ that contained website code, backups, credentials and tokens associated with multiple Canadian political campaigns and parties. Exposed artifacts included Stripe secret keys, private SSL keys, NationBuilder/Helcim/SendGrid tokens, WordPress database credentials, and admin accounts tied to aggregateiq.com. The incident highlights third-party vendor risk and the need for tighter controls on credentials and repository configurations.

🔒 The UpGuard Cyber Risk Team discovered an unsecured AggregateIQ (AIQ) code repository containing site backups, API keys, SSL private keys, and other sensitive assets tied to multiple Canadian campaigns and parties. Exposed files included WordPress backups, donation processor keys (Stripe), NationBuilder tokens, and PEM private keys that could enable impersonation or account takeover. The findings illustrate significant third‑party vendor risk and raise regulatory and public‑interest concerns about how AggregateIQ managed client credentials and campaign tooling.

🔍 Fraudsters are promoting hundreds of polished fake gaming sites across Discord and other social platforms, falsely claiming partnerships with influencers and offering a $2,500 'promo code' to lure users. Visitors create free accounts to play sleek casino-style games (for example gamblerbeast[.]com's B-Ball Blitz), but cashouts are blocked and victims are prompted for a cryptocurrency 'verification deposit' and repeated payments. Investigators, including a Discord researcher and the threat-hunting firm Silent Push, linked a shared chat API key to at least 1,270 active domains and found centralized wallets, AI-assisted support, and network-wide tracking that make these scaled scams efficient and hard to report.

📂 UpGuard's analysis of exposed development repositories from AggregateIQ details source code, backups, and credentials tied to multiple pro-Brexit organizations. The findings show WordPress backups, API keys, Stripe secrets, and scripts used to build and contact supporter lists, with administrative accounts linking AIQ staff to sites such as Vote Leave, Change Britain, and the DUP. Misuse of the exposed assets could have allowed large-scale data access or payment compromise.

🔓 Medico Inc. left an Amazon S3 bucket publicly accessible, exposing nearly 14,000 documents (approximately 1.7GB) that included medical records, insurance claims, legal files, and internal business data. The UpGuard Data Breach Research Team discovered the bucket on June 20, 2019, and Medico closed it within hours after notification. The dataset contained unredacted PII such as SSNs, bank account numbers, and payment card data, and also included plaintext credentials that could enable further compromise.

🔓 UpGuard disclosed that an Amazon S3 bucket belonging to the Tea Party Patriots Citizens Fund (TPPCF) publicly exposed roughly 2GB of campaign materials and call lists. The files—largely PDFs and images from the 2016 election cycle—contained strategy documents, marketing assets, and call records listing full names, phone numbers and VoterIDs for about 527,000 individuals. Upon notification on October 1, 2018, TPPCF restricted bucket permissions within hours and removed access by October 5. The incident underscores how cloud misconfiguration can turn organizational data into a large-scale privacy breach with political implications.

🔒 The UpGuard Cyber Risk Team discovered a publicly exposed, misconfigured NAS belonging to the Maryland Joint Insurance Association (JIA) that contained backup customer and operational files. The repository included full Social Security numbers, bank account and check images, insurance policy data, and plaintext administrative credentials including remote access and third-party ISO ClaimSearch logins. UpGuard notified JIA on discovery; the exposure was secured and is no longer active.

🔓 UpGuard's Cyber Risk Team discovered an Amazon S3 bucket named "tigerswanresumes" that was publicly accessible, exposing 9,402 resumes and application documents submitted to TigerSwan. The files contained contact details, work histories, and sensitive identifiers — including passports, partial Social Security numbers, driver’s license numbers, and 295 resumes claiming Top Secret/SCI clearances. UpGuard notified TigerSwan and followed up repeatedly; the bucket remained accessible for roughly a month before it was secured. TigerSwan said the exposure resulted from a former recruiting vendor.

🔒 The UpGuard Cyber Risk team discovered a 73 GB dataset belonging to Washington ISP Pocket iNet publicly exposed in a misconfigured Amazon S3 bucket named pinapp2. The exposed files included plain text administrative passwords, AWS access keys, network diagrams, device configurations, inventories, and photographs of physical infrastructure. UpGuard notified Pocket iNet on discovery (October 11, 2018); the bucket remained exposed for seven days and was secured on October 19 after repeated contact. The incident highlights the dangers of storing secrets in public object storage and recommends using secrets managers, encryption, and hardened S3 ACLs.

🔓 UpGuard discovered an Amazon S3 repository owned by NICE Systems that left call-support logs for Verizon publicly accessible. The exposed files contained names, addresses, phone numbers, account details and many unmasked account PINs tied to phone numbers, creating a significant risk of account takeover. UpGuard notified Verizon and the bucket was secured; the incident highlights third-party cloud misconfiguration risk and the need for stronger vendor controls.

🔍 The UpGuard Cyber Risk Team discovered a publicly readable Amazon S3 bucket containing spreadsheets that appeared to describe GoDaddy infrastructure running in the AWS cloud. The largest file listed more than 24,000 hostnames and 41 configuration fields, including hostname, OS, workload, region, vCPU, memory and modeled cost data, plus apparent AWS discount information. While the files did not contain credentials or end-user data, they effectively mapped a large-scale cloud deployment and revealed sensitive pricing details. UpGuard notified GoDaddy, and the exposure was closed after coordination with the company.

⚠️ UpGuard disclosed a public data exposure affecting the Los Angeles County 211 helpline. An Amazon Web Services S3 bucket was configured for public access and contained database backups and CSV exports, including a 1.3GB t_contact export with records from 2010–2016. Exposed items included credentials (384 users, MD5-hashed passwords), contact lists, and over 200,000 detailed call notes describing abuse, suicidal ideation, addresses, phone numbers, and 33,000 Social Security numbers. After notification in March–April 2018 the bucket was secured within 24 hours, but the incident highlights critical cloud misconfiguration risks.

🔓 An UpGuard analyst discovered an unsecured Amazon S3 bucket belonging to Medcall Healthcare Advisors that publicly exposed roughly 7 GB of sensitive data. The datastore included intake PDFs, audio and video recordings of patient-operator-doctor calls, and CSV files containing full Social Security numbers and other PII. The bucket's ACL granted 'Everyone - Full Control', allowing anonymous read/write access and permission changes. Medcall closed the bucket after notification on August 31.

🔒 UpGuard’s Cyber Resilience Team discovered a publicly exposed Amazon S3 repository containing plaintext SSH keys and administrative credentials tied to a Booz Allen engineer and contractor metadata pointing to NGA‑related projects. After initial notification to Booz Allen, UpGuard escalated the issue to the NGA, which secured the repository within minutes. Booz Allen acknowledged the report later that day, and UpGuard preserved the downloaded dataset at the government’s request. The incident highlights the real‑world risk of simple misconfiguration and third‑party vendor security posture.

🔒 UpGuard's Cyber Risk Research team discovered and secured a public GitHub-based data exposure belonging to OneHalf, a business process outsourcing firm in the APAC region. The exposed repositories contained HR and medical databases with detailed personal records for hundreds of employees, plus banking account numbers for several corporate clients. UpGuard notified OneHalf and the repositories were taken private, likely preventing further exploitation of sensitive personal and business information.

🔓 UpGuard discovered a publicly accessible rsync repository exposing medical and personal data tied to Cohen Bergman Klepper Romano MDS PC, a Long Island practice. The repository contained over 42,000 patient records, more than three million medical notes, and physicians’ PII including Social Security numbers. A .pst backup and virtual disk revealed staff home addresses and family details. UpGuard’s notification led to the exposure being secured, underscoring the need for strong access controls and formal disclosure response procedures.

🔓 UpGuard disclosed that a large GitLab repository belonging to AggregateIQ was publicly accessible, exposing source code, configuration files, and numerous credentials. The leak included applications and tools — notably projects named Ripon_canvas and Ripon_dialer — designed to manage voter databases, microtargeting, canvassing, and automated outreach. Credentials for Facebook apps, Twilio, AWS, and other services were present, raising the risk of account takeover and large-scale data harvesting. UpGuard linked the repository to work for US campaigns and reported ties to Cambridge Analytica, with further technical analysis promised in subsequent reports.

🔓 During a routine data-leak investigation, UpGuard researchers discovered multiple publicly accessible HCL web pages that exposed employee records, plaintext passwords for new hires, and detailed project installation reports. The exposed assets spanned HR dashboards, a SmartManage reporting interface, and recruitment/admin panels across several subdomains. After notifying HCL’s Data Protection Officer, the researcher confirmed that the publicly accessible pages were secured. The incident highlights how inconsistent access controls across applications can cause significant risk.