
All news in category "Incidents and Data Breaches"

Thu, October 16, 2025

Operation Heracles: Takedown of Fraudulent Crypto Sites

🔒 German authorities, working with BaFin, Europol and Bulgarian law enforcement, seized 1,406 fraudulent crypto and investment domains in Operation Heracles on October 3, 2025. The seized sites, which targeted German-speaking users, now display warning banners after roughly 866,000 access attempts were recorded in the first ten days. Authorities warn these professional-looking platforms often use AI-generated content, mobile apps and call centres to defraud victims.


Thu, October 16, 2025

US Q3 Report: Over 23 Million Data Breach Victims This Year

📊 The Identity Theft Resource Center (ITRC)'s Q3 2025 analysis found 835 publicly reported corporate data compromises in the United States, resulting in approximately 23 million victim notifications. That follows 1,732 incidents in H1 2025 and brings the year-to-date total to nearly 202 million victims. The report attributes 83% of breaches to cyber-attacks, highlights a rise in physical attacks, and criticizes the increasing frequency of notices that omit details about the cause. Major victims this quarter included Anne Arundel Dermatology, DaVita, TransUnion and several large healthcare providers.


Thu, October 16, 2025

Nation-state Breach Exposes F5 BIG-IP Source Code

⚠️ F5 has confirmed a nation-state actor maintained persistent access to its development systems, including the BIG-IP product development environment and engineering knowledge management platforms, with discovery in August and customer notification on October 15. The breach included stolen files containing BIG-IP source code and information on undisclosed vulnerabilities. While F5 reports no known active exploitation, it and CISA have urged immediate patching and mitigations, and the US government delayed public disclosure in September after a Justice Department order.


Wed, October 15, 2025

Critical Infrastructure Hack, Burnout, and Music Discussion

🔐 In episode 439 of Smashing Security, Graham Cluley and guest Annabel Berry examine a reported critical infrastructure hack that allegedly exploited default passwords and featured perpetrators boasting on Telegram. They probe how basic misconfigurations can cascade into major incidents and spotlight the human cost of defending organisations — stress, burnout, and leadership failures. The show pairs this sober analysis with lighter cultural asides, including music and media reflections.


Wed, October 15, 2025

Capita fined £14M for 2023 breach exposing 6.6M people

🔒 The ICO fined Capita £14 million after a March 2023 cyberattack that exposed personal information for 6.6 million people and hundreds of clients, including 325 pension providers. Attackers—claiming responsibility as Black Basta—gained access via a malicious file, remained in systems for 58 hours, exfiltrated almost 1TB, and deployed ransomware. The fine was reduced from an initial £45 million after Capita accepted liability and implemented remediation measures, including enhanced access controls and customer protections.


Wed, October 15, 2025

F5 Confirms Source Code, Vulnerability Data Exfiltration

🔒 F5 Networks acknowledged that a highly sophisticated threat actor exfiltrated portions of BIG-IP source code, information about undisclosed vulnerabilities, and configuration data for a small percentage of customers. The company says there is no evidence of modification to its build pipelines or active exploitation of undisclosed critical vulnerabilities. F5 has released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG‑IQ, and APM clients and urges customers to apply them immediately. CISA has directed federal agencies to assess internet-exposed BIG-IP devices, and F5 will provide eligible customers a free subscription to CrowdStrike Falcon EDR.


Wed, October 15, 2025

PowerSchool Hacker Sentenced to Four Years in Prison

🔒 Nineteen‑year‑old college student Matthew D. Lane was sentenced to four years in prison and ordered to pay $14 million in restitution and a $25,000 fine after pleading guilty for his role in a December 19, 2024 breach of PowerSchool. Authorities say Lane and accomplices used credentials stolen from a subcontractor to access the PowerSource support portal and download databases containing personal records for millions of students and staff. Attackers demanded Bitcoin ransoms and attempted to extort individual districts; PowerSchool paid a ransom before the full scope was disclosed.


Wed, October 15, 2025

Phishing Campaign Uses Fake LastPass/Bitwarden Breach Alerts

⚠ A phishing campaign impersonates LastPass and Bitwarden, sending convincing emails that claim a breach and urge users to install a 'more secure' desktop app. The distributed binary installs the legitimate Syncro MSP agent, which then deploys ScreenConnect remote-access software to give attackers persistent control. Cloudflare is blocking the malicious landing pages, and both vendors confirm no breaches occurred.


Wed, October 15, 2025

Jewelbug Expands Operations into Russia, Symantec Finds

🔎 Symantec attributes a five‑month intrusion (Jan–May 2025) against a Russian IT service provider to a China‑linked group tracked as Jewelbug, connecting it with clusters CL‑STA‑0049/REF7707 and Earth Alux. Attackers accessed code repositories and build systems and exfiltrated data to Yandex Cloud, creating supply‑chain concerns. The campaign used a renamed cdb.exe to run shellcode, bypass allowlisting, dump credentials, establish persistence, and clear event logs. Symantec also ties Jewelbug to recent intrusions in South America, South Asia, and Taiwan that leverage cloud services, DLL side‑loading, ShadowPad, BYOVD techniques, and novel OneDrive/Graph API C2.


Wed, October 15, 2025

F5 Breach Exposes BIG-IP Source Code, Nation-State Actor

🔒 F5 disclosed that unidentified threat actors accessed its systems and exfiltrated files including portions of BIG-IP source code and documentation on undisclosed product vulnerabilities. The company attributed the intrusion to a highly sophisticated nation-state threat actor, reported detection on August 9, 2025, and said it has contained the activity. F5 engaged Google Mandiant and CrowdStrike, rotated credentials, strengthened controls, and advised customers to apply updates to BIG-IP, F5OS, BIG-IQ, and APM clients.


Wed, October 15, 2025

MANGO reports marketing vendor breach exposing contacts

🔒 MANGO has notified customers that an external marketing service suffered unauthorized access, resulting in exposure of certain personal contact information. The retailer said the compromised fields included first name, country, postal code, email address, and telephone number, while last names, payment card details, IDs and account credentials were not affected. MANGO confirmed its corporate systems remain secure, authorities have been informed, and a dedicated email and hotline are available for concerned customers.


Wed, October 15, 2025

Over 100 VS Code Extensions Exposed Leaked Access Tokens

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes, and hard-coded secrets in .vsix files were often easy to discover. Microsoft revoked leaked tokens after disclosure and is adding secret scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.


Wed, October 15, 2025

Nation-State Hackers Breach F5, Steal BIG-IP Source Code

🔒 F5 disclosed that nation-state attackers breached its systems and exfiltrated portions of BIG-IP source code and information about undisclosed vulnerabilities after gaining persistent access to product development and engineering knowledge platforms. The company says it first detected the intrusion on August 9, 2025, and has found no evidence the stolen data has been exploited or publicly disclosed. F5 reports that its software supply chain was not compromised and no suspicious code modifications were observed, while it continues identifying customers whose configuration or implementation details may have been taken.


Wed, October 15, 2025

Flax Typhoon Abused ArcGIS SOE to Maintain Long-Term Access

🔒 Researchers at ReliaQuest found China-linked APT Flax Typhoon modified an ArcGIS Server Object Extension (SOE) into a persistent web shell that executed base64-encoded commands via standard ArcGIS operations. The actor used a hardcoded key, staged tools in a hidden C:\Windows\System32\Bridge directory, and renamed a SoftEther VPN binary to bridge.exe to maintain covert connectivity. The malicious SOE was replicated into backups and golden images, allowing access to survive system recovery while attackers performed discovery, credential harvesting, lateral movement, and covert VPN-based persistence.


Wed, October 15, 2025

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Playground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and to evade static scanners.


Wed, October 15, 2025

MANGO customer data exposed via third-party marketing

🔒 Spanish fashion retailer MANGO has alerted customers to a data breach that originated at an external marketing service, not within the company's own systems. The exposed fields include first names, countries, postal codes, email addresses and phone numbers. The company is notifying affected individuals and appears to be reviewing the vendor relationship and communications. Some recipients report receiving the notice in Spanish despite not being customers.


Wed, October 15, 2025

Capita Fined £14m Over 2023 Data Breach Failings, Remediated

🔒 The Information Commissioner’s Office (ICO) confirmed Capita will not appeal a £14m penalty for security failings that led to a March 2023 breach affecting nearly seven million people. The fine was reduced from an initial £45m after the ICO considered post-incident remediation, support to affected individuals and engagement with the NCSC. The regulator cited delayed SOC response, absence of a tiered privileged-access model and siloed pen testing that allowed a threat actor linked to Black Basta to escalate privileges and deploy ransomware.


Wed, October 15, 2025

Pro‑Russian DDoS Disrupts German Federal Procurement Portal

🛡️ The German federal procurement portal was rendered inaccessible for almost a week by a sustained DDoS campaign; the service was restored Tuesday afternoon. Security analysts attribute the disruption to the pro‑Russian hacker group NoName057(16), which has previously targeted critical infrastructure, authorities and companies in Western countries. The attacks, confirmed as DDoS by observers, overwhelmed servers with a flood of requests. The Federal Office for Information Security (BSI) said it was informed of the incident. The portal, dtvp.de, is a central nationwide platform for electronic Q&A and bid submissions in public tenders.


Tue, October 14, 2025

Anatomy of a BlackSuit Ransomware Blitz at Manufacturer

🔐 Unit 42 responded to a significant BlackSuit ransomware campaign after attackers obtained VPN credentials via a vishing call and immediately escalated privileges. The adversary executed DCSync, moved laterally with RDP/SMB using tools like Advanced IP Scanner and SMBExec, established persistence with AnyDesk and a custom RAT, and exfiltrated over 400 GB before deploying BlackSuit across ~60 ESXi hosts. Unit 42 expanded Cortex XDR visibility from 250 to over 17,000 endpoints and used Cortex XSOAR to automate containment while delivering prioritized remediation guidance.


Tue, October 14, 2025

Malicious VSCode Extensions Resurface on OpenVSX Registry

⚠️ Researchers at Koi Security warn that a threat actor known as TigerJack is distributing malicious Visual Studio Code extensions on both the official marketplace and the community-maintained OpenVSX registry. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace after roughly 17,000 downloads but remain available on OpenVSX, and the actor repeatedly republishes variants under new accounts. The malicious code exfiltrates source code, deploys a CoinIMP cryptominer with no resource limits, or fetches remote JavaScript to enable arbitrary code execution, creating significant risks to developer machines and corporate networks.
