All news in category "Incidents and Data Breaches"

Identifiable Discord User Data Exposed in Third-Party Breach

🔒 Hackers accessed a third-party customer service system used by Discord on September 20, stealing partial payment details and personally identifying information for a limited number of users who contacted support or Trust and Safety. The attackers appear financially motivated and demanded a ransom. Discord revoked the provider's access, engaged a computer forensics firm, launched an internal investigation, and notified law enforcement. Exposed data included real names, usernames, emails, IP addresses, support messages and attachments, photos of government IDs for a small subset, and partial billing details such as payment type and the last four card digits.

Discord discloses data breach after support-ticket hack

🔒 Discord disclosed that attackers accessed a third-party customer support system on September 20 and stole a limited set of user support tickets and associated data. Exposed information included names, usernames, email addresses, IP addresses, messages and attachments, photos of government-issued IDs for a small number of users, and partial billing details such as payment type and the last four card digits. Discord says it isolated the vendor, revoked access, launched an internal and forensics investigation, and engaged law enforcement. The threat actor demanded a ransom and a group claiming responsibility said the breach involved a Zendesk instance.

Extortion Gang Reveals Alleged Salesforce Victims List

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

Detour Dog Using DNS to Distribute Strela Stealer Campaigns

🛡️ Infoblox links a threat actor dubbed Detour Dog to campaigns distributing the Strela Stealer, using compromised WordPress sites to host first-stage backdoors such as StarFish. The actor leverages DNS TXT records and modified name servers to deliver Base64-encoded commands and delivery URLs, selectively triggering redirects or remote execution to minimize detection. Infoblox and Shadowserver sinkholed multiple C2 domains in July–August 2025.

Renault and Dacia UK Notify Customers of Data Breach

🔒 Renault and Dacia UK have informed customers that personal information was exposed following a cyberattack on an unnamed third‑party provider. The compromised data includes full name, gender, phone number, email and postal address, as well as Vehicle Identification Numbers (VINs) and vehicle registration numbers; banking data was not affected. Renault says the supplier isolated the incident and removed the threat, and the Information Commissioner’s Office (ICO) has been notified. Recipients are urged to remain vigilant against unsolicited calls and emails and to avoid sharing passwords.

Ransomware Halts Asahi Production, Japan Faces Shortage

🍺 A ransomware attack has forced Asahi Group Holdings to suspend production at nearly all of its 30 domestic breweries after ordering, delivery and call‑centre systems were disabled. The disruption has prompted the postponement of 12 new product launches and suspension of multiple beverage lines, with retailers warning that popular Asahi Super Dry could run out in days. Asahi reports no evidence so far of personal data leakage while investigations and recovery continue.

Chinese Cybercriminals Hijack IIS Servers for SEO Fraud

🔍 A Chinese-speaking cybercrime group tracked as UAT-8099 is hijacking trusted Microsoft IIS servers worldwide to run SEO scams that redirect users to unauthorized adverts and illegal gambling sites. According to Cisco Talos, attackers exploit server vulnerabilities, upload web shells, and conduct reconnaissance before enabling the guest account, escalating privileges and activating RDP. For persistence they deploy SoftEther VPN, EasyTier and the FRP reverse proxy and install the BadIIS malware variants designed to evade detection.

Asahi Confirms Ransomware Attack Disrupting Japan Operations

🔒 Asahi Group Holdings has confirmed a ransomware attack caused IT disruptions that forced shutdowns at its Japanese factories and prompted a switch to manual order and shipment processing. The company says investigations found evidence suggesting potential unauthorized data transfer from compromised devices. Asahi has established an Emergency Response Headquarters and is working with external cybersecurity experts; no cybercriminal group has publicly claimed responsibility.

ShinyHunters Leak Salesforce Data; Many Companies Exposed

🔓 An extortion group claiming affiliation with ShinyHunters, Scattered Spider, and Lapsus$ has launched a public data leak site listing 39 companies allegedly compromised via Salesforce breaches. The site publishes sample records and urges victims to pay before an October 10 deadline, while also demanding that Salesforce pay to prevent disclosure of roughly 1 billion records. The attackers say they used OAuth-based voice-phishing and stolen tokens to access customer data. Victims named include FedEx, Disney/Hulu, Google, Cisco, and many other major brands.

Rhadamanthys 0.9.2 Stealer Introduces New Evasion Techniques

🔒 Check Point Research details the release of Rhadamanthys 0.9.2, a new build of a widely used information stealer that introduces multiple evasion and delivery changes. The update replaces previous loaders with a PNG-based payload delivery, updates encryption, refines sandbox checks, adds configurable process injection, and expands targeting to include Ledger Live crypto wallets. Operators have rebranded as RHAD Security / Mythical Origin Labs and launched a professional site, while CPR supplies updated signatures and tools to help defenders adapt.

Oracle Links Clop Extortion to July EBS Vulnerabilities

🔒 Oracle said some customers received extortion emails tied to its E-Business Suite and linked the campaign to vulnerabilities patched in the July 2025 Critical Patch Update. While Oracle did not attribute the activity to a specific ransomware group, its investigation found potential use of previously identified EBS flaws, including three that were remotely exploitable. Security firms reported executives began receiving ransom demands on or before September 29, 2025. Oracle urged customers to apply the latest patches and contact support if they need assistance.

WhatsApp-Based Self-Spreading Malware Hits Brazil Nationwide

⚠️ Trend Micro has uncovered a self-propagating malware campaign named SORVEPOTEL that primarily targets Brazilian Windows users via WhatsApp. The attack is delivered through convincing phishing messages with malicious ZIP attachments that contain LNK shortcuts which trigger PowerShell to download a batch payload. The payload establishes persistence by copying itself to the Windows Startup folder and contacts a command-and-control server, and if WhatsApp Web is active the malware automatically forwards the infected ZIP to contacts and groups, causing rapid spread and frequent account bans. Researchers report no evidence of data exfiltration or file encryption so far.

Cavalry Werewolf Targets Russian Public Sector with RATs

🚨 BI.ZONE warns of a campaign dubbed Cavalry Werewolf that has targeted Russian state agencies and critical industrial sectors using FoalShell and StallionRAT. Attackers used spear-phishing with spoofed Kyrgyz government emails and RAR attachments to deploy lightweight reverse shells and a RAT that exfiltrates data via a Telegram bot. Observed tooling and Telegram commands indicate organized post-compromise operations and use of socks proxies for lateral movement. BI.ZONE links the activity to groups including Tomiris and YoroTrooper, suggesting possible Kazakhstan ties.

WestJet Data Breach Affects 1.2 Million Customers Update

🛫 WestJet has confirmed a data breach affecting 1.2 million customers following a June 13, 2025 intrusion, and notified authorities on September 29. The airline says a "sophisticated, criminal third party" accessed names, contact details, reservation documents and other relationship data; WestJet Rewards members may have had IDs and points balances exposed, though account passwords were not accessed. WestJet states that credit card numbers, expiry dates and CVVs were not compromised, systems are secure, affected customers are being contacted, and identity protection is being offered where appropriate.

Cl0p-linked Extortion Targets Oracle E-Business Suite

🔒 Researchers at Halcyon, Google, and Mandiant report an extortion campaign attributed to actors likely affiliated with the Cl0p gang, targeting Oracle E‑Business Suite (EBS) via exposed local login pages. Attackers allegedly abused the AppsLocalLogin.jsp password‑reset workflow to obtain local credentials that bypass SSO and often lack MFA, then sent executive extortion demands with proof samples. Demands range into seven and eight figures, reportedly up to $50 million; defenders are advised to restrict public EBS access, enforce MFA, and review logs immediately.

Chinese-speaking Group UAT-8099 Targets IIS Servers

🔐 Cisco Talos recently disclosed activity by a Chinese-speaking cybercrime group tracked as UAT-8099 that compromises legitimate Internet Information Services (IIS) web servers across several countries. The actors use automation, custom malware and persistence techniques to manipulate search results for profit and to exfiltrate sensitive data such as credentials and certificates. Talos notes the group maintains long-term access and actively protects compromised hosts from rival attackers. Organizations should hunt for signs of BadIIS, unauthorized web shells and anomalous RDP/VPN activity and share IOCs promptly.

Extortion Emails Target Executives Claiming Clop Ties

📧 An individual or group claiming to work with the Clop ransomware gang has been sending extortion emails to executives at multiple organizations since September 29, according to Google. Researchers at Mandiant and the Google Threat Intelligence Group are investigating and report a high-volume campaign launched from hundreds of compromised accounts, with at least one account previously linked to FIN11. The messages include contact information that matches addresses on the Clop data leak site, suggesting the actor may be leveraging Clop's brand; however, investigators emphasize this does not prove direct Clop involvement and advise targeted organizations to search for indicators of compromise.

Confucius Targets Pakistan with WooperStealer and Anondoor

🔒 Fortinet researchers attribute a renewed phishing campaign to Confucius, which has repeatedly targeted Pakistani government, military, and defense industry recipients using spear‑phishing and malicious documents. Attack chains observed from December 2024 through August 2025 delivered WooperStealer via DLL side‑loading using .PPSX and .LNK lures, and later introduced a Python implant, Anondoor. The group layered obfuscation and swapped tools and infrastructure to sustain credential theft, screenshot capture, file enumeration, and persistent exfiltration while evading detection.

Malicious PyPI soopsocks package abused to install backdoor

⚠️ Cybersecurity researchers flagged a malicious PyPI package named soopsocks that claimed to provide a SOCKS5 proxy while delivering stealthy backdoor functionality on Windows. The package, uploaded by user 'soodalpie' on September 26, 2025, had 2,653 downloads before removal and used VBScript or an executable (_AUTORUN.VBS/_AUTORUN.EXE) to bootstrap additional payloads. Analysts at JFrog reported the executable is a compiled Go binary that runs PowerShell, adjusts firewall rules, elevates privileges, performs reconnaissance and exfiltrates data to a hard-coded Discord webhook.