All news in category "Incidents and Data Breaches"

Hackers Steal Customer Data from Spanish Retailer Mango

🔒An external marketing service provider detected unauthorized access to customer personal data for the Spanish fashion company Mango. The attackers obtained first name, country, postal code, email address and telephone number for some customers, while last names, bank details and passwords were not accessed. Mango says its own systems remain secure and has notified the Spanish data protection authority (AEPD). Customers are urged to remain vigilant for phishing attempts via email, SMS or phone.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

Nation-State Actor Steals F5 BIG-IP Source Code Exposed

🔒 On Oct. 15, 2025, F5 disclosed a nation-state compromise that exfiltrated source code and undisclosed vulnerability information from the BIG-IP product development and engineering knowledge platforms. F5 reports no evidence of modification to its software supply chain or access to CRM, financial, support case management, iHealth, NGINX or distributed cloud products. Unit 42 warns the theft could accelerate exploit development and recommends immediate patching, hardening, and targeted threat hunting for anomalous admin activity and configuration changes.

Sotheby's Data Breach Exposes Customer Financial Records

🔒 Sotheby's has notified customers that an intrusion detected on July 24 resulted in removal of sensitive data from its systems. After a two-month investigation the company determined exposed information includes full names, Social Security numbers and financial account details. Impacted individuals are being offered 12 months of free identity protection and credit monitoring through TransUnion while Sotheby's continues to assess the scope.

Sotheby's Breach Exposes Employee Financial Data Records

🔐 Sotheby's disclosed a cybersecurity incident first detected on July 24, 2025, after threat actors removed data from its environment. A two-month investigation found exposed information included full names, Social Security numbers and financial account details. The company notified impacted individuals and offered 12 months of identity protection and credit monitoring through TransUnion. An October update clarified the breach involved employees, not customers.

Have I Been Pwned Flags Prosper Breach Affecting 17.6M

🔐Prosper, a peer-to-peer lending marketplace, disclosed a security incident detected on September 2 that resulted in unauthorized access to company databases and the theft of customer and applicant data. While Prosper says it has found no evidence that attackers accessed customer accounts or funds, investigators report that Social Security numbers and other sensitive fields may have been exposed. Breach notification service Have I Been Pwned published that 17.6 million unique email addresses were impacted, though Prosper says it cannot yet validate that figure and is still determining which data elements were affected. The company has notified authorities and says it will offer free credit monitoring as appropriate.

Ransomware Victim Responses and Human Impact Analysis

🔒 Ransomware attacks inflict both operational and deep personal harm, often devastating small businesses lacking cash reserves and cybersecurity expertise. Research underscores lasting trauma, exhaustion, and financial ruin that can outlast technical recovery. Organizations should pair an incident response plan with compassionate leadership and employee support. Cisco Talos also warns of evolving supply‑chain campaigns targeting developers and job seekers, reinforcing the need for layered defenses.

Microsoft Disrupts Rhysida Ransomware Targeting Teams

🔒 Microsoft disrupted a campaign by the financially motivated group Vanilla Tempest (also tracked as VICE SPIDER/Vice Society) after revoking over 200 code signing certificates used to sign malicious Microsoft Teams installers. The attackers used malvertising and SEO-poisoned domains mimicking Teams to distribute fake MSTeamsSetup.exe files that deployed the Oyster backdoor. The intervention curtailed a wave of Rhysida ransomware launches.

North Korean Group Adopts EtherHiding for Malware Campaign

🔐 Google Threat Intelligence has linked a campaign to UNC5342, a cluster tied to North Korea, that now uses EtherHiding to distribute malware via smart contracts on public blockchains such as BNB Smart Chain and Ethereum. The attackers lure developers through LinkedIn recruitment ruses, move conversations to Telegram or Discord, and deliver npm-package downloaders that chain into BeaverTail, JADESNOW, and the Python backdoor InvisibleFerret. By embedding payloads in on-chain contracts, the group turns blockchains into tamper-resistant dead-drops that are hard to takedown and easy to update, enabling sustained cryptocurrency theft and long-term espionage.

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.

LinkPro Rootkit Uses eBPF and Magic TCP Packets to Hide

🔒 An AWS-hosted compromise revealed a new GNU/Linux rootkit dubbed LinkPro, discovered by Synacktiv. Attackers leveraged an exposed Jenkins server vulnerable to CVE-2024-23897 and deployed a malicious Docker image (kvlnt/vv) to Kubernetes clusters, delivering a VPN/proxy (vnt), a Rust downloader (vGet) and vShell backdoors. LinkPro relies on two eBPF modules—Hide and Knock—to conceal processes and activate via a magic TCP packet, with a user-space fallback via /etc/ld.so.preload when kernel support is missing.

DPRK Hackers Adopt EtherHiding to Conceal Malware Campaigns

🔒 Google Threat Intelligence Group (GTIG) reports that a DPRK-aligned threat actor tracked as UNC5342 has employed EtherHiding since February to host and deliver malware via smart contracts on Ethereum and the BNB Smart Chain. Campaigns begin with fake technical interviews that trick developers into running a JavaScript downloader named JADESNOW, which fetches a JavaScript build of InvisibleFerret for in-memory espionage and credential theft. The method offers anonymity, takedown resistance, and low-cost, stealthy payload updates.

DPRK Actor UNC5342 Employs EtherHiding for Crypto Theft

🧩 GTIG reports that DPRK-linked UNC5342 has adopted EtherHiding, using smart contracts on public blockchains to store and deliver malicious JavaScript payloads. The actor leverages social engineering—fake recruiter lures and technical interviews—to deploy the JADESNOW downloader, which fetches and decrypts on-chain payloads and stages the Python backdoor INVISIBLEFERRET. Google recommends enterprise controls and Chrome management policies to disrupt this resilient, decentralized C2 method.

LastPass: Phishing campaign impersonates product, warns users

🔒 LastPass has confirmed it was not breached after detecting a targeted phishing campaign that mimicked its branding. The emails used the subject line "We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security" and came from spoofed senders such as hello@lastpasspulse.blog and hello@lastpassgazette.blog. Links in the messages redirected recipients to phishing sites (lastpassdesktop.com and lastpassgazette.blog), and attackers have also registered lastpassdesktop.app for potential follow-ups. Cloudflare is displaying warnings and LastPass said it is working to have the malicious domains taken down.

Operation Heracles: Takedown of Fraudulent Crypto Sites

🔒 German authorities, working with BaFin, Europol and Bulgarian law enforcement, seized 1,406 fraudulent crypto and investment domains in Operation Heracles on October 3, 2025. The seized sites, which targeted German-speaking users, now display warning banners after roughly 866,000 access attempts were recorded in the first ten days. Authorities warn these professional-looking platforms often use AI-generated content, mobile apps and call centres to defraud victims.

US Q3 Report: Over 23 Million Data Breach Victims This Year

📊 The Identity Theft Resource Center (ITRC)'s Q3 2025 analysis found 835 publicly reported corporate data compromises in the United States, resulting in approximately 23 million victim notifications. That follows 1,732 incidents in H1 2025 and brings the year-to-date total to nearly 202 million victims. The report attributes 83% of breaches to cyber-attacks, highlights a rise in physical attacks, and criticizes the increasing frequency of notices that omit details about the cause. Major victims this quarter included Anne Arundel Dermatology, DaVita, TransUnion and several large healthcare providers.

Nation-state Breach Exposes F5 BIG-IP Source Code

⚠️ F5 has confirmed a nation-state actor maintained persistent access to its development systems, including the BIG-IP product development environment and engineering knowledge management platforms, with discovery in August and customer notification on October 15. The breach included stolen files containing BIG-IP source code and information on undisclosed vulnerabilities. While F5 reports no known active exploitation, it and CISA have urged immediate patching and mitigations, and the US government delayed public disclosure in September after a Justice Department order.

Critical Infrastructure Hack, Burnout, and Music Discussion

🔐 In episode 439 of Smashing Security, Graham Cluley and guest Annabel Berry examine a reported critical infrastructure hack that allegedly exploited default passwords and featured perpetrators boasting on Telegram. They probe how basic misconfigurations can cascade into major incidents and spotlight the human cost of defending organisations — stress, burnout, and leadership failures. The show pairs this sober analysis with lighter cultural asides, including music and media reflections.

Capita fined £14M for 2023 breach exposing 6.6M people

🔒 The ICO fined Capita £14 million after a March 2023 cyberattack that exposed personal information for 6.6 million people and hundreds of clients, including 325 pension providers. Attackers—claiming responsibility as Black Basta—gained access via a malicious file, remained in systems for 58 hours, exfiltrated almost 1TB, and deployed ransomware. The fine was reduced from an initial £45 million after Capita accepted liability and implemented remediation measures, including enhanced access controls and customer protections.

F5 Confirms Source Code, Vulnerability Data Exfiltration

🔒 F5 Networks acknowledged that a highly sophisticated threat actor exfiltrated portions of BIG-IP source code, information about undisclosed vulnerabilities, and configuration data for a small percentage of customers. The company says there is no evidence of modification to its build pipelines or active exploitation of undisclosed critical vulnerabilities. F5 has released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG‑IQ, and APM clients and urges customers to apply them immediately. CISA has directed federal agencies to assess internet-exposed BIG-IP devices, and F5 will provide eligible customers a free subscription to CrowdStrike Falcon EDR.