
All news in category “Incidents and Data Breaches”

2724 articles · page 47 of 137

Cyberattack Disrupts Deutsche Bahn Information Systems

🚨 Deutsche Bahn reported that its information and booking services, including the DB Navigator app and the bahn.de website, were disrupted by a cyberattack. The operator characterized the incident as a DDoS attack that produced intermittent outages starting Tuesday afternoon and recurring on Wednesday morning. Services were restored to a "largely stable" state after defensive measures, though temporary restrictions persisted and the company provided no details about possible perpetrators or motives. Deutsche Bahn said the measures taken helped keep customer impact as low as possible.

Dutch police arrest man after link exposes sensitive files

🔒 Dutch police arrested a 40-year-old man after an officer inadvertently sent him a link that, instead of letting him upload images, allowed him to download internal documents. The recipient downloaded confidential files, refused to delete them, and reportedly sought a 'reward', prompting charges of computervredebreuk (computer trespass, i.e. unauthorised access). Authorities searched the suspect's home, seized devices, and reported a data breach while investigating how the error occurred.

Glendale Man Sentenced 57 Months for Darknet Drug Ring

⚖️ A Glendale man, 36-year-old Davit Avalyan, was sentenced to 57 months in federal prison after pleading guilty to one count of conspiracy to distribute narcotics for his role in a darknet trafficking operation that sold cocaine, methamphetamine, MDMA, and ketamine nationwide. Prosecutors say Avalyan and three co-conspirators operated multiple vendor storefronts — including JoyInc, PlanetHollywood, and LaFarmacia — from 2018 to 2025, shipping parcels via the U.S. Postal Service and accepting cryptocurrency. The FBI's JCODE task force led the investigation with support from USPS inspectors, the DEA, IRS-CI, and LAPD.

Notepad++ Fixes Hijacked Update Mechanism, Adds Double-Lock

🔒 Notepad++ has released version 8.9.2 to remediate a hijacked update mechanism abused by an advanced China-linked actor to selectively deliver malware. The maintainer implemented a "double lock" design that verifies both the signed installer (a check added in 8.8.9 and later) and the signed XML returned by the update server. The WinGUp auto-updater was hardened by removing libcurl.dll, dropping insecure cURL SSL options, and restricting plugin-management execution to binaries signed with WinGUp's certificate. The update also fixes a high-severity unsafe search path flaw (CVE-2026-25926); users should upgrade and download installers only from the official domain.

Chinese Hackers Exploit Dell RecoverPoint Zero-Day

🔒 Security researchers report that a suspected Chinese state-backed actor, UNC6201, has been exploiting a critical hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. Dell says versions prior to 6.0.3.1 HF1 permit unauthenticated access that can lead to root-level persistence. The intruders deployed a new C# backdoor called Grimbolt and used stealthy VMware pivot techniques, including hidden "Ghost NICs." Customers should apply Dell's updates and mitigations immediately.

Notepad++ strengthens updater with double-lock system

🔐 Notepad++ has implemented a double-lock update verification in version 8.9.2 to close recently exploited supply-chain gaps. The updater now validates both the signed installer from GitHub and a digitally signed XML (XMLDSig) served from the official notepad-plus-plus.org domain, and removes risky components such as libcurl.dll. Additional hardening removes insecure cURL SSL options and restricts plugin management execution to programs signed with the same certificate as WinGUp; users should upgrade to 8.9.2 or disable the auto-updater during installation.
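The two Notepad++ items above describe the same double-lock design: the updater trusts an update only when the XML served from the project's own domain and the installer fetched from GitHub each carry a valid signature, so compromising either host alone is not enough. The Go program below is an added illustration of that principle and is not Notepad++ or WinGUp code; the Manifest format, the use of Ed25519 with two separately pinned keys, and a detached signature over the raw XML bytes (in place of XMLDSig) are simplifying assumptions made here. It accepts a constructed genuine update and rejects both a manifest rewritten by an attacker on the update host and an installer swapped on the download host.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical, simplified stand-in for the signed XML an
// updater fetches from its own domain: it names the installer and the SHA-256
// the installer must hash to. Real XMLDSig embeds the signature in the
// document; here a detached signature covers the raw manifest bytes.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// DoubleLockVerify accepts an update only if every lock holds:
//  1. the manifest bytes verify under the pinned manifest key,
//  2. the installer bytes verify under the pinned installer key,
//  3. the installer hashes to the digest the signed manifest names.
// Compromising the update host alone breaks (1); compromising the download
// host alone breaks (2) and (3). The XML is parsed only after (1) passes.
func DoubleLockVerify(manifestKey, installerKey ed25519.PublicKey,
	manifest, manifestSig, installer, installerSig []byte) (*Manifest, error) {
	if !ed25519.Verify(manifestKey, manifest, manifestSig) {
		return nil, errors.New("manifest signature invalid")
	}
	if !ed25519.Verify(installerKey, installer, installerSig) {
		return nil, errors.New("installer signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return nil, fmt.Errorf("manifest digest: %w", err)
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return nil, errors.New("installer digest does not match signed manifest")
	}
	return &m, nil
}

// Outcome records whether each constructed scenario behaved as intended.
type Outcome struct {
	GenuineAccepted          bool
	TamperedManifestRejected bool
	SwappedInstallerRejected bool
}

// RunScenarios generates throwaway keys and a constructed installer, then runs
// the verifier against a genuine update, a manifest rewritten by an attacker
// holding the update host, and an installer swapped on the download host.
func RunScenarios() (Outcome, error) {
	mPub, mPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	iPub, iPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	installer := []byte("constructed installer bytes, version 8.9.2")
	sum := sha256.Sum256(installer)
	manifest := []byte(fmt.Sprintf(`<update><version>8.9.2</version><url>https://example.invalid/npp.exe</url><sha256>%s</sha256></update>`,
		hex.EncodeToString(sum[:])))
	mSig := ed25519.Sign(mPriv, manifest)
	iSig := ed25519.Sign(iPriv, installer)

	var out Outcome
	_, err = DoubleLockVerify(mPub, iPub, manifest, mSig, installer, iSig)
	out.GenuineAccepted = err == nil

	// Update host compromised: the digest is repointed at the attacker's binary,
	// but without the manifest key the old signature is replayed. Lock (1) fails.
	evil := []byte("attacker binary")
	evilSum := sha256.Sum256(evil)
	tampered := bytes.Replace(manifest,
		[]byte(hex.EncodeToString(sum[:])), []byte(hex.EncodeToString(evilSum[:])), 1)
	_, err = DoubleLockVerify(mPub, iPub, tampered, mSig, evil, iSig)
	out.TamperedManifestRejected = err != nil

	// Download host compromised: genuine signed manifest, swapped installer
	// bytes. Lock (2) fails, and (3) would fail as well.
	_, err = DoubleLockVerify(mPub, iPub, manifest, mSig, evil, iSig)
	out.SwappedInstallerRejected = err != nil
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run with `go run`. The order of checks matters: the signature is verified before the XML reaches the parser, so unsigned data never exercises parsing code, and the digest check binds the installer the manifest names to the bytes actually downloaded rather than trusting the download host's file name.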

Keenadu Firmware Backdoor Infects Android Tablets Worldwide

🔒 Kaspersky researchers have identified a firmware-embedded backdoor named Keenadu that can run in the context of every Android app and grant remote control over infected tablets. The implant was discovered in Alldocube iPlay 50 mini Pro firmware dating to August 18, 2023, and the compromised images carried valid digital signatures. Kaspersky observed delivery via signed OTA updates, preinstalled system apps, and trojanized apps distributed through third-party stores and official marketplaces.

Microsoft Teams outage impacts users in US and Europe

⚠️ Microsoft is investigating an outage affecting Microsoft Teams, with users in the United States and Europe reporting sign-in problems, failures joining meetings, and delays when sending or receiving chats that include inline media such as images, code snippets, and videos. The company classified the incident as a service degradation and said engineers were reviewing telemetry to isolate the root cause. Microsoft also addressed related issues that temporarily blocked the Join button and prevented some Copilot Studio agents from being added or updated.

Keenadu backdoor found in Android firmware and apps

🛡️ Keenadu is a sophisticated Android backdoor discovered embedded in device firmware and in apps distributed through Google Play and other channels. Kaspersky reports multiple distribution vectors — compromised OTA firmware, system apps, modified APKs and even Play Store apps — with the firmware-integrated variant being the most powerful. That variant can operate inside every installed app, silently install APKs with broad permissions, and exfiltrate media, messages, credentials and location data. Kaspersky has confirmed roughly 13,000 infected devices and warns that firmware-resident instances cannot be removed by standard Android tools; users should reflash clean firmware or replace affected devices.

SmartLoader Trojans Oura MCP Server to Deliver StealC

🛡️ Researchers at Straiker's AI Research (STAR) Labs disclosed a SmartLoader campaign that distributes a trojanized Oura Model Context Protocol (MCP) server to deploy the StealC infostealer. Attackers built a deceptive network of fake GitHub accounts and forks, added sham contributors, and submitted the malicious server to the MCP Market to exploit developer trust. The delivered ZIP runs an obfuscated Lua script that drops SmartLoader, which then installs StealC to exfiltrate credentials, browser passwords, and cryptocurrency wallet data. Organizations should inventory MCP servers, verify provenance before installation, and monitor for suspicious egress and persistence.

Poland Arrests Suspect Linked to Phobos Ransomware

🛡️ Polish police have detained a 47-year-old suspect alleged to have ties to the Phobos ransomware group and seized computers and mobile phones containing credentials, credit card numbers, and server access data. The arrest in Małopolska was carried out by the Central Bureau of Cybercrime Control as part of Operation Aether, an international Europol-coordinated disruption. Authorities say the suspect used encrypted messaging to communicate with Phobos and now faces charges under Article 269b of Poland’s Criminal Code.

Infostealer Targets OpenClaw, Exfiltrating AI Agent Data

🔐 Security researchers have documented an infostealer attack that exposed sensitive files from local AI assistants, specifically OpenClaw. Hudson Rock reported the malware harvested configuration and key material—including openclaw.json, device.json, and agent memory files—allowing token theft, private key access, and capture of users' operational context. The incident underscores risks from plaintext secrets and permissive defaults in agentic tools.

Washington Hotel in Japan Discloses Ransomware Breach

🔒 Washington Hotel, a business brand of Fujita Kanko Inc., disclosed a ransomware infection after an intrusion on Friday, February 13, 2026 at 22:00 local time. The company says it immediately disconnected affected servers, formed an internal task force, and engaged external cybersecurity experts to assess impact and coordinate recovery; preliminary findings indicate attackers accessed various business data. Customer records are unlikely to have been exposed because those are held by a separate vendor, but some properties experienced operational effects such as temporarily unavailable credit-card terminals.

Eurail Data Breach: Stolen Traveler Records Sold on Dark Web

🔒 Eurail B.V. confirmed that customer data stolen in a breach earlier this year is now being offered for sale on the dark web, and a sample dataset was published on Telegram. The company says it is still determining which specific records and how many customers are affected, but reported compromised fields may include full names, passport and ID numbers, IBANs, health details, and contact information. GDPR-required notifications have been filed and non-EU authorities will be informed. Customers are urged to change reused passwords, monitor bank accounts closely, and contact privacyhelp@eurail.com for support and FAQs.

Man Arrested After Downloading Confidential Police Files

🔒 Dutch police arrested a 40-year-old man in Ridderkerk after he downloaded confidential documents that an officer mistakenly shared via a download link and then refused to delete them unless he received "something in return." Authorities detained him on suspicion of computer trespass, searched his home and seized storage devices to recover the files. Police reported the breach and are investigating, saying there is no indication the documents were distributed further.

Infostealer Harvests OpenClaw AI Agent Configurations

🔓 Hudson Rock says an info‑stealer, likely a Vidar variant, exfiltrated an OpenClaw agent's configuration, including openclaw.json, device.json and soul.md. The files contain gateway tokens, cryptographic keys and the agent's operational 'soul,' which could let attackers impersonate the AI assistant or connect to local instances if exposed. The incident signals a shift from stealing credentials to harvesting AI agent identities, and vendors should expect targeted modules to follow.

Infostealer Observed Harvesting OpenClaw Agent Secrets

🔐 Hudson Rock has observed information-stealing malware exfiltrating configuration and memory files from the OpenClaw agent framework, exposing API tokens, private keys, and persistent agent memory. The activity, attributed to a Vidar-like infostealer and recorded on 13 February 2026, captured openclaw.json, device.json, and agent 'soul' and memory files. With these items an attacker could impersonate the device, bypass Safe Device checks, access encrypted logs, or fully compromise a user's digital identity. Organizations should audit agent directories, apply vendor fixes, and enforce strict filesystem permissions immediately.

Operation DoppelBrand: Phishing Targets Major Firms

🔒 SOCRadar has uncovered a phishing campaign named Operation DoppelBrand that targeted Fortune 500 financial, insurance and technology firms between December 2025 and January 2026. The activity is attributed to financially motivated actor GS7 and relies on lookalike domains and cloned login portals to harvest credentials, which are forwarded to Telegram bots. Successful compromises often result in the deployment of legitimate remote access tools such as LogMeIn Resolve, delivered via MSI installers and supported by VBS loaders for privilege escalation and silent installation.

Leaky Chrome Extensions Exposed Browsing Histories

🔍 An estimated 37 million global installs of Chrome extensions have been found transmitting users’ browsing histories to external servers. Independent researcher 'Q Continuum' identified 287 extensions that sent data closely matching visited URLs during automated simulated browsing. Flagged add-ons spanned VPNs, productivity tools, shopping/coupon helpers and browser utilities, and many obfuscated outbound payloads using base64, ROT47, compression or strong encryption. The researcher warned such exfiltration could expose internal corporate URLs and, where cookies or session data are accessible, enable credential harvesting.
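The detection the item above describes, matching an extension's outbound traffic against the URLs visited during scripted browsing even when the body is encoded, can be reproduced in a few dozen lines. The Go program below is an added example and not the researcher's tooling: the visited URLs, the request bodies and the set of decoders tried (plain text, base64 in the standard and URL alphabets with and without padding, ROT47, and gzip beneath base64) are all constructed here. Payloads under strong encryption, which the researcher also reported, cannot be unwrapped this way and need a different signal such as destination or entropy.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// rot47 shifts each printable ASCII byte (33..126) by 47 positions, wrapping
// within that range. It is its own inverse, so it both encodes and decodes.
func rot47(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 33 && c <= 126 {
			b[i] = 33 + (c-33+47)%94
		}
	}
	return string(b)
}

// decodings returns every candidate plaintext for one request body: the body
// itself, its ROT47 transform, each base64 decoding that succeeds, and the
// gunzip of any base64 result that turns out to be a gzip stream.
func decodings(payload []byte) [][]byte {
	out := [][]byte{payload, []byte(rot47(string(payload)))}
	text := strings.TrimSpace(string(payload))
	for _, enc := range []*base64.Encoding{
		base64.StdEncoding, base64.RawStdEncoding,
		base64.URLEncoding, base64.RawURLEncoding,
	} {
		dec, err := enc.DecodeString(text)
		if err != nil {
			continue
		}
		out = append(out, dec)
		if zr, err := gzip.NewReader(bytes.NewReader(dec)); err == nil {
			if plain, err := io.ReadAll(zr); err == nil {
				out = append(out, plain)
			}
		}
	}
	return out
}

// Leaks returns the visited URLs that appear verbatim in any decoding of
// payload. Each URL is reported at most once.
func Leaks(visited []string, payload []byte) []string {
	var hits []string
	cands := decodings(payload)
	for _, u := range visited {
		for _, c := range cands {
			if bytes.Contains(c, []byte(u)) {
				hits = append(hits, u)
				break
			}
		}
	}
	return hits
}

// Demo runs the check over constructed samples: one page-view record sent in
// the clear, base64-encoded, ROT47-encoded, and gzip-compressed under URL-safe
// base64, plus a benign heartbeat that carries no URL. It returns the number
// of leaked URLs found per sample.
func Demo() map[string]int {
	visited := []string{ // constructed browsing session, including an internal URL
		"https://intranet.example.invalid/jira/browse/SEC-1234",
		"https://shop.example.invalid/cart?session=abc",
	}
	plain := []byte(`{"ev":"pv","u":"https://intranet.example.invalid/jira/browse/SEC-1234"}`)
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write(plain)
	zw.Close()
	samples := map[string][]byte{
		"plain":       plain,
		"base64":      []byte(base64.StdEncoding.EncodeToString(plain)),
		"rot47":       []byte(rot47(string(plain))),
		"gzip+base64": []byte(base64.RawURLEncoding.EncodeToString(gz.Bytes())),
		"benign":      []byte(`{"ev":"heartbeat","ver":"3.1.0"}`),
	}
	res := make(map[string]int, len(samples))
	for name, body := range samples {
		res[name] = len(Leaks(visited, body))
	}
	return res
}

func main() {
	for name, n := range Demo() {
		fmt.Printf("%-12s leaked URLs: %d\n", name, n)
	}
}
```

In practice the visited set would come from a scripted browser session with unique, never-before-seen paths per visit, so that any decoding containing one of them is unambiguous evidence that the extension reported it; a raw gzip body without base64, or any layered scheme not in the decoder list, would be missed and is the natural next extension of `decodings`.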

Odido Breach Exposes Millions of Dutch Customers' Data

🔒 Odido, the largest mobile operator in the Netherlands, disclosed a data breach affecting its customer contact system and potentially impacting up to 6.2 million people. While the company says no passwords, call records or billing data were taken, exposed fields reportedly include names, home and email addresses, IBANs, dates of birth and passport/driver's license numbers. Odido has contained the intrusion, engaged external cybersecurity experts and will contact affected customers directly.