< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

2998 articles · page 5 of 150

Fraudulent OpenAI organization invites target security firms

🔔 Push Security discovered a campaign where attackers create fraudulent OpenAI tenants impersonating real companies and send legitimate-looking invites to employees. The invites originate from OpenAI notification addresses, pass authentication checks, and assign recipients Owner privileges within the fake organization. Attackers used Gmail accounts to pose as company executives and even attached a billing card to the tenant, likely to reduce suspicion. Push Security warns employees could be tricked into submitting sensitive data into the workspace and advises verification and monitoring of SaaS memberships.
read more →

Shai Hulud CI/CD to Redshift breach analysis

🔍 This FortiGuard Labs analysis examines the Shai Hulud supply chain worm that poisoned CI/CD dependencies to harvest Jenkins credentials and pivot into AWS. The report outlines a mid‑May 2026 incident where FortiCNAPP traced external use of a Jenkins instance role, IAM escalation to a cloudops-monitor identity, and subsequent Redshift data extraction. It highlights detection signals, MITRE mappings, and recommended containment actions.
read more →

One Million Passports Exposed in Data Leak

🔐 A database containing nearly one million passport records from multiple countries was leaked online. The incident highlights how high-value credentials like passports can be compromised when reused within lower-security systems; in this case, an ID verification service used by cannabis dispensaries was breached. The exposure demonstrates the cascading risk when sensitive identity documents are trusted by ancillary services with weaker protections.
read more →

CMC analysis of Canvas incident impacts education

🔍 The UK Cyber Monitoring Centre (CMC) has published its review of the Canvas incident affecting Instructure’s Learning Management System, finding ~160 UK higher education institutions impacted and around 9,000 worldwide. The analysis highlights that financial losses arose mainly from response, recovery and risk management rather than prolonged outage. The CMC reinforced best-practice recommendations for the sector, including MFA enforcement, separation of application and data layers, careful third‑party control and clearer vendor communication.
read more →

Poland Busts SIM-Swapping Gang Linked to Crypto Theft

🔎 Polish authorities arrested four suspects accused of orchestrating SIM-swapping attacks after breaching telecommunications partners and hijacking email accounts. The operation, led by the Polish Cybercrime Bureau (CBZC) with assistance from the FBI and HSI, uncovered sophisticated intrusions used to intercept SMS and email communications and seize crypto exchange accounts. Investigators estimate the group laundered millions via distributed financial networks and multiple bank accounts. The suspects face charges including organized crime, hacking, and money laundering, with potential sentences up to 25 years.
read more →

Shop app abused to deliver callback phishing scams

🛒 Researchers warn that threat actors are abusing Shop, Shopify’s order-tracking app, by adding fake purchase receipts to users' histories to trick them into calling scam phone numbers. Fraudulent receipts impersonate brands like Apple, PayPal, Norton, and McAfee, and aim to collect credentials, payment details, OTPs, or persuade victims to install remote access software. Users are advised to verify charges with their bank rather than call numbers on suspicious receipts.
read more →

macOS 'Gaslight' malware targets AI analysis tools

🛡️ Researchers uncovered a macOS malware family named macOS.Gaslight that embeds fabricated error messages and debugging data inside a Rust binary to mislead AI-assisted analysis tools. The 3.5 KB payload contains 38 fake system messages — including memory dumps, token-expiration warnings, and build errors — designed to appear as legitimate developer logs. SentinelOne attributes the sample with high confidence to a North Korean-linked actor and notes the strings aim to prompt-inject LLM pipelines, causing them to abort or distrust their session. The malware retains standard backdoor and data-stealing capabilities alongside the deceptive messaging tactic.
read more →

PirloTV sports piracy network disrupted in domain seizure

🔎 PirloTV, a network of sites embedding unauthorized live sports streams, has had 44 domains seized in a coordinated action. The Alliance for Creativity and Entertainment (ACE), UEFA, UC3, and Mexican authorities targeted domains that generated over 950 million visits annually, with heavy traffic from Mexico and Colombia. The takedown occurred ahead of the UEFA Champions League final and may affect piracy during the ongoing FIFA World Cup. Despite the seizures, some domains remain indexed and the network can quickly migrate to new domains.
read more →

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.
read more →

High‑Install Chrome Extension Enables Remote Script Injection

🛡️ An analysis of a widely installed Google Chrome extension, Adblock for YouTube (10M+ installs), revealed it can execute arbitrary JavaScript across websites. Researchers found a dormant, server‑controlled injection capability that could create elements without an extension update or store review. Although no evidence of active abuse was reported, the combination of all‑site access, prior ad‑injection SDKs, and related removed extensions raises significant privacy and security concerns.
read more →

Gaslight macOS implant uses AI prompt injection

🛡️ A new Rust-based macOS implant named Gaslight embeds a prompt-injection payload aimed at misleading AI-assisted analysis tools into aborting or refusing to analyze the sample. SentinelOne attributes the tool with high confidence to North Korea–aligned actors and notes its Telegram-based C2 implements an interactive shell with commands like shell, upload, and kill. The implant uses a LaunchAgent for persistence and includes a Base64-encoded Python stealer that harvests browser data, Terminal histories, Keychain contents, and system profiles before compressing and exfiltrating via Telegram.
read more →

Mistic backdoor linked to KongTuke access broker

🛡️ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
read more →

Mistic backdoor tied to initial access broker activity

🔍 Researchers have uncovered a backdoor named Mistic used in enterprise intrusions since April, linked to an initial access broker that sells footholds to ransomware gangs. The Windows DLL-sideloading malware executes in memory, reaches out to C2 servers, and can move, delete, and transfer files while also enabling credential theft. Symantec observed Mistic alongside ModeloRAT and social engineering chains using fake CAPTCHAs and malicious paste-and-run guidance.
read more →

DraftKings hacker 'Snoopy' sentenced to 18 months

🔒 A 21-year-old known as "Snoopy" was sentenced to 18 months in prison after pleading guilty to conspiracy to commit computer intrusion for his role in the November 2022 DraftKings account takeover. The attacker and co-conspirators compromised roughly 60,000 user accounts, added payment methods to 1,600 accounts, and stole $600,000. Authorities linked the scheme to online marketplaces and seller shops that trafficked access to stolen accounts.
read more →

Malicious Edge extension leverages native messaging

🛡️ A malicious Microsoft Edge extension named Edgecution was used to bypass the browser sandbox and deploy a Python-based backdoor by abusing the Chrome Native Messaging protocol. Attackers lured victims via fake Microsoft update pages and social engineering on Microsoft Teams, delivering a malformed ZIP with an embedded Python runtime and two components: a headless Edge extension and a native Python backdoor. Zscaler links the activity to an IAB associated with the Payouts Kings ransomware operation and provides IoCs and mitigation recommendations.
read more →

Two Scattered Spider members plead guilty in TfL hack

🔒 Two members of the Scattered Spider collective admitted launching a cyberattack against Transport for London that caused extensive disruption and financial losses. Thalha Jubair and Owen Flowers changed their pleas to guilty at Woolwich Crown Court, with sentencing set for July 22. The breach affected in-station systems and online services, forced password resets for 28,000 staff, and exposed millions of personal records. Investigations by the National Crime Agency and City of London Police linked seized devices and messaging evidence to the attack.
read more →

International takedown of Amadey and StealC networks

🛡️ A multinational law enforcement operation, coordinated with private-sector partners such as Bitdefender, ESET, and Microsoft, dismantled infrastructure powering the Amadey and StealC malware ecosystems. Authorities identified and restricted over $47 million in criminal cryptocurrency, recovered 27 million stolen credentials, and dismantled hundreds of servers and domains. The action disrupted loader-and-stealer chains used to fuel ransomware and fraud.
read more →

Law enforcement disrupts StealC and Amadey infostealers

🛡️ Operation Endgame participants executed a coordinated takedown of the StealC and Amadey infostealer infrastructures, seizing roughly 50 domains and nearly 200 active C2 IPs. The action was led by Germany’s Federal Criminal Police Office with coordination from Europol’s EC3 and support from partners including Microsoft, ESET and Proofpoint. Microsoft used AI to accelerate analysis and helped sever criminal control of over 18,000 victim devices. The broader operation seized crypto assets, recovered millions of credentials and dismantled hundreds of servers and domains.
read more →

Operation Endgame disrupts Amadey and StealC malware

🔎 Microsoft, Europol, and international partners executed Operation Endgame to disrupt infrastructure used by the Amadey and StealC malware families. The coordinated takedown targeted servers, domains, and related resources, seizing cryptocurrency and recovering millions of stolen credentials. Private-sector partners including Microsoft, ESET, Proofpoint, and IBM X-Force supported law enforcement actions across several countries. The effort also targeted SocGholish loaders and follows prior phases that disrupted other malware families.
read more →

macOS Gaslight backdoor uses prompt injection tactics

🛡️ SentinelLabs uncovered a North Korea-linked macOS backdoor, tracked as macOS.Gaslight, that embeds 38 fabricated system messages to manipulate AI-assisted malware triage. The Rust implant carries an infostealer and interactive backdoor that exfiltrates browser data, terminal histories and the macOS login keychain, using Telegram Bot API with certificate pinning for command and control. Researchers noted novel tradecraft including runtime staging of a standalone Python interpreter and self-scrubbing of the Telegram bot token from logs. SentinelLabs warned analysts to treat sample contents as adversarial input and to isolate hostile content from LLM-based tools.
read more →