All news in category "Incidents and Data Breaches"
Fri, November 28, 2025
RomCom Uses SocGholish to Deliver Mythic Agent to US Firms
🔒 Arctic Wolf Labs observed a targeted September 2025 campaign in which the Russia-aligned RomCom group used fake browser-update prompts to deliver the Mythic Agent implant via a classic SocGholish chain. Researchers say this is the first observed instance of RomCom pairing SocGholish initial access with a Mythic C2-based loader. The intrusion was stopped before impact, and Arctic Wolf published IOCs and mitigation guidance.
Fri, November 28, 2025
Scattered Lapsus$ Hunters Target Zendesk with Fake Domains
🔒 ReliaQuest researchers discovered that a group calling itself Scattered Lapsus$ Hunters registered more than 40 fake domains over six months to impersonate Zendesk, host fraudulent login pages, and push malware. Domains such as znedesk.com and vpn-zendesk.com used realistic sign-in screens while other URLs embedded company names to build trust. Attackers also submitted bogus support tickets to real Zendesk portals to trick help-desk staff into surrendering credentials or installing malware. ReliaQuest noted registry patterns tied to NiceNic and Cloudflare-masked nameservers and shared findings with Zendesk.
Fri, November 28, 2025
French Football Federation Data Exposure Affects Millions
🔒 The French Football Federation (FFF) reported unauthorized access to the centralized software used by licensed clubs to manage player registrations, an intrusion it believes occurred on 20 November. Exposed fields include names, genders, dates and places of birth, nationalities, postal and email addresses, phone numbers and football license ID numbers. The FFF says it deactivated the compromised account, reset all user passwords, filed a complaint with authorities and notified CNIL and ANSSI. It will inform affected individuals with known emails and urged license holders to remain vigilant against phishing and scam attempts.
Thu, November 27, 2025
Bloody Wolf Expands Java-Based NetSupport Campaign Regionally
🐺 Group-IB and Ukuk report that the actor known as Bloody Wolf has conducted spear-phishing campaigns since June 2025 targeting Kyrgyzstan and, by October 2025, expanded into Uzbekistan to deliver NetSupport RAT. Attackers impersonate government ministries using malicious PDFs that host Java Archive (JAR) loaders built for Java 8, instructing victims to install Java so the loader can execute. The loader fetches the NetSupport payload and establishes persistence via scheduled tasks, registry entries, and a startup batch script in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
Thu, November 27, 2025
FCC Warns: Hackers Hijack Radio Gear to Air False Alerts
🔔 The FCC has warned that attackers have been hijacking US radio transmission equipment to broadcast false Emergency Alert System tones and obscene material, exploiting unsecured Barix network audio devices. Intruders reconfigured devices to pull attacker-controlled streams, causing stations in Texas and Virginia to air unauthorized Attention Signals layered with offensive language. The FCC urged broadcasters to apply vendor patches, change default credentials, isolate EAS and Barix devices behind firewalls or VPNs, monitor logs, and report incidents to manufacturers, the FCC Operations Center and IC3.
Thu, November 27, 2025
Bloody Wolf APT Expands NetSupport Campaign in Central Asia
🔎 Researchers at Group-IB and UKUK have identified a widening campaign by the Bloody Wolf APT that uses streamlined Java-based loaders to deliver NetSupport remote administration software to government targets. The operation, active since late 2023 and observed in Kyrgyzstan from at least June 2025 before spreading to Uzbekistan in early October, relies on convincing PDF lures, spoofed domains and geofenced infrastructure. Simple Java 8 loaders fetch NetSupport over HTTP, add persistence via autorun entries and scheduled tasks, display fake error messages, and include a launch-limit counter that caps how many times the loader runs in order to avoid detection. The group has shifted from using STRRAT to deploying an older 2013 build of NetSupport Manager and uses a custom JAR generator to mass-produce variants.
Thu, November 27, 2025
OpenAI Data Exposed After Mixpanel Phishing Incident
🔒 OpenAI confirmed a customer data exposure after its analytics partner Mixpanel suffered a smishing attack on November 8, which allowed attackers to access profile metadata tied to platform.openai.com accounts. Stolen fields included names, email addresses, approximate location, OS/browser details, referrers, and organization or user IDs. OpenAI says ChatGPT and core systems were not breached and that no API keys, passwords, payment data, or model payloads were exposed. The company has terminated its use of Mixpanel and is notifying impacted customers directly.
Thu, November 27, 2025
OpenAI Vendor Mixpanel Breach Exposes API User Data
🔒 According to an OpenAI statement, cybercriminals accessed analytics provider Mixpanel's systems in early November, and data tied to some API users may have been exposed. Potentially affected fields include account names, associated email addresses, approximate browser-derived location (city, state, country), operating system and browser details, referring websites, and organization or user IDs. OpenAI said its own systems and products such as ChatGPT were not impacted, that sensitive items like chat histories, API requests, API usage data, passwords, credentials, API keys, payment details, and government IDs were not compromised, and that it has removed Mixpanel from its systems while working with the vendor to investigate.
Thu, November 27, 2025
Asahi breach: personal data of nearly two million exposed
🔒 Asahi Group Holdings has confirmed that personal data for approximately 1.914 million people, including 1.525 million customers, may have been exposed after a September ransomware incident that forced temporary suspension of operations. The company spent two months on containment, integrity checks and system restoration, and says credit card details were not affected. Qilin has claimed responsibility; Asahi warns customers to monitor for unsolicited communications and anticipates ongoing operational impacts.
Thu, November 27, 2025
ToddyCat toolkit pivots to Outlook and Microsoft tokens
🔒 Kaspersky researchers report that ToddyCat updated its toolkit in late 2024 and early 2025 to target Outlook email data and Microsoft 365 access via OAuth 2.0 tokens. Previously known for compromising internet-facing Microsoft Exchange servers, the group now uses a C++ utility, TCSectorCopy, to copy OST files and parses them with XstReader to read full email archives. When browser-based token extraction was blocked, attackers deployed ProcDump to dump tokens from Outlook memory. Kaspersky released IOCs and technical details to support detection and response.
Thu, November 27, 2025
OpenAI API customer data exposed in Mixpanel breach
🔒 OpenAI has notified some ChatGPT API customers that limited identifying information was exposed following a breach at its third‑party analytics vendor, Mixpanel. Mixpanel says the incident resulted from a smishing campaign detected on November 8, and OpenAI received details of the affected dataset on November 25. Exposed fields may include names, emails, coarse location, device and browser metadata, referring websites, and account IDs, but OpenAI says no chats, API requests, usage data, passwords, API keys, payment details, or government IDs were exposed. OpenAI has removed Mixpanel from production, begun notifying affected parties, and is warning users to watch for phishing attempts and enable 2FA.
Thu, November 27, 2025
OpenAI Alerts API Users to Mixpanel Data Exposure Incident
⚠️ OpenAI has warned that some data from users of its platform.openai.com API may have been exposed after an attacker gained unauthorized access to part of analytics vendor Mixpanel and exported a dataset. The incident began on November 9 and Mixpanel shared the dataset with OpenAI on November 25. Potentially affected fields include account names, email addresses, coarse location, browser/OS, referrers and organization or user IDs. OpenAI says its systems, chats, API keys, credentials, payment details and chat content were not compromised, and it has removed Mixpanel from production while notifying affected users and expanding vendor security reviews.
Thu, November 27, 2025
Scattered Lapsus$ Hunters Target Zendesk Support Users
🚨 ReliaQuest has uncovered a campaign attributed to the Scattered Lapsus$ Hunters that leverages more than 40 typosquatted domains impersonating Zendesk portals, including deceptive SSO pages designed to harvest credentials. The actors have also been observed submitting fraudulent helpdesk tickets to target support staff, aiming to deploy remote access trojans and other malware. Organizations are advised to enforce MFA with hardware keys, implement IP allowlisting and session timeouts, monitor domains and DNS, and harden chat controls and content filtering to mitigate the risk.
Thu, November 27, 2025
CISA Warns: State-Backed Spyware Targeting Signal, WhatsApp
🛡️ CISA has warned that cybercriminals and state-backed actors are using spyware to target users of encrypted messaging apps including Signal, WhatsApp, and Telegram. Rather than breaking end-to-end encryption, attackers compromise devices to access messages, files, contacts, call history, and location data. Techniques include fake QR codes that link accounts to attacker-controlled devices, malicious updates, and zero-click exploits that trigger on receipt of a malformed image or file. Users are urged to keep devices and apps updated, avoid installing software from untrusted sources, and treat unexpected messages or files with suspicion.
Thu, November 27, 2025
Gainsight Expands Customer Impact After Salesforce Alert
🔒 Gainsight disclosed that suspicious activity affecting its Salesforce-connected applications has expanded beyond an initial three-customer list provided by Salesforce, with the company saying it presently knows of "only a handful" of customers whose data were affected. Salesforce revoked access and refreshed tokens for impacted Gainsight-published apps after detecting "unusual activity" claimed by the ShinyHunters group. Several vendors suspended integrations while investigations continue; Gainsight advised rotating credentials, resetting non‑SSO passwords, and reauthorizing connectors as preventive measures.
Thu, November 27, 2025
SonicWall Ransomware Incidents Highlight M&A Risk for CSOs
🛡️ A ReliaQuest analysis of June–October incidents links multiple Akira ransomware intrusions to compromised SonicWall SSL VPNs that were inherited through acquisitions. In nearly every case, acquiring organizations did not know the devices remained on their networks, and attackers leveraged legacy administrative credentials. The report warns that routine financial due diligence misses such cyber risks, and urges early security-led inventory, segmentation, and credential rotation during M&A onboarding.
Thu, November 27, 2025
Smashing Security #445: Broadcast Hacks and Insider Risk
🧟 In episode 445 of the Smashing Security podcast, Graham Cluley and guest Dan Raywood review a decade of insecure broadcast infrastructure that has allowed attackers to hijack TV and radio, issue fake emergency alerts, and even replace sermons with explicit content. They also examine an alleged insider leak at a cybersecurity firm that raises urgent questions about trusted access and internal controls. The discussion highlights persistent vulnerabilities in broadcast hardware and the broader implications for public safety and incident response.
Wed, November 26, 2025
ShadowV2 Mirai Botnet Tested During AWS Outage Activity
⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage; it appeared active only for the outage window, which may indicate a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting that many affected models are end-of-life and will not be patched.
Wed, November 26, 2025
Comcast to Pay $1.5M After Vendor Breach Affects 273,703
🔒 Comcast will pay $1.5 million to settle an FCC investigation after a February 2024 vendor breach at Financial Business and Consumer Solutions (FBCS) exposed the personal data of 273,703 current and former Xfinity customers. Under the consent decree Comcast must implement a compliance plan with enhanced vendor oversight, biennial risk assessments, and biannual reporting. Comcast says its network was not breached and has not conceded wrongdoing.
Wed, November 26, 2025
Shai-Hulud v2 Supply-Chain Campaign Hits Maven Central
⚠️ The second wave of the Shai-Hulud supply-chain attack has moved from npm into the Maven ecosystem after researchers found org.mvnpm:posthog-node:4.18.1 embedding the same setup_bun.js loader and bun_environment.js payload. The artifact was rebundled via an automated mvnpm process and was not published by PostHog; mirrored copies were purged from Maven Central on Nov 25, 2025. The campaign steals API keys, cloud credentials and npm/GitHub tokens by backdooring developer environments and injecting malicious GitHub workflows, affecting thousands of repositories.