CISO Brief

All news in category “Incidents and Data Breaches”

2723 articles · page 60 of 137

European Space Agency Hit by Multiple Data Breaches

⚠️ The European Space Agency (ESA) has suffered a further significant cybersecurity breach after a December incident, with the Scattered Lapsus$ Hunters group claiming to exfiltrate roughly 500GB of additional data. The stolen material reportedly includes operational procedures, spacecraft and mission documentation, and proprietary contractor data from partners such as SpaceX, Airbus Group, and Thales Alenia Space. ESA has confirmed a criminal investigation is underway amid concerns about systemic security weaknesses.

Automated Attacks Target Fortinet FortiGate SSO Configurations

🔒 Arctic Wolf warns of a new cluster of automated malicious activity that began on January 15, 2026, involving unauthorized configuration changes to Fortinet FortiGate devices. Attackers exploited SAML-related weaknesses (CVE-2025-59718, CVE-2025-59719) to bypass FortiCloud SSO, create generic admin accounts such as cloud-init@mail.io and names like secadmin or itadmin, and export firewall configurations to external IPs. Administrators are advised to disable the admin-forticloud-sso-login setting until mitigations are confirmed.

Resurgence of AiTM and BEC campaign abusing SharePoint

🔒 Microsoft Defender researchers uncovered a multi‑stage AiTM phishing and BEC campaign that abused SharePoint file‑sharing to deliver credential‑harvesting traps and maintain persistence by creating malicious inbox rules. Attackers used trusted vendor‑style lures and legitimate SharePoint redirects to capture session cookies or credentials, then expanded the campaign across energy sector organizations by sending more than 600 phishing messages from compromised accounts. Defender XDR and Office 365 detections exposed session cookie theft, replay attempts, and malicious inbox rules — remediation requires revoking session cookies, deleting attacker‑created inbox rules, and restoring MFA controls in addition to password resets.

Smashing Security #451: Gov Hacks and Headphone Risks

🔒 In episode 451 of Smashing Security, host Graham Cluley and guest Ray Redacted explore a prolific intruder who claims to have compromised the U.S. Supreme Court, Veterans Affairs, AmeriCorps and other organisations, posting screenshots and even a victim’s blood type under the account “I hacked the government”. They also examine research revealing flaws in wireless headphone pairing — notably in Google’s Fast Pair ecosystem — that let attackers hijack earbuds, inject audio and eavesdrop without obvious signs. The episode mixes incident reporting, legal context and consumer privacy implications.

Unsecured Zendesk Instances Used in Global Spam Wave

📧 Attackers abused unverified ticket submission on Zendesk to trigger automated confirmation emails to thousands of addresses worldwide, producing a massive spam wave that began on January 18. The messages — often bizarre, alarming, or rendered with decorative Unicode — originated from legitimate company support systems, allowing them to bypass spam filters. Affected vendors such as Discord, Tinder, and Dropbox confirmed the incident and advised recipients to ignore the emails while platforms implement mitigations.

Misconfigured Demo Environments Become Cloud Backdoors

🔒 New research from Pentera Labs shows that internal testing, demo, and training applications left in default or misconfigured states are being used as entry points into enterprise cloud environments. The team found popular vulnerable apps such as Hackazon, DVWA, and OWASP Juice Shop exposed on major cloud platforms and sometimes tied to overly permissive IAM roles. Attackers have leveraged these exposures to deploy crypto miners, webshells, and persistence mechanisms; Pentera recommends inventorying assets, enforcing least privilege, isolating labs from production, and expiring temporary test environments.

Android Click-Fraud Malware Uses AI to Tap Hidden Ads

🤖 Researchers at Doctor Web discovered an Android click‑fraud trojan family that leverages TensorFlow.js to visually detect and interact with advertisement elements inside a hidden WebView. In a 'phantom' mode the malware renders a virtual screen, captures screenshots, and feeds them to an ML model to identify and tap the correct UI element, avoiding DOM-based click routines. A separate 'signalling' mode streams the virtual browser to attackers via WebRTC, permitting real-time tapping, scrolling, and text entry. Infected apps were distributed through Xiaomi's GetApps, third‑party APK sites, and messaging channels.

PcComponentes denies 16M breach, cites credential stuffing

🔒 PcComponentes says it found no evidence of unauthorized access after investigating claims that a threat actor leaked a 16.3 million‑record customer dataset, but confirmed its platform was targeted in a credential stuffing campaign. The actor posted a 500,000‑record sample and offered the remainder for sale. The company asserts no payment details or passwords are stored and that only a small number of accounts showed exposure of personal data. PcComponentes has deployed CAPTCHA, mandated two‑factor authentication and invalidated active sessions.

Ingram Micro: 42,000 Employee Records Exposed Globally

🔓 In July 2025, Ingram Micro confirmed a ransomware incident that resulted in the exposure of data for more than 42,000 people. The company told US regulators that attackers accessed records for current and former employees and job applicants, including names, contact details, birth dates, ID numbers and Social Security numbers, plus application materials and employee evaluations. The gang Safepay, active since September 2024, claimed to have stolen about 3.5 terabytes of files. The attack also paralyzed logistics for a week at the global IT distributor, which employs roughly 23,500 people.

North Korean 'PurpleBravo' Campaign Targets 3,136 IPs Globally

🔍 Recorded Future's Insikt Group reports that a widespread North Korean campaign, dubbed PurpleBravo, targeted 3,136 individual IP addresses via fraudulent job interviews that prompted candidates to run malicious code. The activity, observed from August 2024 to September 2025, affected 20 organizations across AI, crypto, finance, IT services, marketing, and software development in Europe, South Asia, the Middle East, and Central America. Security firms including Jamf Threat Labs reported abuse of VS Code projects, malicious GitHub repos and fake LinkedIn personas to deliver malware such as BeaverTail and a Go-based backdoor, increasing supply-chain and corporate-device risks.

Fake LastPass Emails Pose as Password Vault Backup Alerts

⚠️ LastPass is warning of a phishing campaign that impersonates maintenance notices and urges users to back up their vaults within 24 hours. The messages contain a 'Create Backup Now' button that redirects to a fraudulent site purporting to build an encrypted local backup, where attackers likely try to capture master passwords or hijack accounts. LastPass confirmed it will never ask for master passwords and advised recipients to report suspicious messages to abuse@lastpass.com. The company said the campaign began on January 19 and was timed to exploit a U.S. holiday weekend.

Peruvian Loan Scam Harvests Card Details and PINs at Scale

🔒 A large-scale phishing campaign in Peru has used polished fake loan applications to collect valid card numbers, online banking passwords and 6-digit PINs, according to Group-IB. Active since 2024, the operation leverages targeted social media ads and roughly 370 domains, including 16 impersonating a major Peruvian bank. The flow deliberately breaks facial verification so victims are steered toward card entry, and card numbers are filtered with the Luhn check to ensure usability. Group-IB urges stronger customer education, multi-factor authentication and cross-industry intelligence sharing to counter the threat.

Testing Apps Exposed Online Used to Breach Fortune 500

⚠️ A recent Pentera investigation discovered nearly 2,000 intentionally vulnerable security-testing web applications (DVWA, OWASP Juice Shop, Hackazon, bWAPP) exposed on the public internet, often running from overly privileged cloud accounts on AWS, GCP and Azure. Attackers exploited these instances to deploy crypto miners, install webshells and create persistence mechanisms, then pivot to sensitive cloud resources. Affected vendors including Cloudflare, F5 and Palo Alto Networks were notified and remediated issues. Pentera recommends inventories, isolation of test systems, enforcement of least-privilege IAM, and elimination of default credentials.

Contagious Interview: VS Code Used as Attack Vector

⚠️ Threat actors tied to DPRK-backed Contagious Interview are weaponizing Visual Studio Code project configurations to execute malicious payloads when developers open and trust cloned repositories. Jamf Threat Labs observed attackers embedding commands in tasks.json that spawn shell processes to fetch and run obfuscated JavaScript via Node.js, establishing a persistent backdoor that can survive closing the IDE. Users should vet unfamiliar repos, inspect task and package files, and avoid running npm install without review.

Ransomware and Data Theft Hit Ingram Micro, 42K Affected

🔒 In July 2025 a ransomware attack on distributor Ingram Micro disrupted the company's logistics for about a week, impacting its U.S. headquarters and a German site. The company notified U.S. authorities that more than 42,000 people—current and former employees and job applicants—had personal data stolen, including names, contact details, dates of birth, identity document numbers and Social Security numbers. Documents from hiring processes and employee performance reviews were also exfiltrated, and the ransomware group Safepay, active since September 2024, claimed roughly 3.5 terabytes of data.

NCSC Warns of Pro-Russian DDoS Targeting UK Services

⚠️ The UK's National Cyber Security Centre (NCSC) warns that pro‑Russian hacktivist groups are conducting distributed denial-of-service (DDoS) attacks against British organisations, particularly local government and critical infrastructure operators. These attacks are typically low in technical sophistication but can still deny access, disrupt services and impose substantial recovery costs. The NCSC advises organisations and OT owners to review and harden defences, work with ISPs and CDNs, design scalable services, retain administrative access during incidents, and regularly test mitigations.

LastPass Warns Users of Fake Maintenance Phishing Campaign

🔔 LastPass is warning users about an active phishing campaign observed from around January 19, 2026, that impersonates the service and urges users to create local backups within 24 hours to harvest master passwords. The messages route recipients through a staged AWS S3 URL that then redirects to a fraudulent domain (mail-lastpass[.]com) and originate from several spoofed support addresses. LastPass said it will never ask for master passwords and is working with partners to take down the malicious infrastructure while urging users to report suspicious messages.

DPRK-linked Actors Abuse VS Code Tasks to Deliver Backdoor

🚨 Jamf Threat Labs and other researchers observed DPRK-linked actors using malicious Visual Studio Code project repositories to deliver a multi-stage backdoor enabling remote code execution. The campaign abuses VS Code task configuration files (runOn: folderOpen) to fetch obfuscated JavaScript from Vercel and deploy implants named BeaverTail and InvisibleFerret. Targets are lured to clone and open repository-based job assessments, and on macOS the chain uses nohup/curl to run Node.js payloads that persist beyond the IDE.

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨 A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.

Five Chrome Extensions Hijack Enterprise Sessions, Target HR

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.