
All news in category “Incidents and Data Breaches”

2722 articles · page 65 of 137

BreachForums Database Leak Exposes 324K Criminal Users

🔓 A leaked MySQL archive containing 323,986 BreachForums user records surfaced in January, revealing hashed passwords, private messages, forum posts, and registration metadata. Security firm Resecurity reported the leak also included a password-protected PGP private key and a 4,400-word manifesto titled 'Doomsday' attributed to an individual calling themselves James. Have I Been Pwned traced the breach to August, months before multiple law enforcement takedowns and arrests weakened the platform's ecosystem. Observers say the exposure further erodes trust in large public crime forums and may push sophisticated actors to smaller, invite-only communities.

Malicious email campaign mimics government services

🔒 Kaspersky researchers have detected a new wave of malicious emails targeting Russian private-sector organizations that aim to deploy an infostealer. The attackers use executable files disguised as PDFs (examples include "УВЕДОМЛЕНИЕ о возбуждении исполнительного производства" ("NOTICE of initiation of enforcement proceedings") and "Дополнительные выплаты" ("Additional payments")) which launch a .NET downloader. That downloader fetches a secondary loader that installs as NetworkDiagnostic.exe and creates a persistent Network Diagnostic Service, pulling encrypted payloads from a command-and-control server hosted on a lookalike domain (gossuslugi.com). The final payload collects system details, screenshots and document files and exfiltrates data to a separate server; Kaspersky recommends using reliable endpoint security and corporate email-gateway protections to block such threats.

Apex Legends players hit by in-match character hijacks

🎮 Players of Apex Legends faced in-match disruptions over the weekend as external actors reportedly took control of characters, forced disconnects, and changed player nicknames. Respawn acknowledged "an active security incident" but said initial investigation found no evidence of an RCE or malware infection. The publisher reported the issue was resolved within hours and suggested cheating tools were involved while the investigation continues.

University of Hawaii Cancer Center Hit by Ransomware

🔒 The University of Hawaii System says a ransomware gang breached a single research project at the UH Cancer Center on August 31, 2025, and exfiltrated study data that included historical files containing Social Security numbers. Upon discovery, affected systems were disconnected, external cybersecurity experts were engaged, and the university said it negotiated with the threat actors to secure a decryption tool. UH reported arranging for the secure destruction of the illegally obtained data and said it will notify individuals once contact information is confirmed. The institution has installed endpoint protection, replaced compromised systems, reset credentials, updated firewall software, and initiated third-party security audits.

Target's Dev Git Server Offline After Source Code Claims

🔒 Target is investigating claims that an unknown threat actor published samples of internal source code on public Gitea repositories and is advertising a larger dataset for sale. The posted sample included a SALE.MD index listing roughly 57,000 lines and an estimated archive size of ~860 GB. After BleepingComputer alerted Target, the sample repos were removed and the retailer's developer Git server at git.target.com became inaccessible externally. Commit metadata and repository structure suggest the material may have originated from private internal infrastructure.

n8n npm Packages Used in OAuth Credential Theft Campaign

🔒 Researchers found eight malicious npm packages impersonating n8n community nodes that were designed to steal developers' OAuth credentials. The packages mimicked legitimate integrations (for example, Google Ads), saved encrypted OAuth tokens to n8n's credential store, then used the instance master key at runtime to decrypt and exfiltrate tokens to attacker-controlled servers. Analysts urge disabling community nodes and auditing packages before installation.

Endesa Reports Customer Data Breach Exposing Contracts

🔒 Spanish energy provider Endesa and its operator Energía XXI disclosed unauthorized access to their commercial platform that exposed customer contract-related data. The company says the intruder accessed basic identification, contact details, national ID numbers (DNI), contract records, and payment information such as IBANs, while account passwords were not affected. Endesa says it blocked compromised internal accounts, preserved logs for forensic analysis, notified relevant authorities including the Spanish Data Protection Agency, and increased monitoring. Threat actors claim to be offering roughly 1TB of SQL data—allegedly ~20 million records—for sale; the investigation is ongoing and affected customers are being notified.

Malicious npm Packages Target n8n in Supply-Chain Attack

🔐 Endor Labs discovered malicious npm packages this week that impersonated community nodes for the n8n workflow automation platform, harvesting OAuth tokens and API keys when installed. The deceptive packages presented legitimate-looking configuration screens while executing code to decrypt credentials from n8n’s credential store and exfiltrate them to attacker-controlled C2 servers. Because n8n treats installed nodes as trusted code with full access to the workflow environment, these packages bypass typical supply-chain monitoring and can perform arbitrary network requests and host interactions. Endor recommends preferring built-in integrations, auditing package source and metadata, monitoring outbound traffic from automation hosts, and using isolated, least-privilege service accounts.

GoBruteforcer Botnet Targets Crypto Databases via Weak Keys

🔒 A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain project databases by exploiting weak, reused credentials and exposed services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux hosts. Check Point Research reports the Golang-based botnet deploys obfuscated IRC bots and web shells, leverages XAMPP FTP as an initial vector, and uses brute-force modules to expand, host payloads, and act as backup C2.

Iran-linked MuddyWater Deploys Rust-Based Implant Now

🔒 CloudSEK reports that Iran-linked APT MuddyWater has deployed a Rust-based implant dubbed RustyWater in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across Israel and the Middle East. The campaign relies on icon-spoofed executables delivered in ZIP archives that display decoy PDFs while executing loaders which establish persistence and fetch the Rust payload. RustyWater implements anti-analysis checks, string obfuscation, randomized callbacks and standard RAT functions including file enumeration, command execution and data exfiltration, while using C2 domains that mimic legitimate services.

BreachForums Database Leak Exposes Forum User Records

🔓 A leaked SQL database tied to the BreachForums dark-web forum was published by a site associated with the ShinyHunters collective, according to Resecurity. The archive reportedly contains metadata for 323,986 MyBB users, including usernames and IP addresses, though some IPs appear sanitized or set to loopback values. Resecurity warns that copies from other sources may be booby-trapped and recommends obtaining the dataset from its site.

Instagram Denies Breach After 17M Account Data Leak Claims

🔐 Meta says it patched a bug that allowed an external party to mass-request Instagram password reset emails and denies any systems breach after claims that data from more than 17 million accounts was posted online. Malwarebytes warned customers of a 17.5M-account dump containing phone numbers, emails, addresses and Instagram IDs, though not every record includes all fields. Meta told reporters it is not aware of an API incident in 2022 or 2024, and Instagram accounts remain secure. Users should ignore unsolicited reset emails, enable two-factor authentication, and stay alert to phishing and smishing attempts.

BreachForums User Database Leak Exposes 324,000 Accounts

🔐 A backup of the BreachForums MyBB users table and an associated PGP key were published in a 7-Zip archive, exposing 323,988 account records and administrator key material. The leaked archive includes a databoose.sql users table and a passphrase-protected PGP private key; without the passphrase the key cannot be used to sign messages. Analysis found most IPs were set to a local loopback (127.0.0.9), but roughly 70,296 records map to public IPs, creating OPSEC risks for affected users and potential intelligence value for law enforcement. The forum administrator acknowledged the leak, saying the files were temporarily left in an unsecured folder during recovery and recommending disposable email addresses for members.

Spain Arrests 34 Suspects Linked to Black Axe Cybercrime

🛡️ Spanish law enforcement arrested 34 individuals in a coordinated operation targeting a criminal network tied to the Black Axe syndicate, with assistance from the Bavarian State Criminal Police Office and Europol. Searches in Seville, Madrid, Malaga, and Barcelona yielded €66,400 in cash, electronic devices, vehicles, and frozen bank accounts totaling €119,350. Authorities say the group specialized in Man-in-the-Middle (MITM) frauds, notably Business Email Compromise, and caused more than $6 million in losses over 15 years, $3.5 million of which relate to this case. Four principal suspects are in pretrial detention and face charges including aggravated continuous fraud, money laundering, and document forgery.

MuddyWater Deploys RustyWater RAT in Spear‑Phishing Campaign

🛡️ CloudSEK researchers report that the Iran-linked actor MuddyWater has distributed a new Rust-based remote access tool codenamed RustyWater via spear-phishing emails containing malicious Microsoft Word documents. The lure employs icon spoofing and a VBA macro that drops a Rust implant capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion. Tracked also as Archer RAT or RUSTRIC, the implant contacts a hardcoded C2 (nomercys.it[.]com) to perform file operations and execute commands. Seqrite Labs linked RUSTRIC to recent activity against IT firms, MSPs and software companies in Israel.

Ireland Recalls Nearly 13,000 Passports Over MRZ Error

⚠️ Ireland's Passport Office has recalled 12,904 passports issued between 23 December 2025 and 6 January 2026 after a software update caused a printing defect that may omit the IRL issuing-state code in the passport's machine-readable zone (MRZ). Affected holders are asked to return passport books (and cards where applicable) for free replacement, with new documents issued in approximately 10 working days. The Department issued a global alert via the International Civil Aviation Organization and advises travellers to contact the Passport Office for guidance.

Europol: 34 Arrested in Spain in Major Black Axe Operation

🚨 Europol and the Spanish National Police announced the arrest of 34 suspected members of the Black Axe transnational crime group across Seville, Madrid, Málaga and Barcelona. Authorities froze €119,352 in bank accounts and seized €66,403 in cash during coordinated searches, while estimating fraud losses exceeding €5.93 million linked to the network. Investigators describe Black Axe as a hierarchical syndicate involved in cyber-enabled fraud, trafficking, kidnapping and other violent crimes with origins in Nigeria.

Chinese-linked actors exploit VMware ESXi via SonicWall VPN

🔍 Huntress says Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deploy a multi-stage exploit against VMware ESXi, leveraging three zero-day vulnerabilities disclosed by Broadcom in March 2025 (CVE-2025-22224/22225/22226). The toolkit includes an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU, and a VSOCK-based ELF backdoor called VSOCKpuppet. The attack chain enabled VM-to-hypervisor escapes, remote control of ESXi hosts over VSOCK port 10000, and file transfer capabilities from guest VMs, all of which were halted by Huntress before a suspected ransomware stage could complete.

IDHS Privacy Misconfiguration Exposes Data of 700K Residents

🔒 The Illinois Department of Human Services (IDHS) said that misconfigured privacy settings on a public mapping website exposed personal and health-related information for nearly 700,000 residents. Maps intended for internal resource planning were publicly accessible for years, revealing addresses, case numbers, demographics, and plan names for many Medicaid and Medicare Savings Program recipients, and additional identifying details for some rehabilitation services customers. IDHS restricted access, reviewed exposed maps, blocked future uploads of identifiable customer data to public mapping platforms, and has notified affected individuals and regulators.

APT28 Credential Harvesting Hits Energy, Think Tanks

🔒 Recorded Future links GRU-affiliated APT28 (aka BlueDelta) to targeted credential-harvesting campaigns in 2025 that hit staff at a Turkish energy and nuclear research agency, a European think tank, and entities in North Macedonia and Uzbekistan. The group used regionally tailored Turkish-language lures and legitimate PDF decoys, and deployed spoofed OWA, Google and Sophos VPN pages hosted on services such as Webhook.site, InfinityFree, Byet and ngrok, capturing credentials and then redirecting victims to the real sites to avoid detection.