CISO Brief

All news in category “Incidents and Data Breaches”

2722 articles · page 70 of 137

Former Coinbase Support Agent Arrested in India After Breach

🔒 A former Coinbase customer support agent was arrested in Hyderabad after investigators linked the individual to a scheme that helped hackers access a company database earlier this year. Coinbase CEO Brian Armstrong said additional arrests are expected. The incident, tied to outsourced agents at TaskUs, affected about 69,500 customers and involved a $20 million ransom demand.

Korean Air Data Breach Exposes Thousands of Employees

🔓 Korean Air warned employees that personal information, including names and bank account numbers, was compromised after its former in-flight catering supplier, Korean Air Catering & Duty-Free (KC&D), notified the carrier it had been hacked. Local outlets report about 30,000 records were exfiltrated, and the Clop ransomware gang has claimed responsibility and posted the alleged data on its leak site. Korean Air reported the incident to authorities, is investigating the scope, and urged staff to remain vigilant for phishing and impersonation attempts.

Targeted npm Packages Used to Host Credential Lures

🔒 Cybersecurity researchers detailed a five-month, targeted spear-phishing campaign that published 27 malicious npm packages across six aliases to repurpose package CDNs as resilient hosting for browser‑run credential‑harvesting lures. The embedded HTML/JavaScript mimicked document‑sharing portals and Microsoft sign‑in, pre-filling victim emails and using bot/sandbox checks, honeypot fields and heavy obfuscation to evade detection. Socket links the domains to Evilginx-style AitM infrastructure and urges phishing‑resistant MFA, strict dependency verification, CDN request logging, and monitoring for suspicious post‑auth activity.

Hacker Claims WIRED Subscriber Database Leak, 2.3M

🔓 A threat actor using the handle 'Lovely' claims to have leaked an alleged WIRED subscriber database containing 2,366,576 records and offered access on hacking forums for roughly $2.30 in site credits. BleepingComputer validated multiple records and security researchers, including Alon Gal, corroborated the dataset via infostealer logs. The dataset includes email addresses, optional PII (names, addresses, birthdays, phone numbers), account timestamps spanning 1996–2025, and has been added to Have I Been Pwned for user checks.

Massive Rainbow Six Siege breach grants billions of credits

🚨 Ubisoft's Rainbow Six Siege suffered an in‑game abuse incident that allowed attackers to ban and unban players, display fake ban messages, and grant approximately 2 billion R6 Credits and Renown to accounts worldwide. Ubisoft confirmed the issue at 9:10 AM Saturday, intentionally shut down Siege and its Marketplace while teams investigated, and said transactions since 11:00 UTC will be rolled back. The company stated players will not be punished for spending the granted credits.

Fake Grubhub Emails Promise Tenfold Bitcoin Payout

💰 Fraudulent emails appearing to come from a Grubhub subdomain promised a tenfold bitcoin payout to recipients who transferred funds to a specified wallet, urging action within a 30-minute window. Messages were sent from addresses on b.grubhub.com and in some cases included recipients' names, increasing their apparent legitimacy. Grubhub says it isolated the issue, investigated the incident, and is taking steps to prevent recurrence while technical details remain undisclosed.

Trust Wallet Chrome Extension Exploit Drains $7M: Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.

China-linked Evasive Panda Used DNS Poisoning for Espionage

🐼 Kaspersky attributes a targeted espionage campaign to the China-linked APT cluster tracked as Evasive Panda, which used DNS cache and response poisoning between November 2022 and November 2024 to deliver the MgBot backdoor to victims in Türkiye, China, and India. The intrusions relied on multi-stage AitM techniques, trojanized updates, and per-victim encrypted payloads fetched via legitimate domains to maintain stealth. Kaspersky highlights the actor's long-term refinement of these methods to evade detection.

Malware Installed Onboard: Italian Ferry IoT Compromise

🚢 A reported compromise affected an Italian ferry; investigators say the malware appears to have been installed physically on board rather than via a remote intrusion. Operators are assessing systems and safety impacts. Details remain limited while authorities investigate.

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.

LastPass 2022 Breach Enabled Years-Long Crypto Drains

🔐 TRM Labs says encrypted vault backups stolen in the 2022 LastPass breach have been incrementally cracked by attackers exploiting weak master passwords, resulting in cryptocurrency drains as recently as late 2025. The firm traces over $35 million in siphoned assets, much of it laundered through CoinJoin and Russian-linked exchanges. TRM highlights how demixing and operational analysis linked activity to Russia-associated infrastructure and warns users who did not rotate credentials remain at risk.

Typosquatted MAS domain spread Cosmali PowerShell malware

⚠️ A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.

Coordinated Fake Job Ads Target MENA Remote Workers

🔍 Group-IB has uncovered a coordinated campaign of professionally produced fake job ads targeting MENA remote workers, exploiting the region's shift to remote roles. Ads on Facebook, Instagram and TikTok impersonate banks, e-commerce platforms and government bodies, then move conversations to WhatsApp and Telegram to harvest personal and financial data. Scammers promise quick earnings, use localized language and currencies, and reuse scripts and fake sites to scale and evade detection. Individuals are advised to verify employers, avoid sharing sensitive information and report suspicious listings.

FBI Seizes Domain Hosting Stolen US Bank Credentials

🔒 The FBI has seized the domain web3adspanels.org and the backend database used to host thousands of stolen U.S. bank login credentials collected via phishing ads on Google and Bing. Authorities report confirmed financial losses of about $14.6 million and attempted losses near $28 million, affecting at least 19 victims including two companies in the Northern District of Georgia. The seizure, conducted with help from Estonian and other international partners, removed a server that was active as recently as November; no arrests have been announced.

Attacks Evolve: Three Practical Protections for 2026

🔐 Small and medium-sized businesses became the primary target of data breaches in 2025, as attackers shifted focus from well-defended large enterprises to higher-volume attacks against smaller organizations. High-profile incidents at Tracelo, PhoneMondo, and SkilloVilla exposed millions of customer records—predominantly names and contact information—raising the risk of follow-on phishing and fraud. To reduce breach risk in 2026, adopt two-factor authentication, enforce the principle of least privilege for access control, and centralize credentials with a secure password manager. These steps are practical, cost-effective, and scalable for SMBs.

Webrat Lures Researchers with Fake GitHub Exploit PoCs

🐀 Attackers are hosting counterfeit proof-of-concept exploit repositories on GitHub to deliver the Webrat backdoor to unsuspecting users. Kaspersky analysts observed polished, likely machine-generated README files that mask a password-protected ZIP; the archive password is hidden in filenames and often missed. Inside are decoy DLLs, batch loaders and executables (e.g., rasmanesc.exe) that disable Windows Defender, escalate privileges, and fetch the real payload from hardcoded C2 servers. The campaign, active since at least September 2025, appears tuned to catch novice researchers and students who analyze PoCs outside isolated environments.

La Poste Offline After Major DDoS Disrupts Services

🔴 La Poste's main website and multiple digital services were taken offline by a major DDoS attack on Monday, and access remained impaired as of Wednesday morning. While email (laposte.net) and Digiposte reportedly stayed operational, online banking, the La Poste app and digital identity services were described as "temporarily inaccessible." The incident also disrupted physical operations, with some Paris post offices turning customers away. La Poste says teams are fully mobilized while analysts warn the timing suggests possible state-sponsored or hacktivist motives.

Interpol Operation Sentinel Disrupts Cybercrime in Africa

🔍 Interpol’s month-long Operation Sentinel targeted cybercriminal infrastructure across 19 African countries, producing 574 arrests, the decryption of six ransomware strains, and the takedown of roughly 6,000 malicious links. The sweep also uncovered a business email compromise (BEC) scheme that nearly cost a petroleum company $7.9 million and helped recover about $3 million. National law enforcement teams in Ghana, Benin and Cameroon executed targeted takedowns, recovered terabytes of data, and seized devices and servers with assistance from private cybersecurity organizations.

WebRAT Distributed via Fake PoC Exploits on GitHub

🛡️ Kaspersky researchers found WebRAT backdoor being distributed through GitHub repositories that posed as proof‑of‑concept exploits for recently disclosed vulnerabilities. The malicious packages were delivered as password‑protected ZIPs containing a corrupted decoy DLL, a batch script, and a main dropper named rasmanesc.exe that elevates privileges, disables Defender, and downloads WebRAT. All identified repositories have been removed, but developers are urged to verify PoC sources and test untrusted code in isolated environments.