CISO Brief

All news in category “Incidents and Data Breaches”

2722 articles · page 71 of 137

Clop-Linked Breach Exposes Data on 3.5M at University of Phoenix

🔒 University of Phoenix disclosed a breach affecting 3,489,274 individuals after attackers accessed its systems in August and stole sensitive personal and financial data. Investigators say the intrusion targeted the university's Oracle E-Business Suite deployment through CVE-2025-61882, a zero-day in that product; the attackers were active from August 13 to 22 and the intrusion was detected on November 21. The university is offering 12 months of credit and dark web monitoring, identity recovery services and up to $1m in fraud reimbursement. The incident is linked to Clop and forms part of a wider campaign that has hit more than 100 organizations.
read more →

Two Chrome Extensions Steal Credentials via Proxies

⚠️ Security researchers discovered two malicious Google Chrome extensions, published as Phantom Shuttle, that intercept and exfiltrate credentials and session data from more than 170 targeted domains. Once a user pays for a subscription, the add-ons enable a 'smarty' proxy mode, inject hard-coded proxy credentials, and route selected traffic through attacker-controlled proxies, giving the operators a persistent man-in-the-middle position. A recurring heartbeat to a command-and-control server forwards VIP emails, plaintext passwords and version details, enabling continuous monitoring and credential theft.
read more →

Amazon Blocks 1,800+ Job Applications Tied to North Korea

🛡️ Amazon's chief security officer Stephen Schmidt says the company has blocked more than 1,800 job applications since April 2024 that are suspected to originate from North Korean agents, with linked submissions increasing roughly 27% per quarter in 2025. Amazon combines AI-based analysis with manual review—searching for links to at-risk institutions, application anomalies, and geographic inconsistencies—and verifies identities via background checks, references, and structured interviews. Recurring trends include increasingly sophisticated identity theft, hijacked LinkedIn profiles, fake U.S. educational credentials, and the use of "laptop farms" to simulate local presence; even phone numbers formatted with a country code of "1" can be a red flag. Amazon says the purpose appears to be securing remote employment to funnel income to North Korea's weapons program and urges industry peers to tighten identity verification and report suspicious activity to authorities such as the FBI.
read more →

French postal service disrupted by suspected DDoS attack

⚠️ France’s national postal service, La Poste, experienced a widespread network outage lasting more than twelve hours that affected its website, mobile app, digital document service Digiposte, and a digital ID service. Counter services remained operational, but the banking arm, Banque Postale, saw its app and online services go offline. Payments and SMS verification reportedly continued to function. Officials have not confirmed a cause; Le Monde Informatique has cited a suspected DDoS attack.
read more →

Malicious Chrome Extensions Route Traffic to Steal Data

🔒 Two Chrome extensions in the Web Store, both published as Phantom Shuttle, are malicious plugins that hijack browser traffic and have been active since at least 2017, researchers report. Targeting users in China, the extensions pose as proxy and network-speed tools and prepend obfuscated code to the jQuery library to route requests through attacker-controlled proxies using hardcoded credentials and a PAC script. The plugins dynamically reconfigure Chrome proxy settings and route traffic for over 170 high-value domains, intercepting HTTP authentication challenges to capture form credentials, session cookies and API tokens while excluding local networks and the command-and-control domain to limit detection. At the time of reporting the extensions remained in Chrome's official marketplace; users are advised to install only extensions from reputable publishers and review requested permissions carefully.
read more →

OAuth device-code abuse enables MFA bypass in attacks

🔒 Security firm Proofpoint reports that attackers are abusing the OAuth 2.0 device-code flow to bypass MFA. The attacker initiates the flow and therefore holds the device code; the victim is only asked to open a Microsoft device-login link and enter the matching short user code, then sign in, MFA included. Once the victim completes that step, the attacker's client obtains the access and refresh tokens and gains full access to the victim's Microsoft 365 account and content. Proofpoint observed both Russian and Chinese threat actors using this technique.
read more →

Coupang Sued for Delayed SEC Breach Disclosure, Key Failures

🔒 Coupang disclosed a massive breach via a Form 8-K 28 days after discovering unauthorized access on Nov. 18, 2025, prompting a US securities class action that alleges the delay violated SEC rules requiring disclosure of a material cybersecurity incident within four business days of determining it is material. The complaint asserts CEO Bom Kim and CFO Gaurav Anand knew or recklessly disregarded inadequate cybersecurity controls that allowed a former employee to access customer data for nearly six months. Investigators found that signing keys and authentication tokens were not revoked after the employee's departure, exposing personal information from 33.7 million accounts and revealing systemic failures in key management. Coupang faces parallel scrutiny from South Korean authorities, potential fines, and ongoing litigation.
read more →

Major Network Incident Knocks La Poste Services Offline

🚨 La Poste, France’s national postal service, reported a 'major network incident' that knocked its information systems offline and disrupted its website, mobile app, digital identity service and the Digiposte document platform. La Banque Postale said online and mobile banking were affected but core banking functions — ATM withdrawals, in-store card payments, interbank exchanges and WERO transfers — remained operational. French media cited a suspected DDoS attack; La Poste has not provided a restoration timeline.
read more →

Denmark Attributes Two Destructive Cyberattacks to Russia

🔒 The Danish Defence Intelligence Service (DDIS) publicly attributed two separate cyber operations to Russian-linked actors. It said a pro-Russian group known as Z-Pentest carried out a destructive intrusion against a Danish water utility in 2024, while NoName057(16), an actor with ties to the Russian state, mounted disruptive DDoS attacks against Danish websites ahead of municipal and regional elections in November. Danish authorities characterized the incidents as part of a broader pattern of state-aligned cyber coercion and disruption.
read more →

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.
read more →

INTERPOL Nets 574 Arrests Across Africa, Ransomware Case

🛡️ INTERPOL coordinated Operation Sentinel between Oct. 27 and Nov. 27, 2025, recovering $3 million and prompting the arrest of 574 suspects across 19 African countries. The campaign targeted business email compromise, digital extortion and ransomware, taking down over 6,000 malicious links and decrypting six ransomware variants. Authorities disrupted fraud rings that stole more than $400,000 and seized devices and servers. Separately, a Ukrainian national pleaded guilty for his role as a Nefilim ransomware affiliate.
read more →

Nissan Confirms 21,000 Customers Impacted by Red Hat Breach

🔓 Nissan has disclosed that a third-party breach at Red Hat in September led to the exposure of about 21,000 customer records tied to its Fukuoka sales unit. The carmaker said it was notified by Red Hat on October 3 and has informed the Personal Information Protection Commission while contacting affected individuals. Exposed fields include names, addresses, phone numbers and partial email addresses, but not payment card data. Nissan warned customers to be vigilant for suspicious calls or mail while investigations continue.
read more →

Baker University 2024 Data Breach Exposes 53,624 Records

🔒 Baker University has disclosed a data breach in which attackers accessed its network in December 2024 and exfiltrated records for 53,624 individuals. The compromised information potentially included names, dates of birth, Social Security numbers, driver's license and passport numbers, financial account details, and medical and insurance information. The university is offering free credit monitoring and says it has engaged external cybersecurity experts and rebuilt the primary compromised platform.
read more →

Interpol Operation Sentinel Leads to 574 Arrests in Africa

🔍 Operation Sentinel, coordinated by Interpol, resulted in 574 arrests across Africa during the month-long campaign from 27 October to 27 November. Authorities recovered $3m in alleged cybercrime proceeds, decrypted six ransomware variants and removed around 6,000 malicious links and domains. Key interventions included halting a $7.9m fraudulent wire transfer in Senegal and recovering 30TB of data encrypted in an attack on a Ghanaian financial institution. The operation involved national forces and industry partners such as Team Cymru and Trend Micro.
read more →

DoJ Seizes Domain That Enabled $14.6M Account Takeovers

🔒 The U.S. Department of Justice announced it seized the domain web3adspanels.org and an associated database used as a backend panel to store and manipulate illegally harvested bank login credentials. Authorities say the group delivered fraudulent search ads that redirected victims to counterfeit banking sites containing malicious code that harvested credentials. The scheme affected 19 U.S. victims, causing attempted losses of about $28 million and actual losses of approximately $14.6 million.
read more →

Nissan: Thousands of Customers Exposed in Red Hat Breach

🔓 Nissan confirmed that personal data for about 21,000 customers who purchased vehicles or received services at Nissan Fukuoka was exposed after a September breach of Red Hat's development environment. Leaked fields include full names, physical addresses, phone numbers, email addresses and sales-related customer data; no financial or credit card data were affected. Nissan says it has no evidence the data have been misused.
read more →

Interpol Sentinel: Decrypts Ransomware, 574 Arrests

🔐 Interpol-led Operation Sentinel, run from October 27 to November 27 across 19 countries, resulted in 574 arrests and the recovery of $3 million tied to business email compromise, extortion, and ransomware. Investigators decrypted six ransomware strains and removed more than 6,000 malicious links. Private-sector partners such as Trend Micro, TRM Labs and Team Cymru supported attribution, takedowns and freezing of proceeds. Multiple country-level seizures and arrests targeted prolific scam infrastructures in West and Central Africa.
read more →

Malicious npm WhatsApp API 'lotusbail' Steals Accounts

🔒 Koi Security disclosed a malicious npm package, lotusbail, masquerading as a WhatsApp API and designed to intercept authentication tokens, messages, contacts and media. Uploaded in May 2025 by the account "seiren_primrose", it has been downloaded over 56,000 times and remained available at the time of reporting. The library wraps the WebSocket client and contains a hard-coded pairing code that links the attacker's device to a victim's WhatsApp account, creating a persistent backdoor even after uninstallation. It also implements anti-debugging traps to freeze execution and hinder analysis.
read more →

Malicious NPM Package Steals WhatsApp Accounts and Messages

🔒 A malicious NPM package published as lotusbail and masquerading as a WhatsApp Web API library was found to exfiltrate authentication tokens, session keys, messages, contacts and media. Researchers at Koi Security report the package wraps the legitimate WebSocket client from the Baileys project so all traffic is intercepted and recorded. The malware encrypts captured data with layered obfuscation (Unicode tricks, LZString, AES and custom RSA) and establishes persistent access by pairing the attacker’s device to victims' WhatsApp accounts. Developers should remove the package, inspect linked devices, and monitor runtime behavior for unexpected outbound connections.
read more →

Activists Claim Copy of Spotify’s Entire Music Library

🎵 Spotify is investigating claims by a collective of pirate activists who say they accessed 256 million rows of metadata and 86 million audio files — roughly 300 terabytes in total. The activists report that metadata, but not audio files, was made publicly available via Anna’s Archive, which frames the release as cultural preservation. Spotify has confirmed a probe into an incident in which a third party allegedly scraped public metadata and bypassed DRM protections to access certain audio files.
read more →