CISO Brief

All news in category “Incidents and Data Breaches”

2719 articles · page 75 of 136

Cyberattack disrupts Venezuelan oil giant PDVSA's operations

🛢️ Petróleos de Venezuela (PDVSA) reported a weekend cyberattack that it says was confined to administrative systems, did not reach operational areas, and left operations continuing under secure protocols. Internal memos and multiple sources cited by Bloomberg and Reuters contradict that account: staff were ordered to disconnect, and the systems managing the main crude terminal remained offline. PDVSA publicly blamed the United States and domestic conspirators for the incident.
read more →

Amazon Reveals Years-Long GRU Campaign Targeting Energy

🛡️ Amazon's threat intelligence team disclosed a years-long campaign that it attributes with high confidence to the GRU-affiliated APT44 (also tracked as FROZENBARENTS and Sandworm), which targeted Western critical infrastructure from 2021 to 2025. The actor shifted from zero-day exploitation to abusing misconfigured customer network edge devices and exposed management interfaces on AWS-hosted instances, which gave it packet capture, credential harvesting and credential replay capability against energy, telecom and cloud providers. Amazon observed exploitation of WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518) and Veeam (CVE-2023-27532), notified affected customers, disrupted active operations, and recommended auditing edge devices, enforcing stronger authentication, and monitoring for unexpected access and credential replay.
read more →

Bundestag Internet Outage Likely Not a Cyberattack

⚠️ The temporary, widespread outage of the German Bundestag's IT systems was reportedly not caused by a cyberattack. A letter to MPs and parliamentary IT officers says the immediate trigger was an overload between two data centers; the Federal Office for Information Security (BSI) has been involved and has found no indication of an attack so far. The precise technical fault is still under investigation.
read more →

Ink Dragon Expands: New Tools and Wider Victim Network

🛡️ Check Point Research reveals that Ink Dragon, a Chinese espionage group, has broadened operations from Asia and South America into European government networks, turning compromised servers into relay nodes to route commands and obscure activity. Updated toolsets — including a new FinalDraft variant — let attackers mimic Microsoft cloud traffic and maintain long-term access. Multiple actors, notably RudePanda, exploited the same public-facing flaw, underscoring how a single vulnerability can attract several advanced groups.
read more →

Urban VPN Extension Steals AI Chats from Users' Browsers

⚠️ Security researchers found that Urban VPN Proxy, a free browser extension with millions of installs, injected hidden scripts to capture full AI chat conversations from users’ browsers. The extension targeted multiple platforms including ChatGPT, Claude, Gemini and Perplexity, overriding browser network APIs to intercept prompts and responses. Captured data was packaged and sent to the extension operator’s backend even when VPN features were disabled. The extension marketed an “AI protection” feature that did not prevent this collection.
read more →

European Authorities Dismantle Ukrainian Call-Center Scam

🚨 European and Ukrainian authorities dismantled a large fraud ring operating call centers in Dnipro, Ivano-Frankivsk and Kyiv, arresting 12 suspects and seizing vehicles, weapons, a polygraph machine, computers, cash, and forged IDs after 72 coordinated searches on December 9. The network, which employed about 100 people from across Europe, scammed over 400 victims and stole more than €10 million using impersonation, remote-access tools and in-person cash pickups. The multi-country operation was led by investigators from the Czech Republic, Latvia, Lithuania and Ukraine with support from Eurojust.
read more →

5.8M Customers Exposed in 700Credit API Data Breach

🔒 700Credit, a Michigan fintech serving more than 20,000 car dealerships, disclosed a breach affecting 5.8 million customers. The company said a misconfigured API allowed unauthorized copying of records between May and October, exposing names, addresses and Social Security numbers. After discovering the activity on October 25, 700Credit engaged cybersecurity experts, who found it limited to the 700Dealer.com application layer and reported no evidence of identity theft. Affected individuals are being offered 12 months of TransUnion identity protection and credit monitoring at no cost.
read more →

SoundCloud Confirms Data Breach; VPN Access Disrupted

🔒 SoundCloud confirmed a security breach that triggered recent outages and prevented many users from accessing the site via VPN, producing 403 "forbidden" errors. The company says a threat actor accessed an ancillary service dashboard and stole a database containing limited data—primarily email addresses and information already visible on public profiles—and that no passwords or financial data were taken. SoundCloud says it has blocked unauthorized access, engaged outside security experts, and implemented additional controls; however, a configuration change disrupted VPN connectivity and the platform also experienced denial-of-service attacks during the response.
read more →

Askul Confirms Theft of 740,000 Customer Records after Oct.

🔒 Askul Corporation confirmed that the RansomHouse extortion group stole approximately 740,000 customer and partner records during an October ransomware incident. The compromised data includes business and individual customer service records, partner data, and employee information. Askul says the attackers likely entered with compromised administrator credentials belonging to an outsourced partner account that lacked MFA, then disabled EDR, moved laterally, deployed multiple ransomware variants, and wiped backups. The company has isolated affected networks, enforced MFA, reset admin passwords, begun individual notifications and established long-term monitoring.
read more →

PornHub Extorted After Mixpanel Breach Exposes Premium Data

🔓 PornHub says it is being extorted after threat actors claiming to be ShinyHunters said they stole analytics records from vendor Mixpanel, which suffered a smishing-driven breach on November 8, 2025. PornHub stated the incident affects only select Premium users and emphasized that passwords and payment details were not exposed. The company also said it has not worked with Mixpanel since 2021, indicating the records are historical analytics data.
read more →

ShinyHunters Extorts Pornhub Over Premium User Data

🔒 Pornhub says it is being extorted by the ShinyHunters gang after the group claimed to have stolen 201,211,943 historical analytics records tied to Premium members. The sample data reportedly includes email addresses, search and watch activity, video URLs, video names, keywords, locations and timestamps. Pornhub says passwords and payment details were not exposed and that it has not worked with Mixpanel since 2021. Mixpanel disputes that the files were taken during its November 2025 incident.
read more →

Amazon: Russian GRU Group Targets Western Infrastructure

🔐 Amazon Threat Intelligence details a multi-year, state-sponsored Russian campaign—assessed as GRU-linked—that targeted Western critical infrastructure, especially the energy sector, from 2021 through 2025. The actor shifted from exploiting N-day/zero-day flaws to abusing misconfigured customer network edge devices (including EC2-hosted appliances) to intercept credentials and gain persistent access. Amazon observed packet-capture based credential harvesting and subsequent credential replay attempts, with infrastructure overlaps linked to clusters tracked as Curly COMrades and Sandworm. Recommended mitigations include auditing edge devices, enforcing strong authentication, monitoring for credential replay, and applying AWS-specific controls.
read more →
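One way to act on the "monitor for credential replay" recommendation in this item and in the earlier Amazon entry, as an added example that is not Amazon's detection logic or any tool named on the page: over a constructed authentication log, flag a credential that succeeds from a source never seen for that account within a short window of an earlier success from a different source. The log layout, the 15-minute window and the sample addresses are assumptions; the logic needs a baseline of known sources per account, so the first success ever recorded for an account (ops-admin below) cannot be judged by this rule alone.

```javascript
"use strict";
// Added example, not code from the page or from Amazon. Flags a successful
// authentication from a source never seen for that account when it follows
// another success for the same account within REPLAY_WINDOW_MS.

const REPLAY_WINDOW_MS = 15 * 60 * 1000; // assumption: 15-minute replay window

// Constructed sample log, one event per line:
// "<ISO-8601 timestamp> <source ip> <account> <SUCCESS|FAILURE>"
const SAMPLE_LOG = `
2025-03-02T09:00:12Z 203.0.113.10 svc-backup SUCCESS
2025-03-02T09:03:40Z 203.0.113.10 svc-backup SUCCESS
2025-03-02T09:05:01Z 198.51.100.7 svc-backup SUCCESS
2025-03-02T09:07:22Z 198.51.100.7 ops-admin FAILURE
2025-03-02T09:08:00Z 198.51.100.7 ops-admin SUCCESS
2025-03-02T10:30:00Z 203.0.113.22 j.doe SUCCESS
2025-03-02T11:45:00Z 203.0.113.23 j.doe SUCCESS
`;

// Parse the assumed four-field layout into event objects with epoch-ms timestamps.
function parseLog(text) {
  return text
    .trim()
    .split("\n")
    .map((line) => {
      const [ts, ip, user, result] = line.trim().split(/\s+/);
      return { at: Date.parse(ts), ip, user, result };
    });
}

// Returns one alert per success that (a) comes from a source not previously
// seen for that account and (b) lands within windowMs of the account's last
// success from another source. Failures are ignored: replay of a harvested
// credential succeeds on the first try, which is exactly what makes it quiet.
function findReplays(events, windowMs = REPLAY_WINDOW_MS) {
  const lastSuccess = new Map();  // account -> { at, ip }
  const knownSources = new Map(); // account -> Set of source ips seen so far
  const alerts = [];
  for (const e of [...events].sort((a, b) => a.at - b.at)) {
    if (e.result !== "SUCCESS") continue;
    const seen = knownSources.get(e.user) ?? new Set();
    const prev = lastSuccess.get(e.user);
    if (prev && !seen.has(e.ip) && e.at - prev.at <= windowMs) {
      alerts.push({
        user: e.user,
        firstIp: prev.ip,
        replayIp: e.ip,
        gapSeconds: (e.at - prev.at) / 1000,
      });
    }
    seen.add(e.ip);
    knownSources.set(e.user, seen);
    lastSuccess.set(e.user, { at: e.at, ip: e.ip });
  }
  return alerts;
}
```

Running `findReplays(parseLog(SAMPLE_LOG))` yields a single alert for svc-backup (203.0.113.10 then 198.51.100.7, 81 seconds apart). j.doe's second source is outside the window and is not flagged, and ops-admin has no earlier success to compare against; in production, seed `knownSources` from historical logs so such first-seen sources can still be judged.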

SoundCloud VPN Access Blocked by 403 Error Outage Issue

🔒 Users accessing SoundCloud through many VPN services are currently blocked and receive a 403 'forbidden' server response. The problem has persisted for four days and was independently confirmed after multiple Reddit reports. SoundCloud's senior director of communications said configuration changes caused temporary connectivity issues and the company is working on a fix with no timeline given. Some VPN providers or server locations continue to work for certain users.
read more →

Featured Chrome Extension Harvested Millions of AI Chats

🚨 A Google Chrome extension carrying a "Featured" badge, Urban VPN Proxy, has been found silently harvesting prompts and responses from major AI chat services and sending them to remote analytics servers. The extension — installed by roughly six million Chrome users and about 1.3 million Edge users — was updated on July 9, 2025 (v5.5.0) with AI capture enabled by default. Injected scripts override browser networking APIs to intercept chat data and exfiltrate conversation text, IDs, timestamps, session metadata, and model/platform information. The publisher's updated privacy policy admits collecting AI prompts and outputs for "Safe Browsing" and marketing while disclaiming a full guarantee of de-identification.
read more →
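The interception mechanism described in this item and in the earlier "Urban VPN Extension Steals AI Chats" entry, as an added illustration that is not code from the page, the extension, or the researchers: an injected script replaces the page's `fetch()` with a same-named wrapper that mirrors requests and responses for a chosen host, and a page-side check notices the swap. The host `chat.example`, the request shape and the canned reply are assumptions; the stub stands in for the browser's native `fetch` so the scenario runs offline in Node 18 or later.

```javascript
"use strict";
// Added example, not the extension's code. Shows (1) a fetch() hook of the kind
// an injected content script installs and (2) a page-side integrity check.

const CHAT_HOST = "chat.example"; // assumption: the host the hook targets

// Constructed stand-in for the browser's native fetch: answers every POST with
// a canned reply built from the prompt. Not a real AI endpoint.
async function stubNativeFetch(input, init = {}) {
  const prompt = init.body ? JSON.parse(init.body).prompt : "";
  return new Response(JSON.stringify({ reply: `assistant: ${prompt}` }), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}

// What the injected script does: keep the original, publish a wrapper with the
// same name, and copy request body + response text for the target host into a
// queue (standing in for the extension's backend) while the page sees no change.
function installInterceptor(targetHost, exfilQueue) {
  const original = globalThis.fetch;
  globalThis.fetch = async function fetch(input, init) {
    const isRequest = typeof Request !== "undefined" && input instanceof Request;
    const url = String(isRequest ? input.url : input);
    const response = await original(input, init);
    if (new URL(url).hostname === targetHost) {
      // clone() so the page still receives an unconsumed body.
      const body = await response.clone().text();
      exfilQueue.push({ url, request: init?.body ?? null, response: body, capturedAt: Date.now() });
    }
    return response;
  };
}

// Page-side integrity check. Comparing against a reference captured at load
// works anywhere; the "[native code]" test only means something in a browser,
// where the genuine fetch is native (the stub above is plain JS, so `native`
// is false even before the hook).
function inspectFetch(pristine) {
  const current = globalThis.fetch;
  return {
    replaced: current !== pristine,
    native: /\[native code\]/.test(Function.prototype.toString.call(current)),
  };
}

// Walks the scenario end to end and returns what each side observed.
async function runDemo() {
  const exfilQueue = [];
  globalThis.fetch = stubNativeFetch;
  const pristine = globalThis.fetch;
  const before = inspectFetch(pristine);

  installInterceptor(CHAT_HOST, exfilQueue);
  const after = inspectFetch(pristine);

  // The page talks to the assistant exactly as it did before the hook...
  const res = await fetch(`https://${CHAT_HOST}/api/chat`, {
    method: "POST",
    body: JSON.stringify({ prompt: "draft the Q3 incident report" }),
  });
  const seenByPage = await res.json();
  // ...and an unrelated request is passed through untouched.
  await fetch("https://static.example/app.js");

  return { before, after, seenByPage, exfilQueue };
}
```

Call `runDemo()` to see the page receive its normal reply while the queue holds the prompt and the response text; `after.replaced` is the signal a page or a browser-hardening agent can act on. Blocking the extension's host in a policy, or verifying `fetch`, `XMLHttpRequest.prototype.open` and `WebSocket` against references taken before any content script runs, are the corresponding defensive checks.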

700Credit Breach Exposes 5.8M Dealership Customer Records

🔒 700Credit is notifying more than 5.8 million individuals after a threat actor exploited an exposed API to obtain customer records tied to dealership clients. The company detected suspicious activity on October 25 and, with third-party forensic assistance, confirmed unauthorized copying of web application records. Exposed data includes full names, addresses, dates of birth, and Social Security numbers. 700Credit is offering 12 months of complimentary identity protection through TransUnion and has filed breach notifications with the FTC and affected dealer clients.
read more →

Third Defendant Pleads Guilty in Fantasy Betting Hack

🔒 Nathan Austad, 21, pleaded guilty to conspiring to commit computer intrusion after participating in a credential stuffing campaign that compromised more than 60,000 user accounts on a fantasy sports betting site in November 2022. Prosecutors say attackers added payment methods, drained balances and sold account access on online marketplaces; roughly $600,000 was stolen from about 1,600 victims. Investigators say Austad ran an online shop and controlled cryptocurrency wallets that received approximately $465,000 in proceeds. He acknowledged awareness of an active investigation and faces up to five years in prison, with sentencing scheduled for April 10, 2026.
read more →

Phantom Stealer delivered via ISO-based phishing chain

📧 Seqrite Labs has uncovered a Russian-origin phishing campaign, tracked as Operation MoneyMount-ISO, that delivers the Phantom information stealer through a multi-stage attachment chain. Attackers distribute a ZIP containing an ISO; opening the ISO mounts it as a drive and presents a disguised executable, and running that executable triggers a loader that decrypts a malicious DLL and injects the stealer into memory while performing extensive anti-analysis checks. The campaign targets Russian-speaking finance, procurement and HR roles, harvesting passwords, cookies, crypto wallets, keystrokes and Discord tokens, then exfiltrating the data via Telegram bots, Discord webhooks and FTP.
read more →

Ransomware Attack Disrupts Operations at Ideal Insurance

🔒 Ideal Group has reported a cyberattack that forced several systems offline as a precaution, leaving business operations running in a limited capacity. The group's affiliate Ahorn AG is affected while subsidiary myLife Lebensversicherung reportedly remains unaffected. The ransomware group Akira is blamed; investigators and external specialists, together with law enforcement, are analysing the incident and currently report no indications of customer data misuse.
read more →

Google Links Additional Chinese Groups to React2Shell

🔒 Google's Threat Intelligence Group linked five additional China-aligned cyber-espionage groups to active exploitation of the maximum-severity CVE-2025-55182 React2Shell remote code execution flaw affecting React and Next.js server components. Attackers are executing commands and exfiltrating AWS configuration files and credentials from vulnerable hosts; Palo Alto and AWS reported widespread breaches. Shadowserver and GreyNoise are tracking tens of thousands of exposed systems and hundreds of exploit attempts. Organizations should urgently patch affected React 19.0–19.2.0 releases and apply mitigations.
read more →

Browser Extension Risk Guide After ShadyPanda Campaign

🔒 The ShadyPanda campaign hijacked thousands of legitimate Chrome and Edge extensions, converting them via silent updates into spyware and backdoors capable of remote code execution. About 4.3 million users installed compromised add-ons that could steal session cookies and impersonate SaaS accounts. Organizations should enforce extension allow lists, audit permissions, and treat extensions like OAuth apps. Platforms such as Reco can help bridge browser, endpoint, and SaaS visibility.
read more →