All news in category "Incidents and Data Breaches"

Sun, November 23, 2025

Iberia Notifies Customers of Vendor-Related Data Leak

🔔 Iberia has informed customers of a security incident after unauthorized access to a supplier's systems exposed limited customer information. The airline says affected fields may include full name, email address, and Iberia Club loyalty identification numbers, while login credentials and payment card data were not accessed. Iberia says it activated its security protocol, added verification codes for email changes, is monitoring systems, and has notified authorities as it works with the third-party vendor. Customers are urged to watch for suspicious messages and report anomalies to the airline.

Sat, November 22, 2025

WhatsApp API Flaw Enabled Scraping of 3.5B Accounts

🔍 Researchers from the University of Vienna and SBA Research compiled a list of 3.5 billion active WhatsApp mobile numbers and associated personal details by abusing a contact-discovery API that lacked rate limiting. Running from a single server with five authenticated sessions, they queried more than 100 million numbers per hour and tested a generated space of 63 billion potential numbers. The team responsibly reported the issue and WhatsApp has since added rate-limiting protections. Although the researchers did not publish the dataset, their findings illustrate how unprotected APIs enable large-scale scraping and privacy exposure.

Sat, November 22, 2025

China-linked APT31 Targets Russian IT with Stealth

🛡️ Positive Technologies links a prolonged 2024–2025 intrusion campaign in the Russian IT sector to China-linked APT31, reporting extended dwell times and stealthy command-and-control. The group relied on legitimate cloud platforms — notably Yandex Cloud and Microsoft OneDrive — and concealed encrypted payloads in social media profiles to blend with normal traffic. Observed techniques include spear-phishing RAR attachments containing LNK loaders that deploy the Cobalt Strike-based CloudyLoader, DLL side-loading, scheduled tasks that mimic legitimate apps, and a broad mix of public and custom tools to harvest credentials and exfiltrate data.

Sat, November 22, 2025

Cox Enterprises Discloses Oracle E-Business Suite Breach

🔒 Cox Enterprises says hackers accessed its network after exploiting a zero-day in Oracle E‑Business Suite, with activity occurring between Aug. 9–14 and detected on Sept. 29, 2025. The company notified 9,479 impacted individuals and is offering 12 months of credit monitoring and identity protection through IDX. The Cl0p ransomware gang has claimed responsibility and posted stolen files after Oracle issued a patch on Oct. 5. Cox did not specify the types of data exposed in the notice.

Sat, November 22, 2025

Qilin Ransomware Investigation: Huntress Forensics Analysis

🔍 Huntress Labs detailed a Qilin ransomware investigation in which visibility was constrained because their agent was installed after the compromise and only on a single endpoint. Analysts correlated managed antivirus alerts, Windows Event Logs, AmCache, PCA logs, and VirusTotal to reconstruct a timeline showing a rogue ScreenConnect RMM deployment, attempts to run infostealer binaries, tampering with Windows Defender, and likely ransomware execution from another host. The report stresses validating artifacts across multiple sources to avoid false assumptions and inform accurate remediation.

Sat, November 22, 2025

Matrix Push C2 Uses Browser Notifications for Phishing

🔔 Matrix Push C2 is a browser-native, fileless C2 platform that leverages web push notifications, fake alerts, and link redirects to distribute phishing links across operating systems. Attackers social-engineer users into allowing notifications on malicious or compromised sites, then send branded, OS-like alerts with action buttons that redirect victims to fraudulent landing pages. Sold as a MaaS kit via Telegram and cybercrime forums, it includes a web dashboard, analytics, URL shortening, configurable templates (e.g., MetaMask, Netflix, PayPal), and tiered crypto-paid subscriptions.

Sat, November 22, 2025

CrowdStrike Fires Insider Allegedly Sharing Internal Data

🔒 CrowdStrike said it fired a “suspicious insider” after screenshots of company resources—including an Okta dashboard for internal access—appeared in a public Telegram channel run by Scattered Lapsus$ Hunters. The hackers claimed the material came from a Salesforce-ecosystem breach involving vendor Gainsight, a claim CrowdStrike denied. The company told TechCrunch investigators the images were produced when an employee shared pictures of their screen externally, that its systems were not compromised, and that customers remained protected. CrowdStrike has referred the matter to law enforcement.

Fri, November 21, 2025

AI-generated fake sites deliver malicious Syncro builds

⚠️ Kaspersky describes a campaign in which attackers used the AI-powered web builder Lovable to mass-generate convincing fake vendor pages that host malicious installers. Those pages distribute a custom, attacker-signed build of the legitimate remote administration tool Syncro, which installs silently and grants full remote access. Because the payload is a legitimate admin tool altered for abuse, detection is difficult and victims risk data theft and loss of cryptocurrency funds.

Fri, November 21, 2025

CrowdStrike Insider Shared Screenshots with Hackers

🔒 CrowdStrike confirmed that an insider shared screenshots taken on internal systems with external threat actors but stressed that its systems were not breached and customer data remained protected. The company said it identified and terminated the suspicious employee after an internal investigation and has referred the matter to law enforcement. CrowdStrike declined to name the responsible group or the insider's motives, while screenshots surfaced on Telegram attributed to several extortion-focused collectives.

Fri, November 21, 2025

Scattered Spider Teens Plead Not Guilty in TfL Hack

🔒 Two British teenagers, identified by authorities as suspected members of the Scattered Spider collective, have pleaded not guilty to computer misuse and fraud-related charges at Southwark Crown Court. The charges stem from an August 2024 breach of Transport for London (TfL) that disrupted online services, caused millions in losses, and was later found to have exposed customer names, addresses, and contact details. Arrested in September 2024 by the NCA and City of London Police, the defendants face additional alleged conspiracies involving US healthcare networks and separate counts tied to seized passwords.

Fri, November 21, 2025

OAuth Token Compromise Hits Salesforce Ecosystem Again

🔐 Salesforce disclosed unauthorized access tied to Gainsight-published apps using OAuth integrations, saying it revoked all active access and refresh tokens and temporarily removed those apps from the AppExchange while investigators continue their work. Gainsight confirmed the incident, has engaged Mandiant for forensics, and revoked related connector access across other marketplaces. Google Threat Intelligence linked the activity to actors associated with ShinyHunters, echoing prior token-abuse campaigns against Salesloft and Drift. The incident highlights supply-chain risks in SaaS OAuth integrations and reinforces urgent recommendations to audit and revoke suspicious tokens.

Fri, November 21, 2025

Music Store's Google Ads Account Hijacked, €4M Loss

🔒 The Google Ads account for Cologne-based retailer Music Store was reportedly taken over by attackers on 19 October 2025. Criminals have linked more than 2,500 foreign advertising accounts to the company’s payment profile and are running persistent campaigns promoting online casinos and crypto exchanges that administrators cannot remove. The assigned Google account manager has reportedly been unable to stop the activity, and formal attempts to get intervention via official channels have so far failed. Police cybercrime investigators and consumer protection authorities have been notified, and reported losses exceed €4 million.

Fri, November 21, 2025

APT24 Deploys BADAUDIO in Multi-Year Espionage Campaign

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.

Fri, November 21, 2025

Gainsight Supply-Chain Hack Disrupts Salesforce Apps

⚠️ On November 20, customer support platform provider Gainsight reported connection failures after Salesforce revoked active access for the Gainsight SFDC Connector following detection of unusual activity. Salesforce temporarily removed all Gainsight-published apps from its AppExchange, citing potential unauthorized access via the app's external connection rather than a Salesforce platform vulnerability. Gainsight also disabled integrations with HubSpot and Zendesk, and engaged Mandiant to support forensic work. A criminal collective claiming affiliation with Lapsus$/Scattered Spider said it was responsible and threatened wider data leaks and a RaaS offering.

Fri, November 21, 2025

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported that it detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

Thu, November 20, 2025

Google Details BadAudio Malware Used by China APT24

🔐 Google Threat Intelligence Group (GTIG) disclosed a previously undocumented loader, BadAudio, used by China-linked APT24 in a multi-year espionage campaign that employed spearphishing, watering-hole infections, and supply-chain compromises. The loader is heavily obfuscated, leverages DLL search-order hijacking and control-flow flattening, and exfiltrates encrypted system data to hard-coded C2 servers. In at least one observed case it delivered a Cobalt Strike Beacon, and many samples remained undetected by most antivirus engines.

Thu, November 20, 2025

Hacker Claims Theft of 2.3TB from Almaviva Affecting FS

🔓 A threat actor claims to have stolen 2.3 terabytes of data from IT services provider Almaviva and posted the material on a dark web forum. The leak reportedly includes confidential documents and sensitive information related to FS Italiane Group, such as internal shares, technical documentation, contracts, HR and accounting archives. D3Lab's Andrea Draghetti says the files are recent (Q3 2025) and not recycled from a 2022 Hive incident. Almaviva confirmed a breach, says affected systems were isolated, and that authorities have been notified while an investigation continues.

Thu, November 20, 2025

Hacker Claims 2.3TB Theft from Italian Rail IT Provider

🔒 A threat actor claims to have stolen 2.3 terabytes of data from Almaviva, the IT services provider linked to Italy's state-owned rail operator, FS Italiane Group. The actor posted the alleged dump on a dark web forum and described the contents as confidential documents, technical files, contracts, HR and accounting archives. Almaviva confirmed a cyberattack affecting corporate systems, said some data were taken, and reported it to national authorities while an investigation is ongoing.

Thu, November 20, 2025

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.

Thu, November 20, 2025

Tsundere Botnet Expands Using Game Lures and Node.js

🛡️ Kaspersky researcher Lisandro Ubiedo details an expanding Windows-focused botnet named Tsundere that retrieves and executes arbitrary JavaScript from remote command-and-control servers. The threat, active since mid‑2025, has been distributed via fake MSI installers and PowerShell scripts that deploy Node.js, install dependencies (ws, ethers, and pm2) and establish persistence. Operators fetch WebSocket C2 addresses from an Ethereum smart contract to rotate infrastructure, while a control panel enables artifact building, bot management, proxying, and an on-platform marketplace.