CISO Brief

All news in category “Incidents and Data Breaches”

2705 articles · page 9 of 136

Teen Allegedly Linked to Scattered Spider Faces Extradition

🔒 A 19-year-old allegedly tied to Scattered Spider was arrested in Helsinki and is facing U.S. extradition on counts including wire fraud, conspiracy, and computer intrusion. Prosecutors say he participated in multiple social-engineering intrusions from March 2023 through 2025 that used help-desk impersonation to reset MFA and exfiltrate data. Court filings and social-media posts reportedly tied the suspect to luxurious spending and to taunting law enforcement, underscoring how poor operational security and public boasting can accelerate investigations. The case highlights the ongoing threat of phone-based account takeover and the need for stronger, phishing-resistant controls.

Hacking Polymarket: Verification Failures and Insider Risks

⚠ Polymarket, a platform for betting on real-world events, faces serious integrity problems. Participants have attempted to manipulate outcome verification — including threats to a journalist whose reporting served as an adjudicating source and physical tampering with weather sensors (using hair dryers) to rig weather markets. The site also suffers widespread insider trading, creating legal and ethical exposure. These dynamics undermine trust and the reliability of event-based markets.

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.

Global Crackdown: 276 Arrested, $701M Seized, 9 Centers

🔒 A coordinated international operation led by Dubai Police alongside the FBI and China's Ministry of Public Security arrested 276 suspects, shut nine crypto scam centers, and restrained more than $701 million in cryptocurrency tied to investment fraud. The schemes employed pig butchering and romance-baiting lures and relied on trafficked workers forced to run scam compounds. Authorities seized hundreds of fraudulent domains and a Telegram recruitment channel, sanctioned Cambodian actors, flagged an Android Malware-as-a-Service, and credited Operation Level Up with notifying nearly 9,000 victims and saving about $562 million.

Instructure Confirms Data Breach; ShinyHunters Claims

🔒 Instructure confirmed a cybersecurity incident that exposed personal information after the extortion group ShinyHunters posted claims of a large data theft. Company updates indicate affected data may include names, email addresses, student ID numbers, and private messages, while no evidence so far points to leaked passwords, dates of birth, government identifiers, or financial data. Instructure says it has patched the reported vulnerability, rotated application keys, increased monitoring, and requires customers to re-authorize API access as part of its response while third-party experts and law enforcement investigate.

Telegram Mini Apps Abused for Crypto Scams, Malware

⚠️ Researchers uncovered a large-scale fraud operation leveraging Telegram Mini Apps to run crypto scams and distribute Android malware. The infrastructure, identified by the FEMITBOT API string, uses Telegram bots to launch embedded Mini Apps that present phishing pages inside the app's WebView and impersonate well-known brands. Campaigns display fake dashboards, countdowns, and withdrawal prompts that demand deposits or referrals, and some prompt users to download APKs hosted on the same domains to avoid mixed-content warnings; Android users should not sideload APKs and should be cautious with bots asking for funds or app installs.

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.

Trellix Confirms Unauthorized Access to Source Code

🔐 Trellix has confirmed an incident that allowed unauthorized access to a portion of its source code repository. The company said it recently identified the compromise, engaged leading forensic experts, and notified law enforcement while pursuing an internal investigation. Trellix did not disclose the specific data accessed or an attribution, but stated there is currently no evidence that its source code was released, distributed, or exploited. Additional information will be shared as the investigation progresses.

Instructure Discloses Cybersecurity Incident, Investigates

🔐 Instructure has disclosed a cybersecurity incident and says it is actively investigating the impact with outside forensics experts. The company, best known for the Canvas learning platform, indicated some services have been under maintenance since May 1 and customers may experience issues with tools that rely on API keys. Instructure said it is working to understand the extent of the incident, minimize impact, and will provide updates as they become available.

30,000 Facebook Accounts Hacked via AppSheet Phishing Relay

🔐 A Vietnamese-linked operation used a Google AppSheet address as a phishing relay to distribute credential-harvesting pages and compromise roughly 30,000 Facebook accounts. Guardio, calling the scheme AccountDumpling, says stolen accounts are resold via an illicit storefront after exfiltration to Telegram channels. Lures hosted on Netlify, Vercel and Google Drive, plus Canva-generated PDFs, were used to harvest passwords, 2FA codes, IDs and business data, leaving many victims locked out.

15-Year-Old Detained Over ANTS Data Breach in France

🔒 French authorities have detained a 15-year-old on suspicion of selling data stolen from France Titres (ANTS) after the agency detected suspicious activity on April 13 and alerted prosecutors on April 16. Investigators say a user going by the alias breach3d offered between 12 and 18 million records on a cybercriminal forum; ANTS later reported 11.7 million impacted accounts. Exposed fields include full names, email addresses, dates of birth, postal addresses, and phone numbers, although ANTS said the stolen data could not be used for unauthorized access. Prosecutors are seeking formal charges and judicial supervision; the alleged offenses carry up to seven years’ imprisonment and a €300,000 fine.

BleepingComputer Retracts Instructure Breach Report

📝 BleepingComputer initially published a story reporting a new data breach at Instructure. Shortly after publication, the newsroom determined the information was incorrect and primarily based on outdated details from a prior incident. The article has been retracted and a retraction notice appended to the record; we regret the error. We are reviewing editorial processes to strengthen verification and prevent similar mistakes.

Vishing and SSO Abuse Drive Rapid SaaS Extortion Campaigns

🔒 Cybercrime clusters Cordial Spider and Snarky Spider are executing fast, low-footprint extortion campaigns that rely on vishing and SSO adversary-in-the-middle pages to harvest credentials and MFA codes. After registering devices and suppressing notification emails, attackers pivot directly into SaaS platforms such as Google Workspace, HubSpot, SharePoint, and Salesforce to locate and exfiltrate high-value files. Researchers note heavy use of living-off-the-land techniques and residential proxies to minimize detection.

China-Linked Hackers Target Asian Governments, Journalists

🔒 Trend Micro disclosed a China-aligned espionage campaign tracked as SHADOW-EARTH-053 that exploited N-day flaws in internet-facing Microsoft Exchange and IIS servers to deploy web shells (including Godzilla) and persistently stage the ShadowPad backdoor via DLL sideloading and AnyDesk. Targets spanned Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and one NATO member, Poland. Citizen Lab separately reported two phishing clusters, GLITTER CARP and SEQUIN CARP, impersonating journalists and tech/security alerts to harvest credentials and OAuth tokens. Researchers recommend urgent patching, virtual patching with WAF/IPS, and heightened monitoring for tunneling tools, web shells, and lateral-movement artifacts.

Two Cybersecurity Workers Jailed for BlackCat Ransomware

🔒 Two American cybersecurity workers, Ryan Goldberg and Kevin Martin, were each sentenced to four years in prison for helping the BlackCat (ALPHV) ransomware gang carry out attacks in 2023, the US Department of Justice said. The pair — who pleaded guilty in December 2025 — worked with a former negotiator, Angelo Martino, and shared proceeds from ransoms, including a $1.2m Bitcoin payout. Prosecutors said they abused specialist cyber skills; the FBI tracked Goldberg across ten countries before his arrest.

Negotiator Pleads Guilty to Aiding Ransomware Gang

⚖️ The negotiator pleaded guilty after secretly working for a ransomware gang while ostensibly negotiating payments for victims. The arrangement allowed a trusted intermediary to funnel information to the gang and steer negotiations in its favor, undermining client trust and incident response. Prosecutors say the conduct included clandestine communications that advantaged the criminals and complicated recovery. The plea underscores the risk of relying on third-party negotiators without robust oversight.

Two Cybersecurity Experts Get 4-Year Terms in BlackCat Case

🔒 The U.S. Department of Justice has sentenced two cybersecurity professionals to four years in prison for their roles in deploying ALPHV/BlackCat ransomware against multiple U.S. victims between April and December 2023. Ryan Goldberg and Kevin Martin pleaded guilty in December 2025 after conspiring with Angelo Martino to gain access to the ransomware in exchange for a share of ransoms. Authorities say one extortion yielded approximately $1.2 million in Bitcoin, which the defendants laundered, and that the men abused their security expertise while employed by Sygnia and DigitalMint.

Poisoned Ruby Gems and Go Modules Target Developers

🔒 A new supply chain campaign used sleeper Ruby gems and Go modules published by BufferZoneCorp to deploy post-install payloads that harvest credentials and establish persistence. The malicious Ruby packages exfiltrated environment variables, SSH keys, AWS secrets, .npmrc/.netrc files and developer configuration during install. The Go modules tampered with GitHub Actions by installing fake go wrappers, intercepting builds, and adding a hard-coded SSH key to ~/.ssh/authorized_keys. Users should remove affected packages, rotate exposed credentials, and inspect systems and CI runners for unauthorized SSH entries and outbound connections.

Former incident-response staff get 4-year terms for BlackCat

🔒 Two former employees of incident response firms Sygnia and DigitalMint were each sentenced to four years in prison after pleading guilty to conspiring to obstruct commerce by extortion for acting as affiliates of the BlackCat (ALPHV) ransomware group between May and November 2023. Prosecutors say they paid a 20% share for access to BlackCat's ransomware and extortion platform and breached multiple U.S. companies, including medical and manufacturing firms; one Tampa medical device company paid $1.27 million after a $10 million demand. DigitalMint said the individuals were immediately terminated and their conduct was condemned by the company.

Romanian Leader of Swatting Ring Sentenced to 4 Years

🚨 A Romanian national, Thomasz Szabo, was sentenced to four years in U.S. federal prison after pleading guilty to conspiracy and threats involving explosives. Extradited from Romania in November 2024, Szabo led an online swatting community that organized bomb threats and swatting calls beginning in late 2020 and targeting more than 75 public officials, journalists, and religious institutions. The court also ordered three years of supervised release.