< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3000 articles · page 9 of 150

iRhythm confirms patient data breach after extortion

🔒 iRhythm Holdings disclosed a data breach after threat actors accessed patient personal and health information stored on third-party business applications. The company detected the incident on June 10, 2026, after receiving a ransom demand the prior week and launched an investigation with external cybersecurity experts. iRhythm said the breach involved data exfiltration via social engineering but did not affect its clinical devices, manufacturing, or financial systems. The firm has not confirmed the exact number of affected individuals.
read more →

DOJ seizes deepfake nude sites under new law

🔒 The U.S. Department of Justice seized CFAKE.com and SOCFAKE.com after finding they hosted nonconsensual AI-generated nude images and videos, marking the first publicly announced domain seizures under the TAKE IT DOWN Act. The sites allegedly displayed sexually explicit deepfakes of politicians, celebrities, athletes, and others. The action followed a multinational probe involving Italy and France and led to an arrest in Nice and seizure of related cryptocurrency. The law, enacted in May 2025, criminalizes publishing intimate altered images without consent and requires prompt takedowns.
read more →

Supply-chain Attack Compromises Popular WordPress Plugins

🛡️ Dutch researcher Sansec revealed a supply-chain attack that tampered with JavaScript for three plugins from Awesome Motive — OptinMonster, TrustPulse and PushEngage. The malicious payload created rogue administrator accounts and installed a stealth backdoor plugin after detecting a logged-in admin, sending credentials to a lookalike service. Sansec observed brief exposure windows for some tampered scripts and urged site owners to check for unfamiliar admins and traffic to tidio[.]cc.
read more →

Council of Europe Probes ShinyHunters Breach Claims

🔎 The Council of Europe is investigating claims by the ShinyHunters extortion group that it exfiltrated hundreds of thousands of HR and payroll records. The organization, representing 46 member states, said it is assessing the situation and cannot provide further comment. ShinyHunters posted on a dark web leak site, threatening to publish alleged files containing extensive personal and financial data if demands are not met.
read more →

Anubis Ransomware Targets Adriatic Port Authority

🔒 New analysis from Resecurity details a ransomware attack by the Anubis group that targeted the Adriatic Port Authority, operator of Ancona port. The breach, traced to December 11, 2025 and publicly claimed by Anubis in January 2026, reportedly affected about 2% of the authority's data while backups preserved most records. Resecurity says the incident disrupted operations, forced vessel rerouting, and involved a reported $10m Bitcoin ransom demand, with sensitive safety and security plans among the stolen files.
read more →

FBI warns couriers used in crypto investment scams

🛡️ The FBI warned that criminals are using couriers to collect cash from victims of cryptocurrency investment scams, often after banks block suspicious transfers. Scammers build trust through social media or dating platforms, then instruct victims to hand over money to couriers who authenticate with passwords or dollar bill serial numbers. Victims are then shown fake wallet increases and pressured for more funds for alleged taxes or penalties. The FBI urges due diligence on crypto platforms, avoiding cash deliveries, and immediate reporting of incidents.
read more →

China-linked actors breach REDCap servers, steal research

🔒 Google Threat Intelligence Group attributes a long-running espionage campaign to UNC6508, a China-linked actor, which exploited exposed REDCap servers to deploy the custom Infinitered malware and exfiltrate sensitive medical research. The intrusion began in September 2023 and persisted through November 2025, with attackers harvesting credentials, maintaining persistent backdoors, and using enterprise email compliance rules to siphon data. Administrators are urged to update REDCap, enable MFA/2SV, and apply provided YARA rules and IoCs to detect infections.
read more →

Langflow path traversal allows remote code execution

🚨 Enterprises using the open-source AI orchestration platform Langflow are urged to apply a patch for a high-severity path traversal flaw that enables arbitrary file writes and, in some environments, remote code execution. The vulnerability stems from improper handling of uploaded filenames at the /api/v2/files endpoint and was fixed in version 1.9.0, though exploitation has been observed in the wild. Public proof-of-concept code and exposed instances increase risk for unpatched deployments.
read more →

Infinite Campus Salesforce Breach Exposes Staff Data

🔒 Infinite Campus disclosed a Salesforce data theft in March that exposed personal information for school staff across its K‑12 customer base. The attacker, linked to groups known for targeting Salesforce instances, allegedly leaked a 1.2GB archive. Have I Been Pwned found data from 137,100 accounts, including names, emails, job titles and contact details. Infinite Campus said most exposed items appear to be directory information commonly published by schools.
read more →

152 Chrome wallpaper extensions found distributing PUPs

🔎 Cybersecurity researchers uncovered 152 Chrome wallpaper extensions that distribute a potentially unwanted program (PUP) family across 38 publisher accounts and three brand backends, collectively installed 105,000 times. Each listing claims not to collect data, but linked privacy policies admit logging IPs, ISPs, clicks, and referrers, shared with Google AdSense, DoubleClick, and third-party partners. Some extensions hard-code install and uninstall URLs to fake organic Google search referrals and include dormant code to enumerate and delete IndexedDB databases. Socket assesses the cluster as a financially motivated adware and traffic-fraud affiliate operation with possible ties to Turkey.
read more →

Compromised JavaScript in Popular WordPress Plugins

🛡️ An attacker served tampered JavaScript used by PushEngage, OptinMonster, and TrustPulse, executing only when a logged-in WordPress administrator loaded the files. The malicious code created an attacker-controlled admin account, installed a hidden plugin backdoor providing remote code execution, and exfiltrated credentials to a fake tidio[.]cc domain. Sansec disclosed the campaign on June 13; PushEngage confirmed exposures that lasted longer than the brief windows seen for the other plugins. Site owners should treat any site that loaded the affected scripts during the window as compromised and perform server-side scans and credential rotations immediately.
read more →

Maine takes breach reporting portal offline after hoax

🔒 The state of Maine has temporarily taken its public-facing breach reporting database offline after two fraudulent reports impersonating VRChat and Discord were published. The Attorney General's office removed the fake submissions and said it is reviewing procedures to reduce such abuse while keeping legitimate reporting available. Historic notifications can be requested via the consumer protection division.
read more →

EvilTokens phishing abuses OAuth device code flow

🛡️ EvilTokens is a phishing-as-a-service kit that compromises Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow, tricking victims into authorizing attacker sessions via legitimate Microsoft login pages. Active since at least February 2026, the toolkit has been used in large account takeover and BEC campaigns, leveraging reconnaissance and decoy lures to obtain access and refresh tokens. Because victims complete real authentication — including 2FA — the attacks bypass traditional red flags like fake login pages. Organizations are advised to restrict device code flow, monitor unusual token activity, and update security awareness to address these modern phishing tactics.
read more →

Sniper Dz phishing scam targets MENA users

🛡️ Group-IB disclosed a large-scale fraud campaign using fake Facebook accounts to lure Middle East and North Africa users with offers like free mobile internet and government subsidies. Victims were routed via link-aggregation services to pages that abused browser notifications, back-button hijacks, and tab-under redirects to enroll users in a push-notification ecosystem. The operation monetized victims through premium SMS, premium-rate calls, investment scams, and ad fraud tied to a Sniper Dz PhaaS infrastructure.
read more →

Palo Alto Warns of Active Exploitation of PAN‑OS Bug

🔒 Palo Alto Networks has observed active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS affecting GlobalProtect portal and gateway components that can enable unauthorized VPN connections. Initial in-the-wild activity was seen on May 17, 2026, though the threat actor remains unidentified. The company provided IoCs and urges customers to search GlobalProtect logs for gateway-connected events and specific client configuration indicators.
read more →

FBI disrupts large AI-driven Outsider phishing network

🔎 The FBI, collaborating with Google and Black Lotus Labs, dismantled a China-linked phishing-as-a-service operation called Outsider Enterprise that used AI and distributed phishing kits across thousands of fraudulent websites and over a million URLs. Authorities seized administrative servers, a Shopify storefront, testing accounts, and roughly $100,000 in USDT, while redirecting many malicious domains to an FBI splash page. Google reports hundreds of thousands of affected users and has filed a civil suit against the infrastructure while coordinating with carriers to block fraudulent SMS campaigns.
read more →

Former school IT worker jailed for prolonged hacks

🔒 A former senior IT support specialist for the Saydel Community School District in Iowa was sentenced to 21 months in prison for repeatedly accessing and sabotaging his former employer’s systems after his April 2023 departure. Prosecutors say he deleted the district’s Facebook page, stripped employees of access to educational platforms, and erased Apple School Manager and Gmail accounts, disrupting classes and causing tens of thousands in remediation costs. He pleaded guilty in January 2026 and must pay $59,668.81 in restitution and serve three years of supervised release with monitoring conditions.
read more →

Maine Shuts Public Breach Portal After Hoax Filings

🔒 Maine has taken its public data breach reporting portal offline after fraudulent disclosures impersonating Discord and VRChat were published. The Attorney General's Office confirmed the reports were hoaxes and removed them, stating there is no evidence of actual breaches by the named companies. Public access to the database is temporarily disabled while the office reviews procedures; companies may still submit notices but the public must request disclosures directly.
read more →

China-linked hackers backdoor Linux login components

🔒Sygnia reports a China-nexus group, tracked as Velvet Ant, backdoored Linux login components including PAM and OpenSSH, embedding long-term access where routine cleanup would not reach. The actor altered trusted login programs to capture credentials, record sessions, or allow secret logins, with traces dating back to 2016. Isolation was bypassed by staging through internet-facing systems and bridging into air-gapped segments.
read more →

French government’s Tchap messaging breach disclosed

🔒 The French government’s secure messaging platform, Tchap, was breached after an intruder took over a user account, according to DINUM. The agency blocked the compromised access and is investigating the extent of exposed information. While encryption was not broken, public chat rooms are unencrypted and the intruder reportedly accessed thousands of messages and files. DINUM reminded users that public rooms are visible to any account and should not contain sensitive content.
read more →