< ciso brief />

All news with #breach tag

191 articles

Canadian Arrest Over KimWolf DDoS Botnet Operations

🔍 Canadian and U.S. authorities arrested 23-year-old Jacob Butler (aka "Dort") in Ottawa under an extradition warrant after unsealing a criminal complaint in the District of Alaska linking him to the KimWolf DDoS botnet. Investigators tied Butler to the botnet through IP address logs, transaction records, and online messages, and he now faces a charge of aiding and abetting computer intrusions with a potential 10-year sentence. KimWolf operated as a DDoS-for-hire service that enslaved nearly two million devices and powered attacks up to nearly 30 Tbps, causing substantial global disruption and financial losses.

GitHub Confirms Major Breach of 3,800 Internal Repos

⚠ GitHub confirmed attackers exfiltrated code from roughly 3,800 internal repositories after a compromised employee device and a poisoned VS Code extension were used to gain access. The company detected and contained the compromise on May 19, removed the malicious extension, isolated the endpoint, and began incident response. A threat actor calling itself TeamPCP posted lists of stolen repos and claimed responsibility, threatening to leak the data if not sold. GitHub is rotating secrets, analyzing logs, and said it will publish a full incident report when investigations conclude.

Grafana breach traced to missed GitHub token rotation

🔐 Grafana confirmed its recent data breach stemmed from a single missed GitHub workflow token that was exfiltrated after malicious TanStack npm packages executed in its CI/CD environment. The company detected the intrusion on May 1, rotated most tokens, and launched its incident response, but one token was overlooked, and that token gave the attackers access to its repositories. Grafana says source code wasn't altered and no customer production systems were impacted.

FBI Issues Advisory After ShinyHunters Breach of Canvas LMS

⚠️ The FBI's IC3 issued an advisory on 15 May 2026 about the ShinyHunters extortion gang breaching an online learning management system used by US educational institutions. Although the advisory avoided naming the vendor, reporting and Instructure's confirmation made clear Canvas was affected, and the company reportedly paid a ransom after receiving alleged 'shred logs'. The FBI urges victims not to engage with extortionists, to enable multi-factor authentication, and to remain vigilant against phishing, harassment, and swatting; students and staff should assume their data may be exposed and await official guidance.

Grafana: Stolen GitHub Token Led to Source Code Theft

📌 Grafana Labs says attackers used a stolen GitHub access token to access and download parts of its internal source code repository. The intrusion was claimed by the extortion group CoinbaseCartel, which added Grafana to its data leak site, though no customer data has been published. Grafana reports forensic analysis found no evidence of exposed customer or personal data and that customer systems were unaffected. The company invalidated the compromised credentials, refused the extortion demand, and will publish a detailed post-incident report after completing its investigation.

Grafana GitHub Token Breach Exposes Codebase Access

🔒 Grafana disclosed that an unauthorized party obtained a token that allowed access to its GitHub environment and the download of parts of its codebase. The company says no customer data or personal information were accessed and that it launched a forensic investigation, invalidated the compromised credentials, and implemented additional security controls. The attacker attempted to extort Grafana, demanding payment to avoid publishing stolen material, but the company declined to pay following FBI guidance. Reports link the claim to CoinbaseCartel, a recent data‑extortion group.

Compromised node-ipc Releases Contain Stealer and Backdoor

⚠️ Researchers from Socket and StepSecurity warn that recently published versions of node-ipc (9.1.6, 9.2.3 and 12.0.1) contain an obfuscated stealer/backdoor triggered at runtime. The payload is appended as an IIFE to node-ipc.cjs, causing execution on every require('node-ipc') and avoiding npm lifecycle hooks. It fingerprints hosts, harvests up to 90 credential categories, compresses data, and exfiltrates via HTTPS to sh.azurestaticprovider[.]net and via DNS TXT records after overriding the resolver. The malicious builds were published by an unrelated maintainer account, prompting removal and secret rotation recommendations.

Škoda Warns of Customer Data Breach After Shop Hack

🔒 Škoda Auto has disclosed a data breach after attackers exploited a vulnerability in its online shop software, gaining unauthorized access to customer records. The automaker said the issue was detected via technical security monitoring, the flaw was fixed, and the incident was reported to authorities. Stolen data included names, addresses, contact details, order information, and login credentials (email and hashed passwords), while full credit card data was not stored on the compromised system. Škoda has engaged IT forensics, warned customers about potential phishing and credential reuse, and urged vigilance.

TeamPCP Publishes Malicious Checkmarx Jenkins Plugin

🔒 Checkmarx confirmed a modified Jenkins AST plugin was published to the Jenkins Marketplace after attackers used stolen credentials to push malicious code. The company released v2.0.13-848.v76e89de8a_053 on GitHub and the Marketplace and says this release addresses the incident. It advised users to ensure they run 2.0.13-829.vc72453fa_1c16 (published Dec 17, 2025) or later. Researchers attribute the activity to TeamPCP.

NVIDIA Confirms GeForce NOW Data Breach in Armenia

🔒 NVIDIA confirmed that GeForce NOW user information was exposed in a breach limited to Armenia after a regional partner's infrastructure was compromised. The company said its own network and NVIDIA-operated services were not affected and it is assisting the partner. Regional operator GFN.am said the incident occurred March 20–26 and that impacted users will be notified. Exposed fields reportedly include names, emails, phone numbers, dates of birth and usernames; no passwords were exposed.

Fake Call History Apps Scammed Millions via Subscriptions

🔍 Cybersecurity researchers uncovered 28 fraudulent Android apps on the official Google Play Store that claimed to show call, SMS and WhatsApp histories for any number but instead pushed paid subscriptions that delivered fabricated, hard‑coded data. The apps, labeled CallPhantom by ESET, amassed over 7.3 million downloads—one exceeded 3 million—primarily targeting users in India and the Asia‑Pacific region before removal. Payments were processed via Google Play billing, UPI apps (including Google Pay, PhonePe and Paytm), or in‑app card forms, limiting refund options for non‑Play transactions. The apps requested few permissions, used simple UIs and even displayed deceptive notifications to coerce payments.

RansomHouse Claims Breach of Trellix Source Code Repository

🔒 RansomHouse has claimed responsibility for last week's intrusion into Trellix's source code repository, publishing a small set of images as proof of access to the vendor's appliance management system. Trellix confirmed unauthorized access on May 1 and said it immediately engaged leading forensic experts and notified law enforcement. The company reported no evidence so far that its source code release or distribution process was affected and continues to investigate.

ShinyHunters Claims 280M Records Stolen from Instructure

🔒 Instructure says it is investigating a breach after the extortion group ShinyHunters claimed to have stolen 280 million records tied to students, teachers, and staff across 8,809 colleges, school districts, and online education platforms. The actors allege they accessed names, email addresses, private messages and enrollment data by abusing Canvas export features such as DAP queries, provisioning reports and user APIs. Instructure has acknowledged the incident but has not provided detailed public answers; several universities have begun their own inquiries.

DAEMON Tools Installers Trojanized in Supply-Chain Attack

⚠️ DAEMON Tools installers hosted on the official site were trojanized beginning April 8, delivering a backdoor to thousands of systems worldwide. Compromised, digitally signed installers (versions 12.5.0.2421–12.5.0.2434) contained malicious code in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial payload is an information stealer used to profile victims; select hosts received a lightweight second-stage backdoor capable of executing commands and loading code in memory. In at least one targeted case researchers observed deployment of a more advanced QUIC RAT, and Kaspersky warns the campaign evaded detection for nearly a month.

Trellix Confirms Source Code Repository Breach Disclosure

🔒 Trellix disclosed unauthorized access to a portion of its source code repository and says it is working with outside forensic experts to investigate the incident. The company reports it has found no evidence so far that the accessed code was altered, exploited, or that its release and distribution processes were affected, and it has notified law enforcement. Trellix intends to share further details as appropriate once the investigation concludes. Formed from McAfee Enterprise and FireEye, Trellix protects over 200 million endpoints and serves more than 50,000 customers, and this event follows recent breaches at other security vendors.

Former incident-response staff get 4-year terms for BlackCat

🔒 Two former employees of incident response firms Sygnia and DigitalMint were each sentenced to four years in prison after pleading guilty to conspiracy to interfere with commerce by extortion for acting as affiliates of the BlackCat (ALPHV) ransomware group between May and November 2023. Prosecutors say they paid BlackCat a 20% cut of ransom proceeds for access to its ransomware and extortion platform and breached multiple U.S. companies, including medical and manufacturing firms; one Tampa medical device company paid $1.27 million after a $10 million demand. DigitalMint said the individuals were immediately terminated and that the company condemned their conduct.

Three Arrested Over Sale of 610,000 Stolen Roblox Accounts

🚨 Ukrainian police arrested three individuals accused of hacking and selling over 610,000 Roblox accounts, reportedly generating about $225,000 in proceeds. The Lviv authorities executed ten searches, seizing $35,000 in cash and multiple devices including 37 mobile phones, 11 desktop PCs, seven laptops, five tablets, and four USB drives. Prosecutors say the suspects — aged 19, 21, and 22 — used info‑stealing malware disguised as a game-enhancer, harvested credentials, categorized accounts by value, and sold high‑value profiles via a Russian website and closed online communities.

Vimeo Confirms Customer Data Exposed After Anodot Breach

🔒 Vimeo says an unauthorized actor accessed certain user and customer data following the breach at Anodot. Initial findings indicate the impacted databases primarily contained technical data, video titles and metadata, and, in some cases, customer email addresses. Vimeo confirmed that uploaded video content, account credentials, and payment card information were not exposed, and that platform operations were unaffected. The company has disabled Anodot credentials, removed the integration, and engaged third-party security experts and law enforcement to investigate.

Itron Confirms Cybersecurity Breach, Systems Remediated

🔒 Itron, a global provider of utilities technology, disclosed a breach of its IT systems by an unauthorized third party in an 8-K filed on April 24. The company immediately activated its cybersecurity response plan, engaged external advisors and notified law enforcement while launching a comprehensive investigation. Itron says it has remediated and removed the unauthorized activity, observed no further access, and found no intrusion in customer-hosted systems. It reports operations were not materially disrupted and expects insurers to cover a significant portion of direct costs while it evaluates required legal and regulatory notifications.

Medtronic Confirms Network Breach After ShinyHunters Claim

🔒 Medtronic disclosed a network intrusion after the ShinyHunters extortion group claimed to have stolen more than 9 million records and multiple terabytes of internal corporate data. The company said the incident affected "certain corporate IT systems" but has not impacted products, patient safety, manufacturing, or hospital customer networks, which it says are segregated. An investigation is underway to determine whether personal data was accessed, and Medtronic said it will notify affected individuals and provide support if exposure is confirmed.