All news with #breach tag

BreachForums Admin Resentenced to Three Years Prison

🔒 Conor Brian Fitzpatrick, 22, who operated the BreachForums hacking forum under the alias Pompompurin, was resentenced to three years in prison after the U.S. Court of Appeals vacated his earlier sentence of time served and 20 years of supervised release. Fitzpatrick pleaded guilty in July 2023 to conspiracy to commit access device fraud, solicitation to offer access, and possession of child sexual abuse material (CSAM). Prosecutors say he violated pretrial release by using VPNs and unauthorized, unmonitored devices to conceal internet activity. BreachForums, created in 2022, rapidly grew to over 330,000 members and facilitated the sale and leakage of stolen data and access to corporate networks.

ShinyHunters Breach Hits Gucci, McQueen and Balenciaga

🔒 Luxury fashion groups Gucci, Alexander McQueen and Balenciaga have had customer data exposed in an attack linked to the ShinyHunters group. A sample of files shared with the BBC reportedly included thousands of genuine customer records and spending details, and the group claims data on 7.4 million email addresses. Kering confirmed temporary unauthorized access in June but said no financial information or government identifiers were involved. Security experts warn the data could fuel follow-on fraud, especially if sold on criminal forums.

Kering Confirms Customer Data Theft at Gucci and Balenciaga

🔒 Kering has confirmed that an unauthorised third party accessed limited customer data from several of its luxury brands, including Gucci, Balenciaga, and Alexander McQueen. The exposed information may include names, dates of birth, phone numbers, email addresses, and store purchase histories, while payment card and financial data do not appear to have been compromised. Reports link the incident to the ShinyHunters group and to earlier 2024 breaches and alleged Salesforce CRM access; chat logs indicated ransom discussions, and police later arrested suspects tied to underground leak site BreachForums. Customers have been notified and should be vigilant for phishing, SMS scams, and suspicious calls.

Jaguar Land Rover Extends Production Pause After Cyberattack

🔒 Jaguar Land Rover has extended a pause in production for another week as it continues a forensic investigation into a severe cyberattack disclosed on 2 September 2025. The automaker said operations will remain suspended until Wednesday 24th September 2025 while it prepares a controlled global restart. JLR confirmed some data was stolen but has not attributed the breach to a known group. A group calling itself Scattered Lapsus$ Hunters posted screenshots and claimed to have deployed ransomware.

JLR Extends Production Halt After Cyber Attack, Suppliers

🔒 Jaguar Land Rover (JLR) has extended its production pause until at least 24 September after a cyber-attack earlier this month. The outage is causing cascading disruption across its supply chain, with some third-party workers reportedly laid off while JLR employees are not facing job losses. Unite has called for government-backed furloughs for affected contractors. A group using the name Scattered Lapsus$ Hunters has claimed responsibility and JLR confirmed some data were affected and regulators have been informed.

FinWise Bank warns of insider data breach affecting 689K

🔒 FinWise Bank notified customers that a former employee accessed customer data after their employment ended, with the incident occurring on May 31, 2024 and discovered on June 18, 2025. The breach affected 689,000 FinWise and American First Finance (AFF) customers, and the bank confirmed that customers' full names were exposed. FinWise engaged external cybersecurity experts, offered 12 months of free credit monitoring and identity-theft protection, and advised customers to place fraud alerts or security freezes and to monitor credit reports and account statements.

Google: Fraudulent Account Created in Law Enforcement Portal

🔒 Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) portal and has been disabled. The company said no requests were made with the account and no data was accessed. The claim follows posts by a group calling itself "Scattered Lapsus$ Hunters", which also asserted access to the FBI's eCheck system. The actors have previously targeted Salesforce-related infrastructure and taunted security teams.

FinWise Insider Data Breach Affects 689K AFF Customers

🔒 FinWise Bank says a former employee accessed sensitive files after their employment ended, in a data security incident identified on May 31, 2024. The bank notified corporate partner American First Finance (AFF), which reported that data for 689,000 customers was affected. FinWise launched an external investigation, strengthened internal controls, and is offering 12 months of credit monitoring and identity theft protection to impacted individuals.

Beaches and Breaches: Shifts in Supply Chain and Identity

🌊 Returning from vacation, the author notes headlines shifted away from AI and ransomware toward breaches tied to compromised OAuth tokens and integrations like Salesloft/Drift. The piece emphasizes two converging trends: supply chain risk that now includes datapaths where information is processed, and identity attacks that increasingly target interconnected applications. It highlights Cisco Talos’ CTI-CMM as a practical maturity framework to assess gaps, prioritize investments, and build a roadmap for continuous improvement.

Wyden Urges FTC Probe of Microsoft After Ascension Hack

🛡️ US Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft following the 2024 ransomware attack on healthcare operator Ascension, which exposed data for 5.6 million patients after a contractor clicked a malicious Bing search result. Wyden says default Microsoft settings and support for the outdated RC4 standard enabled a Kerberoasting technique that granted administrative access. He notes Microsoft was warned in July 2024 and posted a blog in October announcing a planned update, but nearly a year later no update has been issued nor direct customer outreach made. The letter frames Microsoft’s control over default configurations as a systemic national security risk.

Three French Regional Healthcare Agencies Hit by Attack

🔒 Three French regional healthcare agencies (ARS) have reported similar cyber-attacks that exposed patients’ personal data held on regional systems. Preliminary investigations, announced on September 8, indicate attackers gained access by impersonating healthcare professionals and used those accounts to reach GRADeS-managed services such as Normand'e-Santé. Reported exposed PII includes full names, ages, phone numbers and email addresses, while the agencies say no clinical health records appear to have been compromised. Compromised accounts were disabled, additional protections deployed, potentially affected patients will be notified and incidents have been reported to CNIL.

LNER Supply-Chain Breach Exposes Customer Contact Data

🔒 LNER has disclosed that an unauthorized third party accessed customer contact details and historical journey information via a compromised third-party supplier. No bank, payment card or password information was affected, the operator said, but warned that the data could be used in follow-on attacks. Security professionals advised customers to be cautious of unsolicited communications and recommended organisations strengthen third‑party data controls and identity protections.

Largest npm Supply Chain Attack Injects Crypto Malware

🛡️ On September 8, 2025, a sophisticated phishing campaign led to the compromise of a trusted maintainer account and the insertion of cryptocurrency-stealing malware into more than 18 foundational npm packages. The malicious versions collectively represented over 2 billion weekly downloads and affected millions of applications from personal projects to enterprise systems. The debug package was among those compromised and alone exceeds 357 million weekly downloads. npm has removed several malicious package versions and is coordinating ongoing remediation.

Chinese APT Uses EggStreme Fileless Framework in Espionage

🛡️ Bitdefender attributed a campaign against a Philippines-based military contractor to a China-linked APT that deployed a previously undocumented fileless framework named EggStreme. The multi-stage operation begins with EggStremeFuel (mscorsvc.dll), which profiles systems, opens a C2 channel, stages loaders, and triggers in-memory execution of the core backdoor via DLL sideloading. EggStremeAgent functions as a central backdoor, injecting a session-specific keylogger (EggStremeKeylogger), communicating over gRPC, and exposing a 58-command toolkit for discovery, lateral movement, privilege escalation and data theft. An auxiliary implant, EggStremeWizard (xwizards.dll), provides reverse-shell access and resilient C2 options; Bitdefender warned that fileless execution and heavy DLL sideloading make detection and forensics difficult.

Jaguar Land Rover Confirms Data Theft After Cyberattack

🔒 Jaguar Land Rover (JLR) confirmed that attackers stole "some data" during a recent cyberattack that forced system shutdowns and instructed staff not to report to work. The company disclosed the disruption on September 2 and says it is working with the U.K. National Cyber Security Centre and third‑party specialists to restart applications in a controlled manner. JLR has notified relevant regulators and said its forensic investigation is ongoing; it will contact individuals if their data is affected. No definitive attribution or confirmed ransomware claim has been announced.

SalesLoft Drift Breaches Expose Fourth-Party OAuth Risk

🔐 The SalesLoft acquisition of Drift exposed a hidden fourth‑party attack surface when legacy OAuth tokens—some dormant for 18 months—were abused to access customer Salesforce instances and a limited number of Google Workspace accounts. Attackers leveraged inherited tokens to enumerate and exfiltrate data, revealing how M&A can transfer persistent permissions outside visibility. The author calls for continuous, behavior‑based monitoring of every OAuth token and API call and recommends practical "OAuth archaeology" to inventory, rotate, or revoke legacy access.

Lovesac Discloses Customer Data Breach Linked to RansomHub

🔒 Lovesac has informed customers that an unauthorized actor accessed its systems between February 12 and March 3, 2025, copying certain files after the company detected suspicious activity at the end of February. The intrusion aligns with a March claim by RansomHub, which said it had stolen roughly 40 GB of data; the ransomware group's extortion portal later went offline in April. Lovesac says it has found no confirmed misuse of the stolen information, but is notifying affected customers, offering 24 months of complimentary credit monitoring through Experian (enrollment required and open until November 28, 2025), and urging vigilance for signs of identity theft and fraud.

Kosovo Hacker Pleads Guilty to Running BlackDB Market

🔒 Kosovo national Liridon Masurica has pleaded guilty to operating the cybercrime marketplace BlackDB.cc, which the Justice Department says sold compromised accounts, server credentials, stolen credit cards, and PII since 2018. Masurica was arrested in Kosovo in December 2024, extradited to the United States in May 2025, and is detained following a court appearance in Tampa. He faces federal charges that include five counts of fraudulent use of unauthorized access devices and a conspiracy count, carrying up to 55 years in prison. The FBI coordinated the investigation with Kosovo law enforcement and international partners.

Open Source Community Stops Large npm Supply-Chain Attack

🔒 A rapid open source response contained a supply-chain compromise after maintainer Josh Junon (known as 'qix') reported his npm account was hijacked on September 8. Malicious versions of widely used packages including chalk, strip-ansi and color-convert were published embedding an crypto-clipper that swaps wallet addresses and hijacks transactions. The community and npm removed tainted releases within hours, limiting financial impact and exposure.

Salesloft March GitHub Breach Led to Salesforce Data Theft

🔒 Salesloft says attackers first breached its GitHub account in March, enabling the theft of Drift OAuth tokens later abused to access customer systems. The stolen tokens were used in widespread Salesforce data-theft operations disclosed in August, affecting multiple enterprise customers. Salesloft engaged Mandiant, rotated credentials, isolated Drift infrastructure, and restored integrations after validating containment.