<ciso brief />

All news with #data breach tag

714 articles · page 7 of 36

FBI Confirms Hack of Director Kash Patel's Email Inbox

📧 The FBI confirmed that the Iran-linked Handala group breached the personal Gmail account of Director Kash Patel and published watermarked photos, documents, and email correspondence. The bureau said the material appears historical, is not recent, and does not include government information. The FBI added it has taken precautions to mitigate potential fallout. Handala claimed the attack was retaliation after domain seizures and a $10 million reward.

Iran-linked Handala Hackers Leak FBI Director's Emails

🔒 Threat actors linked to Iran's MOIS claimed they breached the personal email account of FBI Director Kash Patel and published a cache of photos and historical emails. The FBI confirmed Patel's emails were targeted, said necessary mitigations were enacted, and characterized the released material as historical and not government information. Security firms attribute the campaign to the Handala Hack persona, which relies on compromised VPN accounts, RDP lateral movement, and destructive wipers, prompting Microsoft and CISA guidance to harden Intune and enforce phishing‑resistant MFA.

European Commission Data Stolen in Cloud Infrastructure

🔒 The European Commission is investigating a cyberattack on its Europa.eu platform after a threat actor claimed to have exfiltrated more than 350GB of data from compromised AWS accounts. The attacker told a security reporter they intend to publish the stolen files rather than extort the Commission. The Commission said public websites remain available, internal systems were unaffected, and containment and mitigation measures were implemented while inquiries continue.

Lloyds Bank bug exposed customers' transaction data

🔓 Lloyds Banking Group has disclosed a software glitch that briefly allowed some mobile app users to see other customers' transactions. The bank told the UK Parliament’s Treasury Committee the problem followed an overnight IT change and a defect in the design of the code used to update the API behind the app. Of 21.6 million app users, 447,936 may have been shown another user's transactions and 114,182 may have viewed transaction details during the incident. Lloyds said no full account access or customer losses were identified and that it notified regulators, including the ICO.

European Commission Probes Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor gained access to an Amazon cloud account used to manage Commission infrastructure. The actor claims to have exfiltrated over 350 GB of data, including multiple databases, and provided screenshots as proof while stating they will not extort the Commission but may leak the data later. The Commission's cybersecurity incident response team detected the incident quickly and is investigating; the case follows a January MDM compromise linked to other EU institution attacks.

European Commission Investigates Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor accessed an Amazon cloud account used to manage Commission infrastructure. Sources say the intrusion was quickly detected and that the Commission's cybersecurity incident response team is now probing the incident. The actor claims to have stolen 350 GB of data, including multiple databases, and provided screenshots showing access to employee information and an internal email server. The actor says they will not extort the Commission but may leak the data later.

UK Sanctions Chinese Crypto Marketplace Xinbi over Scam Hubs

🚨 The UK has imposed sanctions on the China-based cryptocurrency marketplace Xinbi, accusing it of enabling large-scale scam operations across Southeast Asia and facilitating crypto laundering. Authorities say Xinbi, which reportedly handled over $19.7 billion of inflows, sold victim data and traded satellite internet equipment used to contact targets. The action targets Xinbi and related firms and individuals linked to the Prince Group and #8 Park, and includes plans to freeze London properties.

Dutch Police Reports Limited Breach After Phishing Attack

🔒 The Dutch National Police disclosed a security breach stemming from a successful phishing attack, saying the incident was detected quickly and access was blocked by its Security Operations Center. Officials describe the impact as limited and state that citizens' data and investigative information were not accessed. A criminal investigation and an internal probe into affected systems are ongoing.

Ajax systems flaw exposed fan data and enabled ticket hijack

🔒 Ajax Amsterdam disclosed that a hacker exploited vulnerabilities in its IT systems, allowing access to some fan data and control over ticket transfers. The club said only email addresses for a few hundred people were viewed and that fewer than 20 stadium-banned individuals had names, emails and dates of birth exposed. RTL journalists, tipped by the attacker, independently verified the flaws and demonstrated the ability to transfer season tickets, modify stadium bans and access broad fan data via APIs and shared keys. Ajax has engaged external experts, patched the vulnerabilities, notified authorities and advised fans to remain vigilant for impersonation attempts.

UK Sanctions Xinbi Marketplace Linked to Asian Scam Centers

🚫 The UK’s Foreign, Commonwealth and Development Office has sanctioned Xinbi, a Chinese-language marketplace accused of selling stolen personal data and satellite internet equipment to Southeast Asian scam networks and assisting North Korean actors with cryptocurrency laundering. Chainalysis links Xinbi to over $19.9 billion in transactions from 2021–2025. The measures also target #8 Park and operator Legend Innovation Co, aiming to sever Xinbi from legitimate crypto services and disrupt payments to scam centers.

Russia Arrests Suspected Owner of LeakBase Forum in Rostov

🔒 Russian police in the Rostov region arrested a Taganrog resident accused of owning and administering the cybercrime forum LeakBase. The forum, launched in 2021 and linked to the ARES threat group, grew to over 142,000 members and was used to trade stolen databases, exploits, and illicit services. In March 2026 authorities from the FBI and 14 other countries dismantled the site during Operation Leak, seizing the domain and preserving the forum database and logs as evidence.

LeakBase Forum Admin Arrested in Russia Over Data Trade

🔒 Russian authorities have arrested the alleged administrator of LeakBase, a major cybercrime forum accused of trading stolen personal databases since 2021. The suspect, reported to be a resident of Taganrog, was detained and technical equipment seized during a search. Officials say the platform hosted hundreds of millions of accounts, bank details and corporate documents and had over 147,000 registered users. The site was dismantled earlier this month and its content preserved for evidentiary purposes.

LiteLLM PyPI Package Compromised in TeamPCP Attack

🔒 The LiteLLM PyPI package was compromised by the TeamPCP group, which pushed malicious releases (1.82.7 and 1.82.8) that execute a hidden payload on import. Version 1.82.8 also installed a litellm_init.pth so the code runs at Python interpreter startup. The payload deploys a credential stealer, establishes persistence, and exfiltrates encrypted archives to attacker infrastructure. Users should immediately check installations and rotate secrets.

HackerOne: Employee Data Exposed After Navia Breach

🔒 HackerOne is notifying employees that their personal data was exposed after a compromise of benefits administrator Navia. The company reported that a Broken Object Level Authorization (BOLA) vulnerability allowed an unknown actor to access Navia records between December 22, 2025 and January 15, 2026, affecting 287 employees. Exposed fields include Social Security numbers, names, contact details, dates of birth, and plan enrollment information. HackerOne advised monitoring accounts, changing passwords tied to exposed data, and using the 12‑month identity protection and credit monitoring Navia is offering.

Infinite Campus Warns of Salesforce Breach, Extortion

🔒 Infinite Campus warned customers of a data breach following an extortion claim from a threat actor who said they accessed an employee's Salesforce account. The company says the exposed information appears to be primarily public directory data for school staff and that no customer databases were accessed. Infinite Campus declined to engage with the attacker and has disabled certain customer-facing services while scanning potentially affected records and notifying impacted districts.

Dutch Ministry of Finance Confirms Systems Breach Detected

🛡️ The Dutch Ministry of Finance confirmed unauthorized access to some of its systems after being notified by a third party on March 19. ICT security detected the intrusion and access to affected systems has been blocked while an investigation is ongoing. The incident disrupted work for a portion of employees but, the ministry says, did not affect systems that manage tax collection, customs, or income-linked subsidies. Officials have not disclosed the number of employees impacted, whether data was stolen, or an attribution for the attack.

Mazda reports security breach exposing partner data

🔒 Mazda Motor Corporation disclosed unauthorized access to a warehouse management system used for parts procured from Thailand, affecting 692 records containing employee and business partner information. The exposed data types included user IDs, full names, email addresses, company names and business partner IDs, and Mazda says no customer data was involved. The company reported the incident to the Personal Information Protection Commission and implemented security patches, reduced internet exposure, increased monitoring and stricter access controls while investigating with external specialists.

Crunchyroll Investigates Breach Affecting 6.8M Users

🔒 Crunchyroll is investigating claims that attackers stole personal data for roughly 6.8 million users after compromising a support agent's Okta SSO credentials. The actor says they accessed multiple applications, including Zendesk, Slack and Google Workspace, and downloaded about 8 million support tickets containing names, emails, IPs, locations and ticket contents. Payment details were reportedly present only when customers shared them in tickets. The attacker demanded $5 million in extortion but, according to the actor, received no response.

Data Analyst Guilty of $2.5M Extortion Against Brightly

🔒 A North Carolina contractor, 27-year-old Cameron Curry (aka "Loot"), was convicted for extorting his employer, Brightly Software, after stealing payroll and corporate data during a six-month contract that ran through December 2023. Curry sent more than 60 threatening emails from lootsoftware@outlook.com demanding $2.5 million and attached screenshots of employee PII. Brightly paid $7,540 in Bitcoin, the FBI seized devices following a January 24, 2024 search, and Curry now faces up to 12 years in prison.

Navia data breach exposes personal details of 2.7M

🔒 Navia Benefit Solutions says an unauthorized actor accessed its systems between December 22, 2025 and January 15, 2026, potentially exposing records for nearly 2.7 million people. The company discovered the activity on January 23, 2026 and launched an investigation, which found the actor acquired names, dates of birth, Social Security numbers, phone numbers, email addresses, plus HRA, FSA and COBRA enrollment details. Navia says claims and financial account information were not exposed. Affected individuals are being offered 12 months of identity protection and credit monitoring through Kroll, and federal law enforcement has been notified; no ransomware group has claimed responsibility.