< ciso brief />

All news with #data exfiltration tag

182 articles · page 4 of 10

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.

Exposed Google API keys can now reveal Gemini AI data

🔓 Google Cloud API keys that were once treated as non-sensitive can now authenticate to the Gemini generative AI assistant, creating a new attack path in which keys embedded in client-side JavaScript expose private assistant data. Truffle Security found nearly 2,800 live, publicly accessible keys across sectors, including financial firms and a Google product, by scanning the November 2025 Common Crawl. Attackers who copy an exposed key can call Gemini endpoints to retrieve data or run up costly API usage; developers should audit projects for the Generative Language API, rotate exposed keys immediately, restrict each key to the APIs it actually needs, and use secret-detection tooling to catch leaks before they ship.
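One way to run the audit the summary recommends, as an added example that is not Truffle Security's scanner or any Google tooling: a Python sweep over a JavaScript bundle for the 39-character Google API key format, which also records whether the bundle itself already calls the Generative Language endpoint with the key. The bundle text and both keys are constructed for the example; the regex reflects the documented key format (literal `AIza` plus 35 characters).

```python
"""Sweep client-side JavaScript for embedded Google Cloud API keys.

Added example, not Truffle Security's scanner: a regex sweep over a bundle
plus a check for keys passed to the Generative Language (Gemini) endpoint.
"""
import re
from urllib.parse import parse_qs, urlparse

# Google API keys are the literal prefix "AIza" followed by 35 characters
# from [A-Za-z0-9_-] (39 characters total); the lookarounds stop the regex
# from matching inside a longer token.
GOOGLE_API_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])AIza[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
GEMINI_HOST = "generativelanguage.googleapis.com"

# Constructed sample bundle; both keys are fabricated, not real credentials.
SAMPLE_JS = (
    'var cfg={mapsKey:"AIzaSyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456",'
    'placeholder:"AIzaSyTOO_SHORT"};'
    'fetch("https://generativelanguage.googleapis.com/v1beta/models/'
    'gemini-pro:generateContent?key=AIzaSyabcdefghijklmnopqrstuvwxyz789-_ab",'
    '{method:"POST",body:JSON.stringify(prompt)});'
)


def redact(key: str) -> str:
    """Keep enough of the key to correlate with the console, not to reuse it."""
    return key[:8] + "..." + key[-4:]


def keys_in_gemini_urls(text: str) -> set:
    """Keys passed as ?key= in literal URLs to the Generative Language API."""
    found = set()
    for m in URL_RE.finditer(text):
        u = urlparse(m.group(0))
        if u.hostname == GEMINI_HOST:
            for k in parse_qs(u.query).get("key", []):
                if GOOGLE_API_KEY_RE.fullmatch(k):
                    found.add(k)
    return found


def find_google_api_keys(text: str) -> list:
    """Return each distinct key with its first offset and whether the bundle
    itself uses it against the Gemini endpoint.

    A key that is *not* seen in a Gemini URL can still be usable there: what
    matters is the key's API restriction in the project, which only the
    console or gcloud can tell you."""
    gemini_keys = keys_in_gemini_urls(text)
    seen, hits = set(), []
    for m in GOOGLE_API_KEY_RE.finditer(text):
        key = m.group(0)
        if key in seen:
            continue
        seen.add(key)
        hits.append({
            "key": key,
            "redacted": redact(key),
            "offset": m.start(),
            "in_gemini_url": key in gemini_keys,
        })
    return hits


if __name__ == "__main__":
    for hit in find_google_api_keys(SAMPLE_JS):
        scope = "GEMINI" if hit["in_gemini_url"] else "unknown-scope"
        print(f"{hit['redacted']} at offset {hit['offset']}: {scope}")
```

Whether a found key can reach Gemini is decided by its API restriction in the owning project, not by where it appears in the bundle; check that in the Cloud console under Credentials (or list keys with `gcloud services api-keys list`), restrict keys to the APIs they need, and treat any unrestricted key found in public JavaScript as exposed and rotate it.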

China-linked Hackers Used Google Sheets for Espionage

🛡️ Google disrupted a China-linked espionage group tracked as UNC2814 that repurposed Google Sheets as a covert command-and-control channel for a custom backdoor named GRIDTIDE. The backdoor abused legitimate Sheets API calls to receive commands and return stolen data, polled spreadsheets frequently, and wiped rows to erase traces. Mandiant flagged unusual activity on a CentOS server, leading to the discovery of intrusions at 53 organizations across 42 countries, focused on telecoms and government systems. Google terminated the attacker's Cloud projects, revoked API access, sinkholed domains, and published IOCs.
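A triage heuristic for the pattern described above, as an added example that is not Google's or Mandiant's detection logic: Python over constructed proxy log lines (assumed format: ISO timestamp, source address, method, URL) that scores each source by how regularly it hits sheets.googleapis.com and whether it issues destructive calls (`values/...:clear`, `:batchUpdate`). Log lines, addresses and spreadsheet IDs are fabricated for the example.

```python
"""Triage hosts that poll the Google Sheets API like a beacon.

Added example; not Google's or Mandiant's detection logic. Log format,
addresses and spreadsheet IDs are assumed/constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

SHEETS_HOST = "sheets.googleapis.com"
# Calls that remove content from a sheet: values/<range>:clear and
# spreadsheets/<id>:batchUpdate (deleteDimension and similar requests).
DESTRUCTIVE_SUFFIXES = (":clear", ":batchUpdate")

# Constructed proxy log, one request per line: "<ISO time> <src> <method> <url>".
# 10.20.0.15 polls one sheet every 30 s and clears a row; 10.20.1.77 is a
# person editing a budget sheet at human pace.
SAMPLE_LOG = """\
2025-11-03T09:00:00Z 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:C50
2025-11-03T09:00:30Z 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:C50
2025-11-03T09:01:00Z 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:C50
2025-11-03T09:01:30Z 10.20.0.15 POST https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A2:C2:clear
2025-11-03T09:02:00Z 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:C50
2025-11-03T09:02:30Z 10.20.0.15 GET https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1!A1:C50
2025-11-03T09:00:05Z 10.20.1.77 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Budget!A1:F200
2025-11-03T09:17:41Z 10.20.1.77 POST https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Budget!A201:append
2025-11-03T09:44:02Z 10.20.1.77 GET https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Budget!A1:F200
2025-11-03T09:10:00Z 10.20.1.77 GET https://www.googleapis.com/drive/v3/files
"""


def parse_log(text):
    """Yield (time, src, method, url) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, url


def find_sheets_polling(text, min_requests=5, max_median_interval_s=60.0):
    """Flag sources whose Sheets API traffic is frequent and regular.

    Returns one finding per flagged source with its request count, median
    gap between requests, number of destructive calls and sheet IDs touched."""
    per_src = defaultdict(list)
    for ts, src, method, url in parse_log(text):
        u = urlparse(url)
        if u.hostname == SHEETS_HOST:
            per_src[src].append((ts, method, u.path))

    findings = []
    for src, events in sorted(per_src.items()):
        events.sort()
        times = [t for t, _, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(events) < max(min_requests, 2) or median(gaps) > max_median_interval_s:
            continue
        destructive = sum(
            1 for _, m, p in events if m == "POST" and p.endswith(DESTRUCTIVE_SUFFIXES)
        )
        sheet_ids = sorted({p.split("/")[3] for _, _, p in events
                            if p.startswith("/v4/spreadsheets/")})
        findings.append({
            "src": src,
            "requests": len(events),
            "median_interval_s": median(gaps),
            "destructive_calls": destructive,
            "spreadsheets": sheet_ids,
        })
    return findings


if __name__ == "__main__":
    for f in find_sheets_polling(SAMPLE_LOG):
        print(f"{f['src']}: {f['requests']} calls, median gap {f['median_interval_s']}s, "
              f"{f['destructive_calls']} destructive, sheets {f['spreadsheets']}")
```

Cadence alone will also catch legitimate integrations, so treat this as a triage signal to combine with the destructive-call count and asset context: a server with no business reason to touch Sheets, like the CentOS host in the summary, deserves a closer look than a workstation that polls a dashboard.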

UFP Technologies Says Data Stolen in Cyberattack Report

🔒 UFP Technologies disclosed a cybersecurity incident detected on February 14 that compromised portions of its IT environment and resulted in data theft. The company says it isolated affected systems, engaged external cybersecurity advisors, and believes the intruder has been removed with access restored in all material respects. Some functions such as billing and label making were impacted, and the firm is investigating whether personal information was exfiltrated.

CarGurus Data Leak Exposes 12.4 Million Account Records

🔓 The extortion group ShinyHunters published a 6.1GB archive on February 21 containing 12.4 million records it alleges were stolen from CarGurus. Have I Been Pwned (HIBP) has added the dataset and reports compromised data types including email addresses, IPs, full names, phone numbers, physical addresses, account IDs, finance application data, dealer details, and subscription information. CarGurus has not confirmed the breach or replied to requests for comment. HIBP says about 70% of the records were already known, leaving roughly 3.7 million newly exposed entries that could be abused for phishing and other scams.

Ex-Google Engineers Indicted for Trade Secret Theft

🔒 Three former Google engineers and one spouse were indicted in U.S. federal court for allegedly stealing trade secrets and transferring sensitive files, including materials related to Google's Tensor processor, to unauthorized locations reportedly including Iran. Defendants named in the reporting include Samaneh Ghandali, Mohammadjavad Khosravi and Soroor Ghandali; they are accused of exfiltrating documents to third-party channels, copying files to personal and employer devices, and concealing their actions. They were arrested in San Jose after Google detected suspicious activity and notified law enforcement; the indictment carries multiple counts with significant prison and fine exposure.

Flaws in Popular IDE Extensions Risk Data Exfiltration

🔒 Researchers at OX Security discovered four vulnerabilities in popular IDE extensions that enable local file access, arbitrary code execution and data exfiltration. Affected platforms include Microsoft Visual Studio Code and forks Cursor and Windsurf, with the vulnerable extensions collectively downloaded over 128 million times. Three of the issues were assigned CVEs after disclosure; one Live Preview flaw was quietly fixed by Microsoft.

Millions of Chrome Extensions Leak Users' Browsing History

🔍 A security researcher using the pseudonym Q Continuum discovered 287 Chrome extensions that send users' browsing history and related metadata to remote servers. The investigator ran an automated pipeline that launched Chrome in Docker, installed each extension, visited test sites, and captured outgoing traffic to reveal risky behavior across VPNs, proxy tools, coupon and PDF add-ons, and browser utilities. Many extensions request broad cross-site host permissions and transmit the data in obfuscated or encrypted form (Base64, ROT47, LZ-String, and in some cases AES-256 with the AES key wrapped using RSA-OAEP), which makes detection harder; because internal URLs are captured too, and cookies in some cases, the leak can enable corporate espionage or credential harvesting.

Eurail Data Breach: Stolen Traveler Records Sold on Dark Web

🔒 Eurail B.V. confirmed that customer data stolen in a breach earlier this year is now being offered for sale on the dark web, and a sample dataset was published on Telegram. The company says it is still determining which specific records and how many customers are affected, but reported compromised fields may include full names, passport and ID numbers, IBANs, health details, and contact information. GDPR-required notifications have been filed and non-EU authorities will be informed. Customers are urged to change reused passwords, monitor bank accounts closely, and contact privacyhelp@eurail.com for support and FAQs.

Leaky Chrome Extensions Exposed Browsing Histories

🔍 An estimated 37 million global installs of Chrome extensions have been found transmitting users’ browsing histories to external servers. Independent researcher 'Q Continuum' identified 287 extensions that sent data closely matching visited URLs during automated simulated browsing. Flagged add-ons spanned VPNs, productivity tools, shopping/coupon helpers and browser utilities, and many obfuscated outbound payloads using base64, ROT47, compression or strong encryption. The researcher warned such exfiltration could expose internal corporate URLs and, where cookies or session data are accessible, enable credential harvesting.
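The two items above cover the same finding; a reduced version of its detection step, as an added example that is not the researcher's pipeline: Python that takes the URLs a test harness visited and the requests it captured, tries the reversible encodings named above (plain, percent-encoding, Base64, ROT47), and flags any request whose decoded body contains a visited page. The visited URLs, destination hosts and request bodies are constructed for the example. LZ-String and encrypted payloads cannot be reversed this way; recovering those needs the extension's own code instrumented to expose the plaintext before it is encoded.

```python
"""Match decoded extension traffic against the pages a test harness visited.

Added example; not the researcher's tooling. Sample URLs and requests below
are constructed.
"""
import base64
import binascii
import json
from urllib.parse import unquote, urlparse


def rot47(s: str) -> str:
    """ROT47 rotates printable ASCII 33..126 by 47 and is its own inverse."""
    return "".join(
        chr(33 + (ord(c) + 14) % 94) if 33 <= ord(c) <= 126 else c for c in s
    )


def b64_lenient(s: str) -> str:
    """Decode standard or URL-safe Base64, tolerating missing padding."""
    cleaned = s.strip().replace("-", "+").replace("_", "/")
    raw = base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))
    return raw.decode("utf-8", errors="ignore")


# Reversible encodings the write-up names; LZ-String and AES need more than this.
DECODERS = [
    ("plain", lambda s: s),
    ("urlencoded", unquote),
    ("base64", b64_lenient),
    ("rot47", rot47),
]


def page_fingerprints(visited):
    """host + path identifies a page regardless of scheme or JSON wrapping."""
    return [urlparse(u).netloc + urlparse(u).path for u in visited]


def flag_exfil(visited, requests):
    """Return one finding per request whose body, under some decoding,
    contains a page the harness visited. `requests` are dicts with
    "dest" (URL the extension contacted) and "body" (text it sent)."""
    fps = page_fingerprints(visited)
    findings = []
    for req in requests:
        for label, decode in DECODERS:
            try:
                text = decode(req["body"])
            except (binascii.Error, ValueError):
                continue  # not valid under this encoding; try the next one
            matched = [fp for fp in fps if fp in text]
            if matched:
                findings.append({"dest": req["dest"], "encoding": label, "matched": matched})
                break
    return findings


# Constructed harness data: two pages visited, four outbound requests captured.
VISITED_URLS = [
    "https://intranet.example.test/hr/payroll-q3",
    "https://example.test/login?user=alice",
]


def _build_requests():
    u0, u1 = VISITED_URLS
    return [
        # 1. page URL sent as-is, the way many "analytics" SDKs do
        {"dest": "https://collector.broker-a.test/v1/pageview",
         "body": json.dumps({"page": u0, "title": "Payroll Q3"})},
        # 2. JSON wrapped in Base64
        {"dest": "https://t.broker-b.test/i",
         "body": base64.b64encode(json.dumps({"u": u1, "ts": 1700000000}).encode()).decode()},
        # 3. JSON obfuscated with ROT47
        {"dest": "https://api.broker-c.test/sync",
         "body": rot47(json.dumps({"d": u0}))},
        # 4. benign update telemetry, no page data
        {"dest": "https://updates.vendor.test/ping",
         "body": json.dumps({"event": "install", "version": "1.2.0"})},
    ]


CAPTURED_REQUESTS = _build_requests()

if __name__ == "__main__":
    for f in flag_exfil(VISITED_URLS, CAPTURED_REQUESTS):
        print(f"{f['dest']} leaks {f['matched']} ({f['encoding']})")
```

Matching on host plus path rather than the full URL catches bodies that strip the scheme or query string, at the cost of an occasional false positive on a shared prefix; for payloads that decode to nothing recognisable, the next signal is whether request size tracks the number of pages visited, which is how encrypted exfiltration still gives itself away in traffic alone.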

Crypto Payments Fueling Human Trafficking Networks

💸 Chainalysis reports that cryptocurrency inflows linked to human trafficking surged 85% year-on-year, generating hundreds of millions in revenue. The analysis identifies four crypto-driven trafficking types—international escort services, labor placement agents, prostitution networks and CSAM vendors—often coordinated via Telegram and Chinese-language money laundering (CMLN) networks. Key indicators include large stablecoin conversions, cross-border transfers and concentrated fund flows to trafficking hubs.

Malicious Chrome Extensions Exfiltrate Business Data

🔒 Researchers uncovered multiple malicious Chrome extensions that exfiltrate sensitive data from business and social media accounts, including a Meta‑focused add‑on named CL Suite that steals TOTP seeds, one‑time codes and Business Manager exports. Other campaigns detailed include a large‑scale VK Styles hijack of VKontakte accounts and the AiFrame cluster of AI‑themed add‑ons that siphon emails and page content. A Q Continuum study also found hundreds of extensions leaking browsing history to data brokers. Experts recommend strict extension controls, frequent audits, and allowlisting to reduce risk.

Fake AI Chrome Extensions Steal Credentials and Spy

🛡️ Over 260,000 Google Chrome users downloaded fake AI assistant extensions that delivered malicious functionality capable of harvesting credentials, monitoring Gmail and granting remote access to attackers. Researchers at LayerX identified more than 30 malicious extensions—collectively labeled AiFrame—many of which mimicked ChatGPT, Claude, Grok and Gemini and were even featured in the Chrome Web Store, increasing exposure. The campaign used "extension spraying" and a full‑screen iframe that loads remote content to evade detection and exfiltrate data; although many extensions have been removed, affected users remain at risk.

Romania's Conpet Confirms Data Theft After Qilin Attack

🔒 Conpet S.A., Romania's national oil pipeline operator, confirmed that the Qilin ransomware gang exfiltrated company data following a breach of its corporate IT environment. The company said operational systems remained unaffected and it is cooperating with the Romanian National Cyber Security Directorate (DNSC) as investigators assess the incident. Qilin claims nearly 1TB of documents and published a proof sample of 16 images containing internal financial records and passport scans; some files are marked confidential and dated as recently as November 2025. Conpet warned that compromised data may be used for fraud and advised potentially impacted individuals to verify any urgent contact using official channels.

Attackers Prefer Stealthy Persistence for Extortion

🦠 Picus Security's Red Report 2026 analyzed over 1.1 million malicious files and 15.5 million actions, finding attackers favor stealthy persistence and evasion to silently exfiltrate data for extortion. Process injection accounted for 30% of techniques, while adversaries routed C2 through high-reputation services like OpenAI and AWS and used stolen browser passwords to masquerade as users. The report warns that virtualization/sandbox evasion and increased technique counts make detection more challenging.

AI Coding Assistants Secretly Exfiltrate Developers' Code

⚠️ A new report alleges two popular AI coding assistants, together used by roughly 1.5 million developers, are quietly copying everything they ingest to servers in China. Security researchers say the extensions capture editor content, code snippets, and related telemetry without clear user disclosure. The behavior appears systematic and persistent rather than incidental. Until vendors provide transparent remediation, developers and organizations should avoid unvetted extensions and perform immediate audits and containment.

Former Google Engineer Guilty of Stealing AI Secrets

🔒 A former Google engineer, Linwei Ding, was convicted by a US federal jury on 14 counts, including economic espionage and theft of trade secrets, after allegedly exfiltrating over 2,000 pages of sensitive AI technical documents. Prosecutors say he copied data into Apple Notes, converted it to PDFs, and uploaded the materials to a personal Google Cloud account to evade DLP controls. The stolen IP involved custom TPU and GPU orchestration software and SmartNIC designs intended for AI supercomputers, and the DoJ alleges Ding planned to support Chinese state-affiliated entities.

Former Google Engineer Convicted for Stealing AI Data

🔒 A U.S. jury has convicted Linwei Ding, a former software engineer at Google, for stealing confidential AI supercomputer information and covertly sharing it with China-based technology firms. Prosecutors say Ding exfiltrated more than 2,000 pages of proprietary material — including details about TPU and GPU systems, orchestration software, and SmartNIC networking — by uploading files to his personal cloud account between May 2022 and April 2023. He later founded Shanghai Zhisuan Technology Co., sought government talent programs, and was convicted on multiple counts of economic espionage and trade secret theft after an 11-day San Francisco trial.

Chrome Extensions Inject Affiliate Tags, Steal Tokens

⚠️ Researchers discovered a coordinated network of malicious Google Chrome extensions that inject attacker affiliate tags into e-commerce links, scrape product data, and exfiltrate OpenAI ChatGPT authentication tokens. A cluster of 29 add-ons (including Amazon Ads Blocker) targeted Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart. Separate groups intercepted ChatGPT tokens or abused permissions to harvest cookies and clipboard data. Experts warn these behaviors violate Chrome Web Store policies and urge caution when installing extensions that request broad permissions or combine unrelated features.

Match Group Breach Exposes Data from Multiple Dating Apps

🔒 Match Group confirmed a security incident after the ShinyHunters group leaked 1.7 GB of compressed files allegedly containing about 10 million records from Hinge, Match, and OkCupid, along with internal documents. The company says it terminated unauthorized access, is working with external experts, and believes a limited amount of user data was exposed with no indication that login credentials, financial information, or private communications were accessed. Match Group is notifying affected individuals as appropriate and continuing its investigation.