All news with #data leak tag

Wed, December 10, 2025

Behind the Breaches: Case Studies of Modern Threat Actors

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both operated malware and was credited by Microsoft for vulnerability disclosures, illustrating the growing hybridization of actor identities. Finally, BlackLock's open recruitment of "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.

Wed, December 10, 2025

HSE Offers €750 to Victims of 2021 Ransomware Attack

🔒 The Health Service Executive (HSE) has offered €750 to individuals whose personal data was exposed in the May 2021 Conti ransomware attack, plus an additional €650 toward legal costs. The intrusion began with a malicious Microsoft Excel file that bypassed outdated anti‑malware defenses, forcing a full IT shutdown and widespread disruption to hospital services. A later PwC review criticised the HSE's unpatched systems and frail infrastructure, while the organisation says it has found no evidence of fraud stemming from the breach after more than four years.

Wed, December 10, 2025

01flip: Rust-Based Multi-Platform Ransomware Targeting APAC

🔐 Unit 42 identified 01flip, a new Rust‑based ransomware family observed in June 2025 that targets both Windows and Linux via Rust cross‑compilation. The malware enumerates writable directories, drops RECOVER-YOUR-FILE.TXT ransom notes, renames files with a .01flip extension, and encrypts victims' files with AES‑128‑CBC while protecting the session keys with an embedded RSA‑2048 public key. Observed victims are a limited set in the Asia‑Pacific region, and an alleged data dump appeared on a dark‑web forum after at least one infection.

Tue, December 9, 2025

Spain Arrests 19-Year-Old Suspect Over 64M Data Records

🔒 A 19-year-old suspect in Igualada, Barcelona, was arrested after authorities linked him to breaches at nine companies and the theft of 64 million private records. Police say the dataset included full names, home addresses, email addresses, phone numbers, DNI numbers and IBAN codes that the suspect attempted to sell on hacker forums using multiple accounts and pseudonyms. Officers seized computers and cryptocurrency wallets believed to hold proceeds from the sales; the investigation began in June. Separately, Ukrainian police arrested a 22-year-old who used custom malware and a 5,000-account bot farm to compromise and sell social media access.

Tue, December 9, 2025

Streamlit Exposes Shadow AI Risks and Data Leaks at Scale

⚠️ UpGuard's analysis of Streamlit-hosted applications uncovered thousands of publicly accessible data apps that expose sensitive business and personal information. Scans in October 2025 identified 14,995 unique IPs running Streamlit; after accounting for instances with authentication or errors, over ten thousand apps remained accessible without login. The report documents exposed PII and business intelligence dashboards and recommends practical controls: maintain an inventory of user apps, move sensitive workloads off the Community Cloud, and enable authentication by default.

Tue, December 9, 2025

Gartner Urges Enterprises to Block AI Browsers Now

⚠️ Gartner has advised enterprises to block AI browsers until the associated risks can be adequately managed. In its report "Cybersecurity Must Block AI Browsers for Now", analysts warn that default settings prioritise user experience over security and list threats such as prompt injection, credential exposure and erroneous agent actions. Researchers and vendors have also flagged vulnerabilities and urged risk assessments and oversight.

Tue, December 9, 2025

Manufacturing Sees Fewer Encryptions but Ransom Risks

🔒 A recent Sophos study finds the manufacturing sector is blocking more ransomware before encryption, with only 40% of attacks resulting in data encryption this year versus 74% in 2024. Despite improved containment, data theft remains high (39% of encrypted cases) and more than half of affected firms paid ransoms; the median payment was about €861,000. Shortages of skilled staff, unknown vulnerabilities and inadequate protections are cited as root causes, and attacks are increasing stress and leadership pressures within IT teams.

Mon, December 8, 2025

Marquis Software Breach Impacts Over 780,000 Nationwide

🔒 Marquis Software Solutions confirmed a breach affecting more than 780,000 individuals after attackers exploited a SonicWall firewall vulnerability on 14 August. The company shut down affected systems and engaged external cybersecurity specialists; a late-October review found unauthorized actors copied files containing personal and financial data from certain business customers. Marquis is offering free credit monitoring and has implemented multiple security controls while its investigation continues, and it reports no evidence so far that the stolen data has been posted online.

Mon, December 8, 2025

Barts Health Seeks High Court Ban After Oracle EBS Breach

🔒 Barts Health NHS Trust has applied to the High Court seeking an order to prevent the sharing, publication or use of data stolen from an Oracle E-Business Suite database. A criminal group known as Cl0p posted compressed files on the dark web containing names, addresses and invoicing records relating to patients, suppliers and former staff. The trust says clinical systems and core IT infrastructure were unaffected and it is working with NHS England, the NCSC and law enforcement while notifying regulators.

Fri, December 5, 2025

Barts Health NHS Reports Data Theft via Oracle Zero-Day

🔒 Barts Health NHS Trust disclosed that the Cl0p ransomware group stole invoice data from an Oracle E-Business Suite database after exploiting a zero-day vulnerability (CVE-2025-61882). Stolen files include full names and addresses of payers, records of former employees with debts, supplier details, and accounting files relating to Barking, Havering and Redbridge University Hospitals. The trust says its electronic patient record and clinical systems were not affected, has notified the NCSC, Metropolitan Police and the ICO, and is seeking a High Court order while advising patients to check invoices and remain vigilant for suspicious communications.

Fri, December 5, 2025

Ransomware in Manufacturing: Lower Encryption, High Payouts

🔒 A Sophos study finds manufacturing firms are increasingly able to stop ransomware before encryption occurs, with only 40% of attacks leading to data encryption — the lowest rate in five years and down from 74% the prior year. Despite improved defenses, data theft remains a major concern: 39% of encrypted incidents resulted in data loss. More than half of affected companies still paid ransoms, with a median payment of about €861,000 versus median demands near €1 million. Respondents cited skills shortages, unknown vulnerabilities and missing protections as key contributors, and attacks continue to strain IT and leadership teams.

Fri, December 5, 2025

Inotiv Discloses August Ransomware Breach Affecting 9,542

🔒 Inotiv, an Indiana-based contract research organization, disclosed an August ransomware attack that disrupted operations after networks, databases, and internal applications were taken offline. The company says it has 'restored availability and access' to impacted systems and is notifying 9,542 individuals whose information was stolen. The incident, dated to approximately August 5–8, 2025, was claimed by the Qilin ransomware group, which published alleged samples and asserted it exfiltrated roughly 162,000 files totaling about 176 GB, though Inotiv has not confirmed the specific data types or publicly attributed the attack.

Fri, December 5, 2025

Intellexa Predator Leaks Reveal Zero-Days and Ad Abuse

🔎 Amnesty International reports a Pakistani human rights lawyer received a WhatsApp link tied to a Predator 1-click attempt, the first known targeting of Balochistan civil society by Intellexa's spyware. Jointly published leaks and vendor analyses show Predator (also marketed as Helios, Nova and Green Arrow) used messaging, ad-based and ISP-assisted vectors plus multiple zero-day exploits to install surveillance payloads. Google Threat Intelligence Group mapped numerous V8, WebKit, Android kernel and other CVEs to the campaign and documented a modular iOS exploitation framework named JSKit and a post-exploitation payload called PREYHUNTER. The disclosures raise urgent questions about exploit sourcing, customer access to logs, and human rights due diligence.

Fri, December 5, 2025

Intellexa's Predator Spyware Continues Despite Sanctions

📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.

Fri, December 5, 2025

SpyCloud: Phishing Targets Corporate Users 3x More

🔍 SpyCloud reported a 400% year‑over‑year increase in successfully phished identities, finding nearly 40% of more than 28 million recaptured phish records contained business email addresses—about three times the rate observed in recaptured malware. The company warns phishing has become the preferred gateway into enterprise environments and is fueling follow‑on attacks such as ransomware. SpyCloud urges organizations to adopt real‑time visibility and automated post‑compromise remediation across both personal and professional identities.

Fri, December 5, 2025

Coupang Exposes 33.7M Accounts Due to Key Mismanagement

🔒 Coupang disclosed an unauthorized exposure affecting approximately 33.7 million user accounts, an incident investigators trace to long‑neglected token signing keys in its authentication infrastructure. Leaked records reportedly included names, email addresses, shipping address lists and some order details; payment and login credentials were not exposed. Authorities and a joint public-private investigation are probing the breach and potential regulatory violations, and a former authentication engineer is the prime suspect.

Thu, December 4, 2025

Predator Spyware Uses Ad-Based Zero-Click Infection

📢 Researchers report that the Predator spyware operator Intellexa developed a zero-click delivery mechanism called Aladdin that can infect targets simply by serving a weaponized advertisement. The technique abuses commercial mobile advertising systems and Demand Side Platforms to force malicious ads to specific IPs and devices, with viewing alone triggering redirections to exploit servers. First deployed in 2024 and routed through shell companies across multiple countries, the campaign is corroborated by leaked Intellexa documents and technical analysis from Amnesty, Google, and Recorded Future. Analysts recommend blocking ads, hiding public IPs, and using platform protections, though leaked materials suggest operators can obtain subscriber IP/location data from local mobile operators.

Thu, December 4, 2025

Contractors Accused of Wiping 96 Government Databases

🧾 Two Virginia brothers, former federal contractors Muneeb and Sohaib Akhter, have been charged with conspiring to steal sensitive data and deleting roughly 96 government databases after being fired. Prosecutors allege the deletions occurred in February 2025 and that Muneeb also stole IRS and EEOC information for hundreds of individuals. One minute after deleting a DHS database, he reportedly asked an AI tool how to clear system logs. Authorities say the pair wiped devices, destroyed evidence, and face multiple federal charges including computer fraud and aggravated identity theft.

Thu, December 4, 2025

ThreatsDay: Wi‑Fi Hack, npm Worm, DeFi Theft and More

🔒 This week's ThreatsDay roundup highlights a string of high-impact incidents, from a $9 million DeFi drain and an npm-based self-replicating worm to airport Wi‑Fi evil‑twin attacks and mass camera compromises. Researchers and vendors including Fortinet, Microsoft, and TruffleHog disclosed evolving malware techniques, supply-chain abuse, and widespread credential exposure. Practical protections include minimizing long-lived secrets, enforcing CI/CD safeguards, updating detection for eBPF-based threats, and applying MFA and phishing-resistant controls.

Thu, December 4, 2025

Five Major Threats That Reshaped Web Security in 2025

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.
