All news with #data leak tag

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

Hacker Claims Theft of 2.3TB from Almaviva Affecting FS

🔓 A threat actor claims to have stolen 2.3 terabytes of data from IT services provider Almaviva and posted the material on a dark web forum. The leak reportedly includes confidential documents and sensitive information related to FS Italiane Group, such as internal shares, technical documentation, contracts, HR and accounting archives. D3Lab's Andrea Draghetti says the files are recent (Q3 2025) and not recycled from a 2022 Hive incident. Almaviva confirmed a breach, says affected systems were isolated, and that authorities have been notified while an investigation continues.

Hacker Claims 2.3TB Theft from Italian Rail IT Provider

🔒 A threat actor claims to have stolen 2.3 terabytes of data from Almaviva, the IT services provider linked to Italy's state-owned rail operator, FS Italiane Group. The actor posted the alleged dump on a dark web forum and described the contents as confidential documents, technical files, contracts, HR and accounting archives. Almaviva confirmed a cyberattack affecting corporate systems, said some data were taken, and reported it to national authorities while an investigation is ongoing.

Salesforce Probes Customer Data Theft via Gainsight Apps

🔒 Salesforce says it revoked active access and refresh tokens tied to Gainsight-published applications after detecting unusual activity that may have enabled unauthorized access to some customers' CRM data. The company says the issue stems from the app's external connection rather than a vulnerability in Salesforce itself and temporarily removed those apps from the AppExchange. Affected customers have been notified and can contact Salesforce Help for assistance.

Smashing Security Ep 444: Honest Breach and Hotel Phish

📰 In episode 444 of the Smashing Security podcast Graham Cluley and guest Tricia Howard examine a refreshingly candid breach response where a company apologised and redirected a ransom payment to cybersecurity research, illustrating how legacy systems can still magnify risk. They unpack a sophisticated hotel-booking malware campaign that abuses trust in apps and CAPTCHAs to deliver PureRAT. The hosts also discuss the rise of autonomous pen testing, AI-turbocharged cybercrime, and practical questions CISOs should be asking on Monday morning, with a featured interview featuring Snehal Antani from Horizon3.ai.

WhatsApp flaw allowed discovery of 3.5B registered numbers

🔍 Researchers from the University of Vienna and SBA Research found a flaw in WhatsApp's contact discovery that let them enumerate valid numbers globally, confirming about 3.5 billion registered accounts. By abusing the lookup mechanism they could probe numbers across 245 countries at rates exceeding 100 million checks per hour from a single IP. The technique also exposed public (non-private) keys, timestamps, profile photos and About text, enabling inference of device OS, account age and linked secondary devices, prompting Meta to add rate limits and tighter visibility rules.

Data Breach at Eurofiber France Affects Ticketing Systems

🔐 Eurofiber Group said its French subsidiary, Eurofiber France, experienced a breach after attackers exploited a software vulnerability to access its ticket management system and exfiltrate data. The company stated that sensitive bank details and other critical data were not affected. The incident impacted the ATE cloud portal and regional sub-brands (Eurafibre, FullSave, Netiwan, Avelia). Eurofiber says it closed the vulnerability, strengthened controls and engaged cybersecurity experts to support customers.

French Pajemploi Reports Data Breach Affecting 1.2M

🔒 French social security service Pajemploi disclosed a data breach detected on November 14 that may have exposed personal information for up to 1.2 million registered home-based childcare workers and parents. Potentially exfiltrated data includes full names, place of birth, postal addresses, social security numbers, names of banking institutions, Pajemploi numbers, and accreditation numbers. The agency says IBANs, email addresses, phone numbers, and passwords were not accessed. Pajemploi notified CNIL and ANSSI, will inform affected individuals, and URSSAF warned of increased phishing and social engineering risks.

DoorDash Confirms October 2025 Customer Data Breach

🔒 DoorDash has confirmed a data breach in October 2025 that exposed customers' names, phone numbers, physical addresses and email addresses. The company said an employee was targeted in a social engineering scam that allowed unauthorized access, but there is currently no indication the data has been misused. DoorDash stated that sensitive identifiers and payment information were not accessed and that it has engaged an external firm, notified law enforcement, rolled out security enhancements and issued additional staff training.

Iranian-backed UNC1549 Deploys TWOSTROKE and DEEPROOT

🛡️ Mandiant has linked suspected Iranian espionage actors to a sustained campaign by UNC1549 that deployed backdoors such as TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. Operating from late 2023 through 2025, the group abused trusted third parties and VDI sessions to pivot into customer environments and leveraged highly targeted, role‑relevant phishing. Observed operations combined credential theft, lateral movement, custom tunnellers and credential‑stealing utilities to execute long‑term reconnaissance and data exfiltration.

Checkout.com Apologizes After Breach, Donates Ransom

🔒 Checkout.com publicly disclosed a breach after the ShinyHunters group accessed data from a legacy third‑party cloud storage system used prior to 2020, and issued an apology taking responsibility for the error. The company said fewer than 25% of current merchants were affected, confirmed no payment card data was taken, and refused the ransom demand. Instead of paying, it donated the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support research into cybercrime.

Half a Million FTSE 100 Credentials Discovered Online

🔒 Security researchers from Socura and Flare found around 460,000 compromised credentials tied to FTSE 100 domains across clear- and dark-web crime communities, including 28,000 entries from infostealer logs. The report notes many companies had thousands of leaks and that password hygiene remains poor, with 59% having at least one user using 'password'. It recommends MFA, passkeys, password managers, conditional access and proactive leak monitoring.

Eurofiber France reports ticketing-system data breach

🔒 Eurofiber France disclosed a cybersecurity incident after attackers exploited a vulnerability in its ticket management system and exfiltrated information. The company said the impact is limited to its French division, including the ATE portal and several regional sub-brands, and that banking details and other critical data on separate systems were not affected. Authorities (CNIL, ANSSI) were notified and an extortion report has been filed while investigations continue.

Princeton discloses data breach affecting donors, alumni

🔒 Princeton University disclosed a November 10 cyberattack in which threat actors phished an employee and accessed a database used for fundraising and alumni engagement. The attackers exfiltrated biographical information such as names, email addresses, telephone numbers, and home and business addresses for alumni, donors, faculty, staff, and students. University officials say the compromised system did not contain financial data, passwords, or Social Security numbers, and they have blocked the intruders' access while investigating. Affected individuals are urged to verify any communications claiming to be from the university and to avoid sharing sensitive information.

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.

Kraken Uses Benchmarking to Optimize Ransomware Attacks

🔒 Cisco Talos reported August 2025 activity by Kraken, a Russian‑speaking ransomware operation linked to the remnants of HelloKitty. The group exploits SMB flaws for initial access, uses Cloudflare for persistence and SSHFS to exfiltrate data, then deploys cross‑platform encryptors across Windows, Linux and VMware ESXi. Notably, Kraken benchmarks victim machines to tune encryption speed and reduce detection and instability. Victims span multiple countries and attackers operate a new leak forum called Last Haven Board.

Pennsylvania AG Data Breach After INC Ransom Attack

🔒 The Pennsylvania Office of the Attorney General (OAG) confirmed that files containing personal and medical information were accessed during an August 9 ransomware attack and that the office refused to pay the ransom. The incident encrypted systems and disrupted the OAG website, employee email accounts, and landline phones. Researcher Kevin Beaumont identified public-facing Citrix NetScaler appliances vulnerable to CVE-2025-5777 (Citrix Bleed 2) that may have been exploited. The threat actor INC Ransom later claimed responsibility and posted about 5.7TB of alleged stolen data.

Five Plead Guilty to Enabling DPRK Remote IT and Hacks

🔒 Five individuals have pleaded guilty to serving as facilitators for North Korean cyber operations, the US Department of Justice said. They used false or stolen identities and hosted employer laptops in US residences to create the appearance of domestic remote IT workers, aiding APT38-linked efforts. The DoJ said the activity impacted more than 136 US organizations, generated over $2.2m for Pyongyang and compromised the identities of 18 US residents, and authorities seized $15m in Tether tied to related heists.

When Romantic AI Chatbots Can't Keep Your Secrets Safe

🤖 AI companion apps can feel intimate and conversational, but many collect, retain, and sometimes inadvertently expose highly sensitive information. Recent breaches — including a misconfigured Kafka broker that leaked hundreds of thousands of photos and millions of private conversations — underline real dangers. Users should avoid sharing personal, financial or intimate material, enable two-factor authentication, review privacy policies, and opt out of data retention or training when possible. Parents should supervise teen use and insist on robust age verification and moderation.

Jaguar Land Rover Cyberattack Costs Company Over $220M

📰 Jaguar Land Rover reported a cyberattack cost of £196 million ($220 million) for the July–September quarter after the incident forced production shutdowns and staff to be sent home. The breach, announced on 2 September 2025, involved confirmed data theft and was claimed on Telegram by the group Scattered Lapsus$ Hunters. Following a UK government-backed £1.5 billion loan guarantee, JLR says operations, wholesale and supplier financing have been restored and production has resumed under a phased restart.