All news with #data leak tag

Qilin Ransomware: Attack Methods and TTPs Exposed Globally

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.

Ransomware recovery falters: 40% of paying victims lose data

🔒 Two in five companies that pay ransomware attackers still fail to recover their data, according to a Hiscox survey of thousands of SMEs. The study found 27% of businesses were hit in the past year and 80% of affected firms paid a ransom, yet only 60% recovered all or part of their data. Experts blame flawed encryptors, corrupted or compromised backups, and complex double- or triple-extortion tactics. Organisations are urged to maintain tested recovery plans, forensic validation, and incident response retainers rather than rely on payment.

Toys R Us Canada confirms customer data leak; regulators

🔔 Toys R Us Canada has notified customers that a threat actor leaked records taken from its database after a posting on the dark web on July 30, 2025. An investigation with third-party cybersecurity experts confirmed the data's authenticity and found exposed fields may include full name, physical address, email, and phone number, while passwords and payment card details were not exposed. The retailer says it has strengthened IT security, is notifying Canadian privacy regulators, and warns customers to beware of phishing attempts.

Threat Source: SharePoint Exploits and Patch Urgency

⚠ Cisco Talos reports a sharp increase in attacks against public-facing applications, with the ToolShell chain exploiting unpatched Microsoft SharePoint servers rising to over 60% of IR cases this quarter. Ransomware-related incidents fell to about 20% but show evolving tactics, including leveraging legitimate tools and compromised internal accounts for persistence and phishing. Organizations are urged to prioritize rapid patching, robust network segmentation, centralized logging, MFA, and user education to reduce exposure.

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

Serious F5 Breach: Build System and BIG-IP Code Compromised

⚠️ F5 disclosed a major intrusion in which a sophisticated, likely nation-state threat actor maintained long-term access to its internal network. During the compromise the attackers gained control of the build and distribution environment for BIG-IP updates and exfiltrated proprietary source code, documentation of unpatched vulnerabilities, and customer configuration files. F5 warned this data could enable widespread supply-chain and targeted attacks against many sensitive networks.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Ransomware Attack Disrupts IT at Nickelhütte Aue Company

🔒 A ransomware attack on Nickelhütte Aue's office IT encrypted data and caused disruptions across multiple back-office systems, with HR, accounting, finance, purchasing and sales identified as affected. A company spokesperson told CSO that production remained unaffected and management established a crisis organisation after the incident was discovered on Saturday, October 18. The attackers left an extortion note threatening to publish stolen files; investigations by IT forensics teams and authorities are ongoing while the firm consults on how to respond to the ransom demand. The company says it is cleaning infected devices and making steady progress, but the timeframe to fully rebuild IT systems remains unclear.

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

UK Contractor Breach Exposes Sensitive RAF and Navy Sites

🔒 A ransomware attack on contractor Dodd Group reportedly allowed Russian-linked attackers to exfiltrate hundreds of sensitive Ministry of Defence documents, including details on RAF Lakenheath, RAF Portreath and RAF Predannack. The company confirmed an incident and said it contained access, while the MoD suspects the Lynx group is behind the intrusion. Leaked files published on the dark web allegedly include site plans and personnel data, and the case is now under investigation amid a wider rise in UK cyber incidents.

Ransomware Payouts Rise to $3.6M as Tactics Evolve

🔒 The average ransomware payment climbed to $3.6m in 2025, up from $2.5m in 2024, as attackers shift to fewer but more lucrative, targeted campaigns. ExtraHop's Global Threat Landscape Report found 70% of affected organisations paid ransoms, with healthcare and government incidents averaging nearly $7.5m each. The study highlights expanding risks from public cloud, third‑party integrations and generative AI, and urges organisations to map their attack surface, monitor internal traffic for lateral movement and prepare for AI‑enabled tactics.

John Bolton Charged Over Classified Emails Leak After Hack

🔒Former national security adviser John Bolton has been charged with mishandling classified information after prosecutors say he retained and transmitted sensitive documents via a personal AOL account that was later accessed by suspected Iranian hackers. The intruders allegedly downloaded the materials and sent extortion messages to Bolton. The case highlights questions about password strength, the use of two-step verification, and the risks of sending unencrypted, sensitive information to family members. Bolton has pleaded not guilty.

Developers of Lumma Stealer Doxxed in Rival Campaign

🔍Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.

Ransomware Reality: High Confidence, Low Preparedness

⚠️ The CrowdStrike State of Ransomware Survey reveals a sizable gap between organizational confidence and actual ransomware readiness. Half of 1,100 security leaders say they are "very well prepared," yet 78% were attacked in the past year and fewer than 25% recovered within 24 hours. The report warns that AI-accelerated attacks deepen this gap and recommends AI-native detection and response such as Falcon to regain the advantage.

Scattered LAPSUS$ Hunters: Recent Activity and Risks

🚨 Unit 42 observed renewed activity from Scattered LAPSUS$ Hunters in early October 2025, including leaked data claims, a defaced clearnet leak site, and announcements of an extortion-as-a-service offering. The actors set a self-imposed ransom deadline of Oct. 10, 2025 and claimed to have released data allegedly from six victim companies across aviation, energy and retail. Unit 42 recommends organizations prepare EaaS incident playbooks and engage third-party responders.

Experian Fined €2.7m by Dutch Regulator for GDPR Breach

🔒 Experian Netherlands has been fined €2.7m by the Dutch Data Protection Authority for breaching GDPR requirements after collecting and processing personal data from public and private sources without proper notice or consent. The regulator found Experian compiled extensive databases using information from the Chamber of Commerce and data sold by telecom and energy firms, and that its credit scores influenced contract terms, deposits and denials. Experian acknowledged the violations, will not appeal, has ceased Dutch operations and plans to delete the database by year-end.

Rhysida Ransomware Group Lists German Manufacturer Geiger

🔒 On October 17, the ransomware group Rhysida posted the German machine manufacturer Geiger on a darknet victims list, claiming to offer data stolen from the company. The attackers set an asking price of 10 BTC (roughly €1 million) and indicated a sale deadline of October 24, 2025, without specifying the scope or types of data. Geiger has not publicly responded to the claim. Security researchers characterize Rhysida as financially motivated and likely operating from Russia or the CIS.

Developers leaking secrets via VSCode and OpenVSX extensions

🔒 Researchers at Wiz found that careless developers published Visual Studio extensions to the VSCode Marketplace and OpenVSX containing more than 550 validated secrets across over 500 extensions, including API keys and personal access tokens for providers such as OpenAI, AWS, GitHub, Azure DevOps, and multiple databases. The primary cause was bundled dotfiles (notably .env) and hardcoded credentials in source and config files, with AI-related configs and build manifests also contributing. Microsoft and OpenVSX collaborated with Wiz on coordinated remediation: notifying publishers, adding pre-publication secrets scanning, blocking verified secrets, and prefixing OVSX tokens to reduce abuse.

Hackers Leak Personal Data of Hundreds of US Agents

🔓 A hacking collective known as The Com has posted alleged personal details — names, addresses, and phone numbers — of hundreds of US government employees on private Telegram channels. Reporting by 404 Media indicates spreadsheets containing roughly 680 DHS entries, over 170 FBI email addresses, and more than 190 Department of Justice records were shared; the origin of the information is unclear. The group, which has ties to known ransomware and extortion actors, suggested further doxing and even solicited criminal collaboration, raising concerns about threats and physical safety for affected personnel and their families.