All news with #data leak tag

Oracle patches critical EBS zero-day used by Clop gang

⚠️ Oracle has released an emergency update addressing CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite (Concurrent Processing / BI Publisher Integration). The vulnerability affects versions 12.2.3–12.2.14 and carries a CVSS base score of 9.8. Customers must first install the October 2023 Critical Patch Update before applying the new fix. Intelligence firms say the Clop extortion gang actively used the bug in August 2025 to steal data.

ParkMobile settlement: $1 credits for 2021 breach victims

🔒 ParkMobile has settled a class action tied to its 2021 data breach, offering affected users a $1 in-app credit as part of a $32.8 million resolution. Threat actors leaked a 4.5 GB CSV exposing nearly 22 million customers' names, contact details, bcrypt-hashed passwords, mailing addresses, license plates and vehicle information. Claimants must manually apply promo code P@rkMobile-$1 (most codes expire Oct 8, 2026; California codes do not), and the company warns of continuing SMS phishing campaigns targeting users.

Identifiable Discord User Data Exposed in Third-Party Breach

🔒 Hackers accessed a third-party customer service system used by Discord on September 20, stealing partial payment details and personally identifying information for a limited number of users who contacted support or Trust and Safety. The attackers appear financially motivated and demanded a ransom. Discord revoked the provider's access, engaged a computer forensics firm, launched an internal investigation, and notified law enforcement. Exposed data included real names, usernames, emails, IP addresses, support messages and attachments, photos of government IDs for a small subset, and partial billing details such as payment type and the last four card digits.

Discord discloses data breach after support-ticket hack

🔒 Discord disclosed that attackers accessed a third-party customer support system on September 20 and stole a limited set of user support tickets and associated data. Exposed information included names, usernames, email addresses, IP addresses, messages and attachments, photos of government-issued IDs for a small number of users, and partial billing details such as payment type and the last four card digits. Discord says it isolated the vendor, revoked access, launched an internal and forensics investigation, and engaged law enforcement. The threat actor demanded a ransom and a group claiming responsibility said the breach involved a Zendesk instance.

Extortion Gang Reveals Alleged Salesforce Victims List

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

Asahi Confirms Ransomware Attack Disrupting Japan Operations

🔒 Asahi Group Holdings has confirmed a ransomware attack caused IT disruptions that forced shutdowns at its Japanese factories and prompted a switch to manual order and shipment processing. The company says investigations found evidence suggesting potential unauthorized data transfer from compromised devices. Asahi has established an Emergency Response Headquarters and is working with external cybersecurity experts; no cybercriminal group has publicly claimed responsibility.

ShinyHunters Leak Salesforce Data; Many Companies Exposed

🔓 An extortion group claiming affiliation with ShinyHunters, Scattered Spider, and Lapsus$ has launched a public data leak site listing 39 companies allegedly compromised via Salesforce breaches. The site publishes sample records and urges victims to pay before an October 10 deadline, while also demanding that Salesforce pay to prevent disclosure of roughly 1 billion records. The attackers say they used OAuth-based voice-phishing and stolen tokens to access customer data. Victims named include FedEx, Disney/Hulu, Google, Cisco, and many other major brands.

Rhadamanthys 0.9.2 Stealer Introduces New Evasion Techniques

🔒 Check Point Research details the release of Rhadamanthys 0.9.2, a new build of a widely used information stealer that introduces multiple evasion and delivery changes. The update replaces previous loaders with a PNG-based payload delivery, updates encryption, refines sandbox checks, adds configurable process injection, and expands targeting to include Ledger Live crypto wallets. Operators have rebranded as RHAD Security / Mythical Origin Labs and launched a professional site, while CPR supplies updated signatures and tools to help defenders adapt.

Oracle Links Clop Extortion to July EBS Vulnerabilities

🔒 Oracle said some customers received extortion emails tied to its E-Business Suite and linked the campaign to vulnerabilities patched in the July 2025 Critical Patch Update. While Oracle did not attribute the activity to a specific ransomware group, its investigation found potential use of previously identified EBS flaws, including three that were remotely exploitable. Security firms reported executives began receiving ransom demands on or before September 29, 2025. Oracle urged customers to apply the latest patches and contact support if they need assistance.

WestJet Data Breach Affects 1.2 Million Customers Update

🛫 WestJet has confirmed a data breach affecting 1.2 million customers following a June 13, 2025 intrusion, and notified authorities on September 29. The airline says a "sophisticated, criminal third party" accessed names, contact details, reservation documents and other relationship data; WestJet Rewards members may have had IDs and points balances exposed, though account passwords were not accessed. WestJet states that credit card numbers, expiry dates and CVVs were not compromised, systems are secure, affected customers are being contacted, and identity protection is being offered where appropriate.

Cl0p-linked Extortion Targets Oracle E-Business Suite

🔒 Researchers at Halcyon, Google, and Mandiant report an extortion campaign attributed to actors likely affiliated with the Cl0p gang, targeting Oracle E‑Business Suite (EBS) via exposed local login pages. Attackers allegedly abused the AppsLocalLogin.jsp password‑reset workflow to obtain local credentials that bypass SSO and often lack MFA, then sent executive extortion demands with proof samples. Demands range into seven and eight figures, reportedly up to $50 million; defenders are advised to restrict public EBS access, enforce MFA, and review logs immediately.

Extortion Emails Target Executives Claiming Clop Ties

📧 An individual or group claiming to work with the Clop ransomware gang has been sending extortion emails to executives at multiple organizations since September 29, according to Google. Researchers at Mandiant and the Google Threat Intelligence Group are investigating and report a high-volume campaign launched from hundreds of compromised accounts, with at least one account previously linked to FIN11. The messages include contact information that matches addresses on the Clop data leak site, suggesting the actor may be leveraging Clop's brand; however, investigators emphasize this does not prove direct Clop involvement and advise targeted organizations to search for indicators of compromise.

Study Finds Major Security Flaws in Popular Free VPN Apps

🔍 Zimperium zLabs’ analysis of 800 Android and iOS free VPN apps found widespread privacy and security weaknesses, including outdated libraries, weak encryption, and misleading privacy disclosures. The report highlights concrete failures such as vulnerable OpenSSL builds (including Heartbleed-era versions), roughly 1% of apps permitting Man-in-the-Middle decryption, and about 25% of iOS apps lacking valid privacy manifests. Researchers warn excessive permission requests and private entitlements increase risk, especially in BYOD and remote-work environments, and recommend stronger security models, endpoint visibility and zero-trust approaches.

Raise3D Pro2 Series Authentication Bypass Advisory

⚠️ CISA warns of a high-severity authentication bypass in Raise3D Pro2 Series 3D printers caused by an unauthenticated debug port that can expose the device file system. The flaw, CVE-2025-10653, has a CVSS v4 score of 8.8 and is remotely exploitable with low complexity when developer mode is enabled. Raise3D is developing firmware fixes; users should disable developer mode and limit network access until patched.

Google, Mandiant Probe Extortion Claims Targeting Oracle EBS

📧 Google Mandiant and the Google Threat Intelligence Group report a new high-volume extortion campaign that claims stolen data from Oracle E-Business Suite. The operation began on or before September 29, 2025, uses hundreds of compromised accounts, and includes contact addresses verified on the Cl0p data leak site. Mandiant notes at least one sending account has ties to FIN11, a TA505 subset. Investigations are ongoing and organizations are urged to inspect for compromise.

Red Hat Confirms GitLab Breach Affecting Consulting

🔒 Red Hat confirmed a security incident after an extortion group calling itself the Crimson Collective claimed to have stolen nearly 570GB of compressed data from roughly 28,000 internal repositories in a GitLab instance used solely for consulting engagements. The group alleges the haul includes about 800 Customer Engagement Reports (CERs) that may contain infrastructure details, authentication tokens, and database URIs. Red Hat says it is remediating the issue, has not verified the attackers' specific claims, and believes its software supply chain and other services remain unaffected.

Red Hat Confirms Security Incident After GitHub Claims

🔒 An extortion group calling itself Crimson Collective claims to have exfiltrated nearly 570GB of compressed data from about 28,000 private GitHub repositories, including roughly 800 Customer Engagement Reports (CERs). Red Hat confirmed a security incident tied to its consulting business but would not validate the attackers’ specific claims, saying it has initiated remediation and sees no indication the issue affects its products or software supply chain. The group published directory listings and alleges finding authentication tokens and full database URIs that could be used to access downstream customer infrastructure.

Clop-Linked Extortion Emails Claim Oracle E-Business Theft

📧 Mandiant and Google are tracking a high-volume extortion email campaign that began on or before September 29, 2025, in which executives received messages claiming sensitive data was stolen from Oracle E-Business Suite systems. The emails are being sent from hundreds of compromised accounts and include contact addresses tied to the Clop data leak site, indicating a potential connection to the Clop/FIN11 extortion operation. Investigators caution there is not yet sufficient evidence to confirm actual data theft and recommend organizations check their Oracle environments for unusual access or compromise.

Ransomware Incident at Dealer Software Vendor Exposes Data

🔒 A ransomware attack on Motility Software Solutions on August 19, 2025, encrypted portions of its systems and may have exposed personal information for approximately 766,000 customers. The DMS vendor supports about 7,000 dealerships and stores data including names, emails, phone numbers, dates of birth, Social Security numbers, and driver’s license numbers. Motility restored systems from backups, implemented additional security measures, and is offering one year of identity monitoring through LifeLock to affected individuals.