All news with #data leak tag

Zscaler ThreatLabz: Global Ransomware Surge 2024–2025

🔒 Zscaler's annual ThreatLabz Ransomware Report (April 2024–April 2025) warns of a marked rise in extortion-focused attacks: incidents increased 146% year-over-year while exfiltrated data grew 92%. The vendor attributes this to a strategic shift from pure encryption to data theft and public shaming, with criminals using stolen files as leverage. Researchers also report that generative AI is increasingly incorporated into attackers' playbooks to enable more targeted and efficient campaigns. The U.S. accounted for half of all recorded attacks, Germany saw a nearly 75% rise and is the EU's most affected country, and the most-targeted sectors were manufacturing, technology and healthcare.

Insight Partners Discloses 2024 Ransomware Breach Impacting

🔒 Insight Partners disclosed a ransomware attack that occurred around 25 October 2024 but was first detected on 16 January 2025. The firm says a sophisticated social engineering attack enabled a threat actor to exfiltrate data and encrypt servers before being expelled the same day. About 12,657 individuals may be affected; the firm offers free identity-theft protection and urges password resets and MFA.

Protecting SMBs From Ransomware: Trends and Defenses

🔒 Small and medium-sized businesses are increasingly targeted by ransomware gangs that exploit weak defenses, offer Ransomware-as-a-Service, and adapt tactics with AI-driven tools. RaaS industrialization and discoveries like ESET's PromptLock demonstrate how attackers can scale reconnaissance, exploitation and social engineering. SMBs face double-extortion, DDoS and coercive pressures while repeat payments remain an issue despite a decline in aggregate crypto payouts. Practical defenses—Zero Trust, timely patching, reliable backups, EDR/MDR and tested incident response—can materially reduce risk.

NCA to Lead Five Eyes Effort Against 'The Com' Networks

🔒 The UK's National Crime Agency will chair the Five Eyes Law Enforcement Group (FELEG) and concentrate on disrupting cybercrime, money laundering and online sexual abuse of children over the next two years. The NCA singled out loosely affiliated native-English networks known as 'The Com', which operate across messaging apps, gaming platforms and forums and share violent and child-abuse material. It also linked these groups to data-theft and extortion campaigns involving actors such as Scattered Spider, ShinyHunters and Lapsus$, citing incidents affecting retailers and luxury brands. FELEG has promoted the UK's Counter Terrorism Policing to full member status to strengthen responses to hybrid threats.

Pompompurin Resentenced: BreachForums Creator Jailed

🔒 Conor Brian Fitzpatrick, known online as "Pompompurin", has been resentenced to three years in prison after a U.S. appeals court overturned his earlier lenient term. He created and administered the notorious BreachForums, a marketplace for stolen data and hacking tools, and was arrested after the Department of Justice disrupted the site. Fitzpatrick had violated pretrial release conditions and pleaded guilty to hacking charges and possession of child sexual abuse material; the forum remains active under a new domain.

Brute-force Attacks Target SonicWall Cloud Backups

🔒 SonicWall warned that brute-force attacks against its firewall API used for cloud backups may have exposed preference files stored in customers' MySonicWall.com portals. The vendor has disabled the cloud backup capability and is urging admins to restrict or disable SSLVPN and Web/SSH management over the WAN, then reset passwords, keys, and secrets. Less than 5% of the install base had backups in the cloud, but that could still affect thousands of organizations. SonicWall has provided remediation guidance and will notify customers if their accounts show impacted serial numbers.

ShinyHunters Claims 1.5B Salesforce Records Stolen via Drift

🔒 The ShinyHunters extortion group claims they stole approximately 1.5 billion Salesforce records from 760 companies by abusing compromised Salesloft Drift and Drift Email OAuth tokens exposed in a Salesloft GitHub breach. The attackers reportedly accessed Account, Contact, Case, Opportunity, and User tables and searched exfiltrated data for secrets to pivot further. Google/Mandiant and the FBI are tracking the activity as UNC6040/UNC6395, and Salesforce urges customers to enable MFA, enforce least privilege, and manage connected apps carefully.

Shai-Hulud Worm: Large npm Supply Chain Compromise

🪱 Palo Alto Networks Unit 42 is investigating an active supply chain attack in the npm ecosystem driven by a novel self-replicating worm tracked as "Shai-Hulud." The malware has compromised more than 180 packages, including high-impact libraries such as @ctrl/tinycolor, and automates credential theft, repository creation, and propagation across maintainers' packages. Unit 42 assesses with moderate confidence that an LLM assisted in authoring the malicious bash payload. Customers are protected through Cortex Cloud, Prisma Cloud, Cortex XDR and Advanced WildFire, and Unit 42 recommends immediate credential rotation, dependency audits, and enforcement of MFA.

Companies Affected by the Shai-Hulud NPM Supply Chain

🔎 From Sept 14–16, more than 180 NPM packages were compromised in the Shai-Hulud worm. The malware propagated by pushing malicious changes to other packages and exfiltrated secrets by publishing data to public GitHub repositories. Using the GitHub Events Archive, UpGuard identified 207 affected repos (175 labeled "Shai-Hulud Migration", 33 "Shai-Hulud Repository"), mapping to 37 users and a set of corporate employers. Affected developers have removed leaked files, but organizations should still audit exposed repos and rotate secrets.

Insight Partners Notifies Thousands After Ransomware Breach

🔒 Insight Partners is notifying thousands of people after a ransomware incident in which a threat actor gained network access via a sophisticated social engineering attack. The attackers reportedly exfiltrated sensitive data — including banking and tax records, personal information of current and former employees, and details related to limited partners, funds, management companies, and portfolio companies — before encrypting servers on January 16, 2025. The firm says formal notification letters and complimentary credit or identity monitoring are being mailed; if you do not receive a letter by the end of September 2025, your personal data was determined not to be impacted. State filings indicate 12,657 individuals were affected, and no group has publicly claimed responsibility.

SonicWall urges credential resets after MySonicWall breach

🔐 SonicWall says firewall configuration backup files in certain MySonicWall accounts were exposed in a security incident and is urging customers to reset credentials immediately. The company reports it cut off attacker access and is working with cybersecurity and law enforcement to investigate. SonicWall published an Essential Credential Reset checklist to help administrators update passwords, API keys, tokens and related secrets and to restrict WAN access before making changes.

TaskUs Employee Allegedly Central to Coinbase Breach

🔒 A US court filing identifies a TaskUs employee as a key conspirator in the December 2024 breach of Coinbase, a compromise publicly disclosed in May 2025. Prosecutors allege support agents were bribed and recruited to steal customer PII, impacting almost 70,000 users and facilitating social engineering and asset theft. The filing names employee Ashita Mishra, accuses her of stealing and photographing hundreds of records per day and selling data for $200 a record, and claims TaskUs tried to minimize and conceal its security failures. Plaintiffs seek monetary damages and court-ordered security reforms.

Cyberattack on HEM expert affects all ten southern stores

🔒 HEM expert has informed customers that a cyberattack on July 18, 2025 affected all ten of its branches in southern Germany. The retailer says business operations continued almost without disruption, but acknowledges that data was stolen and that customer and employee personal information — potentially including names, addresses, dates of birth, contact details and bank or credit card data — may have been compromised. The company is investigating the scope of the leak, working with data protection authorities, and notifying those potentially affected. Some customers complained about delayed notification; HEM expert says it will strengthen security and staff awareness.

Wormable npm campaign infects hundreds, steals secrets

🪱 Researchers have identified a self-propagating npm worm dubbed Shai-Hulud that injects a 3MB+ JavaScript bundle into packages published from compromised developer accounts. A postinstall action executes the bundle to harvest npm, GitHub, AWS and GCP tokens and to run TruffleHog for broader secret discovery. The worm creates public GitHub repositories to dump secrets, pushes malicious Actions to exfiltrate tokens, and has exposed at least 700 repositories; vendors urge rotation of affected tokens.

DoJ Resentences BreachForums Founder to Three Years

⚖️ The U.S. Department of Justice resentenced Conor Brian Fitzpatrick (aka Pompompurin) to three years in prison after vacating his prior 17‑day time‑served sentence for operating BreachForums and possessing child sexual abuse material. Fitzpatrick pleaded guilty in 2023 to access device conspiracy, access device solicitation, and CSAM possession and agreed to forfeit domains, devices, and cryptocurrency representing illicit proceeds. The resentencing followed a Fourth Circuit decision that remanded his case for a new term.

Identifying Companies Affected by Shai-Hulud NPM Attack

🛡️ This report analyzes the Sept 14–16 campaign that compromised over 180 NPM packages and propagated the self‑replicating Shai‑Hulud worm, which pushed malicious changes and exfiltrated secrets by publishing data.json files to public GitHub repositories. By parsing the GitHub events archive, researchers identified 207 affected repositories tied to 37 users and attributed those users to 17 employers. Several infected users were NPM maintainers who acted as “super spreaders.” Although exposed files were removed, archived events enable retrospective reconstruction and demand urgent auditing and remediation.

BreachForums Admin Resentenced to Three Years Prison

🔒 Conor Brian Fitzpatrick, 22, who operated the BreachForums hacking forum under the alias Pompompurin, was resentenced to three years in prison after the U.S. Court of Appeals vacated his earlier sentence of time served and 20 years of supervised release. Fitzpatrick pleaded guilty in July 2023 to conspiracy to commit access device fraud, solicitation to offer access, and possession of child sexual abuse material (CSAM). Prosecutors say he violated pretrial release by using VPNs and unauthorized, unmonitored devices to conceal internet activity. BreachForums, created in 2022, rapidly grew to over 330,000 members and facilitated the sale and leakage of stolen data and access to corporate networks.

Fifteen Ransomware Groups Announce Retirement Plans

🔒 Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, posted a collective statement on BreachForums announcing they are ceasing operations and entering a period of “silence.” The announcement framed their activity as exposing systemic vulnerabilities rather than pure extortion and said some members intend to retire on accumulated funds while others will continue studying systems quietly. Analysts and threat intelligence experts cautioned this could be a temporary PR move, noting past groups have rebranded or spawned successors rather than vanishing permanently.

ShinyHunters Breach Hits Gucci, McQueen and Balenciaga

🔒 Luxury fashion groups Gucci, Alexander McQueen and Balenciaga have had customer data exposed in an attack linked to the ShinyHunters group. A sample of files shared with the BBC reportedly included thousands of genuine customer records and spending details, and the group claims data on 7.4 million email addresses. Kering confirmed temporary unauthorized access in June but said no financial information or government identifiers were involved. Security experts warn the data could fuel follow-on fraud, especially if sold on criminal forums.

Self-Replicating Worm Infects Over 180 NPM Packages

🐛 A self-replicating worm dubbed Shai-Hulud has infected at least 187 NPM packages, stealing developer credentials and publishing them to public GitHub repositories that include the string 'Shai-Hulud'. The malware searches for NPM tokens, uses them to inject itself into the top 20 packages accessible to the token and auto-publishes new versions, and leverages tools such as TruffleHog to locate secrets. The campaign briefly affected multiple packages linked to CrowdStrike and was first observed being modified on Sept. 14.