All news with #data leak tag

Post Office Avoids £1.1m Fine for Leak of 502 Postmasters

🔒 The Information Commissioner's Office found that an unredacted settlement document related to the long-running Horizon scandal exposed the names, home addresses and postmaster status of 502 litigants on the Post Office website between 25 April and 19 June 2024. The ICO considered a fine just under £1.1m but issued a reprimand under its public sector approach after concluding the breach was not 'egregious'. The regulator criticised the Post Office for lacking documented publishing policies, quality assurance and sufficient staff training; the organisation has offered compensation and 24 months of identity protection and taken steps to remove cached copies and strengthen controls.

Smashing Security Ep. 446: Doxxing and SE-as-a-Service

🔐 In episode 446 of the Smashing Security podcast, Graham Cluley and guest Rik Ferguson discuss a teenage cybercriminal who inadvertently doxxed himself by mocking a sextortion scammer. They examine how stolen data has become the jet fuel of cybercrime and consider worrying trends for 2026. Plus, Graham rants about intrusive recipe sites and shares musical notes about Lily Allen.

Leroy Merlin Notifies French Customers of Data Breach

🔔 French home improvement retailer Leroy Merlin has notified customers in France that certain personal data may have been exposed in a cyberattack, including full names, phone numbers, email and postal addresses, dates of birth and loyalty program details. The company says no banking data or account passwords were involved and that it moved quickly to block unauthorized access and contain the incident. The notice warns customers to be vigilant against phishing and impersonation attempts; BleepingComputer confirmed the notification is genuine and has sought further details. No ransomware group had claimed responsibility at the time of reporting.

Freedom Mobile Breach Exposes Customer Personal Data

🔒 Freedom Mobile detected a breach of its customer account management platform on October 23 after a third party used the account of a subcontractor to access customer records. The carrier says it blocked suspicious accounts and IP addresses and implemented corrective measures and security enhancements. Exposed data include first and last names, home addresses, dates of birth, phone numbers, and Freedom account numbers. Freedom reports no evidence so far of misuse and has urged customers to watch for phishing and check accounts for unusual activity.

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.

University of Phoenix Discloses Data Breach After Oracle Hack

🔒The University of Phoenix disclosed a data breach tied to a zero-day flaw in Oracle E-Business Suite, saying it detected the incident on November 21 after the extortion group posted the university to its leak site. Phoenix Education Partners filed an SEC 8-K announcing the incident and an ongoing review. The university said attackers accessed names, contact details, dates of birth, Social Security numbers, and bank account and routing numbers for current and former students, employees, faculty and suppliers. Affected individuals will receive mailed notifications with next steps.

Korea Arrests Suspects Selling Footage from Hacked Cameras

🚨The Korean National Police arrested four suspects accused of hacking over 120,000 IP cameras in homes and businesses and selling stolen intimate footage on an overseas illegal adult website. Authorities say the suspects uploaded large volumes of voyeuristic content, identified dozens of victims, and have already arrested some buyers. Police are working with foreign investigators to locate site operators, notify victims, and pursue takedown and remedial actions. Victims were urged to reset passwords, disable unneeded remote access, and apply firmware updates to prevent further compromise.

Shai-Hulud 2.0 NPM malware exposed 400,000 developer secrets

🔒 Wiz researchers say the second Shai-Hulud NPM malware wave infected hundreds of packages and exposed roughly 400,000 raw secrets across some 30,000 GitHub repositories. Although TruffleHog verified about 10,000 secrets, Wiz found over 60% of leaked NPM tokens still valid as of Dec 1, leaving active credentials at risk. The payload propagated via the preinstall event (node setup_bun.js), affected over 800 package versions, and included a conditional destructive home-directory wipe. A small number of packages — notably @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 — represented the bulk of infections, indicating targeted mitigation could have sharply reduced impact.

Asahi Ransomware Attack Leads to Massive Data Breach

🔒 Asahi Group Holdings confirmed that a ransomware attack on 29 September, attributed to the Qilin group, resulted in a major data breach affecting over 1.5 million customers and roughly 275,000 employees and family members. The incident disrupted ordering, shipping and production systems across Japan and caused widespread product shortages. Asahi says it did not pay a ransom, has found no evidence the data has been posted publicly, and is strengthening its cybersecurity while notifying those impacted.

ShadyPanda Browser Extension Campaign Hits 4.3M Users

🛡️ A seven-year browser extension campaign attributed to the actor known as ShadyPanda has infected 4.3 million Chrome and Edge users by operating legitimately for years and then pushing malicious updates. A Koi Security report describes a remote code execution backdoor that affected roughly 300,000 users across five extensions, including Clean Master, and a parallel spyware push via Edge extensions such as WeTab. Malicious updates enabled hourly downloads of arbitrary JavaScript, extensive logging of site visits, exfiltration of encrypted browsing histories, and comprehensive browser fingerprinting.

University of Pennsylvania Confirms Oracle EBS Data Theft

🔒 The University of Pennsylvania disclosed that attackers exploited a previously unknown Oracle E-Business Suite zero-day in August to obtain files containing personal information. In a notification filed with Maine's Attorney General, Penn said at least 1,488 individuals had data taken and warned the overall total may be larger. The university reported no evidence so far that the stolen information has been misused or published and has not publicly attributed the intrusion; the incident aligns with a broader campaign linked to the Clop ransomware group.

UK and US Security Teams Fear State-Sponsored Cyberattacks

🔒 IO's State of Information Security Report 2025 finds most UK and US cybersecurity professionals fear state-sponsored cyber-attacks, with 23% citing lack of preparedness for geopolitical escalation as their top concern. Surveying 3,000 security managers, IO reports 33% believe governments are not doing enough and many organisations worry about data loss, reputational harm and supply chain disruption. In response, 74% are investing in resilience and 97% are tailoring incident response, beefing up threat intelligence and securing supply chains.

Coupang Data Breach Exposes 33.7 Million Customer Records

🔓 Coupang, South Korea's largest retailer, disclosed a data breach that exposed personal information for 33.7 million customer accounts. The company says the incident occurred on June 24, 2025, but was discovered and investigated beginning November 18, 2025. Exposed fields include full names, phone numbers, email and physical addresses, and order details; payment data and passwords were not affected. Coupang reported the incident to national authorities and warned customers to watch for impersonation attempts.

Coupang Confirms 33.7M Customer Records Exposed in Breach

⚠️ Coupang has confirmed unauthorized access to delivery-related personal information affecting an estimated 33.7 million customers, including names, email addresses and phone numbers. The company says payment details and login credentials were not accessed, and it has blocked the access route and strengthened internal monitoring. Seoul police have identified a suspect, believed to be a former employee who has left South Korea, and are analysing server logs while tracking an IP address tied to the incident.

Sha1-Hulud NPM Worm Returns, Broad Supply‑Chain Risk

🔐 A new wave of the self‑replicating npm worm, dubbed Sha1‑Hulud: The Second Coming, impacted over 800 packages and 27,000 GitHub repositories, targeting API keys, cloud credentials, and repo authentication data. The campaign backdoored packages, republished malicious installs, and created GitHub Actions workflows for command‑and‑control while dynamically installing Bun to evade Node.js defenses. GitGuardian reported hundreds of thousands of exposed secrets; PyPI was not affected.

Australian Man Jailed Seven Years for 'Evil Twin' Wi‑Fi

🔒 A 44-year-old man has been sentenced to seven years after pleading guilty to operating “evil twin” Wi‑Fi networks to harvest credentials and intimate images. AFP officers found a Wi‑Fi Pineapple, a laptop and a phone after airline staff reported a suspicious hotspot during a domestic flight. Forensic analysis recovered thousands of images and account credentials, and investigators linked malicious pages to airports and flights. Authorities advised users to disable automatic Wi‑Fi, use a reputable VPN, turn off file sharing and avoid sensitive transactions on public hotspots.

RBKC Cyberattack on IT Provider Disrupts Local Councils

🔒 The Royal Borough of Kensington and Chelsea (RBKC) has warned residents their data may have been compromised after unusual activity linked to a shared IT service provider was detected earlier this week. The council says it has evidence that some historical data was copied and removed and that the material could end up in the public domain. RBKC urged residents to be vigilant for phishing and social‑engineering attempts via email, text and phone while services are restored, and warned disruption could continue for at least two weeks as investigations and recovery proceed.

Asahi Data Breach Exposes Personal Details of 1.9M

🔒Asahi Group Holdings confirmed a ransomware-driven data breach discovered in September that affected up to 1.9 million people. The company says personal information including names, genders, addresses, phone numbers and email addresses was exfiltrated, and the Qilin ransomware group claimed responsibility and published sample files. Production and shipping were suspended during the incident and system restoration is ongoing. Asahi reports no payment card data was exposed and has opened a dedicated contact line for affected individuals.

Public GitLab Repositories Exposed 17,000+ Secrets

🔒 After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Using the open-source tool TruffleHog and an AWS-driven pipeline (SQS queue and Lambda workers), the researcher completed the scan in just over 24 hours at a cost of $770. Notifications were automated with Claude Sonnet 3.7 and scripts; affected parties revoked many credentials and the researcher collected $9,000 in bug bounties, though some secrets remain exposed.

French Football Federation Discloses Member Data Breach

⚽ The French Football Federation (FFF) disclosed a data breach after attackers used a compromised account to access administrative management software used by clubs. FFF detected the unauthorized access, disabled the compromised account, and reset all user passwords across the system. Before they were evicted, threat actors exfiltrated personal and contact information for members. The federation said it has filed a criminal complaint, notified regulators, and will directly inform affected individuals while urging vigilance against phishing attempts.