All news with #data leak tag

Chinese 'Salt Typhoon' Hackers Active in 80 Countries

🛡️ The FBI says the Chinese-linked hacker group Salt Typhoon has been observed operating in at least 80 countries, with activity reported across regions including the UK, Canada, Australia and New Zealand. U.S. authorities disclosed that the actors compromised U.S. telecommunications firms, exfiltrating more than one million connection records and targeting calls and SMS for over 100 Americans. A detailed technical analysis was published with international partners, including Germany's BSI, to help network defenders detect and remediate the intrusion, and U.S. officials now say the activity appears to have been contained.

Whistleblower: DOGE Placed SSA NUMIDENT on Insecure Cloud

⚠️A protected whistleblower alleges that the Department of Government Efficiency (DOGE) copied the Social Security Administration's NUMIDENT database to an unsecured Amazon Web Services test environment, bypassing mandated oversight and authorization. The complaint names several DOGE-affiliated hires and documents approvals and risk assessments dated June 12, June 25, and July 25, 2025. It alleges the move circumvented required FISMA authorization and NIST SP 800-53 controls, exposing sensitive personal data for more than 300 million people and potentially violating the Privacy Act and the CFAA.

Cephalus Ransomware: Emergence and Threat Profile

🚨 Cephalus is a mid‑2025 ransomware operation that both encrypts systems and exfiltrates sensitive data for publication on a dark‑web leak site. The group commonly gains initial access via Remote Desktop Protocol (RDP) accounts lacking multi‑factor authentication and uses a DLL sideloading chain that abuses SentinelOne's SentinelBrowserNativeHost.exe to load a malicious DLL and execute the payload. Infected files are renamed with the .sss extension, Volume Shadow Copies are deleted, and Windows Defender is disabled. Organisations should prioritise MFA, timely patching, secure offline backups, network segmentation and staff training to reduce risk.

Anthropic Disrupts AI-Powered Data Theft and Extortion

🔒 Anthropic said it disrupted a sophisticated July 2025 operation that weaponized its AI chatbot Claude and the agentic tool Claude Code to automate large-scale theft and extortion targeting at least 17 organizations across healthcare, emergency services, government and religious institutions. The actor exfiltrated personal, financial and medical records and issued tailored ransom demands in Bitcoin from $75,000 to over $500,000. Anthropic reported building a custom classifier and sharing technical indicators with partners to mitigate similar abuses.

ShadowSilk Campaign Hits Central Asian Governments

🔍 Group-IB links a broad cyber-espionage campaign, active since 2023 and ongoing into mid‑2025, to the ShadowSilk cluster targeting Central Asian and Asia‑Pacific government organizations. The operation, which has compromised at least 35 government victims, primarily seeks data theft and distributes stolen material on dark web forums. ShadowSilk uses phishing with password‑protected archives, commodity web panels such as JRAT and Morf Project, and post‑compromise tools like Cobalt Strike and Metasploit. Researchers found indicators of both Russian‑ and Chinese‑language operators and advise stronger email defenses, strict application control, regular patching and proactive threat hunting.

Retail and Hospitality Data Heists: Digital Extortion Trends

🔒Unit 42 describes how financially motivated actors blend reconnaissance and social engineering to target high-end retailers and other sectors, stealing customer data for extortion. Attackers commonly use voice-based phishing and impersonation to harvest credentials or trick users into running a modified Data Loader for Salesforce, then search SharePoint, Microsoft 365 and Salesforce for PII. Because intrusions often avoid malware, forensic artifacts are minimal, complicating detection and response.

How to Remove Your Data from People-Search Brokers

🛡️ Data brokers compile extensive personal dossiers and sell them without consent. This guide explains the challenges of locating and removing your information, outlines typical data collected, and describes practical steps to submit opt-out or deletion requests. It recommends tracking requests in a spreadsheet, citing laws like CCPA or GDPR, and repeating removals every 3–6 months or using paid services.

Widespread Data Theft via Salesloft Drift Targets Salesforce

🔒 GTIG warns of a widespread data-theft campaign by UNC6395 that abused compromised OAuth tokens for the Salesloft Drift connected app to export data from multiple Salesforce customer instances between Aug. 8 and Aug. 18, 2025. The actor executed SOQL queries against objects including Accounts, Cases, Users, and Opportunities to harvest credentials and secrets—observed items include AWS access keys, Snowflake tokens, and passwords. Salesloft and Salesforce revoked tokens and removed the Drift app from the AppExchange; impacted organizations should search for exposed secrets, rotate credentials, review Event Monitoring logs, and tighten connected-app scopes and IP restrictions.

Alleged Mastermind Behind K-Pop Stock Heist Extradited

🔒 South Korean authorities have extradited a 34-year-old suspect from Thailand, accused of masterminding a coordinated campaign that siphoned millions in stocks from celebrities, including Jung Kook. Investigators say the group stole personal data from Korean telecom firms, used it to assume victims' identities and opened brokerage accounts between August 2023 and January 2024. With assistance from Interpol and Thai authorities, officials tracked and arrested the suspect, who has admitted some allegations while denying others.

Weekly Recap: Password Manager Clickjacking Flaws and Threats

🔒 This week's recap spotlights a DOM-based extension clickjacking technique disclosed by researcher Marek Tóth at DEF CON that affects popular browser password manager plugins. Vendors including Bitwarden, Dashlane, Enpass, KeePassXC-Browser, Keeper, LastPass, NordPass, ProtonPass, and RoboForm issued fixes by August 22. Other leading stories cover legacy Cisco devices exploited for persistent access, an actively exploited Apple 0-day in ImageIO, cloud intrusions leveraging trusted partner relationships, and several high-risk CVEs to prioritize.

Yemen Cyber Army Hacker Jailed for Massive Data Theft

🔒 A 26-year-old man, Al-Tahery Al-Mashriky, has been jailed after UK National Crime Agency investigators linked him to the Yemen Cyber Army and uncovered evidence of widespread website breaches. Arrested in August 2022 in Rotherham, he defaced and compromised sites across North America, Yemen and Israel, including government and faith organisations. Forensically seized devices contained personal data, account credentials and other files that could facilitate fraud; he pleaded guilty and was sentenced to 20 months in prison.

postMessage Risks: Token Exposure and Trust Boundaries

🔒 MSRC presents a deep dive into misconfigured postMessage handlers across Microsoft services and the systemic risk posed by overly permissive trust models. The report, authored by Jhilakshi Sharma on August 25, 2025, documents token exfiltration, XSS, and cross-tenant impact in real-world case studies including Bing Travel, web.kusto.windows.net, and Teams apps. It summarizes mitigations such as removing vulnerable packages, tightening Teams app manifests, enforcing strict origin checks for postMessage, and applying CSP constraints to reduce attack surface.

INTERPOL Arrests 1,209 Cybercriminals in Africa Sweep

🔎 INTERPOL coordinated a multi-country crackdown that led to the arrest of 1,209 suspected cybercriminals across 18 African nations, targeting schemes that affected roughly 88,000 victims. The operation, the second phase of Operation Serengeti carried out between June and August 2025, recovered about $97.4 million and dismantled 11,432 malicious infrastructures. Private-sector partners including Group-IB and TRM Labs contributed intelligence on cryptocurrency fraud and ransomware links.

Blue Locker Ransomware Targets Critical Infrastructure

🔒 Pakistan Petroleum Limited (PPL) was struck by the Blue Locker ransomware, detected on 6 August, which appends a .blue extension to encrypted files and has reported deletion of backups and theft of some business and employee data. The incident encrypted servers and disrupted financial operations while recovery work proceeded in a phased manner. Pakistan's NCERT issued a high alert to 39 key ministries and institutions and warned of multiple distribution vectors. Organisations, especially critical infrastructure operators, are urged to verify and isolate backups, implement network segmentation and enhanced monitoring, and engage incident response and forensic teams as needed.

Microsoft restricts Chinese firms' early MAPP exploit access

🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.

SIM-Swapper Scattered Spider Hacker Sentenced 10 Years

🔒 A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay about $13 million in restitution after pleading guilty to wire fraud and conspiracy. Prosecutors say Urban acted with members of Scattered Spider, using SIM-swapping and SMS phishing to divert calls and one-time codes and to phish employees into fake Okta pages. The campaign compromised access at more than 130 firms and enabled thefts of proprietary data and millions in cryptocurrency.

Warlock Ransomware: Emerging Threat Targeting Services

⚠️ Warlock is a ransomware operation that emerged in 2025 and uses double extortion — encrypting systems and threatening to publish stolen data to coerce payment. The group has targeted government agencies and critical service providers across Europe, and on August 12 a cyber incident disrupted UK telecom Colt Technology Services, with an alleged auction of one million stolen documents. Security analysts link recent intrusions to exploitation of the SharePoint vulnerability CVE-2025-53770, which Microsoft says is actively exploited; Microsoft has published analysis and urges immediate patching. Recommended mitigations include enforcing multi‑factor authentication, keeping security tools and software patched, maintaining secure off‑site backups, reducing attack surface, encrypting sensitive data, and educating staff on phishing and social engineering.

Unexpected parcel scams: brushing, quishing, and more

📦 Delivery scams now include evolved brushing and QR-based "quishing" campaigns that use unsolicited packages or printed postcards to trick recipients into visiting malicious sites, paying fake fees, or installing malware. Scammers may include QR codes, phone numbers, or counterfeit tracking cards to extract payment data, one-time codes, or to prompt app installs. Never scan printed QR codes or call numbers on unexpected parcels; verify shipments via official courier channels and avoid connecting unknown USB devices. Enable two-factor authentication and report suspicious packages to the courier and police.

Analyzing organizational traffic to Leakzone forum

🔍 UpGuard examined a leaked Elastic index containing 22 million client requests to Leakzone.net covering 28 days in June–July 2025. By mapping source IP metadata to known organizations, investigators identified traffic originating from universities, government networks, and private companies, including security vendors and large technology firms. Traffic patterns ranged from steady, automated scanning from services like Censys and SEMRush to bursty, human-like spikes from university and government networks, but the logs do not include request content, so intent remains uncertain.

Muddled Libra Strike Teams: Collaborative Cybercrime

🧩 Muddled Libra is not a single organized group but a fluid collaboration of personas that form distinct strike teams with varying objectives and tradecraft. Unit 42 has identified patterns across at least seven teams, from crypto theft and extortion to IP theft and mass data harvesting. Defenders should prioritize protecting high-value data, tighten access controls, and assume evolving tactics rather than a fixed adversary profile.