All news with #data leak tag

November 2025 security roundup: leaks, ransomware, policing

🔍 In his November roundup, ESET Chief Security Evangelist Tony Anscombe highlights major cybersecurity developments that warrant attention. He draws attention to Wiz's finding that API keys, tokens and other sensitive credentials were exposed in repositories at several leading AI companies, and to a joint advisory revealing the Akira ransomware group's estimated $244 million takings. Tony also flags privacy concerns around X's new location feature, outlines how Australia intends to enforce a proposed under‑16 social media ban, and notes a Europol/Eurojust operation that disrupted malware families including Rhadamanthys.

Scattered Lapsus$ Hunters Target Zendesk with Fake Domains

🔒 ReliaQuest researchers discovered that a group calling itself Scattered Lapsus$ Hunters registered more than 40 fake domains over six months to impersonate Zendesk, host fraudulent login pages, and push malware. Domains such as znedesk.com and vpn-zendesk.com used realistic sign-in screens while other URLs embedded company names to build trust. Attackers also submitted bogus support tickets to real Zendesk portals to trick help-desk staff into surrendering credentials or installing malware. ReliaQuest noted registry patterns tied to NiceNic and Cloudflare-masked nameservers and shared findings with Zendesk.

French Football Federation Data Exposure Affects Millions

🔒 The French Football Federation (FFF) reported unauthorized access to the centralized software used by licensed clubs to manage player registrations, an intrusion it believes occurred on 20 November. Exposed fields include names, genders, dates and places of birth, nationalities, postal and email addresses, phone numbers and football license ID numbers. The FFF says it deactivated the compromised account, reset all user passwords, filed a complaint with authorities and notified CNIL and ANSSI. It will inform affected individuals with known emails and urged license holders to remain vigilant against phishing and scam attempts.

OpenAI Data Exposed After Mixpanel Phishing Incident

🔒 OpenAI confirmed a customer data exposure after its analytics partner Mixpanel suffered a smishing attack on November 8, which allowed attackers to access profile metadata tied to platform.openai.com accounts. Stolen fields included names, email addresses, approximate location, OS/browser details, referrers, and organization or user IDs. OpenAI says ChatGPT and core systems were not breached and that no API keys, passwords, payment data, or model payloads were exposed. The company has terminated its use of Mixpanel and is notifying impacted customers directly.

OpenAI Vendor Mixpanel Breach Exposes API User Data

🔒 According to an OpenAI statement, cybercriminals accessed analytics provider Mixpanel's systems in early November, and data tied to some API users may have been exposed. Potentially affected fields include account names, associated email addresses, approximate browser-derived location (city, state, country), operating system and browser details, referring websites, and organization or user IDs. OpenAI said its own systems and products such as ChatGPT were not impacted, that sensitive items like chat histories, API requests, API usage data, passwords, credentials, API keys, payment details, and government IDs were not compromised, and that it has removed Mixpanel from its systems while working with the vendor to investigate.

Asahi breach: personal data of nearly two million exposed

🔒 Asahi Group Holdings has confirmed that personal data for approximately 1.914 million people, including 1.525 million customers, may have been exposed after a September ransomware incident that forced temporary suspension of operations. The company spent two months on containment, integrity checks and system restoration, and says credit card details were not affected. Qilin has claimed responsibility; Asahi warns customers to monitor for unsolicited communications and anticipates ongoing operational impacts.

OpenAI API customer data exposed in Mixpanel breach

🔒 OpenAI has notified some ChatGPT API customers that limited identifying information was exposed following a breach at its third‑party analytics vendor, Mixpanel. Mixpanel says the incident resulted from a smishing campaign detected on November 8, and OpenAI received details of the affected dataset on November 25. Exposed fields may include names, emails, coarse location, device and browser metadata, referring websites, and account IDs, but OpenAI says no chats, API requests, usage data, passwords, API keys, payment details, or government IDs were exposed. OpenAI has removed Mixpanel from production, begun notifying affected parties, and is warning users to watch for phishing attempts and enable 2FA.

OpenAI Alerts API Users to Mixpanel Data Exposure Incident

⚠️ OpenAI has warned that some data from users of its platform.openai.com API may have been exposed after an attacker gained unauthorized access to part of analytics vendor Mixpanel and exported a dataset. The incident began on November 9 and Mixpanel shared the dataset with OpenAI on November 25. Potentially affected fields include account names, email addresses, coarse location, browser/OS, referrers and organization or user IDs. OpenAI says its systems, chats, API keys, credentials, payment details and chat content were not compromised, and it has removed Mixpanel from production while notifying affected users and expanding vendor security reviews.

Retailers Brace for Holiday Fraud, Not Major Breach Spike

🔒 Huntsman Security's analysis of ICO reports from Q3 2024 to Q2 2025 indicates the retail and manufacturing sector experienced only minor seasonal peaks, with 1,381 incidents overall and quarterly counts clustered in the mid-300s. The firm reported 618 breaches caused by brute force, misconfigurations, malware, phishing and ransomware, and urged a shift to continuous assurance so defenses do not drift into vulnerable states. Other vendors cautioned that more than half of recent ransomware incidents occurred on weekends or holidays, while researchers warned of AI-enabled fake e-commerce sites, typosquatted domains and package-tracking scams targeting shoppers.

How Parents Can Protect Children from Doxxing Online

🛡️ Doxxing is the deliberate public exposure of someone's personal information online, and for children it can cause serious emotional harm and physical safety risks. Parents should reduce the personal data their kids share, review privacy settings and disable geolocation. Protect accounts with unique passwords stored in a password manager and enable multifactor authentication. If doxxing occurs, document evidence, report to platforms and authorities, and provide calm, nonjudgmental support to your child.

Scattered Lapsus$ Hunters Target Zendesk Support Users

🚨 ReliaQuest has uncovered a campaign attributed to the Scattered Lapsus$ Hunters that leverages more than 40 typosquatted domains impersonating Zendesk portals, including deceptive SSO pages designed to harvest credentials. The actors have also been observed submitting fraudulent helpdesk tickets to target support staff, aiming to deploy remote access trojans and other malware. Organizations are advised to enforce MFA with hardware keys, implement IP allowlisting and session timeouts, monitor domains and DNS, and harden chat controls and content filtering to mitigate the risk.

Gainsight Expands Customer Impact After Salesforce Alert

🔒 Gainsight disclosed that suspicious activity affecting its Salesforce-connected applications has expanded beyond an initial three-customer list provided by Salesforce, with the company saying it presently knows of "only a handful" of customers whose data were affected. Salesforce revoked access and refreshed tokens for impacted Gainsight-published apps after detecting "unusual activity" claimed by the ShinyHunters group. Several vendors suspended integrations while investigations continue; Gainsight advised rotating credentials, resetting non‑SSO passwords, and reauthorizing connectors as preventive measures.

Smashing Security #445: Broadcast Hacks and Insider Risk

🧟 In episode 445 of the Smashing Security podcast, Graham Cluley and guest Dan Raywood review a decade of insecure broadcast infrastructure that has allowed attackers to hijack TV and radio, issue fake emergency alerts, and even replace sermons with explicit content. They also examine an alleged insider leak at a cybersecurity firm that raises urgent questions about trusted access and internal controls. The discussion highlights persistent vulnerabilities in broadcast hardware and the broader implications for public safety and incident response.

Comcast to Pay $1.5M After Vendor Breach Affects 273,703

🔒 Comcast will pay $1.5 million to settle an FCC investigation after a February 2024 vendor breach at Financial Business and Consumer Solutions (FBCS) exposed the personal data of 273,703 current and former Xfinity customers. Under the consent decree Comcast must implement a compliance plan with enhanced vendor oversight, biennial risk assessments, and biannual reporting. Comcast says its network was not breached and has not conceded wrongdoing.

Meet Rey, Admin of Scattered LAPSUS$ Hunters Exposed

🔍 A prolific operator known as "Rey," one of three administrators of the Scattered LAPSUS$ Hunters (SLSH) Telegram channel, has confirmed his real-world identity after investigative outreach. Rey is tied to the recent release of the group's new RaaS offering ShinySp1d3r, which he says is derived from Hellcat ransomware code modified with AI tools. Reporting shows Rey made multiple operational security mistakes that allowed analysts to link him to a shared family PC in Amman, Jordan, revealing his name as Saif Al‑Din Khader and that he is a mid‑teens minor who says he is cooperating with law enforcement.

Care That You Share: Holiday Risks and Mitigations

🛡️ This edition of Talos Threat Source urges a simple behavioral shift: practice care in what, how, and why you share information during the holiday season and beyond. The briefing highlights operational pressures as teams run lean and attackers intensify phishing and supply‑chain campaigns, and it outlines practical changes such as retiring obsolete ClamAV signatures and encouraging feature‑release container tags for better security maintenance. Thoughtful, timely sharing of tips, IOCs, and status updates can materially improve collective resilience when resources are constrained.

Cyberattack Disrupts OnSolve CodeRED Emergency Alerts

⚠️ A cyber-attack on the OnSolve CodeRED platform disrupted emergency alerts used by state and local agencies across the US and exposed user data. Crisis24 shut down the legacy environment and is rebuilding the system in a new, isolated infrastructure. Investigators confirmed data theft — including names, addresses, emails, phone numbers and passwords — though there is no evidence the data has been posted online. The threat actor INC Ransom claims responsibility and has published screenshots and is selling samples of the files.

Qilin Ransomware Targets South Korean MSP, Hits Finance

🛡️ South Korea's financial sector was struck by a coordinated supply-chain campaign that deployed Qilin ransomware via a compromised MSP, Bitdefender reports. The operation, self-styled as 'Korean Leaks', unfolded in three publication waves in September–October 2025 and resulted in the theft of over 1 million files (about 2 TB) from 28 victims. Analysis ties the clustered intrusions to a single upstream MSP compromise and notes possible involvement by North Korean-affiliated actors alongside Qilin affiliates operating under a RaaS model.

Gainsight Breach Impacts More Salesforce Customers

🔒Gainsight has confirmed the cyber‑attack tied to Salesforce affected more customers than initially reported, though the vendor says the number remains limited and affected customers were notified. As a precaution Gainsight temporarily disabled Salesforce read/write access for several products, including Customer Success (CS), Community (CC), Northpass (CE), Skilljar (SJ) and Staircase (ST). Other vendors such as Gong.io, Zendesk and HubSpot have also disabled their connectors. Gainsight engaged Mandiant for an independent forensic investigation and is advising customers to rotate credentials and S3 keys, reset NXT passwords where appropriate, re-authorize integrations, and follow proactive hardening guidance while the investigation continues.

SLSH Resurgence: ShinySp1d3r RaaS Ahead of Holidays

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.