All news with #data leak tag

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Ransomware Attack Disrupts IT at Nickelhütte Aue Company

🔒 A ransomware attack on Nickelhütte Aue's office IT encrypted data and caused disruptions across multiple back-office systems, with HR, accounting, finance, purchasing and sales identified as affected. A company spokesperson told CSO that production remained unaffected and management established a crisis organisation after the incident was discovered on Saturday, October 18. The attackers left an extortion note threatening to publish stolen files; investigations by IT forensics teams and authorities are ongoing while the firm consults on how to respond to the ransom demand. The company says it is cleaning infected devices and making steady progress, but the timeframe to fully rebuild IT systems remains unclear.

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

UK Contractor Breach Exposes Sensitive RAF and Navy Sites

🔒 A ransomware attack on contractor Dodd Group reportedly allowed Russian-linked attackers to exfiltrate hundreds of sensitive Ministry of Defence documents, including details on RAF Lakenheath, RAF Portreath and RAF Predannack. The company confirmed an incident and said it contained access, while the MoD suspects the Lynx group is behind the intrusion. Leaked files published on the dark web allegedly include site plans and personnel data, and the case is now under investigation amid a wider rise in UK cyber incidents.

Ransomware Payouts Rise to $3.6M as Tactics Evolve

🔒 The average ransomware payment climbed to $3.6m in 2025, up from $2.5m in 2024, as attackers shift to fewer but more lucrative, targeted campaigns. ExtraHop's Global Threat Landscape Report found 70% of affected organisations paid ransoms, with healthcare and government incidents averaging nearly $7.5m each. The study highlights expanding risks from public cloud, third‑party integrations and generative AI, and urges organisations to map their attack surface, monitor internal traffic for lateral movement and prepare for AI‑enabled tactics.

John Bolton Charged Over Classified Emails Leak After Hack

🔒Former national security adviser John Bolton has been charged with mishandling classified information after prosecutors say he retained and transmitted sensitive documents via a personal AOL account that was later accessed by suspected Iranian hackers. The intruders allegedly downloaded the materials and sent extortion messages to Bolton. The case highlights questions about password strength, the use of two-step verification, and the risks of sending unencrypted, sensitive information to family members. Bolton has pleaded not guilty.

Developers of Lumma Stealer Doxxed in Rival Campaign

🔍Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.

Ransomware Reality: High Confidence, Low Preparedness

⚠️ The CrowdStrike State of Ransomware Survey reveals a sizable gap between organizational confidence and actual ransomware readiness. Half of 1,100 security leaders say they are "very well prepared," yet 78% were attacked in the past year and fewer than 25% recovered within 24 hours. The report warns that AI-accelerated attacks deepen this gap and recommends AI-native detection and response such as Falcon to regain the advantage.

Scattered LAPSUS$ Hunters: Recent Activity and Risks

🚨 Unit 42 observed renewed activity from Scattered LAPSUS$ Hunters in early October 2025, including leaked data claims, a defaced clearnet leak site, and announcements of an extortion-as-a-service offering. The actors set a self-imposed ransom deadline of Oct. 10, 2025 and claimed to have released data allegedly from six victim companies across aviation, energy and retail. Unit 42 recommends organizations prepare EaaS incident playbooks and engage third-party responders.

Experian Fined €2.7m by Dutch Regulator for GDPR Breach

🔒 Experian Netherlands has been fined €2.7m by the Dutch Data Protection Authority for breaching GDPR requirements after collecting and processing personal data from public and private sources without proper notice or consent. The regulator found Experian compiled extensive databases using information from the Chamber of Commerce and data sold by telecom and energy firms, and that its credit scores influenced contract terms, deposits and denials. Experian acknowledged the violations, will not appeal, has ceased Dutch operations and plans to delete the database by year-end.

Rhysida Ransomware Group Lists German Manufacturer Geiger

🔒 On October 17, the ransomware group Rhysida posted the German machine manufacturer Geiger on a darknet victims list, claiming to offer data stolen from the company. The attackers set an asking price of 10 BTC (roughly €1 million) and indicated a sale deadline of October 24, 2025, without specifying the scope or types of data. Geiger has not publicly responded to the claim. Security researchers characterize Rhysida as financially motivated and likely operating from Russia or the CIS.

Developers leaking secrets via VSCode and OpenVSX extensions

🔒 Researchers at Wiz found that careless developers published Visual Studio extensions to the VSCode Marketplace and OpenVSX containing more than 550 validated secrets across over 500 extensions, including API keys and personal access tokens for providers such as OpenAI, AWS, GitHub, Azure DevOps, and multiple databases. The primary cause was bundled dotfiles (notably .env) and hardcoded credentials in source and config files, with AI-related configs and build manifests also contributing. Microsoft and OpenVSX collaborated with Wiz on coordinated remediation: notifying publishers, adding pre-publication secrets scanning, blocking verified secrets, and prefixing OVSX tokens to reduce abuse.

Hackers Leak Personal Data of Hundreds of US Agents

🔓 A hacking collective known as The Com has posted alleged personal details — names, addresses, and phone numbers — of hundreds of US government employees on private Telegram channels. Reporting by 404 Media indicates spreadsheets containing roughly 680 DHS entries, over 170 FBI email addresses, and more than 190 Department of Justice records were shared; the origin of the information is unclear. The group, which has ties to known ransomware and extortion actors, suggested further doxing and even solicited criminal collaboration, raising concerns about threats and physical safety for affected personnel and their families.

China Accuses NSA of Multi-Stage Attack on NTSC Systems

🕒 The Chinese Ministry of State Security (MSS) has accused the U.S. National Security Agency (NSA) of a "premeditated" multi-stage cyber intrusion targeting the National Time Service Center (NTSC), which manages Beijing Time. The MSS says the campaign began with SMS-based compromises of staff devices in March 2022 and escalated through credential reuse and a deployed "cyber warfare platform" between August 2023 and June 2024. According to the statement, the platform employed 42 specialized tools, forged digital certificates, and high-strength encryption while routing traffic through VPSes across the U.S., Europe, and Asia; Chinese agencies say they detected, neutralized the activity, and reinforced defenses.

2025 APJ eCrime Landscape: Emerging Threat Trends and Risks

🔒 The CrowdStrike 2025 APJ eCrime Landscape Report outlines a rapidly evolving criminal ecosystem across Asia Pacific and Japan, driven by regional marketplaces and increasingly automated ransomware. The report highlights active Chinese-language underground markets (Chang’an, FreeCity, Huione Guarantee) and the rise of AI-developed ransomware, with 763 APJ victims named on ransomware and dedicated leak sites between January 2024 and April 2025. It profiles local eCrime groups (the SPIDER cluster) and service providers such as Magical Cat and CDNCLOUD, and concludes with prioritized defenses for identity, cloud, and social-engineering resilience.

New .NET CAPI Backdoor Targets Russian Auto and E-commerce

🔒 Seqrite Labs uncovered a new .NET implant named CAPI Backdoor linked to a phishing campaign targeting Russian automobile and e-commerce organizations. The attack leverages a ZIP archive containing a decoy Russian tax notice and a Windows LNK that loads a malicious adobe.dll via the legitimate rundll32.exe. The backdoor gathers system and browser data, takes screenshots, and communicates with a remote C2 for commands and exfiltration. Persistence is achieved through scheduled tasks and a Startup LNK.

UK Weighed Destroying Data Hub After Decade-Long Intrusion

🔐 British officials briefly considered physically destroying a government data hub after uncovering a decade-long intrusion attributed to China-aligned actors. The breach reportedly exposed official-sensitive and secret material on government servers, though no top secret data was taken. Rather than demolish the facility, the government implemented alternative protections and commissioned a classified review. Cybersecurity experts say the episode underscores the critical need to secure supply chains and hunt long-term APT presence.

Envoy Air Confirms Oracle E-Business Suite Data Theft

🔒 Envoy Air confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its leak site. The carrier said it immediately launched an investigation, contacted law enforcement, and determined that no sensitive or customer data were affected, though limited business information and commercial contact details may have been exposed. The incident is tied to an August campaign by Clop, which exploited an E-Business Suite zero‑day (CVE‑2025‑61882) and is now publishing claimed stolen files.

Over 266,978 F5 BIG-IP Instances Exposed to Remote Attacks

⚠️ Shadowserver Foundation reports 266,978 internet-exposed F5 BIG-IP instances after F5 disclosed a breach in which nation-state actors stole source code and information on undisclosed BIG-IP flaws. F5 issued patches addressing 44 vulnerabilities and urged immediate updates for BIG-IP, F5OS, BIG-IQ, and related products. CISA issued an emergency directive requiring federal agencies to patch or mitigate affected devices by set deadlines. Nearly half of the detected instances are in the United States, with most others across Europe and Asia.