Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Data Breach
CrowdStrike data breach cyber attack Cybernews Data Breach

CrowdStrike Fires Insider Who Leaked Internal Screenshots to Hacker Groups, Says no Customer Data was Breached

 

American cybersecurity company CrowdStrike has confirmed that screenshots taken from its internal systems were shared with hacker groups by a now-terminated employee. 

The disclosure follows the appearance of the screenshots on Telegram, posted by the cybercrime collective known as Scattered Lapsus$ Hunters. 

In a statement to BleepingComputer, a CrowdStrike spokesperson said the company’s security was not compromised as a result of the insider activity and that customers remained fully protected. According to the spokesperson, the employee in question was identified during an internal investigation last month. 

The individual was later terminated and the matter has been reported to law enforcement. CrowdStrike did not clarify which threat group was behind the leak or what drove the employee to share sensitive images. 

However, the company offered the statement after BleepingComputer reached out regarding screenshots of CrowdStrike systems circulating on Telegram. Those screenshots were posted by members of ShinyHunters, Scattered Spider, and the Lapsus$ group, who now operate collectively under the name Scattered Lapsus$ Hunters. ShinyHunters told BleepingComputer that they allegedly paid the insider 25,000 dollars for access to CrowdStrike’s network. 

The threat actors claimed they received SSO authentication cookies, but CrowdStrike had already detected the suspicious activity and revoked the employee’s access. 

The group also claimed it attempted to buy internal CrowdStrike reports on ShinyHunters and Scattered Spider but never received them. 

Scattered Lapsus$ Hunters have been responsible for a large-scale extortion campaign against companies using Salesforce. Since the beginning of the year, the group has launched voice phishing attacks to breach Salesforce customers. Their list of known or claimed victims includes Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, and luxury brands under LVMH such as Dior, Louis Vuitton, and Tiffany & Co. 

They have also attempted to extort numerous high-profile organizations including FedEx, Disney, McDonald’s, Marriott, Home Depot, UPS, Chanel, and IKEA. 

The group has previously claimed responsibility for a major breach at Jaguar Land Rover that exposed sensitive data and disrupted operations, resulting in losses estimated at more than 196 million pounds. 

Most recently, ShinyHunters asserted that over 280 companies were affected in a new wave of Salesforce-related data theft. Among the names mentioned were LinkedIn, GitLab, Atlassian, Verizon, and DocuSign. 

Though, DocuSign has denied being breached, stating that internal investigations have shown no evidence of compromise.
Read more »
Ransomware Breach
Critical Systems Security Cybersecurity Threats Dark Web Claims Data Breach Digital Risk Management Gaming Infrastructure IGT Cyberattack Lottery Technology Ransomware Breach

IGT Responds to Reports of Significant Ransomware Intrusion

 


An investigation by the Russian-linked ransomware group Qilin has raised fresh concerns within the global gaming and gambling industry after they claimed responsibility for the cyber intrusion that targeted global gambling giant IGT in recent weeks. 

A dark-web leak site that listed the company on Wednesday stated that it had exfiltrated ten gigabytes of data, or more than two thousand files, which is an amount that would equal around ten gigabytes of internal data. The posting itself didn’t provide many details about this. 

As can be seen by the entry stamped in bright green with the word “Publicated”, IGT does not appear to have communicated with Qilin or they refuse to accept ransom demands from him. IGT offers a complete suite of products and services to casinos, retailers, and online operators worldwide that range from gaming machines to lottery technology to PlaySports betting platforms to iGaming systems. 

Through its suite of products, IGT supports millions of players every day. This recent breach has prompted increased scrutiny of a leading technology provider’s security posture, and raised questions about the potential impact on operations and the broader gaming infrastructure of this company. According to a recent filing submitted to the Securities and Exchange Commission, International Game Technology (IGT) has acknowledge that it is in the middle of managing a major cyber incident. 

In the filing, IGT confirmed an unauthorized attempt to access portions of its internal IT system on November 17 was detected. There is a note in the disclosure that indicates that the company's incident response procedures were immediately activated after the intrusion. 

These procedures included a number of steps commonly associated with attempts to contain suspected ransomware activities, including taking certain systems offline and engaging external forensic specialists to assist in the investigation. 

In the midst of it assessing the extent of the disruption, the notorious ransomware group Qilin also has mentioned IGT, claiming that around 10GB of data, or over 21,000 files, has been stolen from its dark-web leak portal. Despite the fact that Qilin has not yet provided proof of compromise samples, the group has labeled the archive as published, a term criminals frequently use to indicate that exfiltrated data is now circulating beyond the victim's control. This adds further urgency to IGT's efforts to contain and remediate the data in question.

A report from Cybernews claims that Qilin's leak page also offers a link to an FTP file believed to contain a complete cache of allegedly stolen information, but no verification has been made and the amount of information available is limited at this point. To date, IGT has not either confirmed or denied the gang's assertions and has not responded to media inquiries seeking clarification. 

As one of the world's biggest gaming companies, GTECH offers a range of lottery technology products across more than 100 jurisdictions, including electronic gaming machines, iLottery systems, and sports betting platforms. Its headquarters are in London, with major operations centers in Las Vegas, Rome, and Providence. IGT is the primary technology partner for 26 U.S. lotteries and casinos, serving dozens of lottery operators and casino operators across the country. 

The entire lottery industry has been facing increasing cyber threats; earlier this year, the Ohio Lottery suffered a ransomware attack that disrupted jackpot information, delayed prize claim processing, and exposed sensitive consumer and retailer information. 

With such a backdrop in mind, IGT’s statement to the SEC underscored the company’s commitment to minimizing operational disruptions while restoring systems and maintaining transparency with its customers. In order to ensure service stability while forensic specialists continue their assessment, the company has deployed contingency solutions under its business continuity framework. 

It is vital that IGT maintains trust among lottery operators, casino customers and millions of daily users as it navigates the aftermath of the breach. IGT continues to work to secure that trust as the recovery proceeds. In light of the ongoing investigation, this incident underscores the widening threat landscape that operators of high-value digital games and lotteries face.

In order to achieve the best results for IGT, it is imperative that they reinforce cyber-resilience, accelerate security modernization, and strengthen partnerships with regulators and industry partners. It is widely believed that maintaining transparency, rapid threat intelligence sharing, and investing in robust incident response capabilities will be crucial not only for restoring confidence, but also for safeguarding interconnected gaming ecosystems from increasingly sophisticated ransomware actors who are eager to exploit any vulnerabilities that may arise.
Read more »
Personal Data
CyberCrime Data Breach Data Leak Data Privacy Concerns Data Safety User Data data security Personal Data

WhatsApp Enumeration Flaw Exposes Data of 3.5 Billion Users in Massive Scraping Incident

 

Security researchers in Austria uncovered a significant privacy vulnerability in WhatsApp that enabled them to collect the personal details of more than 3.5 billion registered users, an exposure they believe may be the largest publicly documented data leak to date. The issue stems from a long-standing feature that allows users to search WhatsApp accounts by entering phone numbers. While meant for convenience, the function can be exploited to automatically compile profiles at scale. 

Using phone numbers generated with a custom tool built on Google’s libphonenumber system, the research team was able to query account details at an astonishing rate—more than 100 million accounts per hour. They reported exceeding 7,000 automated lookups per second without facing IP bans or meaningful rate-limiting measures. Their findings indicate that WhatsApp’s registered user base is larger than previously disclosed, contradicting the platform’s statement that it serves “over two billion” users globally. 

The scraped records included phone numbers, account names, profile photos, and, in some cases, personal text attached to accounts. Over half of the identified users had public profile images, and a substantial portion contained identifiable human faces. About 29 percent included text descriptions, which researchers noted could reveal sensitive personal information such as sexuality, political affiliation, drug use, professional identities, or links to other platforms—including LinkedIn and dating apps.  
The study also revealed that millions of accounts belonged to phone numbers registered in countries where WhatsApp is restricted or banned, including China, Myanmar, and North Korea. Researchers warn that such exposure could put users in those regions at risk of government monitoring, penalties, or arrest. 

Beyond state-level dangers, experts stress that the harvested dataset could be misused by cybercriminals conducting targeted phishing campaigns, fraudulent messaging schemes, robocalling, and identity-based scams. The team emphasized that the persistence of phone numbers poses an ongoing risk: half of the numbers leaked during Facebook’s large-scale 2021 data scraping incident were still active in WhatsApp’s ecosystem. 

Meta confirmed receiving the researchers’ disclosure through its bug bounty process. The company stated that it has since deployed updated anti-scraping defenses and thanked the researchers for responsibly deleting collected data. According to WhatsApp engineering leadership, the vulnerability did not expose private messages or encrypted content. 

The researchers validated Meta’s claim, noting that the original enumeration method is now blocked. However, they highlighted that verifying security completeness remains difficult and emphasized the nearly year-long delay between initial reporting and effective remediation.  
Whether this incident triggers systemic scrutiny or remains an isolated cautionary case, it underscores a critical reality: even services built around encryption can expose sensitive user metadata, creating new avenues for surveillance and exploitation.
Read more »
User Privacy
Data Breach Data Leak Gainsight Salesforce User Privacy

Salesforce Probes Gainsight Breach Exposing Customer Data

 

Salesforce has disclosed that some of its customers' data was accessed following a breach of Gainsight, a platform used by businesses to manage customer relationships. The breach specifically affected Gainsight-published applications that were connected to Salesforce, with these apps being installed and managed directly by customers. 

Salesforce emphasized that the breach did not stem from vulnerabilities in its own platform, but rather from Gainsight's external connection to Salesforce. The company is actively investigating the incident and directed further inquiries to its dedicated incident response page.

Gainsight confirmed it was investigating a Salesforce connection issue, but did not explicitly acknowledge a breach, stating that its internal investigation was ongoing. Notable companies using Gainsight's services include Airtable, Notion, and GitLab. GitLab confirmed that its security team is investigating and will share more details as they become available.

The hacking group ShinyHunters claimed responsibility for the breach, stating that if Salesforce does not negotiate with them, they will set up a new website to advertise the stolen data—a common tactic for cybercriminals seeking financial gain. The group reportedly stole data from nearly a thousand companies, including details from Salesloft and GainSight campaigns. 

This breach mirrors a previous incident in August, where ShinyHunters exploited vulnerabilities in AI marketing chatbot maker Salesloft, compromising numerous customers' Salesforce instances and accessing sensitive information such as access tokens.

In the earlier Salesloft breach, victims included major organizations like Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, and Workday. The hackers subsequently launched a website to extort victims, threatening to release over a billion records. Gainsight was among those affected in the Salesloft-linked breaches, but it remains unclear if the latest wave of attacks originated from the same compromise or a separate incident.

Overall, this incident highlights the risks associated with third-party integrations in major cloud platforms and the growing sophistication of financially-motivated cybercriminals targeting customer data through supply chain vulnerabilities. Both Salesforce and Gainsight are continuing their investigations, with cybersecurity teams across affected organizations actively working to assess the extent of the breach and mitigate potential damage.
Read more »
ransomware data leak
Almaviva cyberattack Data Breach FS Italiane Italian IT provider breach Italy railway hack ransomware data leak

Massive Data Breach Hits Italy’s FS Italiane After Cyberattack on IT Provider Almaviva

 

Data belonging to Italy’s state-owned railway operator, the FS Italiane Group, has been exposed after a cybercriminal infiltrated the systems of its IT partner, Almaviva.

The attacker claims to have exfiltrated a massive 2.3 terabytes of information, later publishing the stolen files on a dark web forum. The individual behind the breach alleges that the dump contains confidential records and sensitive corporate material.

Almaviva, a major global IT and digital services company, provides solutions ranging from software development and systems integration to consulting and CRM platforms. According to Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, the compromised data appears to be recent and includes documents dating back to the third quarter of 2025. He dismissed speculation that the files originated from the 2022 Hive ransomware incident.

"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.
"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," he added.

Almaviva employs more than 41,000 people across nearly 80 global locations and reported $1.4 billion in revenue last year. FS Italiane, entirely owned by the Italian government, is among the nation’s largest industrial enterprises, generating over $18 billion annually through its rail, transport, and logistics services.

Although initial press queries from BleepingComputer went unanswered, Almaviva later confirmed the breach in statements provided to local outlets.

“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.

“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”

The company added that it has notified relevant authorities, including law enforcement, Italy’s national cybersecurity agency, and the data protection authority. Government bodies are currently assisting with the ongoing investigation.

Almaviva has committed to sharing further updates as more findings become available.

It remains unknown whether any passenger information was included in the stolen data or if the breach has affected additional Almaviva clients. BleepingComputer has sent follow-up questions, but no response had been received as of publication.

In another public communication, Almaviva reiterated that it had isolated the cyberattack, stating that it resulted in “the theft of some data.”

"Almaviva immediately activated safety and response procedures through its specialized team for this type of incident, ensuring the protection and full operation of critical services," the company stated, emphasizing that business continuity plans prevented disruptions to its operations.
Read more »
Third-Party Vulnerabilities
Banking Cyberattack Cyber Intrusion Investigation Data Breach Digital Supply Chain Risk Financial Security Infrastructure Security Mortgage Data Leak Third-Party Vulnerabilities

Growing Concern as Authorities Assess Cyber Incident at Real Estate Finance Firm

 


An extreme cyber intrusion which led to considerable concern among U.S. financial institutions over the weekend has been hailed by leading American banks and mortgage lenders as a major development that must be addressed urgently in order to reduce their exposure to various cyber threats. 

According to a statement issued by StatusAMC Group Holdings, LP on November 12, the back-office software provider for hundreds of mortgage origination, servicing, and payments operations for hundreds of institutions was breached. It was possible for unknown actors to gain access to sensitive client information, including accounting files, legal agreements, and possibly extensive personal data from loan applications, by hacking into their systems. 

However, while the company claims its operations remain fully operational, and that the incident has been contained without using any encryption malware, the extent to which the data was compromised has raised the alarm on Wall Street, since firms such as JPMorgan, Citi, and Morgan Stanley are highly reliant on the vendor's infrastructure for their daily operations. 

The company has been providing clients with near-daily updates while collaborating with federal law enforcement and outside forensic experts to determine exactly what was taken after the millions of records may have been stolen. This reflects a growing sense of unease within an industry where third-party vulnerabilities are posing some of the most significant cyber risks to date. 

New York-based StatusAMC provides mortgage services to more than 1,500 clients across residential and commercial markets. This breach has been discovered by the company on November 12, and it has confirmed that portions of the company's corporate data, including accounting records and legal agreements, have been accessed during this intrusion, which occurred on November 12. 

There are no clear indications as yet as to whether the attackers exfiltrated certain data tied to customers of the company's financial-sector clients, or if they simply viewed that information. However, it acknowledges that data tied to customers of its financial-sector clients may also have been compromised. 

There is no doubt that the company is a major processor of mortgage applications, and they handle highly sensitive personal information, ranging from Social Security numbers to passport information to employment histories. However, after recent reports suggested that certain information related to residential loan files was compromised, further concerns were raised. 

A report by the New York Times reported that JPMorgan Chase, Citi, and Morgan Stanley may have been affected by the breach; JPMorgan said that its own banking systems were not directly compromised, but Citi declined to comment and Morgan Stanley refused to answer questions. It has already been reported that the FBI has opened a probe, and SitusAMC has already begun contacting impacted customers as it continues the investigation. As a result, the federal investigators are now taking an increasingly active role in investigating the breach. 

The FBI announced in a press release that they are working closely with SitusAMC and the affected institutions to determine the full extent of the breach. According to Director Kash Patel, no operational disruptions have yet been identified to banking services. He added that the bureau continues to focus on tracing the perpetrators and strengthening security measures for critical infrastructure systems. 

A longstanding vulnerability in the financial sector despite its reputation for strong cybersecurity defenses has been heightened by the incident, as a result of systemic risks associated with third-party technology providers. Despite being essential to the banking industry, SitusAMC is often overlooked outside of industry circles, and the company receives far less oversight than the major banks it supports, which can lead to the exposure of millions of records. 

As the investigation continues, neither JPMorgan Chase nor Morgan Stanley indicated what they experienced regarding the investigation. Additionally, SitusAMC's chief executive officer, Michael Franco, declined to respond to inquiries regarding the investigation, leaving many questions unanswered. 

Despite the fact that large banks invest hundreds of millions of dollars in cybersecurity each year and are widely regarded as the best-protected institutions in the private sector, experts warn that even though the banking industry is under constant pressure from increasingly sophisticated cyber threats, it is still highly vulnerable to these threats. In spite of the fact that lenders, data processors, and software providers are connected through a dense network of relationships, it is quite possible for those institutions that appear the most secure to introduce weaknesses inadvertently. 

The breach has underscored the fact that deeply embedded vulnerabilities can emerge in the most unexpected places when they are deeply embedded, as Muish Walther-Puri, head of critical digital infrastructure at TPO Group, said. The failure of a single trusted vendor can be very detrimental to the entire financial ecosystem, exposing the "unseen" risks woven into its operations, he added. He emphasized that true resilience cannot just be achieved by internal defenses alone, but also through the collective vigilance of the entire supply chain as well. 

Several industry experts are predicting that as the investigation continues, the incident will serve as a catalyst for deeper scrutiny of digital supply chains as well as a more rigorous oversight of the vendors that power critical financial operations. 

The argument goes that even if banks and lenders have formidable defenses, they still need to set higher security expectations for third parties, demanding a greater level of transparency, continuous monitoring, and greater accountability as part of their security practices. 

Having been exposed to the security breach, many people in the sector have taken note that the development of resilience these days is reliant not only on advanced technology, but also on a shared commitment to safeguard the interconnected systems that are vital to keeping the nation's financial machinery afloat.
Read more »
Synthient
Credential Stuffing Cyber Security Data Breach exposed emails Have I Been Pwned password leak Synthient

Massive Leak Exposes 1.3 Billion Passwords and 2 Billion Emails — Check If Your Credentials Are at Risk

 

If you haven’t recently checked whether your login details are floating around online, now is the time. A staggering 1.3 billion unique passwords and 2 billion unique email addresses have surfaced publicly — and not due to a fresh corporate breach.

Instead, this massive cache was uncovered after threat-intelligence firm Synthient combed through both the open web and the dark web for leaked credentials. You may recognize the company, as they previously discovered 183 million compromised email accounts.

Much of this enormous collection is made up of credential-stuffing lists, which bundle together login details stolen from various older breaches. Cybercriminals typically buy and trade these lists to attempt unauthorized logins across multiple platforms.

This time, Synthient pulled together all 2 billion emails and 1.3 billion passwords, and with help from Troy Hunt and Have I Been Pwned (HIBP), the entire dataset can now be searched so users can determine if their personal information is exposed.

The compilation was created by Synthient founder Benjamin Brundage, who spent months gathering leaked credentials from countless sources across hacker forums and malware dumps. The dataset includes both older breach data and newly stolen information harvested through info-stealing malware, which quietly extracts passwords from infected devices.

According to Troy Hunt, Brundage provided the raw data while Hunt independently verified its authenticity.

To test its validity, Hunt used one of his old email addresses — one he already knew had appeared in past credential lists. As expected, that address and several associated passwords were included in the dataset.

After that, Hunt contacted a group of HIBP subscribers for verification. By choosing some users whose data had never appeared in a breach and others with previously exposed data, he confirmed that the new dataset wasn’t just recycled information — fresh, previously unseen credentials were indeed present.

HIBP has since integrated the exposed passwords into its Pwned Passwords service. Importantly, this database never links email addresses to passwords, maintaining privacy while still allowing users to check if their passwords are compromised.

To see if any of your current passwords have been leaked, visit the Pwned Passwords page and enter them. Your passwords are never sent to a server — the entire check is processed locally in your browser through an anonymity-preserving method.

If any password you use appears in the results, change it immediately. You can rely on a password manager to generate strong replacements, or use free password generators from tools like Bitwarden, LastPass, and ProtonPass.

The single most important cybersecurity rule remains the same: never reuse passwords. When criminals obtain one set of login credentials, they try them across other platforms — an attack method known as credential stuffing. Because so many people still repeat passwords, these attacks remain highly successful.

Make sure every account you own uses a strong, complex, and unique password. Password managers and built-in password generators are the easiest way to handle this.

Even the best password may not protect you if it’s stolen through a breach or malware. That’s why Two-Factor Authentication (2FA) is crucial. With a second verification step — such as an authenticator app or security key — criminals won’t be able to access your account even if they know the password.

You should also safeguard your devices against malware using reputable antivirus tools on Windows, Mac, and Android. Info-stealing malware, often spread through phishing attacks, remains one of the most common ways passwords are siphoned directly from user devices.

If you’re interested in going beyond passwords altogether, consider switching to passkeys. These use cryptographic key pairs rather than passwords, making them unguessable, non-reusable, and resistant to phishing attempts.

Think of your password as the lock on your home’s front door: the stronger it is, the harder it is for intruders to break in. But even with strong habits, your information can still be exposed through breaches outside your control — one reason many experts, including Hunt, see passkeys as the future.

While it’s easy to panic after reading about massive leaks like this, staying consistent with good digital hygiene and regularly checking your exposure will keep you one step ahead of cybercriminals.
Read more »
Ransomware attack
Adidas Data Breach Fulgar H&M RansomHouse Ransomware attack

RansomHouse Ransomware Hits Fulgar, Key Supplier to H&M and Adidas

 

Fulgar, a major supplier of synthetic yarns to global fashion brands such as H&M, Adidas, Wolford, and Calzedonia, has confirmed it suffered a ransomware attack linked to the notorious RansomHouse group. The attack, which was first noted on RansomHouse’s leak site on November 12, involved the publication of encrypted internal data stolen since October 31. 

Screenshots shared on the leak site displayed sensitive company documents, spreadsheets, communications, and financial records—including bank balances, invoices, and exchanges with external parties. These leaks present a significant risk for targeted phishing attacks, as attackers now possess insider information that can be leveraged to deceive staff and partners.

Fulgar, established in the late 1970s, is one of Europe’s largest spinning mills, producing polyamide 66 and covered elastomers used in hosiery, lingerie, activewear, and technical textiles. The company distributes key brands like Lycra and Elaspan and operates across Italy, Sri Lanka, and Turkey. Its client list includes several of the world’s most recognized fashion retailers. The breach highlights how even large suppliers are vulnerable to cyber threats, especially when a single ransomware group gains access to internal systems.

The RansomHouse group, active since 2021, has claimed more than one hundred victims and is known for encrypting data and demanding ransom payments. US cyber authorities have previously connected the group to Iranian affiliates, who provide encryption support in exchange for a share of the ransom proceeds.

In Fulgar’s case, the attackers issued a direct warning to management: “Dear management of Fulgar S.p.A., we are sure that you are not interested in your confidential data being leaked or sold to a third party. We highly advise you to start resolving that situation.” This underscores the urgency for organizations to respond swiftly to ransomware incidents and mitigate potential reputational and financial damage.

The breach is a stark reminder of the cascading risks posed by compromised supplier networks. Sensitive records exposed in such incidents can fuel targeted identity theft and social engineering attacks, increasing threats for employees and business partners. Experts advise that organizations implement robust cybersecurity measures, including the use of strong antivirus software and properly configured firewalls, to reduce the risk of follow-up intrusions. 

However, even with these precautions, leaked internal documents can still be used to craft highly persuasive phishing campaigns, posing broader risks across manufacturing and supply chain sectors. Overall, the Fulgar breach illustrates the escalating sophistication of ransomware attacks and the critical need for vigilance among global suppliers and their clients to protect sensitive data and prevent further compromise.
Read more »
personal data leak
Customer Data Customer Data Exposed Data Breach Data exposed data security leaked sensitive data personal data leak

DoorDash Data Breach Exposes Customer Information in October 2025 Incident

 

DoorDash has informed its customers that the company experienced a security incident in late October, marking yet another breach for the food delivery platform. According to details first reported by BleepingComputer, DoorDash has begun emailing users to disclose that on October 25, 2025, an unauthorized individual infiltrated parts of its internal systems and accessed selected customer contact information. The type of data exposed varied from person to person but involved key personal details. In its notification email, the company confirmed that names, physical addresses, phone numbers, and email addresses were among the information viewed by the intruder. While financial data does not appear to have been compromised, the collection of exposed fields still carries significant risk because such details can easily be reused in phishing, impersonation, and other forms of social engineering attacks. 

DoorDash stated that the root cause of the breach was a social engineering scam targeting an employee, which ultimately allowed the attacker to obtain credentials and slip past internal safeguards. As soon as the company recognized unusual activity, its security team revoked the unauthorized access, launched a broader investigation, and contacted law enforcement to support further review. However, the company did not specify how many individuals may have been affected. What is clear is that the impacted group includes customers, delivery drivers (known as Dashers), and merchants. Considering DoorDash reported roughly 7 million contractors in 2023, nearly 600,000 partner merchants in 2024, and more than 42 million active users, the number of people touched by the incident could be extensive. 

This latest breach adds to a concerning pattern for the company, which was previously affected by two significant incidents in 2019 and 2022. The 2019 attack exposed information belonging to approximately 5 million customers, Dashers, and merchants, while the 2022 event stemmed from the same campaign that targeted communications provider Twilio. These recurring issues highlight how attractive large consumer platforms remain to cybercriminals. 

For users, the most important step after any data exposure is to immediately update account passwords and ensure they are strong, unique, and not reused across services. A password manager can simplify this process and reduce risk over time. Enabling multi-factor authentication on DoorDash and other critical accounts adds an extra security barrier that often stops attackers even if credentials are stolen. Because personal details were accessed, users should stay alert for phishing messages that may imitate DoorDash or reference suspicious orders. These tactics are common after breaches and can easily lure people into clicking harmful links or providing additional sensitive information. 

Customers may also benefit from using reputable identity theft protection services that monitor financial activity and personal data for signs of misuse. While no single step can eliminate the consequences of a breach, proactive monitoring and cautious digital habits can significantly reduce the likelihood of further harm.
Read more »
Tech Firm
Checkout Data Breach Ransomware ShinyHunters Tech Firm

Checkout Refuses ShinyHunters Ransom, Donates Funds to Cybersecurity Research

 

Checkout, a UK-based financial tech firm, recently suffered a data breach orchestrated by the cybercriminal group ShinyHunters, who have demanded a ransom for stolen merchant data. In response, the company announced it would not pay the ransom but instead donate the equivalent amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research initiatives.

The breach occurred after ShinyHunters gained unauthorized access to a legacy third-party cloud storage system used by Checkout in 2020 and earlier. This system, which had not been properly decommissioned, contained internal operational documents, onboarding materials, and data from a significant portion of company’s merchant base, including past and current customers. The company estimates that less than 25% of its current merchant base was affected by the incident.

The tech firm provides payment processing services to major global brands such as eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, managing billions in merchandise revenue. The company’s systems include a unified payments API, hosted payment portals, mobile SDKs, and plugins for existing platforms, along with fraud detection, identity verification, and dispute management features.

ShinyHunters is an international threat group known for targeting large organizations, often leveraging phishing, OAuth attacks, and social engineering to infiltrate systems and extort ransom payments. The group has recently exploited the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884) and carried out attacks on Salesforce and Drift systems affecting multiple organizations earlier in the year.

Despite the pressure to pay a ransom to prevent the leaked data from being published, Checkout has refused and opted for a different strategy. The company will invest in strengthening its own security infrastructure and protecting its customers more effectively in the future. Additionally, the company has committed to supporting academic research in cybersecurity by channeling the intended ransom funds to prestigious universities.

Checkout has not disclosed the identity of the compromised third-party cloud file storage system or the specific breach method. The company continues to work on bolstering its defenses and has emphasized its commitment to transparency and customer protection. This decision sets a notable precedent for organizations facing ransomware demands, highlighting the importance of proactive security investment and responsible action in the face of cyber threats.
Read more »
Nation-State Attack
Chinese Firm Data Breach Data Leak Knownsec Nation-State Attack

Knownsec Breach Exposes Chinese State Cyber Weapons and Global Target List

 

A major data breach at the Chinese security firm Knownsec has exposed more than 12,000 classified documents, providing unprecedented insight into the deep connections between private companies and state-sponsored cyber operations in China. The leaked files reportedly detail a wide array of cyber capabilities, including the use of Remote Access Trojans (RATs) that are capable of infiltrating systems across Windows, Linux, macOS, iOS, and Android platforms.

This breach not only highlights technical vulnerabilities but also reveals how companies like Knownsec can be embedded in national level cyber programs, sometimes carrying out operations on behalf of government agencies. Among the most notable data included in the leak were records stolen from international sources: 95GB of immigration data from India's national databases, 3TB of call logs from South Korea’s LG U Plus, and 459GB of transportation data from Taiwan.

Experts investigating these materials discovered spreadsheets listing 80 foreign targets, including major critical infrastructure and telecommunications enterprises across more than twenty countries and regions, with Japan, Vietnam, India, Indonesia, Nigeria, and the UK among them. The files also described specialized malware for Android—capable of extracting information from popular Chinese messaging apps and Telegram—and referenced the use of hardware-based hacking devices, such as a malicious power bank designed to covertly upload data to victim systems.

Despite efforts to remove the leaked materials from platforms such as GitHub, the contents have already spread among researchers and intelligence circles, offering an unusual glimpse into China’s cyber ecosystem and the scale of its operations. The exposure demonstrates the breadth, organization, and sophistication of these campaigns, suggesting far more coordination between security firms and state entities than previously understood.

In response, Beijing has officially denied any knowledge of a Knownsec breach, reiterating its opposition to cyberattacks but stopping short of disavowing links between the state and private cyber intelligence actors. The researchers emphasize that standard antivirus and firewall protections alone are insufficient against such advanced threats and highlights the need for a multi-layered cyber defense strategy incorporating real-time monitoring, rigorous network segmentation, and AI-driven threat detection to adequately protect organizations from these sophisticated forms of infiltration.
Read more »
Vulnerability Exploit
Clop Group Cybersecurity Breach Data Breach Enterprise security GlobalLogic Incident response Oracle Zero-Day Ransomware attack SQL Threat Intelligence Vulnerability Exploit

GlobalLogic Moves to Protect Workforce After Oracle-related Data Theft

 


A new disclosure that underscores the increasing sophistication of enterprise-level cyberattacks underscores the need to take proactive measures against them. GlobalLogic has begun notifying more than ten thousand of its current and former employees that their personal information was compromised as a result of a security breach connected to an Oracle E-Business Suite zero-day flaw. 

An engineering services firm headquartered in the United States, owned by Hitachi, announced the breach to regulators after determining that an unknown attacker exploited an unpatched vulnerability in the Oracle platform, the core platform used to manage finance, human resources, and operational processes at the company, so that sensitive data belonging to 10,000 employees was stolen. 

The Maine Attorney General's office reported to the Maine State Attorney General that attackers had infiltrated GlobalLogic's environment with an advanced SQL-injection chain mapped to MITRE techniques T1190 and T1040, deploying a persistent backdoor through an Oracle Forms vulnerability, obtaining extensive employee data, including identification, contact information, passport information, tax and salary data, and bank account numbers, as well as extensive employee records. 

The signs of compromise point to a coordinated data-extortion campaign in which privilege-escalation events were used to maintain prolonged access to data. Indicators like malicious IP ranges and rogue domains indicate that the attack was coordinated. In the aftermath of Oracle's security patches being released, GlobalLogic announced that an immediate investigation had been conducted, and the company is now urging the rapid implementation of vendor updates, enhanced logging, and temporary hardening measures in order to mitigate further risk. 

With Hitachi's acquisition of the company in 2021, it has now served more than 600 enterprise clients around the world, and the company has officially reported the breach to California and Maine regulators, who confirmed that more than 10,500 current and former employees' personal information was exposed in the attack. 

During GlobalLogic's investigation, it was discovered that the intrusion was a part of a larger campaign that was coordinated by the Clop ransomware group, which has been exploiting a zero-day flaw in Oracle's E-Business Suite since at least July in order to snare huge amounts of corporate information. There have been reports that several companies have been caught in this wave of attacks, and many are only aware of their compromise after they receive extortion emails from extortionists. Analysts are claiming that dozens of companies have been compromised.

It is reported by GlobalLogic that the company discovered the breach on October 9 but it was later discovered that the attackers gained access to the server on July 10, with the most recent malicious activity occurring on August 20 according to GlobalLogic's filings. Despite the fact that the incident was contained to the Oracle platform, the sheer amount of sensitive and high-level data stolen—from contact information to internal identifiers to passports to tax records to salary information to bank account numbers—does not make it easy for the severity of the attack to be noted. 

A spokesperson for the company said that they immediately activated their incident response protocols, notified the law enforcement, and consulted external forensic experts after the zero-day exploit was discovered (CVE-2025-61882) was discovered, and that Oracle's patch for the vulnerability (CVE-2025-61882) was applied once it was released. 

Security researchers later confirmed that Clop hacked numerous victims over a period of several months by exploiting multiple vulnerabilities within the same platform, demanding ransoms that often reached eight-figure sums. It has been reported that nearly 30 organizations are currently listed on Clop's website after a breach of their systems was discovered last week. If these organizations do not pay the restitution, they will face public exposure. The kind of information exposed in the GlobalLogic breach highlights how sophisticated the attackers were. 

According to the company's disclosure, the stolen data was representative of a wide range of personal information that is typically kept in human resources systems, such as names, home addresses, telephone numbers, addresses for emergency contacts, and identifiers for internal employees.

There were a variety of individuals whose exposure to cyber attacks was far more in-depth and involved email addresses, dates and countries of birth, nationalities, passports, tax and national identification numbers such as Social Security details, salary information, and full banking credentials for their online banking accounts. 

A ransomware group known as Clop has been associated with several high-profile Oracle EBS data theft operations, as well as adding major companies to its Tor-based leak site, including Harvard University, Envoy Air, and The Washington Post, whose stolen data is already available via torrent downloads from a number of sources. Despite the fact that GlobalLogic's information has not yet appeared on the leak portal, security analysts have said that the omission may be indicative of ongoing negotiations, or that a ransom has already been paid by the company. 

The company spokesperson refused to comment on whether any demands were being addressed, but confirmed Clop has publicly claimed responsibility for the breach. Now that the gang is being questioned more closely by the U.S. authorities after previously exploiting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer in mass-scale data breaches, they are under greater scrutiny than ever before. 

According to the State Department, there is a reward for intelligence that can be provided tying the group's operations to a foreign government worth up to $10 million. In light of this incident, industry officials are calling for improved patch management, proactive threat hunting, and tighter oversight of third-party platforms supporting critical business operations that are used by critical business units. 

According to GlobalLogic's analyst, the company's experience shows just how quickly a single vulnerability can lead to widespread damage when exploited by highly coordinated ransomware groups, particularly if the vulnerability has not yet been patched. 

Despite continuing to investigate Clop's broader campaign, experts urge organizations to adopt continuous monitoring, strengthen vendor risk controls, and prepare for the likelihood that they will be the victim of future zero day exploits in the following years, as the modern enterprise threat landscape is now characterized by zero-day threats.
Read more »
privacy protection
Automotive Cyberattack Connected Car Security Cybersecurity Breach Data Breach Data Exposure Digital threats Hyundai AutoEver identity theft risk personal data safety privacy protection

Hyundai Faces Security Incident With Potential Data Exposure

 


In the past few months, Hyundai AutoEver America, a division of Hyundai Motor Group, has confirmed a recent data breach that exposed sensitive personal information after hackers infiltrated its internal IT environment earlier this year, revealing a recent data breach. 

A company spokesperson told me that unauthorized access to the company's computer systems began on February 22, 2025 and went undetected until March 2, giving intruders nine days to access confidential data. 

The early breach notices didn't specify how many people were affected, but according to state regulatory disclosures as well as a subsequent statement issued to Kelley Blue Book, approximately 2,000 people—out of the over 2.7 million users HAEA serves across Hyundai, Kia, and Genesis platforms—were impacted. There have been a number of compromises of the data, including names, Social Security numbers, and driving license information. 

In response to the suspicious activity, HAEA contacted an external cybersecurity expert who conducted an investigation, contained the intrusion, and informed law enforcement. As officials continue to assess the full scope of the incident, officials have begun issuing formal notices to those whose information was possibly exposed. 

It was only in the months that followed that it became increasingly clearer and more troubling just what the breach's consequences and the broader risks associated with connected vehicles were in the future. Even though Hyundai AutoEver America eventually acknowledged that the incident could have affected as many as 2.7 million Hyundai, Kia, and Genesis owners, internal assessments and state filings later narrowed the directly affected group to merely 2,000 individuals, yet the sensitive nature of the data involved makes even this smaller number quite significant. 

A nine-day intrusion that took place between February 22 and March 2, 2025, revealed the names, addresses, phone numbers, driver’s license numbers, and Social Security numbers of several automobile manufacturers, revealing to intruders a full range of data and details that underpinned core digital services across the automaker’s brands during that period. 

Among privacy experts, there is no doubt that what has caused concern is not just the scope of information but also that it has taken seven months for customers to be informed about the incident, a timeframe that gave the possibility for stolen identities to be misused or combined with other data circulating from other breaches.

Hyundai is also experiencing a growing pattern of security breaches since 2023, which reinforces concerns that these are not isolated incidents but rather signs of deeper structural problems. As the episode illustrates, modern cars—once purely mechanical devices—now act as sophisticated data hubs, collecting everything from passengers’ financial details to route histories, biometric inputs, driving behaviour, and even information synced from their mobile devices, which is not visible to the driver. 

Manufacturers are expanding their digital ecosystems and the breach has raised questions about the industry's ability to safeguard the vast and intimate data it collects on a regular basis. Immediately following the intrusion, Hyundai AutoEver America made an effort to reassure its customers by offering two years of complimentary identity theft and credit monitoring services through Epiq as a gesture of goodwill.

In spite of this, security analysts note that such measures are rarely sufficient to relieve customers after sensitive information has been stolen. Additionally, Hyundai Motor Europe’s disclosure also brought back memories of a similar experience it suffered just a year earlier when it was attacked by a ransomware gang called Black Basta, which claimed to have taken over 3TB of internal files before appearing dormant in early 2025, when the company lost control of its operations. 

All in all, these incidents emphasize one more uncomfortable reality: automakers now harvest and manage far greater amounts of personal information than most drivers are aware of. Besides the information required for financing or registration of vehicles, companies routinely collect (and in some cases monetize) data regarding the locations of their customers, their driving habits, the biometric patterns they use, and even behavioral patterns that can help them infer consumers' preferences with a remarkable degree of accuracy. 

Following a complaint made by General Motors that it had shared driver data with third-parties to the point of being able to obtain their information from them, the Federal Trade Commission issued a five-year ban on the practice. In July, a U.S. Senate inquiry raised concerns about other manufacturers continuing the same data-sharing practices. 

The HAEA notified the California Attorney General of the incident by notifying them that they had enlisted cybersecurity experts to determine the scope of the breach and confirm that the intrusion had been contained, even though investigators were unable to determine if the information was exfiltrated. Those affected customers have been given 90 days to enroll in monitoring services, and a hotline has also been established to assist customers. 

As Hyundai AutoEver asserts, only a small number of users have been directly impacted by this incident, but the incident has ignited a wider industry debate over precisely how well automakers secure the ever-increasing amount of personal data embedded in most connected vehicles today. After Hyundai AutoEver America found out that a wide range of sensitive data points had been exposed as part of this breach, including a number of customer names, government-issued identification numbers, and passwords, it confirmed that the investigation of the technical footprint was continuing. 

Among the records that were compromised, according to notification letters sent to the individuals affected, were Social Security numbers and driver's license information, with each recipient receiving a customized breakdown of which data elements applied to them in the initial notification. In order to conduct the analysis in a comprehensive way, extensive forensic work and collaboration with external cybersecurity specialists were necessary. 

These specialists helped Hyundai AutoEver reconstruct the intrusion, assess database exposure, and determine which users needed formal notification. Hyundai AutoEver said it immediately terminated the intruder's access and implemented additional safeguards and was continuing to implement a comprehensive remediation program that was intended to prevent similar incidents in the future. 

Consequently, Epiq Privacy Solutions has been contacted by the company to offer complimentary two-year credit monitoring and identity protection services to impacted customers, which will include three-bureau monitoring and fraud detection tools, as well as a 90-day enrollment period. It should be noted that these protections are only a layer of protection, however, according to security experts. 

As a precautionary measure, they advise their customers to review financial statements, to check their credit reports, and to place fraud alerts or credit freezes with the major credit bureaus to reduce the risk of unauthorized account openings. 

In addition, this incident has brought about renewed discussions about digital hygiene for vehicle owners, ranging from updating passwords and enabling multifactor authentication on connected car applications to avoiding stored payment information in the infotainment system.

There are a number of cybercrime analysts who note that incidents of this nature often open the door to secondary scams, as cybercriminals impersonate automakers' support teams in order to steal more personal information from car owners through pages pretending to be account verifications and security updates. 

These developments have been identified by industry observers as part of a dramatic shift in the way in which cars now collect far more information than most drivers are aware of. These include location histories, biometric identifiers, behavioral patterns, and synced mobile data, to name a few. 

The results of this study indicate that consumers should adopt strong cybersecurity practices, including using reputable antivirus software, staying current on device updates, and thinking about data-removal solutions that will reduce exposure to data-broker websites as a result of data misuse. Several automakers have been affected by this new trend; the Federal Trade Commission imposed a five-year ban on General Motors' ability to sell data on drivers earlier this year. 

Additionally, a Senate investigation has raised concerns about similar practices in other automakers, including Hyundai, as well. In spite of Hyundai AutoEver's assertion that only a relatively small number of its customers were directly affected by this breach, the incident has brought to light questions about the effectiveness with which carmakers are safeguarding the growing amounts of data embedded in connected cars, as well as what consumers should do in the rapidly growing digital world in order to protect themselves from the threat of fraud. 

It is clear from the Hyundai AutoEver breach that the automobile industry needs to rethink how it approaches data security in an increasingly interconnected digital age, where vehicles become increasingly interconnected digital ecosystems. It is important to note that meaningful protection depends both on stronger corporate safeguards as well as on proactive vigilance on the part of drivers in light of increased regulatory oversight and consumers' increasing awareness of how their information is being used.

It is vital that consumers play an important role in reducing future risks by practicing stricter digital hygiene, minimizing unnecessary data sharing, and demanding that automakers communicate their information more clearly, in order to ensure that the convenience of connected cars does not come at the expense of their individual privacy rights.
Read more »
Ransomware
Account security British transport Data Breach MFA Passwords Ransomware

When Weak Passwords Open The Door: Major Breaches That Began With Simple Logins

 



Cybersecurity incidents are often associated with sophisticated exploits, but many of the most damaging breaches across public institutions, private companies and individual accounts have originated from something far more basic: predictable passwords and neglected account controls. A review of several high-profile cases shows how easily attackers can bypass defences when organisations rely on outdated credentials, skip essential updates or fail to enforce multi-factor authentication.

One example resurfaced when an older assessment revealed that the server used to manage surveillance cameras at a prominent European museum operated with a password identical to the institution’s name. The report, which stresses on configuration weaknesses and poor access safeguards, has drawn renewed attention following recent thefts from the museum’s collection. The outdated credential underlined how critical systems often remain vulnerable because maintenance and password policies fall behind operational needs.

A similar pattern was seen in May 2021 when a major fuel pipeline in the United States halted operations after attackers used a compromised login associated with an inactive remote-access account. The credential was not protected by secondary verification, allowing the intruders to infiltrate the network. The temporary shutdown triggered widespread disruption, and the operator ultimately paid a substantial ransom before systems could be restored. Investigators later recovered part of the payment, but the event demonstrated how a single unsecured account can affect national infrastructure.

In the corporate sector, a British transport company with more than a century of operations collapsed after a ransomware group accessed its internal environment by correctly guessing an employee’s password. Once inside, the attackers encrypted operational data and locked critical systems, demanding a ransom the firm could not pay. With its files unrecoverable, the company ceased trading and hundreds of employees lost their jobs. The case illustrated how small oversights in password hygiene can destabilise even long-established businesses.

Weak or unchanged default codes have also enabled intrusions into personal communications. Years-long investigations into unlawful phone-hacking in the United Kingdom revealed that some voicemail systems were protected by factory-set PINs or extremely simple numerical combinations. These lax protections enabled unauthorized access to private messages belonging to public figures, eventually triggering criminal proceedings, regulatory inquiries and the shutdown of a national newspaper.

Historical oversight is not limited to consumer systems. Former personnel who worked with early nuclear command procedures in the United States have described past practices in which launch mechanisms relied on extremely simple numeric sequences. Although additional procedural safeguards existed, later reforms strengthened the technical requirements to ensure that no single point of failure or simplistic code could enable unauthorized action.

More recently, a national elections authority in the United Kingdom was reprimanded after attackers accessed servers containing voter registration data between 2021 and 2022. Regulators found that essential patches had not been applied and that many internal accounts continued to use passwords similar to those originally assigned at setup. By impersonating legitimate users, intruders were able to penetrate the system, though no evidence indicated that the data was subsequently misused.

These incidents reinforce a consistent conclusion. Passwords remain central to digital security, and organisations that fail to enforce strong credential policies, update software and enable multi-factor authentication expose themselves to avoidable breaches. Even basic improvements in password complexity and account management can prevent the kinds of failures that have repeatedly resulted in financial losses, service outages and large-scale investigations.


Read more »
Ransomware attack
Akira Ransomware Data Breach LG Energy Solution Ransomware attack

LG Energy Solution Hit by Akira Ransomware, Data Breach Confirmed

 

LG Energy Solution, a leading South Korean battery manufacturer with global operations, confirmed a significant ransomware incident affecting one of its overseas facilities in mid-November 2025. The company announced that only a "specific overseas facility" was targeted, emphasizing that its headquarters and other international sites remained unaffected. 

Rapid containment and recovery efforts returned the impacted facility to normal operations, and full-scale investigations involving internal and external cybersecurity teams were launched to trace the breach’s access points and bolster defenses against future attacks. The official disclosure followed public claims by the Akira ransomware gang, which took credit for the breach and threatened to release the stolen data if their demands weren’t met.

The Akira ransomware collective, flagged internationally for targeting high-value industrial companies, claimed it had exfiltrated around 1.67 terabytes of data from LG Energy Solution, including corporate documents, employee personal information (such as visas, passports, medical records, and ID cards), financial data, details about confidential projects, non-disclosure agreements, and contracts with clients and suppliers.

If verified, this data trove represents a severe threat, as it contains operational blueprints, intellectual property, and sensitive workforce details potentially enabling further cyberattacks or destructive phishing schemes. Akira’s own statements suggested that they might soon publish internal documents and SQL databases unless LG Energy Solution entered into negotiations.

Though the direct operational disruption at the overseas site proved temporary, the aftermath presents enduring risks. Ransomware gangs increasingly target manufacturers like LG, whose products are vital for industries such as electric vehicles and energy storage, causing ripple effects throughout global supply chains. The battery sector has seen a surge in attacks due to its strategic role, narrow recovery windows, and high-value data. 

LG Energy Solution’s breach underscores growing concerns about cyber extortion targeting energy and manufacturing sectors, especially as international regulatory pressures mount and law enforcement agencies heighten scrutiny of cybercriminal operations. Industry experts forecast more ransomware attempts on energy sector companies, with supply chain vulnerabilities and third-party vendor networks presenting further risks for cascading attacks.

As investigations continue, LG Energy Solution remains focused on remediation, securing network pathways, and working with authorities to mitigate long-term consequences. The incident’s true impact will also depend on whether stolen data is published, which could have severe repercussions for strategic relationships, business operations, and the wider EV battery supply chain.
Read more »
Redback IFV leak
Australia Hanwha Defense deal Cyber Toufan Data Breach Elbit Systems Israeli defense companies hack Redback IFV leak

Pro-Hamas Hackers Leak Alleged Redback IFV Plans and Israeli Defense Employee Data After Major Cyber Breach

A hacker collective aligned with Hamas has allegedly released sensitive information tied to Australia’s Redback next-generation infantry fighting vehicle program, along with hundreds of photographs of staff from Israeli defense companies.

The group, known as Cyber Toufan and widely believed to have links to Iran, posted detailed 3D schematics and technical files connected to the AUD $7 billion Redback project. The leak followed a series of cyberattacks on 17 Israeli defense contractors, carried out after infiltrating the systems of supply-chain partner MAYA Technologies, The Australian reported. According to the outlet, the hackers claimed they had “infiltrated the heart of Israel’s defense engineering operations” and began releasing information on 36 joint defense projects from October 22 onward.

They further asserted that they “have obtained tens of terabytes of personal data, administrative and technical documents, audio calls, and video recordings of these criminals… Some designed the rocket, the UAVs, and the tank, while others participated in making their parts and programming their systems, even transporting them to the battlefield.”

A report released in May by Israeli cybersecurity company OP Innovate noted that the group heavily targets organizations connected to Israel’s defense and economic sectors. The report highlighted that Cyber Toufan often exploits default or previously leaked credentials used by third-party security providers, enabling access “not by breaking in, but by walking through an unlocked door.”

Australia previously signed a deal with South Korea’s Hanwha Defense to purchase 127 Redback vehicles for AUD $7 billion. The platform incorporates several Israeli-made systems, including Elbit Systems’ advanced 30mm turret, COAPS gunner sight, a suite of sensors, the Iron Fist active protection system, the Iron-Vision helmet-mounted display, and a laser warning system.

What Was Exposed?

In addition to employee photos, Cyber Toufan published files relating to numerous defense programs. Among the disclosed items were materials tied to Elbit’s Iron-Vision helmet display, Rafael’s Iron Beam laser defense system, the Ice Breaker missile, Spike NLOS anti-tank missiles, Elbit’s Hermes 900 drone storage module, the ROEM self-propelled howitzer, and the Crossbow turreted mortar system.

The Australian also reported that internal considerations by the Australian Defence Force regarding the purchase of Rafael’s Spike NLOS missiles were revealed in the leak. However, Israeli defense industry officials told Defense and Tech by The Jerusalem Post that no classified data had been compromised.

The leak comes amid heightened political tension, as Australia has been outspoken in its criticism of Israel’s military actions in Gaza. Prime Minister Anthony Albanese has previously stated that Australia does “not sell arms to Israel,” though Defence Industry Minister Pat Conroy recently defended the continued use of Israeli technology within the Australian Defence Force.

“We make no apology for getting the best possible equipment for the Australian Defence Force,” he said at the Indo-Pacific Maritime Exposition.

Despite this stance, The Nightly reported that Australia has discreetly implemented new restrictions on defense-related exports to Israel. According to the outlet, permit holders governed under the Customs (Prohibited Exports) Regulations 1956 are now barred from exporting certain approved items to Israel. The Department of Defence reportedly declined to comment, citing national security and confidentiality obligations.

Cyber Toufan stated: “Through the systems, we have breached Elbit and Rafael’s through then [sic]. Their phones, printers, routers, and cameras as well,” the group said. “We have recorded your meetings with sound and video for over a year. This is just the beginning with Maya!”

In a statement to the publication, Rafael said:
“no Rafael classified networks, customer data, or operational systems were affected.”
“Rafael’s cybersecurity framework is among the most advanced in the industry, with continuous monitoring and protection applied across all digital environments. All projects, programs, and customer engagements remain fully secure and uninterrupted.”


Read more »
User Privacy
Data Breach Data Leak Hyundai AutoEver America IT Firm User Privacy

Hyundai AutoEver America Breach Exposes Employee SSNs and Driver’s License Data

 

Hyundai AutoEver America (HAEA), an IT services affiliate of Hyundai Motor Group, has confirmed a data breach that compromised sensitive personal information, including Social Security Numbers (SSNs) and driver’s licenses, of approximately 2,000 individuals, mostly current and former employees. The breach occurred between February 22 and March 2, 2025, with the company discovering the intrusion and launching an investigation on March 1.

HAEA specializes in providing IT consulting, managed services, and digital solutions for Hyundai and Kia affiliates, covering vehicle telematics, over-the-air updates, vehicle connectivity, and embedded systems, as well as business systems and digital manufacturing platforms. The company’s IT environment supports 2 million users and 2.7 million vehicles, with a workforce of 5,000 employees.

The notification to affected individuals revealed that the breach exposed names, while the Massachusetts government portal listed additional information such as SSNs and driver’s licenses. It is still unclear whether customers or users were affected besides employees, and the exact breakdown of impacted groups remains unspecified. The company worked with external cybersecurity experts and law enforcement to investigate the incident, confirm containment, and identify the potentially affected data.

At the time of the report, no ransomware groups had claimed responsibility for the attack, and the perpetrators are unknown. This incident adds to a series of cybersecurity challenges faced by Hyundai and its affiliates in recent years, including previous ransomware attacks and data breaches affecting operations in Europe and exposing owner data in Italy and France. 

Additionally, security researchers previously identified significant privacy and security issues with Hyundai’s companion app, which allowed unauthorized remote control of vehicles, and vulnerabilities in built-in anti-theft systems.

HAEA has not yet released a full public statement with details about the breach, mitigation steps, or future security improvements. The limited information available highlights the need for robust security protocols, especially for organizations handling large volumes of sensitive personal and automotive data. The breach serves as a reminder of the ongoing risks facing major automotive and IT service providers amid the growing threat landscape for digital infrastructure.
Read more »
Subscribe to: Comments (Atom)