CySecurity News - Latest Information Security and Hacking Incidents: Data Leak

AI tools Data Breach Data Leak Digital Personal Data Protection Gemini AI Gemini Flaw Gemini vulnerability Google Gemini Google security

Google Gemini Calendar Flaw Allows Meeting Invites to Leak Private Data

Though built to make life easier, artificial intelligence helpers sometimes carry hidden risks. A recent study reveals that everyday features - such as scheduling meetings - can become pathways for privacy breaches. Instead of protecting data, certain functions may unknowingly expose it. Experts from Miggo Security identified a flaw in Google Gemini’s connection to Google Calendar. Their findings show how an ordinary invite might secretly gather private details. What looks innocent on the surface could serve another purpose beneath.

A fresh look at Gemini shows it helps people by understanding everyday speech and pulling details from tools like calendars. Because the system responds to words instead of rigid programming rules, security experts from Miggo discovered a gap in its design. Using just text that seems normal, hackers might steer the AI off course. These insights, delivered openly to Hackread.com, reveal subtle risks hidden in seemingly harmless interactions.

A single calendar entry is enough to trigger the exploit - no clicking, no downloads, no obvious red flags. Hidden inside what looks like normal event details sits coded directions meant for machines, not people. Rather than arriving through email attachments or shady websites, the payload comes disguised as routine scheduling data. The wording blends in visually, yet when processed by Gemini, it shifts into operational mode. Instructions buried in plain sight tell the system to act without signaling intent to the recipient.

A single harmful invitation sits quietly once added to the calendar. Only after the user poses a routine inquiry - like asking about free time on Saturday - is anything set in motion. When Gemini checks the agenda, it reads the tainted event along with everything else. Within that entry lies a concealed instruction: gather sensitive calendar data and compile a report. Using built-in features of Google Calendar, the system generates a fresh event containing those extracted details.

Without any sign, personal timing information ends up embedded within a new appointment. What makes the threat hard to spot is its invisible nature. Though responses appear normal, hidden processes run without alerting the person using the system. Instead of bugs in software, experts point to how artificial intelligence understands words as the real weak point. The concern grows as behavior - rather than broken code - becomes the source of danger. Not seeing anything wrong does not mean everything is fine.

Back in December 2025, problems weren’t new for Google’s AI tools when it came to handling sneaky language tricks. A team at Noma Security found a gap called GeminiJack around that time. Hidden directions inside files and messages could trigger leaks of company secrets through the system. Experts pointed out flaws deep within how these smart tools interpret context across linked platforms. The design itself seemed to play a role in the vulnerability. Following the discovery by Miggo Security, Google fixed the reported flaw.

Still, specialists note similar dangers remain possible. Most current protection systems look for suspicious code or URLs - rarely do they catch damaging word patterns hidden within regular messages. When AI helpers get built into daily software and given freedom to respond independently, some fear misuse may grow. Unexpected uses of helpful features could lead to serious consequences, researchers say.

Korean Air Employee Data Exposed in Cl0p Ransomware Supply-Chain Attack



 

Vulnerabilities and Exploits

Cl0p Ransomware Data Leak Korean Air Supply-Chain Attack Vulnerabilities and Exploits

Korean Air Employee Data Exposed in Cl0p Ransomware Supply-Chain Attack

Korean Air has acknowledged the theft of sensitive data belonging to 30,000 current and former employees in a serious data breach. The breach occurred via a supply-chain compromise at KC&D Service, the airline's former catering subsidiary. Hackers exploited a critical flaw in Oracle E-Business Suite, tracked as CVE-2025-61882, that enabled code execution remotely without requiring any user interaction or authentication to login. Cl0p ransomware operators claimed responsibility for the attack, and after ransom demands were apparently ignored, they dumped almost 500 GB of stolen archives on their dark web site.

The intrusion occurred at KC&D, which, though it was sold to Hahn & Company in 2020, was still handling in-flight meals and duty-free services. Korean Air continues to own a 20% stake and has continued sharing employee data through KC&D's ERP server. The attackers targeted Oracle EBS versions 12.2.3 through 12.2.14 to bypass authentication and reach sensitive systems. The vulnerability was publicly disclosed in early October 2025, after initial exploitation that started in August. Although Oracle promptly released patches, the combination of late detection and widespread exposure caused data exfiltration to spread across many victims.

The stolen information includes full names and bank account numbers, which increases the risk of identity theft, financial fraud and phishing attacks for those whose information was compromised. Importantly, no customer data, including flight records or payment information, was compromised, preventing wider impact on operations. Korean Air on Dec. 29, 2025, advised the employees to be cautious of scams and took emergency security measures, disconnecting the KC&D servers and filing a report with the Korea Internet and Security Agency (KISA).

This attack is reminiscent of the 2023 MOVEit Transfer breach conducted by Cl0p, a similar file-transfer exploit that resulted in the compromise of millions of records from hundreds of companies. Dozens of EBS victims have surfaced, including Envoy Air, Harvard University, Schneider Electric, Emerson, Cox Enterprises, Logitech, and Barts Health NHS Trust, underscoring the campaign's global scale. Cl0p, a Russia-nexus extortion group linked to FIN11, prioritizes data theft over encryption for high-value targets.

The incident emphasizes enduring supply-chain risk in aviation and enterprise software, underscoring the importance of timely patching, third-party risk assessments, and zero-trust architectures. Korean Air Vice Chairman Woo Kee-hong confirmed full dedication to breach scoping and support for its employees in the midst of South Korea's wave of cyberattacks, which also targeted Coupang and SK Telecom in recent days. Organizations around the globe need to review their Oracle EBS exposures and keep an eye on Cl0p leak sites in order to reduce risk.

Instagram Refutes Breach Allegations After Claims of 17 Million User Records Circulating Online



 

Personal Information

2FA API Data Breach Data Leak Instagram Meta Personal Information

Instagram Refutes Breach Allegations After Claims of 17 Million User Records Circulating Online

Instagram has firmly denied claims of a new data breach following reports that personal details linked to more than 17 million accounts are being shared across online forums. The company stated that its internal systems were not compromised and that user accounts remain secure.

The clarification comes after concerns emerged around a technical flaw that allowed unknown actors to repeatedly trigger password reset emails for Instagram users. Meta, Instagram’s parent company, confirmed that this issue has been fixed. According to the company, the flaw did not provide access to accounts or expose passwords. Users who received unexpected reset emails were advised to ignore them, as no action is required.

Public attention intensified after cybersecurity alerts suggested that a large dataset allegedly connected to Instagram accounts had been released online. The data, which was reportedly shared without charge on several hacking forums, was claimed to have been collected through an unverified Instagram API vulnerability dating back to 2024.

The dataset is said to include information from over 17 million profiles. The exposed details reportedly vary by record and include usernames, internal account IDs, names, email addresses, phone numbers, and, in some cases, physical addresses. Analysis of the data shows that not all records contain complete personal details, with some entries listing only basic identifiers such as a username and account ID.

Researchers discussing the incident on social media platforms have suggested that the data may not be recent. Some claim it could originate from an older scraping incident, possibly dating back to 2022. However, no technical evidence has been publicly provided to support these claims. Meta has also stated that it has no record of Instagram API breaches occurring in either 2022 or 2024.

Instagram has previously dealt with scraping-related incidents. In one earlier case, a vulnerability allowed attackers to collect and sell personal information associated with millions of accounts. Due to this history, cybersecurity experts believe the newly surfaced dataset could be a collection of older information gathered from multiple sources over several years, rather than the result of a newly discovered vulnerability.

Attempts to verify the origin of the data have so far been unsuccessful. The individual responsible for releasing the dataset did not respond to requests seeking clarification on when or how the information was obtained.

At present, there is no confirmation that this situation represents a new breach of Instagram’s systems. No evidence has been provided to demonstrate that the data was extracted through a recently exploited flaw, and Meta maintains that there has been no unauthorized access to its infrastructure.

While passwords are not included in the leaked information, users are still urged to remain cautious. Such datasets are often used in phishing emails, scam messages, and social engineering attacks designed to trick individuals into revealing additional information.

Users who receive password reset emails or login codes they did not request should delete them and take no further action. Enabling two-factor authentication is fiercely recommended, as it provides an added layer of security against unauthorized access attempts.

University of Phoenix Data Breach Exposes Records of Nearly 3.5 Million Individuals



 

Oracle E-Business Suite

Clop Ransomware Clop Ransomware Gang customer data leak Data Breach Data Leak Data protection data security Oracle E-Business Suite

University of Phoenix Data Breach Exposes Records of Nearly 3.5 Million Individuals

The University of Phoenix has confirmed a major cybersecurity incident that exposed the financial and personal information of nearly 3.5 million current and former students, employees, faculty members, and suppliers. The breach is believed to be linked to the Clop ransomware group, a cybercriminal organization known for large-scale data theft and extortion. The incident adds to a growing number of significant cyberattacks reported in 2025.

Clop is known for exploiting weaknesses in widely used enterprise software rather than locking systems. Instead, the group steals sensitive data and threatens to publish it unless victims pay a ransom. In this case, attackers took advantage of a previously unknown vulnerability in Oracle Corporation’s E-Business Suite software, which allowed them to access internal systems.

The breach was discovered on November 21 after the University of Phoenix appeared on Clop’s dark web leak site. Further investigation revealed that unauthorized access may have occurred as early as August 2025. The attackers used the Oracle E-Business Suite flaw to move through university systems and reach databases containing highly sensitive financial and personal records.

The vulnerability used in the attack became publicly known in November, after reports showed Clop-linked actors had been exploiting it since at least September. During that time, organizations began receiving extortion emails claiming financial and operational data had been stolen from Oracle EBS environments. This closely mirrors the methods used in the University of Phoenix breach.

The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account and routing numbers. While the university has not formally named Clop as the attacker, cybersecurity experts believe the group is responsible due to its public claims and known use of Oracle EBS vulnerabilities.

Paul Bischoff, a consumer privacy advocate at Comparitech, said the incident reflects a broader trend in which Clop has aggressively targeted flaws in enterprise software throughout the year. In response, the University of Phoenix has begun notifying affected individuals and is offering 12 months of free identity protection services, including credit monitoring, dark web surveillance, and up to $1 million in fraud reimbursement.

The breach ranks among the largest cyber incidents of 2025. Rebecca Moody, head of data research at Comparitech, said it highlights the continued risks organizations face from third-party software vulnerabilities. Security experts say the incident underscores the need for timely patching, proactive monitoring, and stronger defenses, especially in education institutions that handle large volumes of sensitive data.

700Credit Data Breach Exposes Personal Information of Over 5.6 Million Consumers



 

personal data security

700Credit data breach Cyberattacks Data Breach Data Leak Data protection data security Personal Data Breach personal data security

700Credit Data Breach Exposes Personal Information of Over 5.6 Million Consumers

A massive breach at the credit reporting firm 700Credit has led to the leakage of private details of over 5.6 million people, throwing a new set of concerns on the risk of third-party security in the financial services value chain. The firm has admitted that the breach was a result of a supply chain attack on one of its third-party integration partners and did not originate from an internal breach.

According to the revelations made, this breach has its roots going back to late October 2025, when 700Credit noticed some unusual traffic associated with an exposed API. The firm has more than 200 integration partners who are connected to consumers’ data through APIs. It has been found that one of these partners was compromised as early as July 2025, but this notification was not made to 700Credit, thus leaving an opportunity for hackers to gain unlawful access to an API used for fetching consumers’ credit details from this API connected environment.

700Credit called this attack a "sustained velocity attack" that began October 25 and continued for over two weeks before being completely contained. Although the company was able to disable their vulnerable API once aware of the attack, attackers had already harvested a large chunk of customer information by exploiting this security hole. The attack is estimated to have compromised 20 percent of available information that was accessed through this vulnerability.

The compromised information comprises highly sensitive personal information like names, physical addresses, dates of birth, as well as Social Security numbers. Although 700Credit asserted that their primary internal systems as well as login credentials as well as mode of payment are safe from any breach, security experts have indicated that the compromised information is sufficient for identity theft, financial fraud, as well as targeted phishing attacks. Consequently, individuals in the company’s database have been advised to exercise vigilance against any unsolicited messages, especially if they purportedly come from 700Credit or related entities.

The Attorney General, Dana Nessel, issued a consumer alert warning people not to brush off the notifications received when a breach has occurred, but to be proactive about protecting themselves against fraud using the services of freezing their credit or monitoring their profiles for unusual activity due to the large-scale release of sensitive data that has happened previously.

In reaction to the incident, 700Credit has already started notifying affected consumers of the breach as a gesture of goodwill, offering two years of complimentary credit monitoring service, as well as offering complimentary credit reports to affected consumers. The company has also partnered with the National Automobile Dealers Association to assist with breach notification with the Federal Trade Commission for a joint notification on affected dealerships.

Law enforcement agencies have been notified of the breach as part of the continued investigations. This vulnerability highlights the increasing danger of the supply chain vulnerability, especially in companies which have extensive networks in handling personal data of consumers.

Jaguar Land Rover Confirms Employee Data Theft After August 2025 Cyberattack



 

personal data leak

Cyber Attacks Data Leak data security Data Theft employee data exposed Jaguar Jaguar Land Rover cyberattack payroll security breach personal data leak

Jaguar Land Rover Confirms Employee Data Theft After August 2025 Cyberattack

British luxury carmaker Jaguar Land Rover has confirmed that a cyberattack uncovered in August 2025 led to the theft of payroll and personal data of thousands of current and former employees. After this disclosure, the company asked the affected people to remain alert about identity theft, phishing attempts, and financial fraud.

The breach represents the first official acknowledgement from JLR that employee personal information was compromised during the incident. Earlier statements had focused largely on the operational disruption caused by the attack, which forced the temporary shutdown of vehicle production across several manufacturing facilities for several weeks. The company employs more than 38,000 people worldwide. Records pertaining to former employees and contractors were also affected.

Internal communications shared with staff revealed that forensic investigations determined attackers took unauthorized access to payroll administration systems. These systems would include sensitive employment-related records, including data associated with salaries, pension contributions, employee benefits, and information about dependents. While JLR has stated that there is currently no evidence that the stolen information has been publicly leaked or actively misused, the nature of the exposed data creates a heightened risk profile.

Cybersecurity experts point out that payroll systems usually host very sensitive identifiers such as bank account details, national insurance numbers, tax information, residential addresses, and compensation records. Even partial data exposure could increase the chances of identity fraud, account takeover attempts, and targeted social engineering attacks by a great degree. In response, JLR has recommended that the affected keep themselves aware of unsolicited communications and enhance passwords related to personal and professional accounts.

For the sake of mitigation, the company has declared two years of free credit and identity monitoring services for its current and former affected employees. A dedicated helpline is also established for phone support, to assist with queries, advise on protective measures, and take reports of suspected fraudulent activity. This decision by JLR comes after forensic analysis had continued post-restoration of safe production operations.

The breach has been formally reported to the UK's Information Commissioner's Office (ICO), which has confirmed it is conducting enquiries into the incident. The regulator has asked for more information about the extent of the breach, what security controls were in place at the time of the attack, and what remedial action has been taken since the intrusion was detected. The after-effects of the cyberattack spilled over beyond JLR's workforce.

The disruption reportedly affected almost 5,000 supplier and partner organizations, reflecting the interconnected nature of modern manufacturing supply chains. Estimates place the overall economic impact of the incident at roughly ₹20,000 crore. Official figures suggest the disruption contributed to a measurable contraction in the UK economy during September 2025. JLR also announced that the attack resulted in the quarterly sales decline of an estimated ₹15,750 crore, along with a one-time recovery and remediation cost of around ₹2,060 crore.

The costs comprised restoration of systems, security controls enhancement, and incident response. The intrusion, which was earlier claimed by a hacking group named "Scattered Lapsus Hunters" that had earlier been involved with attacks on major retail organizations, has alleged that the organization also accessed customer data.

However, Jaguar Land Rover claims that evidence supporting those claims has not been found. Investigations are ongoing, and the firm has announced that it will keep informing employees, regulators, and other stakeholders as more information becomes available.

AuraStealer Malware Uses Scam Yourself Tactics to Steal Sensitive Data



 

Personal Data

Cyber Scams Data Breach Data Leak data security Data Stealer data stealing Infostealer Malware Malwares Personal Data

AuraStealer Malware Uses Scam Yourself Tactics to Steal Sensitive Data

A recent investigation by Gen Digital’s Gen Threat Labs has brought attention to AuraStealer, a newly emerging malware-as-a-service offering that has begun circulating widely across underground cybercrime communities. First observed in mid-2025, the malware is being promoted as a powerful data-stealing tool capable of compromising a broad range of Windows operating systems. Despite its growing visibility, researchers caution that AuraStealer’s technical sophistication does not always match the claims made by its developers.

Unlike conventional malware campaigns that rely on covert infection techniques such as malicious email attachments or exploit kits, AuraStealer employs a strategy that places users at the center of their own compromise. This approach, described as “scam-yourself,” relies heavily on social engineering rather than stealth delivery. Threat actors distribute convincing video content on popular social platforms, particularly TikTok, presenting the malware execution process as a legitimate software activation tutorial.

These videos typically promise free access to paid software products. Viewers are guided through step-by-step instructions that require them to open an administrative PowerShell window and manually enter commands shown on screen. Instead of activating software, the commands quietly retrieve and execute AuraStealer, granting attackers access to the victim’s system without triggering traditional download-based defenses.

From an analysis perspective, AuraStealer incorporates multiple layers of obfuscation designed to complicate both manual and automated inspection. The malware disrupts straightforward code execution paths by dynamically calculating control flow at runtime, preventing analysts from easily tracing its behavior. It also leverages exception-based execution techniques, intentionally generating system errors that are intercepted by custom handlers to perform malicious actions. These tactics are intended to confuse security sandboxes and delay detection.

Functionally, AuraStealer targets a wide range of sensitive information. Researchers report that it is designed to harvest data from more than a hundred web browsers and dozens of desktop applications. Its focus includes credentials stored in both Chromium- and Gecko-based browsers, as well as data associated with cryptocurrency wallets maintained through browser extensions and standalone software.

One of the more concerning aspects of the malware is its attempt to circumvent modern browser protections such as Application-Bound Encryption. The malware tries to launch browser processes in a suspended state and inject code capable of extracting encryption keys. However, researchers observed that this technique is inconsistently implemented and fails across multiple environments, suggesting that the malware remains technically immature.

Despite being sold through subscription-based pricing that can reach several hundred dollars per month, AuraStealer contains notable weaknesses. Analysts found that its aggressive obfuscation introduces detectable patterns and that coding errors undermine its ability to remain stealthy. These shortcomings provide defenders with opportunities to identify and block infections before significant damage occurs.

While AuraStealer is actively evolving and backed by ongoing development, its emergence highlights a broader trend toward manipulation-driven cybercrime. Security professionals continue to emphasize that any online tutorial instructing users to paste commands into a system terminal in exchange for free software should be treated as a significant warning sign.

LinkedIn Profile Data Among Billions of Records Found in Exposed Online Database



 

profile

Data Breach Data Leak database Linkedin Personal Data profile

LinkedIn Profile Data Among Billions of Records Found in Exposed Online Database

Cybersecurity researchers recently identified a massive online database that was left publicly accessible without any security protections, exposing a vast collection of professional and personal information. The database contained more than 16 terabytes of data, representing over 4.3 billion individual records that could be accessed without authorization.

Researchers associated with Cybernews reported that the exposed dataset is among the largest lead-generation style databases ever discovered online. The information appears to be compiled from publicly available professional profiles, including data commonly found on LinkedIn, such as profile handles, URLs, and employment-related details.

The exposed records included extensive personal and professional information. This ranged from full names, job titles, employer names, and work histories to education records, degrees, certifications, skills, languages, and location data. In some cases, the datasets also contained phone numbers, email addresses, social media links, and profile images. Additional information related to corporate relationships and contract-linked data was also present, suggesting the dataset was built for commercial or business intelligence purposes.

Investigators believe the data was collected gradually over several years and across different geographic regions. The database was stored in a MongoDB instance, a system commonly used by organizations to manage large volumes of information efficiently. While MongoDB itself is widely used, leaving such databases unsecured can expose sensitive information at scale, which is what occurred in this incident.

The exposed database was discovered on November 23 and secured approximately two days later. However, researchers were unable to determine how long the data had been accessible before it was identified. The exposure is believed to have resulted from misconfiguration or human error rather than a deliberate cyberattack, a common issue in cloud-based data storage environments.

Researchers noted that the database was highly organized and structured, indicating the information was intentionally collected and maintained. Based on its format, the data also appears to be relatively current and accurate.

Such large datasets are particularly attractive to cybercriminals. When combined with automated tools or large language models, this information can be used to conduct large-scale phishing campaigns, generate fraudulent emails, or carry out targeted social engineering attacks against individuals and corporate employees.

Security experts recommend that individuals take precautionary measures following incidents like this. This includes updating passwords for professional networking accounts such as LinkedIn, email services, and any connected financial accounts. Users should also remain cautious of unexpected emails, messages, or phone calls that attempt to pressure them into sharing personal information or clicking unknown links.

Although collecting publicly available data is not illegal in many jurisdictions, failing to properly secure a database of this size may carry legal and regulatory consequences. At present, the ownership and purpose of the database remain unclear. Further updates are expected if more information becomes available or accountability is established.

Pierce County Library System Data Breach Exposes Information of Over 340,000 People



 

Personal Data Breach

Cyberattacks Data Breach Data breaches attacks Data Leak data security INC Ransom gang Inc ransomware Library Personal Data Breach

Pierce County Library System Data Breach Exposes Information of Over 340,000 People

A cyber attack on the Pierce County Library System in the state of Washington has led to the compromise of personal data of over 340,000 people, which is indicative of the rising threat of cybersecurity breaches being posed to public services. This attack has impacted library services in the entire county, along with library users and staff. The incident was made known to the public through breach notification letters published on the website of the Pierce County Library System.

The incident, as revealed in the notification letters, occurred when the library system detected the incident on April 21 and decided to shut all library systems in an effort to control the breach. The library system conducted an investigation that confirmed the breach had taken place.

The library network was also able to identify that the exfiltration of data from individuals who utilized or were part of the institution was successful on May 12. It was established that the hackers had access to the network from April 15 to April 21. Access to sensitive information was gained and exfiltrated during this time. The level of information that was vulnerable varied depending on who was targeted.

The data that was breached for the benefit of the library patrons included names and dates of birth. Though very limited compared to the data for employees, this data is still significant for use in identity-related fraud. The breach had severe implications for current and former employees who worked within the library system. The data that was stolen for them included Social Security numbers, financial accounts, driver’s license numbers, credit card numbers, passports, health insurance, and certain data related to medical matters.

This particular ransomware assault would later be attributed to the INC ransomware gang, which has been responsible for a number of highly detrimental attacks on government bodies over 2025. The gang has previously conducted attacks on bodies such as the Office of the Attorney General of Pennsylvania and a countrywide emergency alert service used by local authority bodies. This type of situation is not the first that has occurred on the level of Pierce County.

In the year 2023, Pierce County was the victim of a ransomware attack on the public transit service that the community utilized heavily because the service was used by 18,000 riders on a daily basis. Public library networks have become a common target for ransomware attacks in recent years. This is because cybercriminals also perceive public libraries as high-stakes targets since community members depend on them for internet access to their catalogs and other digital services, creating a challenge where an organization may feel pressured into paying a ransom demand to resume operations. Such attacks also include national and city library networks in North America.

The current threat environment has led to calls for developing targeted programs within the government in the United States that would evaluate risks for libraries' cybersecurity environments. This involves enhancing data sharing related to cyber attacks and providing libraries with more support and advanced services from firewalls that target libraries specifically.

The increasing digitization efforts by libraries as government institutions further solidify that a breach such as that which Pierce County experienced is a reminder that a continued investment in cybersecurity measures is a necessity.

Online Retail Store Coupang Suffers South Korea's Worst Data Breach, Leak Linked to Former Employee



 

South Korea

AI Cloud Coupang Cyber Security Data Leak Retail Store South Korea

Online Retail Store Coupang Suffers South Korea's Worst Data Breach, Leak Linked to Former Employee

33.7 million customer data leaked

Data breach is an unfortunate attack that businesses often suffer. Failing to address these breaches is even worse as it costs businesses reputational and privacy damage.

A breach at Coupang that leaked the data of 33.7 million customers has been linked to a former employee who kept access to internal systems after leaving the organization.

About the incident

The news was reported by the Seoul Metropolitan Police Agency with news agencies after an inquiry that involved a raid on Coupang's offices recently. The firm is South Korea's biggest online retailer. It employs 95,000 people and generates an annual revenue of more than $30 billion.

Earlier in December, Coupang reported that it had been hit by a data breach that leaked the personal data of 33.7 million customers such as email IDs, names, order information, and addresses.

The incident happened in June, 2025, but the firm found it in November and launched an internal investigation immediately.

The measures

In December beginning, Coupang posted an update on the breach, assuring the customers that the leaked data had not been exposed anywhere online.

Even after all this, and Coupang's full cooperation with the authorities, the officials raided the firm's various offices on Tuesday to gather evidence for a detailed enquiry.

Recently, Coupang's CEO Park Dae-Jun gave his resignation and apologies to the public for not being able to stop what is now South Korea's worst cybersecurity breach in history.

Police investigation

In the second day of police investigation in Coupang's offices, the officials found that the main suspect was a 43-year old Chinese national who was an employee of the retail giant. The man is called JoongAng, who joined the firm in November 2022 and overlooked the authentication management system. He left the firm in 2024. JoongAng is suspected to have already left South Korea.

What next?

According to the police, although Coupang is considered the victim, the business and staff in charge of safeguarding client information may be held accountable if carelessness or other legal infractions are discovered.

Since the beginning of the month, the authorities have received hundreds of reports of Coupang impersonation. Meanwhile, the incident has caused a large amount of phishing activity in the country, affecting almost two-thirds of its population.

OpenAI Vendor Breach Exposes API User Data



 

Vendor Breach

Data Breach Data Leak Mixpanel OpenAI User Privacy Vendor Breach

OpenAI Vendor Breach Exposes API User Data

OpenAI revealed a security incident in late- November 2025 that allowed hackers to access data about users via its third-party analytics provider, Mixpanel. The breach, which took place on November 9, 2025, exposed a small amount of personally identifiable information for some OpenAI API users, although OpenAI stressed that its own systems had not been the target of the attack.

Breach details

The breach occurred completely within Mixpanel’s own infrastructure, when an attacker was able to gain access and exfiltrate a dataset containing customer data. Mixpanel became aware of the compromise on 9 November 2025, and following an investigation, shared the breached dataset with OpenAI on 25 November, allowing the technology firm to understand the extent of potential exposure.

The breach specifically affected users who accessed OpenAI's API via platform.openai.com, rather than regular ChatGPT users. The compromised data included several categories of user information collected through Mixpanel's analytics platform. Names provided to accounts on platform.openai.com were exposed, along with email addresses linked to API accounts.

Additionally, coarse approximate location data determined by IP addresses, operating system and browser types, referring websites, and organization and user IDs saved in API accounts were part of the breach. However, OpenAI confirmed that more sensitive information remained secure, including chat content, API requests, API usage data, passwords, credentials, API keys, payment details, and government IDs.

Following the incident, OpenAI took immediate action by removing Mixpanel from its services while conducting its investigation. The company notified affected users on November 26, 2025, right before Thanksgiving, providing details about the breach and emphasizing that it was not a compromise of OpenAI's own systems. OpenAI has suspended its integration with Mixpanel pending a thorough investigation of the incident.

Recommended measures

OpenAI also encouraged the affected users to stay on guard for potential second wave attacks using the stolen information. Users need to be especially vigilant for phishing and social engineer attacks that could be facilitated by the leaked information, such as names, e-mail addresses and company information. A class action has also been brought against OpenAI and Mixpanel, claiming the companies did nothing to stop the breach of data that revealed personally identifiable information for thousands of users.

Telecom Company Freedom Mobile Suffers Data Breach Resulting in Data Leak



 

telecoms

Cyber Attacks Data Leak Freedom Mobile Internet telecoms

Telecom Company Freedom Mobile Suffers Data Breach Resulting in Data Leak

About the incident

Freedom Mobile has revealed a data breach that leaked personal information belonging to a limited number of customers. This happened after illegal access to its internal systems in late October.

As per the notice sent to customers, the breach was found in late October, when the security team found illicit activity on its customer account management platform. "Our investigation revealed that a third party used the account of a subcontractor to gain access to the personal information of a limited number of our customers," the statement read.

Attack tactic

According to the investigation, a third-party got access via the account of a subcontractor. It means that a threat actor used genuine login credentials that belonged to an external partner, instead of directly breaking through technical defenses. After gaining access, the threat actors could view particular customer records. The exposed data consists home addresses, first and last names, contact numbers and Freedom Mobile account numbers.

Details such as account passwords, banking details, credit card were not hacked. The incident impacted only personal profile data, nof authentication secrets or financial data.

Once the intrusion was found, Freedom Mobile blocked malicious accounts and linked IP addresses, and deployed additional security measures on the platform.

These steps generally involve strict access permissions, which adds extra monitoring and reviewing login rules for subcontractor ms like implementation of strong passwords and two-factor authentication. No exposed information has been misused, the company has said.

Risks of stolen data

But the stolen data can be important for important social engineering and phishing attempts.

Threat actors may use these details to send scam messages on behalf of Freedom Mobile.

Freedom Mobile has requested customers to stay cautious of emails or texts that ask for personal information, or that redirect them to log in through links.

Freedom Mobile has emphasized that it never asks for credit card numbers, PINs by email, SMS, passwords, or other banking information. "We quickly identified the incident and implemented corrective measures and security enhancements, including blocking the suspicious accounts and corresponding IP addresses," the company said.

Customers have also been suggested to check their device for any suspicious activity to avoid downloading unexpected attachments or suspicious links. Meanwhile, the investigation is still continuing.

WhatsApp Enumeration Flaw Exposes Data of 3.5 Billion Users in Massive Scraping Incident



 

Personal Data

CyberCrime Data Breach Data Leak Data Privacy Concerns Data Safety User Data data security Personal Data

WhatsApp Enumeration Flaw Exposes Data of 3.5 Billion Users in Massive Scraping Incident

Security researchers in Austria uncovered a significant privacy vulnerability in WhatsApp that enabled them to collect the personal details of more than 3.5 billion registered users, an exposure they believe may be the largest publicly documented data leak to date. The issue stems from a long-standing feature that allows users to search WhatsApp accounts by entering phone numbers. While meant for convenience, the function can be exploited to automatically compile profiles at scale.

Using phone numbers generated with a custom tool built on Google’s libphonenumber system, the research team was able to query account details at an astonishing rate—more than 100 million accounts per hour. They reported exceeding 7,000 automated lookups per second without facing IP bans or meaningful rate-limiting measures. Their findings indicate that WhatsApp’s registered user base is larger than previously disclosed, contradicting the platform’s statement that it serves “over two billion” users globally.

The scraped records included phone numbers, account names, profile photos, and, in some cases, personal text attached to accounts. Over half of the identified users had public profile images, and a substantial portion contained identifiable human faces. About 29 percent included text descriptions, which researchers noted could reveal sensitive personal information such as sexuality, political affiliation, drug use, professional identities, or links to other platforms—including LinkedIn and dating apps.

The study also revealed that millions of accounts belonged to phone numbers registered in countries where WhatsApp is restricted or banned, including China, Myanmar, and North Korea. Researchers warn that such exposure could put users in those regions at risk of government monitoring, penalties, or arrest.

Beyond state-level dangers, experts stress that the harvested dataset could be misused by cybercriminals conducting targeted phishing campaigns, fraudulent messaging schemes, robocalling, and identity-based scams. The team emphasized that the persistence of phone numbers poses an ongoing risk: half of the numbers leaked during Facebook’s large-scale 2021 data scraping incident were still active in WhatsApp’s ecosystem.

Meta confirmed receiving the researchers’ disclosure through its bug bounty process. The company stated that it has since deployed updated anti-scraping defenses and thanked the researchers for responsibly deleting collected data. According to WhatsApp engineering leadership, the vulnerability did not expose private messages or encrypted content.

The researchers validated Meta’s claim, noting that the original enumeration method is now blocked. However, they highlighted that verifying security completeness remains difficult and emphasized the nearly year-long delay between initial reporting and effective remediation.

Whether this incident triggers systemic scrutiny or remains an isolated cautionary case, it underscores a critical reality: even services built around encryption can expose sensitive user metadata, creating new avenues for surveillance and exploitation.

Salesforce Probes Gainsight Breach Exposing Customer Data



 

User Privacy

Data Breach Data Leak Gainsight Salesforce User Privacy

Salesforce Probes Gainsight Breach Exposing Customer Data

Salesforce has disclosed that some of its customers' data was accessed following a breach of Gainsight, a platform used by businesses to manage customer relationships. The breach specifically affected Gainsight-published applications that were connected to Salesforce, with these apps being installed and managed directly by customers.

Salesforce emphasized that the breach did not stem from vulnerabilities in its own platform, but rather from Gainsight's external connection to Salesforce. The company is actively investigating the incident and directed further inquiries to its dedicated incident response page.

Gainsight confirmed it was investigating a Salesforce connection issue, but did not explicitly acknowledge a breach, stating that its internal investigation was ongoing. Notable companies using Gainsight's services include Airtable, Notion, and GitLab. GitLab confirmed that its security team is investigating and will share more details as they become available.

The hacking group ShinyHunters claimed responsibility for the breach, stating that if Salesforce does not negotiate with them, they will set up a new website to advertise the stolen data—a common tactic for cybercriminals seeking financial gain. The group reportedly stole data from nearly a thousand companies, including details from Salesloft and GainSight campaigns.

This breach mirrors a previous incident in August, where ShinyHunters exploited vulnerabilities in AI marketing chatbot maker Salesloft, compromising numerous customers' Salesforce instances and accessing sensitive information such as access tokens.

In the earlier Salesloft breach, victims included major organizations like Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, and Workday. The hackers subsequently launched a website to extort victims, threatening to release over a billion records. Gainsight was among those affected in the Salesloft-linked breaches, but it remains unclear if the latest wave of attacks originated from the same compromise or a separate incident.

Overall, this incident highlights the risks associated with third-party integrations in major cloud platforms and the growing sophistication of financially-motivated cybercriminals targeting customer data through supply chain vulnerabilities. Both Salesforce and Gainsight are continuing their investigations, with cybersecurity teams across affected organizations actively working to assess the extent of the breach and mitigate potential damage.

Knownsec Breach Exposes Chinese State Cyber Weapons and Global Target List



 

Nation-State Attack

Chinese Firm Data Breach Data Leak Knownsec Nation-State Attack

Knownsec Breach Exposes Chinese State Cyber Weapons and Global Target List

A major data breach at the Chinese security firm Knownsec has exposed more than 12,000 classified documents, providing unprecedented insight into the deep connections between private companies and state-sponsored cyber operations in China. The leaked files reportedly detail a wide array of cyber capabilities, including the use of Remote Access Trojans (RATs) that are capable of infiltrating systems across Windows, Linux, macOS, iOS, and Android platforms.

This breach not only highlights technical vulnerabilities but also reveals how companies like Knownsec can be embedded in national level cyber programs, sometimes carrying out operations on behalf of government agencies. Among the most notable data included in the leak were records stolen from international sources: 95GB of immigration data from India's national databases, 3TB of call logs from South Korea’s LG U Plus, and 459GB of transportation data from Taiwan.

Experts investigating these materials discovered spreadsheets listing 80 foreign targets, including major critical infrastructure and telecommunications enterprises across more than twenty countries and regions, with Japan, Vietnam, India, Indonesia, Nigeria, and the UK among them. The files also described specialized malware for Android—capable of extracting information from popular Chinese messaging apps and Telegram—and referenced the use of hardware-based hacking devices, such as a malicious power bank designed to covertly upload data to victim systems.

Despite efforts to remove the leaked materials from platforms such as GitHub, the contents have already spread among researchers and intelligence circles, offering an unusual glimpse into China’s cyber ecosystem and the scale of its operations. The exposure demonstrates the breadth, organization, and sophistication of these campaigns, suggesting far more coordination between security firms and state entities than previously understood.

In response, Beijing has officially denied any knowledge of a Knownsec breach, reiterating its opposition to cyberattacks but stopping short of disavowing links between the state and private cyber intelligence actors. The researchers emphasize that standard antivirus and firewall protections alone are insufficient against such advanced threats and highlights the need for a multi-layered cyber defense strategy incorporating real-time monitoring, rigorous network segmentation, and AI-driven threat detection to adequately protect organizations from these sophisticated forms of infiltration.

Knownsec Data Leak Exposes Deep Cyber Links and Global Targeting Operations



 

data security

Chinese Chinese Hackers Cyber Security Data Breaches Data Leak Data protection data security

Knownsec Data Leak Exposes Deep Cyber Links and Global Targeting Operations

A recent leak involving Chinese cybersecurity company Knownsec has uncovered more than 12,000 internal documents, offering an unusually detailed picture of how deeply a private firm can be intertwined with state-linked cyber activities. The incident has raised widespread concern among researchers, as the exposed files reportedly include information on internal artificial intelligence tools, sophisticated cyber capabilities, and extensive international targeting efforts. Although the materials were quickly removed after surfacing briefly on GitHub, they have already circulated across the global security community, enabling analysts to examine the scale and structure of the operations.

The leaked data appears to illustrate connections between Knownsec and several government-aligned entities, giving researchers insight into China’s broader cyber ecosystem. According to those reviewing the documents, the files map out international targets across more than twenty countries and regions, including India, Japan, Vietnam, Indonesia, Nigeria, and the United Kingdom. Of particular concern are spreadsheets that allegedly outline attacks on around 80 foreign organizations, including critical infrastructure providers and major telecommunications companies. These insights suggest activity far more coordinated than previously understood, highlighting the growing sophistication of state-associated cyber programs.

Among the most significant revelations is the volume of foreign data reportedly linked to prior breaches. Files attributed to the leaks include approximately 95GB of immigration information from India, 3TB of call logs taken from South Korea’s LG U Plus, and nearly 459GB of transportation records from Taiwan. Researchers also identified multiple Remote Access Trojans capable of infiltrating Windows, Linux, macOS, iOS, and Android systems. Android-based malware found in the leaked content reportedly has functionality allowing data extraction from widely used Chinese messaging applications and Telegram, further emphasizing the operational depth of the tools.

The documents also reference hardware-based hacking devices, including a malicious power bank engineered to clandestinely upload data into a victim’s system once connected. Such devices demonstrate that offensive cyber operations may extend beyond software to include physical infiltration tools designed for discreet, targeted attacks. Security analysts reviewing the information suggest that these capabilities indicate a more expansive and organized program than earlier assessments had captured.

Beijing has denied awareness of any breach involving Knownsec. A Foreign Ministry spokesperson reiterated that China opposes malicious cyber activities and enforces relevant laws, though the official statement did not directly address the alleged connections between the state and companies involved in intelligence-oriented work. While the government’s response distances itself from the incident, analysts note that the leaked documents will likely renew debates about the role of private firms in national cyber strategies.

Experts warn that traditional cybersecurity measures—including antivirus software and firewall defenses—are insufficient against the type of advanced tools referenced in the leak. Instead, organizations are encouraged to adopt more comprehensive protection strategies, such as real-time monitoring systems, strict network segmentation, and the responsible integration of AI-driven threat detection.

The Knownsec incident underscores that as adversaries continue to refine their methods, defensive systems must evolve accordingly to prevent large-scale breaches and safeguard sensitive data.

Hyundai AutoEver America Breach Exposes Employee SSNs and Driver’s License Data



 

User Privacy

Data Breach Data Leak Hyundai AutoEver America IT Firm User Privacy

Hyundai AutoEver America Breach Exposes Employee SSNs and Driver’s License Data

Hyundai AutoEver America (HAEA), an IT services affiliate of Hyundai Motor Group, has confirmed a data breach that compromised sensitive personal information, including Social Security Numbers (SSNs) and driver’s licenses, of approximately 2,000 individuals, mostly current and former employees. The breach occurred between February 22 and March 2, 2025, with the company discovering the intrusion and launching an investigation on March 1.

HAEA specializes in providing IT consulting, managed services, and digital solutions for Hyundai and Kia affiliates, covering vehicle telematics, over-the-air updates, vehicle connectivity, and embedded systems, as well as business systems and digital manufacturing platforms. The company’s IT environment supports 2 million users and 2.7 million vehicles, with a workforce of 5,000 employees.

The notification to affected individuals revealed that the breach exposed names, while the Massachusetts government portal listed additional information such as SSNs and driver’s licenses. It is still unclear whether customers or users were affected besides employees, and the exact breakdown of impacted groups remains unspecified. The company worked with external cybersecurity experts and law enforcement to investigate the incident, confirm containment, and identify the potentially affected data.

At the time of the report, no ransomware groups had claimed responsibility for the attack, and the perpetrators are unknown. This incident adds to a series of cybersecurity challenges faced by Hyundai and its affiliates in recent years, including previous ransomware attacks and data breaches affecting operations in Europe and exposing owner data in Italy and France.

Additionally, security researchers previously identified significant privacy and security issues with Hyundai’s companion app, which allowed unauthorized remote control of vehicles, and vulnerabilities in built-in anti-theft systems.

HAEA has not yet released a full public statement with details about the breach, mitigation steps, or future security improvements. The limited information available highlights the need for robust security protocols, especially for organizations handling large volumes of sensitive personal and automotive data. The breach serves as a reminder of the ongoing risks facing major automotive and IT service providers amid the growing threat landscape for digital infrastructure.

Digital Security Threat Escalates with Exposure of 1.3 Billion Passwords



 

Zero Trust

Credential Stuffing Cybersecurity Breach Data Leak Digital Risk Malware Logs Password Security Privacy Stolen Credentials Threat Intelligence Zero Trust

Digital Security Threat Escalates with Exposure of 1.3 Billion Passwords

One of the starkest reminders of just how easily and widely digital risks can spread is the discovery of an extensive cache of exposed credentials, underscoring the persistent dangers associated with password reuse and the many breaches that go unnoticed by the public. Having recently clarified the false claims of a large-scale Gmail compromise in the wake of Google’s recent clarification, the cybersecurity community is once again faced with vast, attention-grabbing figures which are likely to create another round of confusion.

Approximately 2 billion emails were included in the newly discovered dataset, along with 1.3 billion unique passwords that were found in the dataset, and 625 million of them were not previously reported to the public breach repository. It has been emphasised that Troy Hunt, the founder of Have I Been Pwned, should not use sensationalism when discussing this discovery, as he stresses the importance of the disclosure.

It is important to note that Hunt noted that he dislikes hyperbolic news headlines about data breaches, but he stressed that in this case, it does not require exaggeration since the data speaks for itself. Initially, the Synthient dataset was interpreted as a breach of Gmail before it was clarified to reveal that it was actually a comprehensive collection gathered from stealer logs and multiple past breaches spanning over 32 million unique email domains, and that it was a comprehensive collection.

There's no wonder why Gmail appears more often than other email providers, as it is the world's largest email service provider. The collection, rather than a single event, represents a very extensive collection of compromised email and password pairs, which is exactly the kind of material that is used to generate credential-stuffing attacks, where criminals use recycled passwords to automate attempts to access their banking, shopping, and other online accounts.

In addition to highlighting the dangers associated with unpublicized or smaller breaches, this new discovery also underscores the danger that even high-profile breaches can pose when billions of exposed credentials are quietly redirected to attackers. This newly discovered cache is not simply the result of a single hack, but is the result of a massive aggregation of credentials gathered from earlier attacks, as well as malware information thieves' logs, which makes credential-based attacks much more effective.

A threat actor who exploits reused passwords will have the ability to move laterally between personal and corporate services, often turning a compromised login into an entry point into an increasingly extensive network. A growing number organisations are still dependent on password-only authentication, which poses a high risk to businesses due to the fact that exposed credentials make it much easier for attackers to target business systems, cloud platforms, and administrative accounts more effectively.

The experts emphasised the importance of adopting stronger access controls as soon as possible, including the generation of unique passwords by trusted managers, the implementation of universal two-factor authentication, and internal checks to identify credentials which have been reused or have previously been compromised.

For attackers to be able to weaponise these massive datasets, enterprises must also enforce zero-trust principles, implement least-privilege access, and deploy automated defences against credential-stuffing attempts. When a single email account is compromised, it can easily cascade into financial, cloud or corporate security breaches as email serves as the central hub for recovering accounts and accessing linked services.

Since billions of credentials are being circulated, it is clear that both individuals and businesses need to take a proactive approach to authentication, modernise security architecture, and treat every login as if it were a potential entry point for attackers. This dataset is also notable for its sheer magnitude, representing the largest collection of data Have I Been Pwned has ever taken on, nearly triple the volume of its previous collection.

As compiled by Synthient, a cybercriminal threat intelligence initiative run by a college student, the collection is drawn from numerous sources where stolen credentials are frequently published by cybercriminals. There are two highly volatile types of compromised data in this program: stealer logs gathered from malware on infected computers and large credential-stuffing lists compiled from earlier breaches, which are then combined, repackaged and traded repeatedly over the underground networks.

In order to process the material, HIBP had to use its Azure SQL Hyperscale environment at full capacity for almost two weeks, running 80 processing cores at full capacity. The integration effort was extremely challenging, as Troy Hunt described it as requiring extensive database optimisation to integrate the new records into a repository containing more than 15 billion credentials while maintaining uninterrupted service for millions of people every day.

In the current era of billions of credential pairs being circulated freely between attackers, researchers are warning that passwords alone do not provide much protection any more than they once did. One of the most striking results of this study was that of HIBP’s 5.9 million subscribers, or those who actively monitor their exposure, nearly 2.9 million appeared in the latest compilation of HIBP credentials. This underscores the widespread impact of credential-stuffing troves. The consequences are especially severe for the healthcare industry.

As IBM's 2025 Cost of a Data Breach Report indicates, the average financial impact of a healthcare breach has increased to $7.42 million, and a successful credential attack on a medical employee may allow threat actors to access electronic health records, patient information, and systems containing protected health information with consequences that go far beyond financial loss and may have negative economic consequences as well.

There is a growing concern about the threat of credential exposure outpacing traditional security measures, so this study serves as a decisive reminder to modernise digital defences before attackers exploit these growing vulnerabilities. Organisations should be pushing for passwordless authentication, continuous monitoring, and adaptive risk-based access, while individuals should take a proactive approach to maintaining their credentials as an essential rather than an optional task.

Ultimately, one thing is clear: in a world where billions of credentials circulate unchecked, the key to resilience is to anticipate breaches by strengthening the architecture, optimising the authentication process and maintaining security awareness instead of reacting to them after a breach takes place.

WA Law Firm Faces Cybersecurity Breach Following Ransomware Reports



 

Ransomware attack

AlphV Group Australian Government cyber resilience Cybersecurity Breach Data Breach Data Leak Data protection Digital Security Law Firm Hack Ransomware attack

WA Law Firm Faces Cybersecurity Breach Following Ransomware Reports

It seems that Western Australia's legal sector and government sectors are experiencing ripples right now following reports that the Russian ransomware group AlphV has successfully hacked the prominent national law firm HWL Ebsworth and extracted a ransom payment from the firm. This has sent shockwaves through the legal and government sectors across Western Australia.

It has raised serious concerns since May, when the first hints about the breach came to light, concerning the risk of revealing sensitive information, such as information pertaining to over 300 motor vehicle insurance claims filed with the Insurance Commission of Western Australia. In a statement released by the ABC on Monday, the ABC has confirmed that HWL Ebsworth data that was held by the company on behalf of WA government entities may have been compromised after a cybercriminal syndicate claimed to have published a vast repository of the firm’s files earlier this month on the dark web.

Although the full extent of the breach is unclear, investigations are currently underway to determine how large the data exposure is and what the potential consequences are. It has been reported that an ICWA spokesperson acknowledged in an official statement that there has been an impact on the Commission, which is responsible for providing insurance coverage for all vehicles registered in Western Australia as well as overseeing the government's self-insurance programs for property, workers' compensation, and liability.

Although the agency indicated that the extent of any data compromise cannot yet be verified because of ongoing investigation restrictions, the agency noted that it cannot verify the extent of any data compromise at the moment. A spokesperson from the Insurance Commission said, “The details of the data that has been accessed are not yet known, but this is part of a live investigation that we are actively supporting. It is important to note that this situation is extremely serious and that the information that may be compromised is sensitive.

Anubis, a ransomware group that was a part of the law firm that has been involved in the cyberattack, escalated the cyberattack by releasing a trove of sensitive information belonging to one of the firm's clients, which caused the cyberattack to take an alarming turn. The leaked material was reportedly containing confidential business correspondence, financial records, and deeply personal correspondence.

An extensive collection of data was exposed, including screenshots of text messages sent and received by the client and family members, emails, and even Facebook posts - all of which revealed intimate details about private family disputes that surrounded the client. Anubis stated, in its statement on the dark web, that the cache contained “financial information, correspondence, personal messages, and other details of family relationships.”

Despite this, the company highlighted the possibility of emotional and reputational damage as a result of such exposure. It was pointed out by the group that families already going through difficult circumstances like divorce, adoption, or child custody battles were now going to experience additional stress due to their private matters being made public, even though the full scope of the breach remains unclear, and the ransomware operators have yet to provide a specific ransom amount, making it difficult to speculate about the intentions of the attackers.

Cyber Daily contacted Paterson & Dowding in response to inquiries it received, and a spokesperson confirmed that there had been unauthorized access to data and exfiltration by the firm. “Our team immediately acted upon becoming aware of unusual activity on our system as soon as we became aware of it, engaging external experts to deal with the incident, and launching an urgent investigation as soon as possible,” said the spokesperson.

There is no doubt in the minds of the firm that a limited number of personal information had been accessed, but the threat actors had already published a portion of the data online. In addition to notifying affected clients and employees, Paterson & Dowding is coordinating with regulatory bodies, including the Australian Cyber Security Centre and the Office of the Information Commissioner, about the incident.

A representative of the company stated that he regretted the distress the firm had caused as a result of the breach of confidentiality and compliance. Meanwhile, an individual identifying himself as Tobias Keller - a self-proclaimed "journalist" and representative of Anubis - told Cyber Daily that Paterson & Dowding was one of four Australian law firms targeted by a larger cyber campaign, which included Pound Road Medical Center and Aussie Fluid Power, among others.

While the HWL Ebsworth cyberattack is still unfolding, it has raised increasing concern from the federal and state government authorities as the investigation continues. In addition to providing independent legal services to the Insurance Commission of Western Australia (ICWA), the firm also reviews its systems in order to determine if any client information has been compromised. In this position, one of 15 legal partners serves the Insurance Commission of Western Australia (ICWA).

A representative of ICWA confirmed that the firm is currently assessing the affected data in order to clarify the situation for impacted parties. However, a court order in New South Wales prohibiting the agency from accessing the leaked files has hampered its own ability to verify possible data loss.

As ICWA's Chief Executive Officer Rod Whithear acknowledged the Commission's growing concerns, he stated that a consent framework for limited access to the information is being developed as a result of a consent framework being developed. Currently, the Insurance Commission is implementing a consent regime that will allow them to assess whether data has been exfiltrated and if so, will be able to assess the exfiltrated information." He assured that the Commission remains committed to supporting any claimant impacted by the breach.

In addition to its involvement in insurance-related matters, HWL Ebsworth has established an extensive professional relationship with multiple departments of the State government of Washington. According to the firm's public transportation radio network replacement program, between 2017 and 2020, it was expected that it would receive approximately $280,000 for its role in providing legal advice to the state regarding its replacement of public transport radio networks, a project which would initially involve a $200 million contract with Huawei, the Chinese technology giant.

A $6.6 million settlement with Huawei and its partner firm was reached in 2020 after U.S. trade restrictions rendered the project unviable, ultimately resulting in Huawei and its partner firm being fined $6.6 million. Aside from legal representation for public housing initiatives and Government Employees Superannuation Board, HWL Ebsworth has provided legal representation for the Government Employees Superannuation Board as well.

In light of the breach, the state government has clarified, apart from the ICWA, that no other agencies seem to have been directly affected as a result. A significant vulnerability has been highlighted by this incident in the intersection of government operations with private legal service providers, but the incident has also highlighted broader issues related to cyber security.

Addressing the broader impacts of the attack will also be in the hands of the new Cyber Security Coordinator, Air Marshal Darren Goldie, who was appointed in order to strengthen the national cyber resilience program. The Minister of Home Affairs, Clare O'Neill, has described the breach as one of the biggest cyber incidents Australia has experienced in recent years, placing it alongside a number of major cases such as Latitude, Optus, and Medibank.

The Australian Federal Police and Victorian Police, working together with the Australian Cyber Security Centre, continue to investigate the root cause and impact of the attack. A number of cyber incidents are unfolding throughout Australia, which serves to serve as an alarming reminder of how fragile digital trust is becoming within the legal and governmental ecosystems of the country. Experts say that while authorities are intensifying their efforts to locate the perpetrators and strengthen defenses, the breach underscores the urgent need for stronger cybersecurity governance among third parties and law firms involved in the handling of sensitive data.

The monitoring of threats, employee awareness, and robust data protection frameworks, the nation's foremost challenge is now to rebuild trust in institutions and information integrity, beyond just restoring the systems. Beyond just restoring systems, rebuilding confidence in institutions and information integrity are the most urgent tasks facing us today.

Hacker Claims Responsibility for University of Pennsylvania Breach Exposing 1.2 Million Donor Records



 

Hacker attack

Cyberattaccks Data Breach Data Leak Data protection Data Safety User Data data security Hacker attack

Hacker Claims Responsibility for University of Pennsylvania Breach Exposing 1.2 Million Donor Records

A hacker has taken responsibility for the University of Pennsylvania’s recent “We got hacked” email incident, claiming the breach was far more extensive than initially reported. The attacker alleges that data on approximately 1.2 million donors, students, and alumni was exposed, along with internal documents from multiple university systems. The cyberattack surfaced last Friday when Penn alumni and students received inflammatory emails from legitimate Penn.edu addresses, which the university initially dismissed as “fraudulent and obviously fake.”

According to the hacker, their group gained full access to a Penn employee’s PennKey single sign-on (SSO) credentials, allowing them to infiltrate critical systems such as the university’s VPN, Salesforce Marketing Cloud, SAP business intelligence platform, SharePoint, and Qlik analytics. The attackers claim to have exfiltrated sensitive personal data, including names, contact information, birth dates, estimated net worth, donation records, and demographic details such as religion, race, and sexual orientation. Screenshots and data samples shared with cybersecurity publication BleepingComputer appeared to confirm the hackers’ access to these systems.

The hacker stated that the breach began on October 30th and that data extraction was completed by October 31st, after which the compromised credentials were revoked. In retaliation, the group allegedly used remaining access to the Salesforce Marketing Cloud to send the offensive emails to roughly 700,000 recipients. When asked about the method used to obtain the credentials, the hacker declined to specify but attributed the breach to weak security practices at the university. Following the intrusion, the hacker reportedly published a 1.7 GB archive containing spreadsheets, donor-related materials, and files allegedly sourced from Penn’s SharePoint and Box systems.

The attacker told BleepingComputer that their motive was not political but financial, driven primarily by access to the university’s donor database. “We’re not politically motivated,” the hacker said. “The main goal was their vast, wonderfully wealthy donor database.” They added that they were not seeking ransom, claiming, “We don’t think they’d pay, and we can extract plenty of value out of the data ourselves.” Although the full donor database has not yet been released, the hacker warned it could be leaked in the coming months.

In response, the University of Pennsylvania stated that it is investigating the incident and has referred the matter to the FBI. “We understand and share our community’s concerns and have reported this to the FBI,” a Penn spokesperson confirmed. “We are working with law enforcement as well as third-party technical experts to address this as rapidly as possible.” Experts warn that donors and affiliates affected by the breach should remain alert to potential phishing attempts and impersonation scams.

With detailed personal and financial data now at risk, attackers could exploit the information to send fraudulent donation requests or gain access to victims’ online accounts. Recipients of any suspicious communications related to donations or university correspondence are advised to verify messages directly with Penn before responding.

The University of Pennsylvania breach highlights the growing risks faced by educational institutions holding vast amounts of personal and donor data, emphasizing the urgent need for robust access controls and system monitoring to prevent future compromises.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

33.7 million customer data leaked

About the incident

The measures

Police investigation

What next?

About the incident

Attack tactic

Risks of stolen data