Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Leak. Show all posts
Personal Data
Dark Web Dark website Data Breach Data Brokers Data Leak data security DOGE Elon Musk ParkMobile Personal Data

Dark Web Site DogeQuest Targets Tesla Owners Using Data from ParkMobile Breach

 

A disturbing dark web website known as DogeQuest has surfaced, targeting Tesla owners and associates of Elon Musk by publishing their personal information. The data used on the site appears to have been sourced largely from a 2021 breach of the ParkMobile app, which affected over 21 million users. 

According to privacy research group ObscureIQ, 98.2% of the individuals listed on DogeQuest can be matched to victims of the ParkMobile hack. The site initially operated on the surface web but now functions under a .onion domain, which anonymizes its hosting and complicates takedown efforts by authorities. The purpose of DogeQuest is masked as an “artistic protest” platform, encouraging acts of vandalism against Tesla vehicles. 

Although the site claims neutrality by stating it does not endorse or condemn actions taken, it openly hosts names, home addresses, contact details, and even employment information of more than 1,700 individuals. These include not only Tesla drivers but also DOGE employees, their families, and high-profile individuals from the military, cybersecurity, and diplomatic sectors. The website’s presence has allegedly been linked to real-world vandalism, prompting federal investigations into its operations. 

ObscureIQ’s analysis reveals that the core data used by DogeQuest includes email addresses, phone numbers, and license plate details—information originally accessed through ParkMobile’s compromised Amazon Web Services cloud storage. While ParkMobile claimed at the time that no financial data was exposed, the combination of breached user data and information purchased from data brokers has been enough to target individuals effectively. 

A class-action lawsuit against ParkMobile later resulted in a $32 million settlement for failing to secure user data. Despite the gravity of the situation, no other public reporting had directly connected DogeQuest to the ParkMobile breach until ObscureIQ’s findings were shared. The doxxing platform has evolved into a larger campaign, now also publishing details of prominent federal employees and private sector figures. A spreadsheet reviewed by the Daily Caller News Foundation highlights how widespread and strategic the targeting has become, with individuals from sensitive fields like defense contracting and public health policy among the victims. 

Law enforcement agencies, including the FBI and DOJ, are now actively investigating both the digital and physical components of this campaign. Just last week, the Department of Justice charged three individuals suspected of attacking Tesla vehicles and infrastructure across multiple states. However, officials have not yet confirmed a direct link between these suspects and DogeQuest. The FBI has also noted a troubling increase in swatting incidents aimed at DOGE staff and affiliates, indicating that the site’s influence may extend beyond digital harassment into coordinated real-world disruptions. 

With DogeQuest continuing to evade takedown attempts due to its anonymized hosting, federal authorities face an uphill battle in curbing the campaign. ParkMobile has so far declined to comment on the matter. As the scope and sophistication of this doxxing effort grow, it underscores the lingering impact of data breaches and the increasing challenges in protecting personal information in the digital age.
Read more »
Windows
ChatGPT Cyber Crime Data Leak Microsoft Windows

Hacker's Dual Identity: Cybercriminal vs Bug Bounty Hunter

Hacker's Dual Identity: Cybercriminal vs Bug Bounty Hunter

EncryptHub is an infamous threat actor responsible for breaches at 618 organizations. The hacker reported two Windows zero-day flaws to Microsoft, exposing a conflicted figure that blurs the lines between cybercrime and security research. 

The reported flaws are CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing), which Microsoft fixed in its March 2025 Patch Tuesday updates, giving credit to the reporter as ‘SkorikARI.’ In this absurd incident, the actor had dual identities—EncryptHub and SkorikARI. The entire case shows us an individual who works in both cybersecurity and cybercrime. 

Discovery of EncryptHub’s dual identity 

Outpost24 linked SkorikARI and EncryptHub via a security breach, where the latter mistakenly revealed their credentials, exposing links to multiple accounts. The disclosed profile showed the actor’s swing between malicious activities and cybersecurity operations. 

Actor tried to sell zero-day on dark web

Outpost24’ security researcher Hector Garcia said the “hardest evidence was from the fact that the password files EncryptHub exfiltrated from his system had accounts linked to both EncryptHub” such as credentials to EncryptRAT- still in development, or “his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account.” 

Garcia also said there was a login to “hxxps://github[.]com/SkorikJR,” which was reported in July’s Fortinet story about Fickle Stealer; this helped them solve the puzzle. Another big reveal of the links to dual identity was ChatGPT conversations, where activities of both SkorikARI and EncryptHub could be found. 

Zero-day activities and operational failures in the past

Evidence suggests this wasn't EncryptHub's first involvement with zero-day flaws, as the actor has tried to sell it to other cybercriminals on hacking forums.

Outpost24 highlighted EncryptHub's suspicious activities- oscillating between cybercrime and freelancing. An accidental operational security (OPSEC) disclosed personal information despite their technical expertise. 

EncryptHub and ChatGPT 

Outpost24 found EncryptHub using ChatGPT to build phishing sites, develop malware, integrate code, and conduct vulnerability research. One ChatGPT conversation included a self-assessment showing their conflicted nature: “40% black hat, 30% grey hat, 20% white hat, and 10% uncertain.” The conversation also showed plans for massive (although harmless) publicity stunts affecting tens of thousands of computers.

Impact

EncryptHub has connections with ransomware groups such as BlackSuit and RansomHub who are known for their phishing attacks, advanced social engineering campaigns, and making of Fickle Stealer- a custom PowerShell-based infostealer. 

Read more »
User Data
Data Breach Data Leak Oracle Oracle Cloud User Data

Oracle Cloud Confirms Second Hack in a Month, Client Log-in Data Stolen

 

Oracle Corporation has warned customers of a second cybersecurity incident in the last month, according to Bloomberg News. A hacker infiltrated an older Oracle system and stole login credentials from client accounts, some of which date back as recently as 2024. 

The tech company reportedly informed clients that an attacker had gained access to a legacy environment—a system that had not been in active operation for roughly eight years. Although Oracle told clients that the environment had been dormant, the data retrieved included valid login credentials, which might pose a security concern, especially if users had not updated or deleted their accounts. 

This follows a prior hack last month, in which an anonymous individual attempted to sell stolen Oracle data online, prompting internal investigations. That incident, too, involved data stolen from Oracle's cloud servers in Austin, Texas. 

The FBI and cybersecurity firm CrowdStrike Holdings are presently looking into the most recent incident, Oracle informed some of its clients. According to individuals who spoke to Bloomberg, the attacker is thought to have demanded an extortion payment. Interestingly, Oracle has declared that there is no connection between the two incidents. 

According to the firm, this breach occurred due to an outdated, dormant system, whereas the previous one affected specific clients in the healthcare sector. Oracle has not yet released a statement to the public, but according to Reuters, the company told customers directly and stressed that the impact is minimal because of how old the system in question is. 

Last month, Oracle also notified clients last month of a compromise at the software-as-a-service (SaaS) company Oracle Health (formerly Cerner), which affected many healthcare organisations and hospitals in the United States.

Even though the company has not publicly reported the event, threat analysts confirmed that patient data was stolen during the attack, as evidenced by private contacts between Oracle Health and impacted clients, as well as talks with people involved. Oracle Health reported that the breach of legacy Cerner data transfer servers occurred on February 20, 2025, and that the perpetrators accessed the systems using compromised client credentials after January 22, 2025.
Read more »
Zero-day Flaw
Data Breach Data Leak Oracle User Privacy Zero-day Flaw

Oracle Finally Acknowledges Cloud Hack

 

Oracle is reportedly trying to downplay the impact of the attack while quietly acknowledging to clients that some of its cloud services have been compromised. 

A hacker dubbed online as 'rose87168' recently offered to sell millions of lines of data reportedly associated with over 140,000 Oracle Cloud tenants, including encrypted credentials. The hacker initially intended to extort a $20 million ransom from Oracle, but eventually offered to sell the data to anyone or swap it for zero-day vulnerabilities.

The malicious actor has been sharing a variety of materials to support their claims, such as a sample of 10,000 customer data records, a link to a file demonstrating access to Oracle cloud systems, user credentials, and a long video that seems to have been recorded during an internal Oracle meeting.

However, Oracle categorically denied an Oracle Cloud hack after the hacker's claims surfaced, stating, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, multiple independent reports suggest Oracle privately notified concerned customers and confirmed a data incident. On the other hand, specifics remain unclear, and there appears to be some conflicting information. 

Bloomberg has learned from people familiar with the matter that Oracle has started privately informing users of a data leak involving usernames, passkeys and encrypted passwords. The FBI and CrowdStrike are reportedly investigating the incident.

Security firm CyberAngel learned from an unknown source that ‘Gen 1’ cloud servers were attacked — newer ‘Gen 2’ servers were not — that the exposed material is at least 16 months old and does not include full private details. 

“Our source, who we are not naming as requested, is reporting that Oracle has allegedly determined an attacker who was in the shared identity service as early as January 2025,” Cyber Angel said. “This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a webshell along with malware. The malware specifically targeted the Oracle IDM database and was able to exfil data.” 

“Oracle allegedly became aware of a potential breach in late February and investigated this issue internally,” it added. “Within days, Oracle reportedly was able to remove the actor when the first demand for ransom was made in early March.” 

Following the story, cybersecurity expert Kevin Beaumont discovered from Oracle cloud users that the tech firm has simply verbally notified them; no written notifications have been sent. According to Beaumont, "Gen 1" servers might be a reference to Oracle Classic, the moniker for earlier Oracle Cloud services. Oracle is able to deny that Oracle Cloud was compromised thanks to this "wordplay," as Beaumont refers to it.
Read more »
Employee Data
Australia Australian Businesses Cybersecurity Researchers Data Breach Data Leak data security Database Leaked Database Security Employee Data

Sydney Tools Data Leak Exposes Millions of Customer and Employee Records

 

A major data leak from Sydney Tools, an Australian retailer specializing in power tools, hand tools, and industrial equipment, has potentially exposed the personal information of millions of customers and employees. The breach, discovered by cybersecurity researchers at Cybernews, involved an unprotected Clickhouse database that remained publicly accessible online, allowing unauthorized individuals to view sensitive data.  

According to the report, the database contained more than 5,000 records related to Sydney Tools employees, including both current and former staff. These records included full names, branch locations, salary details, and sales targets. Given that Sydney Tools reportedly employs around 1,000 people, a large portion of the exposed records likely belong to individuals who no longer work for the company. While no banking details were included in the leak, the exposure of employee information still poses a significant security risk. 

Cybercriminals could use these details to craft convincing phishing scams or for identity theft. Beyond employee data, the breach also exposed an even larger volume of customer information. The database reportedly contained over 34 million online purchase records, revealing customer names, email addresses, phone numbers, home addresses, and details of purchased items. The exposure of this information is particularly concerning, as it not only compromises privacy but also increases the risk of targeted scams. 

Customers who purchased expensive tools and equipment may be especially vulnerable to fraud or burglary attempts. Cybernews researchers have expressed serious concerns over the extent of the breach, highlighting that the database includes a mix of personally identifiable information (PII) and financial details. This kind of information is highly valuable to cybercriminals, who can exploit it for various fraudulent activities. The researchers attempted to notify Sydney Tools about the security lapse, urging them to secure the exposed database. 

However, as of their last update, the data reportedly remained accessible, raising further concerns about the company’s response to the issue. This incident underscores the ongoing risks posed by unprotected databases, which continue to be one of the leading causes of data breaches. Companies handling large volumes of customer and employee information must prioritize data security by implementing robust protection measures, such as encryption, multi-factor authentication, and regular security audits. Failing to do so not only puts individuals at risk but also exposes businesses to legal and reputational damage. 

With cybersecurity threats on the rise, organizations must remain vigilant in safeguarding sensitive information. Until Sydney Tools secures the database and provides assurances about how it will handle data protection in the future, customers and employees should remain cautious and monitor their accounts for any suspicious activity.
Read more »
Privacy
Backups Data Leak Google Google Maps Privacy

Google Deletes User Data by Mistake – Who’s Affected and What to Do

 



Google has recently confirmed that a technical problem caused the loss of user data from Google Maps Timeline, leaving some users unable to recover their saved location history. The issue has frustrated many, especially those who relied on Timeline to track their past movements.


What Happened to Google Maps Timeline Data?

For the past few weeks, many Google Maps users noticed that their Timeline data had suddenly disappeared. Some users, who had been saving their location history for years, reported that every single recorded trip was gone. Even after trying to reload or recover the data, nothing appeared.

Initially, Google remained silent about the issue, providing no confirmation or explanation. However, the company has now sent an email to affected users, explaining that a technical error caused the deletion of Timeline data for some people. Unfortunately, those who did not have an encrypted backup enabled will not be able to restore their lost records.


Can the Lost Data Be Recovered?

Google has advised users who have encrypted backups enabled to try restoring their Timeline data. To do this, users need to open the latest version of Google Maps, go to the Timeline section, and look for a cloud icon. By selecting the option to import backup data, there is a chance of retrieving lost history.

However, users without backups have no way to recover their data. Google did not provide a direct apology but acknowledged that the situation was frustrating for those who relied on Timeline to recall their past visits.


Why Does This Matter?

Many Google Maps users have expressed their disappointment, with some stating that years of stored memories have been lost. Some people use Timeline as a digital journal, tracking places they have visited over the years. The data loss serves as a reminder of how important it is to regularly back up personal data, as even large tech companies can experience unexpected issues that lead to data deletion.

Some users have raised concerns about Google’s reliability, wondering if this could happen to other services like Gmail or Google Photos in the future. Many also struggled to receive direct support from Google, making it difficult to get clear answers or solutions.


How to Protect Your Data in the Future

To avoid losing important data in cases like this, users should take the following steps:

Enable backups: If you use Google Maps Timeline, make sure encrypted backups are turned on to prevent complete data loss in the future.

Save data externally: Consider keeping important records in a separate cloud service or local storage.

Be aware of notifications: When Google sends alerts about changes to its services, take immediate action to protect your data.


While Google has assured users that they are working to prevent similar problems in the future, this incident highlights the importance of taking control of one’s own digital history. Users should not fully rely on tech companies to safeguard their personal data without additional protective measures.



Read more »
Oracle Cloud
Data Breach Data Leak Data Theft Login Servers Oracle Cloud

Oracle Denies Claim of Server Breach

 

Following a threat actor's claim to be selling 6 million data records allegedly stolen from Oracle Cloud's federated SSO login servers, Oracle denies that it was compromised. 

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company noted. 

This accusation follows the release of many text files yesterday by a threat actor going by the moniker rose87168, which included a sample database, LDAP details, and a list of the businesses they said were pilfered from Oracle Clouds' SSO platform.

The threat actor provided BleepingComputer with this URL as additional evidence that they were able to access Oracle Cloud servers. It displays an Internet Archive URL indicating that they submitted a.txt file to the login.us2.oraclecloud.com server that contained their ProtonMail email address.

The attackers uploaded a text file with their email address without having access to Oracle Cloud servers, as BleepingComputer explained when they got in touch with Oracle once more. 

Alleged Oracle data leak 

Rose87168 is currently offering the allegedly stolen data from Oracle Cloud's SSO service for an undisclosed fee or in exchange for zero-day exploits on the BreachForums hacking community. The information, which included enterprise manager JPS keys, Java Keystore (JKS) files, and encrypted SSO passwords, was allegedly stolen during an intrusion into Oracle servers based in 'login.(region-name).oraclecloud.com'.

"The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked," rose87168 says. "I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.” 

They've also promised to share part of the data with anyone who can help decrypt the SSO or LDAP credentials. The threat actor told BleepingComputer that they acquired access to Oracle Cloud servers about 40 days ago and claimed to have emailed the firm after exfiltrating data from the US2 and EM2 regions.

In the email conversation, rose87168 said that they asked Oracle to pay 100,000 XMR for information on how they infiltrated the systems, but the company allegedly refused to pay after requesting for "all information needed for fix and patch.” 

When questioned how they breached the servers, the attackers stated that all Oracle Cloud servers are running a vulnerable version with a public CVE (flaw) that does not yet have a public PoC or exploit. However, BleepingComputer was unable to independently verify whether this was the case.
Read more »
User Security
Bank Scam Cyber Fraud Data Leak Financial Scam Fraudulent Message User Security

Five Ways to Identify a Bank Fraud And Stay Safe

 

It is not unusual for your bank to try to contact you. However, some of those emails and phone calls are simply scammers taking advantage of your trust in your bank to scam you. In general, you should be extremely sceptical of any unexpected messages. 

Modus operandi

You receive a phone call claiming to be from your bank informing you of a problem with your account. This is typically used for security purposes, such as informing you when someone is unlawfully accessing your account or has stolen your identity. 

Their response is to ask you to transfer all funds to a safe account' while the problem is resolved. The problem is that no one is attempting to access your account, and you are sending money directly to the crooks. The funds are then moved swiftly to other accounts around the world. 

Additionally, bank transfer scams might be the most common telephone, or vishing, scam, but they are far from the only one. Others may attempt to gain remote control of your computer by claiming there is a problem with your internet connection or that you have a virus.

In reality, they use this time to install malware on your computer and steal your personal information. Another strategy is to claim you're eligible for a refund or compensation but have received too much. You will then be asked to return the difference. 

How to detect a scam  

Urgency:  Fraudulent mails can generate a sense of urgency or mislead you into acting quickly. They may warn you about account termination, blocking your ATM card, or missing out on a limited-time promotion. Be wary of messages that urge you to take immediate action. 

Sender information: Legitimate banks usually send messages from certain phone numbers or email addresses. Be wary of messages from unknown phones or addresses that use generic greetings such as "Dear Customer" instead of your name. 

Personal data: Real banks would never request critical information such as your password, CVV code, OTP (One Time Password), or entire account number over SMS or email. If a message prompts you to update or verify such information, do not answer and instead contact your bank immediately. 

Grammatical errors: Legitimate bank messages are usually well-written and formatted. Typos, grammatical errors, and unprofessional language can all be indicators of a fake message. 

Verify: If you are unsure regarding a message, always contact your bank immediately using their official contact information (phone number or website) to enquire about its legality.

Better safe than sorry

The Federal Trade Commission reports that last year, fraud cost consumers over $12.5 billion. You can take measures to make it difficult for a bad actor to leave with anything, even though it could be simple for them to contact you by email, text, or social media. It's wise to use caution when dealing with something as important as your finances.
Read more »
Personal Data
Bank CyberSecurity Bank Data Leak Cleo Server CLOP Customer Data Data Breach Data Leak Data Theft Identity Theft Personal Data

Western Alliance Bank Data Breach Exposes Nearly 22,000 Customers’ Personal Information

 

Western Alliance Bank has alerted nearly 22,000 customers that their personal information was compromised following a cyberattack in October. The breach stemmed from a vulnerability in a third-party vendor’s secure file transfer software, which allowed attackers to gain unauthorized access to the bank’s systems and extract sensitive customer data. 

Western Alliance, a subsidiary of Western Alliance Bancorporation with over $80 billion in assets, first disclosed the incident in a February SEC filing. The bank revealed that hackers exploited a zero-day vulnerability in the software, which was officially disclosed on October 27, 2024. However, unauthorized access to the bank’s systems had already occurred between October 12 and October 24. The breach was only confirmed after the attackers leaked stolen files online. 

According to breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the stolen data includes names, Social Security numbers, birth dates, financial account details, driver’s license numbers, tax identification numbers, and passport information if previously provided to the bank. Despite the exposure, Western Alliance stated there is no evidence of fraud or identity theft resulting from the breach. 

To support affected customers, the bank is offering one year of free identity protection services through Experian IdentityWorks Credit 3B. Although Western Alliance did not disclose the name of the compromised software in its SEC filing or customer notifications, the Clop ransomware gang has claimed responsibility for the attack. In January, Clop listed the bank among 58 companies targeted in a campaign that exploited a critical zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTransfer, and Harmony software. 

The ransomware group had previously leveraged similar security flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA to conduct large-scale data theft operations. Further investigations revealed that Clop exploited an additional zero-day vulnerability (CVE-2024-55956) in Cleo software in December. This allowed them to deploy a Java-based backdoor, dubbed “Malichus,” enabling deeper infiltration into victims’ networks. Cleo, which serves over 4,000 organizations worldwide, confirmed the vulnerability had been used to install malicious backdoor code in affected instances of its Harmony, VLTrader, and LexiCom software. 

The full extent of the breach remains unclear, but it highlights the growing risks posed by vulnerabilities in third-party software. Organizations relying on such solutions must remain vigilant, promptly apply security patches, and implement robust defenses to prevent similar incidents.
Read more »
iOS
API Keys App security cloud storage Cybersecurity Data Breach Data Leak Encryption Hardcoded Secrets iOS

Thousands of iOS Apps Expose Sensitive Data Through Hardcoded Secrets, Researchers Warn

 

Cybersecurity researchers have uncovered alarming vulnerabilities in thousands of iOS applications, revealing that hardcoded secrets in their code have put users' sensitive information at risk.

A recent analysis by Cybernews examined over 156,000 iOS apps and detected more than 815,000 hardcoded secrets—some of which are highly sensitive and could potentially lead to security breaches or data leaks.

The term "secret" broadly refers to sensitive credentials like API keys, passwords, and encryption keys. These are often embedded directly into an app’s source code for convenience during development, but developers sometimes fail to remove them before release. According to Cybernews, the average iOS app exposes 5.2 secrets, and 71% of apps contain at least one leaked credential.

While some of these hardcoded secrets pose minimal risk, the report highlights serious threats. Researchers identified over 83,000 cloud storage endpoints, with 836 exposed without authentication, potentially leaking more than 400TB of data. Additionally, 51,000 Firebase endpoints were discovered, thousands of which were accessible to outsiders. Other exposed credentials include API keys for platforms like Fabric API, Live Branch, and MobApp Creator.

Among the most critical findings were 19 hardcoded Stripe secret keys, which directly control financial transactions. Cybernews researchers emphasized the severity of this issue, stating: “Stripe is widely used by e-commerce and even fintech companies to handle online payments.”

This vulnerability could allow cybercriminals to manipulate transactions or gain unauthorized access to payment infrastructure.

The findings challenge the common belief that iOS apps offer stronger security compared to other platforms.

“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.

This study underscores the importance of secure coding practices and urges developers to adopt better security protocols to prevent data breaches and unauthorized access.


Read more »
User Security
Data Breach Data Leak Ransomware attack Retirement Service Firm United States User Security

Ransomware Attack on Retirement Services Firm Exposes Thousands of US School Data

 

A ransomware assault targeting retirement service firm Carruth Compliance Consulting has resulted in a data breach affecting dozens of school districts and thousands of individuals in the US. Carruth Compliance Consulting (CCC) administers retirement savings accounts for public schools and non-profit organisations.

Carruth announced on its website on January 13, 2025, that it had detected suspicious activity on its computer systems on December 21, 2024. An investigation revealed that hackers gained access to company networks between December 19 and December 26, and stole some files. 

The company claims that private information such as name, Social Security number, financial account information, and, in specific circumstances, driver's license numbers, medical billing information, W-2 information, and tax filings were among the hacked files. Free identity restoration and credit monitoring services are being provided to affected consumers. 

A relatively new ransomware organisation called Skira claimed responsibility for the Carruth attack this week, claiming to have taken about 469 gigabytes of data, including databases, source code, and the data the company had included in their customer notification. Only four additional victims are listed on Skira's Tor-based leak website as of this writing; the first victim was revealed in December 2024. 

While Carruth has not disclosed the number of impacted organisations and individuals, dozens of school districts and institutions across multiple states have confirmed in recent weeks that they have been affected by the cybersecurity issue. School districts notified state attorneys general that Carruth was unable to identify affected individuals, and each educational institution is seeking to identify current and former employees whose personal information was provided with the retirement services provider. 

To date, nine school districts in Maine have reported identifying more than 20,000 individuals affected by a data breach, as mandated by the attorney general. The Carruth data breach comes just weeks after it was revealed that hackers may have stolen the personal information of millions of students and instructors in the United States and Canada after a cyberattack on education software and services company PowerSchool.
Read more »
Sensitive Data Leak
Cyber Attacks Data Leak data security Data Theft IT Systems Ransomware attack Ransomware group Ransomwares Sensitive Data Leak

Tata Technologies Cyberattack: Hunters International Ransomware Gang Claims Responsibility for 1.4TB Data Theft

 

Hunters International, a ransomware group known for high-profile cyberattacks, has claimed responsibility for a January 2025 cyberattack on Tata Technologies. The group alleges it stole 1.4TB of sensitive data from the company and has issued a threat to release the stolen files if its ransom demands are not met. Tata Technologies, a Pune-based global provider of engineering and digital solutions, reported the cyberattack in January. 

The company, which operates in 27 countries with over 12,500 employees, offers services across the automotive, aerospace, and industrial sectors. At the time of the breach, Tata Technologies confirmed that the attack had caused disruptions to certain IT systems but stated that client delivery services remained unaffected. The company also assured stakeholders that it was actively restoring impacted systems and conducting an internal investigation with cybersecurity experts. 

However, more than a month later, Hunters International listed Tata Technologies on its dark web extortion page, taking responsibility for the attack. The group claims to have exfiltrated 730,000 files, totaling 1.4TB of data. While the ransomware gang has threatened to publish the stolen files within a week if a ransom is not paid, it has not provided any samples or disclosed the nature of the compromised documents. Tata Technologies has yet to release an update regarding the breach or respond to the hackers’ claims. 

BleepingComputer, a cybersecurity news platform, attempted to contact the company for a statement but did not receive an immediate response. Hunters International emerged in late 2023, suspected to be a rebranded version of the Hive ransomware group. Since then, it has carried out multiple high-profile attacks, including breaches of Austal USA, a U.S. Navy contractor, and Japanese optics company Hoya. 

The group has gained notoriety for targeting various organizations without ethical restraint, even engaging in extortion schemes against individuals, such as cancer patients from Fred Hutchinson Cancer Center. Although many of the gang’s claims have been verified, some remain disputed. For example, in August 2024, the U.S. Marshals Service denied that its systems had been compromised, despite Hunters International’s assertions.  

With cybercriminals continuing to exploit vulnerabilities, the Tata Technologies breach serves as another reminder of the persistent and evolving threats posed by ransomware groups.
Read more »
remote access
Data Leak Infostealer malware Microsoft Teams remote access

Cybercriminals Abuse Microsoft Teams & Quick Assist for Remote Access

 

Trend Micro security experts discovered a sophisticated cyberattack that included social engineering tactics and commonly employed remote access tools. The attack, which uses stealthy infostealer malware, gives thieves permanent access over vulnerable PCs and allows them to steal sensitive data.

According to Trend Micro Threat Intelligence, the majority of incidents since October 2024 have been concentrated in North America, with 21 breaches reported. The US was the most affected, with 17 cases, followed by Canada and the United Kingdom, each with five. Europe documented a total of 18 incidents. 

Modus operandi 

Threat actors utilise social engineering techniques to acquire initial access by deceiving victims into submitting credentials. Microsoft Teams is used for impersonation, and Quick Assist and other remote access applications allow attackers to escalate privileges. OneDriveStandaloneUpdater.exe, a genuine OneDrive update application, is used to sideload malicious DLLs and grant attackers network access.

Subsequently, the attackers install BackConnect malware, which allows them to keep control of affected systems. Malicious files are hosted and propagated via commercial cloud storage services, leveraging misconfigured or publicly available storage buckets. 

The BackConnect malware has been linked by researchers to QakBot, a loader malware that was the focus of the 2023 takedown effort called "Operation Duckhunt." Access to target computers by Black Basta ransomware attackers was made possible in large part via QakBot. After it was taken down, these threat actors switched to alternative methods to continue operating. 

Black Basta and Cactus ransomware link 

Trend Micro analysts recently investigated cases in which the Black Basta and Cactus ransomware perpetrators used the identical BackConnect malware. This malware allows cybercriminals to execute commands remotely, steal credentials, and steal financial information.

In 2023, Black Basta alone extorted $107 million from victims, with manufacturing the largest hit, followed by financial sectors and real estate. Attackers also utilised WinSCP, an open-source file transfer client, to move data within infected systems. The infected files were first acquired from a cloud storage provider before being repackaged and distributed using system vulnerabilities. 

Further investigation into Black Basta's internal chat breaches indicates that members of the gang are now using Cactus ransomware. Researchers believe that this transition will allow Cactus to remain a major threat by 2025.
Read more »
Ransomware group
Cyber Attacks Data Leak data security Genea Healthcare Breach Patient Data Ransomware attack Ransomware group

Genea Cyberattack: Termite Ransomware Leaks Sensitive Patient Data

 

One of Australia’s leading fertility providers, Genea Pty Ltd, has been targeted in a cyberattack allegedly carried out by the Termite ransomware group. On February 26, 2025, the group claimed responsibility for breaching Genea’s systems and stated that they had stolen 700GB of data from 27 company servers. The stolen information reportedly includes financial documents, invoices, medical records, personal identification data, and detailed patient questionnaires. 

Among these files are Protected Health Information (PHI), which contains personal medical histories and sensitive patient details. The cyberattack was first confirmed by Genea on February 19, 2025, when the company disclosed that its network had been compromised. The breach caused system outages and disrupted operations, leading to an internal investigation supported by cybersecurity experts. Genea moved quickly to assess the extent of the damage and reassure patients that the incident was being addressed with urgency. 

In an update released on February 24, 2025, the company acknowledged that unauthorized access had been detected within its patient management systems. By February 26, 2025, Genea confirmed that some of the stolen data had been leaked online by the attackers. In a public statement, the company expressed deep regret over the breach, acknowledging the distress it may have caused its patients. In response, Genea took immediate legal action by securing a court-ordered injunction to prevent further distribution or use of the stolen information. 

This measure was part of the company’s broader effort to protect affected individuals and limit the potential damage caused by the breach. To assist those impacted, Genea partnered with IDCARE, Australia’s national identity and cyber support service. Affected individuals were encouraged to seek help and take necessary steps to safeguard their personal information. The company urged patients to remain alert for potential fraud or identity theft attempts, particularly unsolicited emails, phone calls, or messages requesting personal details.  

The attack was initially detected on February 14, 2025, when suspicious activity was observed within Genea’s network. Upon further investigation, it was revealed that unauthorized access had occurred, and patient data had been compromised. The attackers reportedly targeted Genea’s patient management system, gaining entry to folders containing sensitive information. The exposed data includes full names, contact details, medical histories, treatment records, Medicare card numbers, and private health insurance information. 

However, as of the latest update, there was no evidence that financial data, such as bank account details or credit card numbers, had been accessed. Despite the severity of the breach, Genea assured patients that its medical and administrative teams were working tirelessly to restore affected systems and minimize disruptions to fertility services. Ensuring continuity of patient care remained a top priority while the company simultaneously focused on strengthening security measures to prevent further incidents. 

In response to the breach, Genea has been collaborating with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) to investigate the full extent of the attack. The company is committed to keeping affected individuals informed and taking all necessary precautions to enhance its cybersecurity framework. Patients were advised to monitor their accounts and report any suspicious activity to authorities. 

As a precaution, Genea recommended that affected individuals follow security guidelines issued by official government agencies such as the Australian Cyber Security Centre and the ACCC’s Scamwatch. For those concerned about identity theft, IDCARE’s experts were made available to provide support and guidance on mitigating risks associated with cybercrime. The incident has highlighted the growing risks faced by healthcare providers and the importance of implementing stronger security measures to protect patient data.
Read more »
User Privacy
Data Leak Mobile Security Samsung Folder Secure Folder User Privacy

Samsung Secure Folder Vulnerability Exposes Hidden Images

 

Samsung's Secure Folder, a feature designed to provide industry-grade security for sensitive data on Galaxy smartphones, has been identified to have a major flaw. Recent discoveries indicate that apps and images saved in the Secure Folder can be accessible under certain conditions, raising concerns about the privacy and security of the data stored there. 

Modus operandi

The Secure Folder acts as a "Work" profile, allowing users to keep private apps, images, and files separate from their primary profile. Normally, when an app seeks to access files from the Secure Folder, the system prevents it unless the app is specifically approved. 

However, a Reddit user named lawyerz88 revealed that this security feature is ineffective when utilising a "Work" app (with a media picker) linked to a separate work profile. In that instance, files stored in the Secure Folder become available via the app. So it is not difficult to circumvent the intended privacy protections.

“If you have the work profile enabled through something like Island or Shelter (or you know, your actual workplace), any apps in the work profile can access the entirety of files saved in a secure folder without any restrictions whatsoever.” notes the Reddit user. “It seems it’s restricted by policy only and only from the personal profile and someone forgot to restrict access via another work profile.” 

Android Authority confirmed the flaw with the Shelter app, which allows you to create a work profile on any device. This means that anyone with physical access to a Galaxy smartphone might use this flaw to view Secure Folder data. 

Samsung's claim of strong security is called into question by this defect, since private data kept in the Secure Folder can be accessed without the owner's knowledge.While accessing the Secure Folder usually requires biometric authentication or a PIN/password, the workaround via Work applications renders these safeguards ineffective. 

The tech giant reportedly acknowledged that they were aware of the user's findings after he reported them. The firm recently rectified the boot loop issue linked with the Secure Folder, and now that more people are aware of it, we hope it is resolved as quickly as possible.
Read more »
User Privacy
Cyber Fraud Data Leak Financial Scam Indian Banking MHA User Privacy

Open Access to Critical Data With Bank Staff Leading to Financial Scam

 

A concerning trend has sent shockwaves across cybersecurity authorities, with central cyber and intelligence organisations tracking and documenting large-scale data leaks perpetrated by bank staff and third party contractors. 

According to a senior Indian government official, the issue has been raised to the highest levels of government, prompting an emergency meeting at the Ministry of Home Affairs (MHA) a few weeks ago to develop a resolution. The government agencies have determined that unlimited access to critical banking data, granted to staff and third-party vendors, is directly supporting rampant cyber fraud and significant financial losses among citizens. 

“The exposure of highly sensitive banking data to employees, particularly outsourced staff and third-party vendors, is leading to severe information leaks. Cybercriminals are exploiting this breach to systematically target and defraud citizens," a top government official stated. 

What is more concerning is the potential involvement of high management-level bank executives. Intelligence agencies officials at the meeting stated that despite repeated accusations, both public and private sector institutions had failed to take action against fraudulent activity. “Shockingly, banks are neglecting action on nearly 60-70 percent of fraudulent accounts reported on the National Cybercrime Reporting Portal (NCRP)," a senior official who attended the MHA meeting noted. 

Financial intelligence agencies have also detected severe flaws in banking security. The MHA meeting featured a detailed analysis of cyber fraud trends, mule accounts, and bank reaction times. The statistics show a stunning increase in cybercrime events, demonstrating that current security measures are ineffective. Banks seem reluctant to take corrective action, creating serious concerns about their accountability. 

In line with the most recent Reserve Bank of India (RBI) recommendation, authorities have highlighted the need for swift and strict action due to the rapid evolution of cybercrime. According to officials, unregulated data leaks from banks' own infrastructure will continue to fuel cybercriminal networks, putting millions of clients at risk, unless banks strengthen their internal controls and take decisive action.
Read more »
Security Incident
Data Breach Data Leak Financial Data Fintech Security Incident

Fintech Giant Finastra Breach Exposed Private Data, Company Notifies Victims

 

The financial technology behemoth Finastra is alerting victims of a data breach after unidentified hackers initially gained access to its networks in October 2024 and took their personal data. More than 8,100 financial institutions in 130 countries, including 45 of the top 50 banks in the world, rely on London-based Finastra to supply financial services software applications.

The security incident was discovered on November 7 after Finastra detected malicious activity on some of its systems, as the business warned in breach notification letters given to those impacted by the breach. 

"Our investigation revealed that an unauthorized third party accessed a Secure File Transfer Platform (SFTP) at various times between October 31, 2024 and November 8, 2024. Findings from the investigation indicate that on October 31, 2024, the unauthorized third party obtained certain files from the SFTP," the fintech giant noted. 

"Finastra has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused. As a result, we believe the risk to individuals whose personal data was involved is low.” 

At least 65 people in the state whose financial account information was stolen received breach notification letters from Finastra last week, although the company has not yet disclosed the number of victims or the type of data that was compromised (apart from the names of the victims), according to filings with the Massachusetts Attorney General's office. 

Additionally, the financial services organisation offers those whose information was compromised or stolen in the incident two years of free credit monitoring and identity restoration services through Experian.

The hack is believed to be connected to a (now-deleted) post on the BreachForums online cybercrime community by a threat actor called "abyss0" who claimed to sell 400GB of data allegedly stolen from Finastra's network, despite the fact that Finastra only revealed a very small amount of information in filings with Attorney General offices.

Last year in November, when a local media outlet enquired about the forum post, a Finastra spokesperson declined to confirm or deny ownership of the data, stating that the company experienced a limited-scope security incident and is assessing its impact.

"On November 7, 2024 Finastra's Security Operations Center (SOC) detected suspicious activity related to an internally hosted Secure File Transfer Platform (SFTP) we use to send files to certain customers," Finastra added. 

Finastra was also forced to shut down parts of its systems in March 2020 to combat what Tom Kilroy, the company's Chief Operating Officer at the time, described as a ransomware attack. While the company did not disclose how the attackers got access to its systems, cyber threat intelligence firm Bad Packets discovered that Finastra had many unpatched Pulse Secure VPN and Citrix ADC (NetScaler) servers prior to the attack.
Read more »
Hackers
CVE CVEs Cybersecurity Dark Web Data Breach Data Leak data security FortiGate devices Hackers

Hackers Leak 15,000 FortiGate Device Configs, IPs, and VPN Credentials

 

A newly identified hacking group, the Belsen Group, has leaked critical data from over 15,000 FortiGate devices on the dark web, making sensitive technical details freely available to cybercriminals. The leak includes configuration files, IP addresses, and VPN credentials, significantly increasing security risks for affected organizations. 

Emerging on cybercrime forums and social media just this month, the Belsen Group has been actively promoting itself. As part of its efforts, the group launched a Tor website where it released the stolen FortiGate data, seemingly as a way to establish its presence in the hacking community. In a post on an underground forum, the group claimed responsibility for breaching both government and private-sector systems, highlighting this operation as its first major attack. 

The exposed data is structured within a 1.6 GB archive, organized by country. Each country’s folder contains multiple subfolders corresponding to specific FortiGate device IP addresses. Inside, configuration files such as configuration.conf store FortiGate system settings, while vpn-passwords.txt holds various credentials, some of which remain in plaintext. 

Cybersecurity researcher Kevin Beaumont examined the leak and confirmed that these files include firewall rules, private keys, and other highly sensitive details that could be exploited by attackers. Further analysis suggests that the breach is linked to a known vulnerability from 2022—CVE-2022-40684—which was actively exploited before Fortinet released a security patch. 

According to Beaumont, evidence from a forensic investigation into a compromised device revealed that this zero-day vulnerability provided attackers with initial access. The stolen data appears to have been gathered in October 2022, around the same time this exploit was widely used. Fortinet had previously warned that CVE-2022-40684 was being leveraged by attackers to extract system configurations and create unauthorized super-admin accounts under the name fortigate-tech-support. 

Reports from the German news site Heise further confirm that the leaked data originates from devices running FortiOS firmware versions 7.0.0-7.0.6 or 7.2.0-7.2.2. The fact that FortiOS 7.2.2 was specifically released to address this vulnerability raises questions about whether some systems remained compromised even after the fix was made available. 

Although the leaked files were collected over two years ago, they still pose a significant threat. Configuration details, firewall rules, and login credentials could still be exploited if they were not updated after the original breach. Given the scale of the leak, cybersecurity experts strongly recommend that administrators review their FortiGate device settings, update passwords, and ensure that no outdated configurations remain in use.
Read more »
Sensitive Information
Data Breach Data Leak data security DDoS Hackers Personal Data Police Sensitive Information

Hackers Leak 8,500 Files from Lexipol, Exposing U.S. Police Training Manuals

 

An anonymous hacker group called the “puppygirl hacker polycule” recently made headlines by leaking over 8,500 files from Lexipol, a private company that provides training materials and policy manuals for police departments across the United States. 

As first reported by The Daily Dot, the data breach exposed internal documents, including thousands of police policies, emails, phone numbers, addresses, and other sensitive information about Lexipol employees. The hackers published the stolen data on Distributed Denial of Secrets (DDoS), a nonprofit platform for leaked information. In a statement, the group said they targeted Lexipol because, in their view, there aren’t “enough hacks against the police,” so they took action themselves.  

Founded in 2003, Texas-based Lexipol LLC, also known for its online training platform PoliceOne, has become a significant force in police privatization. The company supplies policy manuals and training content to more than 20% of U.S. police departments, according to a 2022 Indiana Law Journal analysis. This widespread adoption has effectively shaped public policy, despite Lexipol being a private company. 

Critics have long raised concerns about Lexipol’s focus on minimizing legal liability for police departments rather than addressing issues like excessive force or racial profiling. The Intercept reported in 2020 that Lexipol’s training materials, used by the NYPD after the George Floyd protests, prioritized protecting departments from lawsuits rather than promoting accountability or reform. 

Additionally, Lexipol has actively opposed proposed changes to police use-of-force standards, favoring a more lenient “objectively reasonable” standard. The leaked documents revealed striking similarities in policy language across different police departments, with matching sections on use-of-force protocols and even identical “Code of Ethics” pages — some ending with a religious oath dedicating officers to their profession before God. 

Despite Lexipol’s intent to reduce legal risks for its clients, some police departments using its policies have faced legal consequences. In 2017, Culver City, CA, adopted a Lexipol manual that suggested detaining suspected undocumented immigrants based on “lack of English proficiency,” contradicting the city’s sanctuary status. Similarly, Spokane, WA, paid a $49,000 settlement in 2018 after police violated local immigration laws using Lexipol’s guidance. 

Although the puppygirl hacker polycule isn’t linked to previous major breaches, their tactics echo those of SiegedSec, a group known for hacking government sites and playfully demanding research into “IRL catgirls.” As political tensions rise, the hackers predict more “hacktivist” attacks, aiming to expose injustices and empower public awareness. The Lexipol breach serves as a stark reminder of the vulnerabilities in privatized law enforcement systems and the growing influence of cyberactivism.
Read more »
USAID
Cyber Security Data Leak DOGE Elon Musk Threat Landscape USAID

Threat Analysts Warn of the 'Largest Data Breach' After Elon Musk's DOGE Controversy

 

The debate over Elon Musk's Department of Government Efficiency continues, with the world's richest man accused of snooping on some of America's most sensitive data. The DOGE has been tasked with reducing government spending by a paltry $2 trillion, which Musk himself admits might be unfeasible. 

However, the billionaire and his crew have lost no time to shed the fat, targeting everything from the National Space Council to USAID. Concerns have been raised regarding the DOGE's level of access, and some staff members have received death threats as a result of the debate.

"You can’t un-ring this bell,” the anonymous source told the local media outlet. Once these DOGE guys have access to these data systems, they can ostensibly do with it what they want." 

Four sources spoke to the local media outlet, but only Scott Cory would go on record. The former CIO for an HHS agency said: "The longer this goes on, the greater the risk of potential fatal compromise increases.” 

The National Oceanic and Atmospheric Administration, the Office of Personnel Management, the Department of Health and Human Services, and the U.S. Treasury have all apparently been accessed by the DOGE. "I don't think the public quite understands the level of danger," a federal agency administrator continued. 

With its newfound authority, the DOGE might prevent payments to government agencies and redirect funds to organisations it chooses. There are concerns that possible access to Federal Aviation could be "dire," even if Musk hasn't altered the current system yet. 

There have also been criticism that he has brought in a young team of technical wizards, but one payment-systems expert remarked that this is actually a good thing: "If you were going to organise a heist of the US Treasury, why in the world would you bring a handful of college students?" He went on to suggest that you'd need numerous people with at least ten years of experience with COBOL. 

Despite not being paid, working 120 hours a week, and sleeping in the offices, DOGE employees have been flexing their muscles to make some significant savings. Looking at the broad picture, one source concluded: "I'd want to believe that this is all so enormous and convoluted that they won't be successful in whatever they're attempting to do. But I wouldn't bet that outcome against their egos.”
Read more »
Subscribe to: Posts (Atom)