Received yesterday — 13 February 2026

Examples of SAML Providers

Explore top examples of SAML providers like Okta, Azure AD, and Ping Identity. Learn how to implement SAML SSO for secure enterprise identity management.

The post Examples of SAML Providers appeared first on Security Boulevard.

Is SSO the Same as SAML?

Confused about SSO vs SAML? Learn the difference between the authentication process and the XML-based protocol. Essential guide for engineering leaders and CTOs.

Login Instructions for Various Platforms

Learn how to implement and manage login instructions for various platforms using enterprise SSO, SAML, and OIDC to prevent data breach risks.

SmarterTools Breached by Own SmarterMail Vulnerabilities

9 February 2026 at 16:22

SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.” In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.” ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window.” “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliaQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.” Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.” “Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said Sentinel One “did a really good job detecting vulnerabilities and preventing servers from being encrypted.” He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.” He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:
  • Velociraptor
  • JWRapper
  • Remote Access
  • SimpleHelp
  • WinRAR (older, vulnerable versions)
  • exe
  • dll
  • exe
  • Short, random filenames such as e0f8rM_0.ps1 or abc...
  • Random .aspx files
“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”

European Commission Hit by Mobile Infrastructure Data Breach

9 February 2026 at 14:19

European Commission Mobile Cyberattack Thwarted by Quick Action

The European Commission's central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile cyberattack was limited by swift action, but cybersecurity observers are speculating that the incident was linked to another recent European incident involving Netherlands government targets that was revealed around the same time.

European Commission Mobile Cyberattack Detailed

The European Commission’s Feb. 5 announcement said its mobile management infrastructure “identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members. The Commission's swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.” The Commission said it will “continue to monitor the situation. It will take all necessary measures to ensure the security of its systems. The incident will be thoroughly reviewed and will inform the Commission's ongoing efforts to enhance its cybersecurity capabilities.” The Commission provided no further details on the attack, but observers wondered if it was connected to another incident involving Dutch government targets that was revealed the following day.

Dutch Cyberattack Targeted Ivanti Vulnerabilities

In a Feb. 6 letter (download, in Dutch) to the Dutch Parliament, State Secretary for Justice and Security Arno Rutte said the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) had been targeted in an “exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).” Rutte said the Dutch National Cyber Security Centre (NCSC) was informed by Ivanti on January 29 about vulnerabilities in EPMM, which is used for managing and securing mobile devices, apps and content. On January 29, Ivanti warned that two critical zero-day vulnerabilities in EPMM were under attack. CVE-2026-1281 and CVE-2026-1340 are both 9.8-severity code injection flaws, affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features, and could allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication. “Based on the information currently available, I can report that at least the AP and the Rvdr have been affected,” Rutte wrote. Work-related data of AP employees, such as names, business email addresses, and telephone numbers, “have been accessed by unauthorized persons,” he added. “Immediate measures were taken after the incident was discovered. In addition, the employees of the AP and the Rvdr have been informed. The AP has reported the incident to its data protection officer. The Rvdr has submitted a preliminary data breach notification to the AP.” NCSC is monitoring further developments with the Ivanti vulnerability and “is in close contact” with international partners, the letter said. Meanwhile, the Chief Information Officer of the Dutch government “is coordinating the assessment of whether there is a broader impact within the central government.”

European Commission Calls for Stronger Cybersecurity Controls

The European Commission’s statement noted that “As Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, the Commission is committed to further strengthen the EU's cybersecurity resilience and capabilities.” To that end, the Commission introduced a Cybersecurity Package on January 20 to bolster the European Union's cyber defenses. “A central pillar of this initiative is the Cybersecurity Act 2.0, which introduces a framework for a Trusted ICT Supply Chain to mitigate risks from high-risk suppliers,” the EC statement said.

Substack Discloses Breach Exposing its User Details After Four-Month Delay

5 February 2026 at 07:36

Data accessed in October 2025 went undetected until February, affecting subscribers across the newsletter platform with no evidence of misuse yet identified.

Substack disclosed a security breach that exposed user email addresses, phone numbers and internal metadata to unauthorized third parties, revealing the incident occurred four months before the company detected the compromise. CEO Chris Best notified users Tuesday that attackers accessed the data in October 2025, though Substack only identified evidence of the breach on February 3.

"I'm incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here," Best wrote in the notification sent to affected users.

The breach allowed an unauthorized third party to access limited user data without permission through a vulnerability in Substack's systems. The company confirmed that credit card numbers, passwords and financial information were not accessed during the incident, limiting exposure to contact information and unspecified internal metadata.

Substack's Breach Detection Delay a Concern

The four-month detection gap raises questions about Substack's security monitoring capabilities and incident response procedures. Modern security frameworks typically emphasize rapid threat detection, with leading organizations aiming to identify breaches within days or hours rather than months. The extended dwell time—the period attackers maintained access before detection—gave threat actors ample opportunity to exfiltrate data undetected.

Substack claims it has fixed the vulnerability that enabled the breach but provided no technical details about the nature of the flaw or how attackers exploited it. The company stated it is conducting a full investigation and taking steps to improve systems and processes to prevent future incidents.

Best urged users to exercise caution with emails or text messages they receive, warning that exposed contact information could enable phishing attacks or social engineering campaigns. While Substack claims no evidence of data misuse exists, the four-month gap between compromise and detection means attackers had significant time to leverage stolen information.

The notification's vague language about "other internal metadata" leaves users uncertain about the full scope of exposed information. Internal metadata could include account creation dates, IP addresses, subscription lists, payment history or other details that, when combined with email addresses and phone numbers, create comprehensive user profiles valuable to attackers.

Substack Breach Impact

Newsletter platforms like Substack represent attractive targets for threat actors because they aggregate contact information for engaged audiences across diverse topics. Compromised email lists enable targeted phishing campaigns, while phone numbers facilitate smishing attacks—phishing via text message—that many users find less suspicious than email-based attempts.

The breach affects Substack's reputation as the platform competes for writers and subscribers against established players and emerging alternatives. Trust forms the foundation of newsletter platforms, where creators depend on reliable infrastructure to maintain relationships with paying subscribers.

Substack has not disclosed how many users were affected, whether the company will offer identity protection services, or if it has notified law enforcement about the breach. The company also has not confirmed whether it will face regulatory scrutiny under data protection laws in jurisdictions where affected users reside.

Users should remain vigilant for suspicious communications, enable two-factor authentication where available, and monitor accounts for unauthorized activity following the disclosure.

SAML Development Guide

A comprehensive SAML development guide for engineering leaders. Learn about assertions, metadata, and securing single sign-on for enterprise CIAM.

The Ultimate Guide to Single Sign-On in 2025

Master Enterprise SSO in 2025. Learn about SAML, OIDC, and CIAM strategies for CTOs and VPs of Engineering to secure B2B platforms and prevent data breaches.

Is the Online Account Service Still Available?

Struggling with auth downtime? Learn why your online account service might be failing and how to implement Enterprise SSO and CIAM for 99.9% availability.

BreachForums Breach Exposes Names of 324K Cybercriminals, Upends the Threat Intel Game

2 February 2026 at 04:30

The BreachForums marketplace has suffered a leak, exposing the identities of nearly 324,000 cybercriminals. This incident highlights a critical shift in cyberattacks, creating opportunities for law enforcement while demonstrating the risks associated with breaches in the cybercriminal ecosystem.

CNIL Fine on France Travail After Hack Exposes 20 Years of Job Seekers’ Personal Data

30 January 2026 at 03:28

On January 22, 2026, France’s data protection authority, the CNIL, imposed a €5 million fine on France Travail (formerly Pôle Emploi) for failing to properly secure the personal data of job seekers. The CNIL fine on France Travail highlights growing regulatory pressure across Europe to strengthen GDPR data security measures, especially when sensitive public-sector systems are involved. The decision follows a major cyberattack in early 2024 that exposed personal information linked to millions of individuals registered with France’s national employment services over the last two decades.

CNIL Fine on France Travail After Major Job Seekers’ Data Breach

The CNIL fine on France Travail comes after hackers successfully infiltrated the organisation’s information system during the first quarter of 2024. According to investigators, the attackers relied on social engineering, a method that exploits human trust and behaviour rather than purely technical vulnerabilities. Using these tactics, hackers were able to hijack the accounts of advisers working with CAP EMPLOI — organisations responsible for supporting employment access for people with disabilities. This breach allowed attackers to gain entry into France Travail’s broader digital environment.

Hackers Accessed 20 Years of Personal Data

Investigations confirmed that the attackers accessed data relating to all individuals currently registered, or previously registered, with France Travail over the past 20 years. This also included individuals holding candidate accounts on the official francetravail.fr platform. The compromised information included:
  • National Insurance numbers
  • Email addresses
  • Postal addresses
  • Telephone numbers
While the hackers did not access complete job seeker files — which may contain health-related information — the CNIL still considered the exposed dataset highly sensitive due to its scale and the nature of the identifiers involved. The breach affected an extremely large portion of the French population, making it one of the most significant recent incidents involving a public institution.

GDPR Article 32 and Failure to Ensure Data Security

The CNIL’s decision focuses heavily on failure to ensure the security of personal data processed, a requirement under Article 32 of the GDPR. Under GDPR data security rules, organisations must implement security measures that are appropriate to the risks involved. The CNIL concluded that France Travail’s technical and organisational safeguards were inadequate and could have made the attack more difficult if properly applied. The restricted committee identified several key weaknesses.

Weak Authentication and Poor Monitoring Measures

One of the main concerns raised was the lack of authentication procedures for CAP EMPLOI advisers accessing the France Travail system. Weak access controls made it easier for hackers to take over adviser accounts and move through the network. The CNIL also highlighted insufficient logging and monitoring capabilities, which reduced the organisation’s ability to detect abnormal behaviour or suspicious activity early. Additionally, CAP EMPLOI adviser permissions were defined too broadly. Advisers could access data on individuals they were not directly supporting, significantly increasing the volume of information available once an account was compromised. This overexposure amplified the scale of the breach.

Security Measures Were Identified but Not Implemented

In determining the sanction, the restricted committee noted that many appropriate security measures had already been identified by France Travail during earlier impact assessments. However, these measures were not actually implemented before the processing began. This gap between awareness and execution played an important role in the CNIL’s decision to impose a multi-million-euro penalty. As regulators increasingly stress proactive security compliance, failure to act on known risks is being treated as a serious breach of responsibility. Beyond the financial penalty, the CNIL has ordered France Travail to justify the corrective measures taken, along with a precise implementation schedule. If the organisation fails to meet these requirements, it will face an additional penalty of €5,000 per day of delay, increasing the pressure to demonstrate meaningful improvements quickly.

Why CNIL Fine on France Travail Is Not Based on Turnover

France Travail is a national public administrative institution funded mainly through social security contributions rather than commercial revenue. As a result, the CNIL explained that the fine is not based on turnover, but instead falls under the GDPR framework for public-sector bodies, with a maximum limit of €10 million for a data security breach. “All fines imposed by the CNIL, whether they concern private or public actors, are collected by the Treasury and paid into the State budget.”

CNIL’s Role for Individuals Affected

The CNIL reminded the public that it serves as France’s personal data regulator, responding to requests and complaints from both individuals and professionals. Anyone can lodge a complaint with the CNIL when facing difficulties exercising their rights or when reporting violations of personal data protection rules. The authority can investigate organisations and issue sanctions where necessary. However, the CNIL does not have the power to compensate affected individuals directly. Those seeking compensation may file a complaint with the police. The France Travail data breach and subsequent CNIL sanction underline the importance of strong cybersecurity practices, especially for institutions handling large-scale citizen data. With regulators enforcing GDPR obligations more strictly, public bodies and private organisations alike are being reminded that data security is no longer optional — it is a legal and operational necessity.

What is SAML and how does SAML Authentication Work?

Deep dive into SAML 2.0 architecture for enterprise SSO. Learn how IdPs and SPs exchange XML assertions for secure B2B authentication and CIAM.

Canada Marks Data Privacy Week 2026 as Commissioner Pushes for Privacy by Design

27 January 2026 at 03:18

As Data Privacy Week 2026 gets underway from January 26 to 30, Canada’s Privacy Commissioner Philippe Dufresne has renewed calls for stronger data protection practices, modern privacy laws, and a privacy-first approach to emerging technologies such as artificial intelligence. In a statement marking Data Privacy Week 2026, Dufresne said data has become one of the most valuable resources of the 21st century, making responsible data management essential for both individuals and organizations. “Data is one of the most important resources of the 21st century and managing it well is essential for ensuring that individuals and organizations can confidently reap the benefits of a digital society,” he said. The Office of the Privacy Commissioner (OPC) has chosen privacy by design as its theme this year, highlighting the need for organizations to embed privacy into their programs, products, and services from the outset. According to Dufresne, this proactive approach can help organizations innovate responsibly, reduce risks, build for the future, and earn public trust.

Data Privacy Week 2026: Privacy by Design Takes Centre Stage

Speaking on the growing integration of technology into everyday life, Dufresne said Data Privacy Week 2026 is a timely opportunity to underline the importance of data protection. With personal data being collected, used, and shared at unprecedented levels, privacy is no longer a secondary concern. “Prioritizing privacy by design is my Office’s theme for Data Privacy Week this year, which highlights the benefits to organizations of taking a proactive approach to protect the personal information that is in their care,” he said. The OPC is also offering guidance for individuals on how to safeguard their personal information in a digital world, while providing organizations with resources to support privacy-first programs, policies, and services. These include principles to encourage responsible innovation, especially in the use of generative AI technologies.

Real-World Cases Show Why Privacy Matters

In parallel with Data Privacy Week 2026, Dufresne used a recent appearance before Parliament to point to concrete cases that show how privacy failures can cause serious and lasting harm. He referenced investigations into the non-consensual sharing of intimate images involving Aylo, the operator of Pornhub, and the 23andMe data breach, which exposed highly sensitive personal information of 7 million customers, including more than 300,000 Canadians. His office’s joint investigation into TikTok also highlighted the need to protect children’s privacy online. The probe not only resulted in a report but also led TikTok to improve its privacy practices in the interests of its users, particularly minors. Dufresne also confirmed an expanded investigation into X and its Grok chatbot, focusing on the emerging use of AI to create deepfakes, which he said presents significant risks to Canadians. “These are some of many examples that demonstrate the importance of privacy for current and future generations,” he told lawmakers, adding that prioritizing privacy is also a strategic and competitive asset for organizations.

Modernizing Canada’s Privacy Laws

A central theme of Data Privacy Week 2026 in Canada is the need to modernize privacy legislation. Dufresne said existing laws must be updated to protect Canadians in a data-driven world while giving businesses clear and practical rules. He voiced support for proposed changes under Bill C-15, the Budget 2025 Implementation Act, which would amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to introduce a right to data mobility. This would allow individuals to request that their personal information be transferred to another organization, subject to regulations and safeguards. “A right to data mobility would give Canadians greater control of their personal information by allowing them to make decisions about who they want their information shared with,” he said, adding that it would also make it easier for people to switch service providers and support innovation and competition. Under the proposed amendments, organizations would be required to disclose personal information to designated organizations upon request, provided both are subject to a data-mobility framework. The federal government would also gain authority to set regulations covering safeguards, interoperability standards, and exceptions. Given the scope of these changes, Dufresne said it will be important for his office to be consulted as the regulations are developed.

A Call to Act During Data Privacy Week 2026

Looking ahead, Dufresne framed Data Privacy Week 2026 as both a moment of reflection and a call to action. “Let us work together to create a safer digital future for all, where privacy is everyone’s priority,” he said. He invited Canadians to take part in Data Privacy Week 2026 by joining the conversation online, engaging with content from the OPC’s LinkedIn account, and using the hashtag #DPW2026 to connect with others committed to advancing privacy in Canada and globally. As digital technologies continue to reshape daily life, the message from Canada’s Privacy Commissioner is clear: privacy is not just a legal requirement, but a foundation for trust, innovation, and long-term economic growth.

Nike Probes Possible Cybersecurity Incident Following Dark Web Claims

Nike has confirmed that it is investigating a potential cybersecurity incident after claims surfaced online that its internal data may have been leaked by a cybercrime group. The same group, known for extortion-driven attacks against other companies, previously claimed the Nike cyberattack on its dark web site. Nike acknowledged the potential cybersecurity incident, stating, “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.” The company has not yet disclosed whether the cyberattack on Nike involved customer, employee, or partner data.

Hacker Group Claims the Nike Cyberattack

The allegations stem from a ransomware group known as World Leaks, which claimed on its website that it had published 1.4 terabytes of data allegedly tied to Nike’s business operations. The group did not specify what types of files or information were included in the purported leak. The Cyber Express reached out to Nike for further details regarding the reported cyberattack on Nike. However, as of the time of writing, the company had not shared any additional updates or clarification about the incident or its potential impact. World Leaks is an extortion-focused cybercrime group that steals corporate data to pressure victims into paying ransoms, threatening public disclosure if demands are not met. The group emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Following increased law enforcement scrutiny, the group reportedly abandoned traditional file-encryption tactics and shifted entirely to data theft and extortion. It has since claimed hundreds of victims.

Potential Partner Impact and Broader Industry Context

It remains unclear whether the alleged Nike data breach affected information belonging to any of Nike’s major wholesale partners. The company works closely with large retailers such as Dick’s Sporting Goods, Macy’s, and JD Sports. The reported cyberattack on Nike comes as data breaches continue to disrupt major corporations worldwide. High-profile cyber incidents in 2023 and 2024 affected companies including MGM Resorts International, Clorox, and UnitedHealth Group. MGM disclosed losses of at least $100 million tied to its attack, while Clorox reported a decline of more than $350 million in quarterly net sales following its breach. The incident also follows similar developments within the sportswear sector. TechCrunch recently reported that Under Armour launched an investigation after 72 million customer email addresses were posted online.

Nike’s Business Challenges Amid Cybersecurity Concerns

According to The Star, Nike has been working to regain its position as the world’s dominant sportswear brand after losing market share to smaller competitors. Against this backdrop, the emergence of a potential Nike cyberattack adds another layer of uncertainty. Despite the reports, Nike’s shares were flat as of late morning on Monday, indicating that investors may be waiting for verified details before reacting. As investigations continue, it remains uncertain whether the alleged Nike data breach will be confirmed or what consequences may follow. Nike has stated only that it is actively assessing the situation, and further information is expected as the inquiry progresses and claims related to the cyberattack on Nike are independently evaluated. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We will update this post once we have more information on the Nike cyberattack or any additional information from the company.

Single Sign-on Account Management in App Stores

Learn how to manage Single Sign-on (SSO) account identities within app stores for enterprise security. Guide for CTOs on OIDC, SAML, and CIAM integration.

Top Authentication Methods for Preventing Data Breaches

Authentication determines who gets in and who stays out. Getting this right means fewer breaches, less downtime, and stronger trust with customers.

Manage My Health Data Breach Sparks Warnings Over Impersonation and Phishing Attempts

The fallout from the Manage My Health data breach is continuing, with the company warning that fraudsters may now be attempting to contact affected users by impersonating the online patient portal. Manage My Health, which operates a widely used digital health platform in New Zealand, confirmed that most people impacted by the breach have now been notified. However, the organization cautioned that secondary criminal actors may be exploiting the situation by sending phishing or spam messages that appear to come from Manage My Health. “We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It added that it is investigating measures to limit this activity and has issued guidance to help users protect themselves. The MMH cyberattack, which occurred late last year, involved unauthorized access to documents stored within a limited feature of the platform. Cyber criminals reportedly demanded thousands of dollars in ransom, threatening to release sensitive data on the dark web. If released, the information could have exposed the medical details of more than 120,000 New Zealanders.

Information Accessed in the Manage My Health Data Breach 

According to Manage My Health, the cyberattack did not affect live GP clinical systems, prescriptions, appointment scheduling, secure messaging, or real-time medical records. Instead, the breach was confined to documents stored in the “My Health Documents” section of the platform.

These documents included files uploaded by users themselves, such as correspondence, reports, and test results, as well as certain clinical documents. The latter consisted of hospital discharge summaries and clinical letters related to care received in Northland Te Tai Tokerau.

Upon detecting unusual system activity, Manage My Health said it immediately secured the affected feature, blocked further unauthorized access, and activated its incident response plan. Independent cybersecurity specialists were engaged to investigate the incident and confirm its scope.

The company stated that the breach has since been contained and that testing has confirmed the vulnerability is no longer present.

Notifications and Regulatory Response 

Manage My Health acknowledged that its initial response led to some individuals being notified prematurely. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” the organization said, noting that this cautious approach resulted in some people being contacted even though they were later found not to be impacted.

Following forensic investigations, those individuals were subsequently informed that their data had not been affected. Users can confirm their status by logging into the Manage My Health web application, where a green “No Impact” banner indicates no involvement in the incident.

The company said notification efforts are ongoing due to the complexity of coordinating communications across patient groups, authorities, and data controllers, while ensuring compliance with the New Zealand Privacy Act.

The Manage My Health data breach has also triggered regulatory scrutiny. The Office of the Privacy Commissioner (OPC) has announced an inquiry into the privacy aspects of the incident. Manage My Health confirmed it is working closely with the OPC, as well as Health New Zealand | Te Whatu Ora, the National Cyber Security Centre, and the New Zealand Police.

Legal Action and Monitoring Efforts 

As part of its response to the MMH cyberattack, Manage My Health sought and was granted an interim injunction from the High Court. The injunction prohibits any third party from accessing, publishing, or disseminating the impacted data.

The organization said it is actively monitoring known data leak websites and is prepared to issue takedown notices immediately if any information appears online.

Additional security measures taken include remediating compromised account credentials, temporarily disabling the Health Documents module, and implementing continuous monitoring while broader security upgrades are rolled out. An independent forensic investigation remains ongoing, with the company declining to comment on specific technical findings at this stage.

Guidance for Users 

Manage My Health has reiterated that it will never ask users for passwords or one-time security codes. It has urged caution when receiving unexpected or urgent messages claiming to be from the company.

Anyone contacted by individuals claiming to possess their health data is advised not to engage and to report the incident to New Zealand Police via 105, or 111 in an emergency, and notify Manage My Health support.

To assist those concerned about identity misuse, the company has partnered with IDCARE, which provides free and confidential cyber and identity support across Australia and New Zealand.

“We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” Manage My Health said, adding that it remains committed to transparency as investigations into the cyberattack on Manage My Health continue.

Ingram Micro Data Breach Affects Over 42,000 People After Ransomware Attack

22 January 2026 at 01:40

Ingram Micro data breach

Ingram Micro, one of the world’s largest IT distributors, has confirmed that sensitive personal data was leaked following a ransomware attack that disrupted its operations last year. The Ingram Micro data breach incident, which paralysed the company’s logistics systems for nearly a week in July 2025, has now been linked to the theft of files containing employee and applicant information, affecting more than 42,000 individuals. The Ingram Micro data breach came to light through a mandatory filing with U.S. authorities, which revealed that 42,521 people were impacted, including five residents of the state of Maine. According to the company, the attackers accessed internal file repositories between July 2 and July 3, 2025, during an external system breach involving hacking. However, the breach was only discovered several months later, on December 26, 2025.

Ransomware Attack Led to Extended Disruption

The data exposure follows a ransomware attack that caused widespread operational disruption at Ingram Micro in July 2025. At the time, the company’s logistics were reportedly paralysed for about a week, affecting its ability to process and distribute products. While the immediate impact of the Ingram Micro data breach on operations was known, it has now emerged that the attackers also exfiltrated sensitive files during the same period. In a notice sent to affected individuals, Ingram Micro said it detected a cybersecurity incident involving some of its internal systems on July 3, 2025. The company launched an investigation into the nature and scope of the issue and determined that an unauthorised third party had taken certain files from internal repositories over a two-day window.

Ingram Micro Data Breach: Personal and Employment Data Stolen

The compromised files included employment and job applicant records, containing a wide range of personal information. According to the Ingram Micro data breach notification, the stolen data may include names, contact information, dates of birth, and government-issued identification numbers such as Social Security numbers, driver’s licence numbers, and passport numbers. In addition, certain employment-related information, including work evaluations and application documents, was also accessed. The company noted that the types of affected personal information varied by individual. Ingram Micro employs approximately 23,500 people worldwide, and the breach affected both current and former employees, as well as job applicants. Ingram Micro said it took steps to contain and remediate the unauthorised activity as soon as the incident was detected. These measures included proactively taking certain systems offline and implementing additional security controls. The company also engaged leading cybersecurity experts to assist with its investigation and notified law enforcement. As part of its response to the Ingram Micro data breach, the company conducted a detailed review of the affected files to understand their contents. It was only after completing this review that Ingram Micro confirmed that some of the files contained personal information about individuals.

Support Offered to Affected Individuals

Ingram Micro is notifying impacted individuals and encouraging them to take steps to protect their personal information. Under U.S. law, affected individuals are entitled to one free credit report annually from each of the three nationwide consumer reporting agencies. The company has also arranged to provide complimentary credit monitoring and identity protection services for two years. In its notification, Ingram Micro urged people to remain vigilant by reviewing their account statements and monitoring their credit reports. The company included guidance on how to register for the free protection services and additional steps to reduce the risk of identity theft. For further assistance, Ingram Micro has set up a dedicated call centre for questions related to the breach. The company said it regrets any inconvenience caused and is working to address concerns raised by those affected.

Broader Implications for Corporate Cybersecurity

The incident highlights the growing risks organisations face from ransomware attacks that not only disrupt operations but also result in data theft. The delay between the occurrence of the breach in July and its discovery in December emphasizes the challenges companies face in detecting and containing sophisticated cyber intrusions. For large enterprises like Ingram Micro, which play a central role in global IT supply chains, the consequences of such attacks can extend beyond immediate operational losses. The exposure of sensitive employee and applicant data adds a long-term dimension to the impact, increasing the risk of identity theft and fraud for those affected. As investigations continue, the ransomware attack on Ingram Micro serves as a reminder of the importance of strong cybersecurity controls, continuous monitoring, and timely incident response to limit both operational disruption and data loss.

Spanish Energy Giant Endesa Notifies Customers of Data Breach Impacting Energía XXI

13 January 2026 at 02:01

Endesa Data Breach

Spanish energy provider Endesa and its regulated electricity operator Energía XXI have begun notifying customers after detecting unauthorized access to the company’s internal systems, resulting in the exposure of personal and contract-related data. The Endesa data breach incident, publicly disclosed by the company, impacts customers linked to Endesa’s commercial platform and is currently under investigation. Endesa, Spain’s largest electric utility company and a subsidiary of the Enel Group, provides electricity and gas services to millions of customers across Spain and Portugal. In total, the company reports serving approximately 22 million clients. The Endesa data breach specifically affects customers of Energía XXI, which operates under Spain’s regulated energy market.

Unauthorized Access Detected on Commercial Platform

According to Endesa, the security incident involved unauthorized and illegitimate access to its commercial platform, enabling attackers to view sensitive customer information tied to energy contracts. In a notification sent to affected customers, the company acknowledged the Endesa data breach, stating: “Despite the security measures implemented by this company, we have detected evidence of unauthorized and illegitimate access to certain personal data of our customers related to their energy contracts, including yours.” The company clarified that while account passwords were not compromised, other categories of data were potentially accessed during the incident.

[Image: Endesa data breach notification. Image source: X]

Types of Data Potentially Exposed in Endesa Data Breach

Based on the ongoing investigation, Endesa confirmed that attackers may have accessed or exfiltrated the following information:
  • Basic identification data
  • Contact information
  • National identity card numbers
  • Contract-related data
  • Possible payment details, including IBANs
Despite the scope of exposed data, Endesa emphasized that login credentials remained secure, reducing the likelihood of direct account takeovers.

Endesa Activates Incident Response Measures

Following detection of the Endesa data breach, the company activated its established security response protocols to contain and mitigate the incident. In its official statement, Endesa detailed the actions taken: “As soon as Endesa Energía became aware of the incident, the established security protocols and procedures were activated, along with all necessary technical and organizational measures to contain it, mitigate its effects, and prevent its recurrence.” These actions included blocking compromised internal accounts, analyzing log records, notifying affected customers, and implementing enhanced monitoring to detect further suspicious activity. The company confirmed that operations and services remain unaffected.

Authorities Notified as Investigation Continues

As required under applicable regulations, Endesa notified the Spanish Data Protection Agency and other relevant authorities after conducting an initial assessment of the incident. The company stated that the investigation is ongoing, involving both internal teams and external suppliers, to fully understand the cause and impact of the breach. Addressing customer concerns, Endesa noted: “As of the date of this communication, there is no evidence of any fraudulent use of the data affected by the incident, making it unlikely that a high-risk impact on your rights and freedoms will materialize.”

Customers Warned of Potential Phishing and Impersonation Risks

While no misuse of data has been identified so far, Endesa acknowledged potential risks associated with the exposed information. Customers have been urged to remain vigilant against identity impersonation, data misuse, phishing attempts, and spam campaigns. The company advised affected individuals to report any suspicious communications to its call center and to avoid sharing personal or sensitive information with unknown parties. Customers were also encouraged to contact law enforcement in case of suspected fraudulent activity. The Cyber Express Team has contacted Energía XXI and Endesa seeking further clarification on the incident and its impact. However, at the time of publication, no additional response had been received from either entity.

Canopy Health Confirms Cyberattack, Patients Not Notified for Six Months

Canopy Health data breach

Canopy Health confirms it suffered a serious cyber intrusion that went undisclosed to patients for six months. The delayed notification has triggered anger and deep concern among those affected, many of whom say the Canopy Health data breach has eroded their confidence in health providers and the systems meant to protect sensitive personal information.

The Canopy Health cyberattack was publicly acknowledged this week after months of behind-the-scenes investigation. In an update posted on its website, Canopy Health said it identified the incident on 18 July 2025, when it detected that an unknown person had “temporarily obtained unauthorized access” to part of its internal systems used by its administration team.

Following a forensic investigation conducted by external cybersecurity experts, the organization said it had been advised that “unauthorized access to one of our servers likely occurred, and some data may have been copied.” Canopy Health added that the incident had since been contained, but confirmed the investigation was ongoing.

Patients React to the Canopy Health Data Breach 

According to Radio New Zealand, a woman who requested anonymity said she only learned about the Canopy Health data breach after receiving an email from the company this week. “Six months is an outrageous amount of time to keep the breach secret,” she said.

She had previously been referred to one of Canopy Health’s clinics for mammograms under the government-funded national breast screening program, BreastScreen Aotearoa, and had also used its diagnostic imaging services. The woman said the email she received claimed there was “no indication that any credit card, banking information or identity documents were affected.” However, she noted this appeared to contradict Canopy Health’s website statement, which acknowledged hackers may have “accessed a small number of bank account numbers.”

The woman, who is also a user of the Manage My Health platform, said that beyond what she described as “obviously inadequate data security systems,” the slow and unclear communication from both companies was “completely unacceptable.” “I am angry, and my confidence in health services and data security in this country is at an all-time low,” she said.

Concerns Over Financial and Identity Information 

Another Auckland resident, also granted anonymity by RNZ, said she was referred to Canopy Health for a mammogram through BreastScreen Aotearoa and only received a letter about the breach in mid-December. “It was definitely not acceptable that this happened in July, but I only received a letter months later,” she said. “I would never have known if they had not sent that letter. But in the period of time they’ve taken to send it to me, anything could have happened.”

She said she was not reassured by Canopy Health’s assertion that it was “unlikely” patients’ identities were at risk. “If any of my information were compromised in any way, it would affect me,” she said. “I don’t know what would be out there, especially with the job I do—what if it fell into the hands of the wrong person and was used against me?”

Under a Q&A section published on its website, Canopy Health said the hacker “may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes.” The company said it was “directly notifying potentially affected individuals” and added that it was “unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.” Patients concerned about the Canopy Health data breach were advised to contact their banks.

Second Health Data Incident Raises Wider Questions 

The Canopy Health cyberattack comes amid heightened scrutiny of data security in the health sector. In late December, patient portal provider Manage My Health confirmed it had identified a separate security incident involving unauthorized access to its platform. The company said between 6 and 7 percent of its approximately 1.8 million registered users may have been affected.

Manage My Health later said more than half of impacted patients had received notification emails, and that unaffected users could see their status within the app. Of the roughly 125,000 patients affected by the ransomware attack, more than 80,000 are based in Northland—the only region where Health NZ uses Manage My Health to share hospital discharge summaries, outpatient clinic letters, and referral notifications with patients.

The operators of Manage My Health said they have received “independent confirmation” from IT experts that vulnerabilities in its code have now been fixed. Meanwhile, the fallout from the Canopy Health data breach and the broader Canopy Health cyberattack continues to raise serious questions about transparency, accountability, and the protection of patient data across the healthcare system.

Australian Insurer Prosura Confirms Cyber Incident, Takes Online Services Offline Amid Investigation

Prosura cyberattack

Australian insurance provider Prosura is investigating a cyber incident after detecting unauthorized access to parts of its internal systems, which has resulted in fraudulent emails being sent to some customers. The Prosura cyberattack, identified in early January, led the insurer to temporarily shut down key online services while it works to secure its systems and determine the full extent of the breach.

Prosura confirmed that it first identified the cyberattack on Prosura on January 3, 2026. In a media statement, the company said it discovered “unauthorized access to parts of our systems” and acted immediately to limit further risk.

“As a precaution, we have temporarily disabled the ability to purchase a policy, submit or manage a claim, or administer an existing policy via our self-service portal while we investigate and secure our environment,” Prosura said.

A subsequent Security Incident Update issued on Thursday, 8 January, provided additional clarity. According to the insurance provider, an unknown third party gained unauthorized access to a portion of its internal IT systems. Prosura also acknowledged that it was aware of online activity related to the incident and was prioritizing efforts to verify those claims.

While services remain offline, Prosura said it is conducting an urgent review of its systems and deploying additional security measures to prevent a recurrence of the Prosura cyberattack.

Fraudulent Emails Linked to the Prosura Cyberattack

Alongside the system intrusion, Prosura reported that some customers received fraudulent emails connected to their existing or completed policies. These messages may reference the cyberattack on Prosura and instruct recipients to contact a third-party email address. The insurer urged customers not to respond to these emails, not to contact any external addresses mentioned, and to avoid clicking on links or opening attachments in unexpected messages. Customers were also advised to remain alert to phishing attempts via email, phone calls, or text messages that may use personal information to appear legitimate.

Customer Information Potentially Impacted 

Based on its investigation so far, Prosura believes some customer data may have been accessed during the cyberattack. The information potentially affected includes names, email addresses, phone numbers, country of residence, travel destinations, invoicing and pricing details, as well as policy start and end dates.

For customers who have previously made claims, the breach may also have exposed additional claim-related information. This could include driver’s licenses and associated images that were submitted as part of supporting documentation.

Prosura noted that there is no evidence that payment data was compromised. “Importantly, there is no indication that payment information (including credit card details) have been accessed,” the company stated, adding that it does not store credit card details within its systems.

Regulatory Notifications and Ongoing Response 

The insurance provider confirmed it has notified both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, and will alert other regulatory bodies as required. Prosura is also working with external cybersecurity specialists to investigate what happened, strengthen system security, and monitor for further developments.

“We are taking this incident extremely seriously. We will work with specialist cybersecurity experts to investigate what happened, secure our systems, and restore services safely,” the company said.

Despite the disruption, Prosura reassured customers that active policies remain valid. Policyholders with upcoming travel plans were advised that they can proceed as planned, as policy validity has not been affected by the incident. Customers needing claim support were instructed to contact Prosura directly via its official support email with “Claim” included in the subject line.

Company Apology and Next Steps 

In a statement signed by Managing Director Mike Boyd, Prosura acknowledged the concern caused by the incident. “We know this is concerning, and we are sorry this has happened,” Boyd said. “Our focus is on protecting our customers, supporting those affected, and restoring services safely.”

Prosura said it will contact impacted parties directly once it confirms what information was involved and will provide further guidance and support as required. The company added that it will continue to issue updates as new facts emerge, noting that premature disclosures could lead to misinformation.

As the Prosura cyberattack investigation continues, the insurer has reiterated its advice for customers to stay vigilant, avoid suspicious communications, and rely only on official updates published through Prosura’s website and direct customer communications.

Infostealers and Lack of MFA Led to Dozens of Major Breaches

7 January 2026 at 15:31

Infostealers and Lack of MFA Led to Dozens of Major Breaches

Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause. “... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said. Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears to be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:
  • Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
  • Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
  • Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”
“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime. “Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).” Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases. “A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were “used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’” ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said. Recommended steps include:
  • Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
  • Resetting passwords for all users and requiring “strong, unique credentials”
  • Reviewing access logs for suspicious activity
  • Invalidating active sessions to force re-authentication with MFA
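The attack flow Hudson Rock describes and ownCloud's four recommended steps both come down to the same triage a defender has to run once they learn that some of their users' credentials sit in infostealer logs. The script below is an added example, not code from Hudson Rock, ownCloud or this article: it takes a constructed list of exposed accounts, their MFA enrolment state, known login locations and a constructed access log in a simplified hypothetical format (not ownCloud's real log layout), and returns the accounts to reset first (exposed and no MFA), the successful password-only logins to exposed accounts from IPs never seen before, and the sessions that must be invalidated so a session minted before the reset cannot outlive it.

```python
"""Credential-exposure triage for a file-sharing portal (added example).

Inputs are constructed for illustration; the log format is hypothetical.
"""
import re
from dataclasses import dataclass

# Hypothetical, simplified log line layout (assumption, not ownCloud's own format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_fail) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) mfa=(?P<mfa>yes|no) session=(?P<session>\S+)$"
)

# Constructed sample access log.
SAMPLE_LOG = """\
2026-01-05T08:02:11Z login_ok user=alice ip=203.0.113.10 mfa=yes session=s1
2026-01-05T09:17:45Z login_ok user=bob ip=198.51.100.7 mfa=no session=s2
2026-01-05T22:41:03Z login_ok user=bob ip=192.0.2.55 mfa=no session=s3
2026-01-06T01:12:30Z login_fail user=carol ip=192.0.2.55 mfa=no session=-
2026-01-06T01:13:02Z login_ok user=carol ip=192.0.2.55 mfa=no session=s4
2026-01-06T07:30:00Z login_ok user=dave ip=203.0.113.10 mfa=yes session=s5
"""

# Constructed: accounts whose credentials were reported in infostealer logs.
EXPOSED_ACCOUNTS = {"bob", "carol", "dave"}

# Constructed: MFA enrolment state per account.
MFA_ENABLED = {"alice": True, "bob": False, "carol": False, "dave": True}

# Constructed: IPs each user is known to log in from (office egress, VPN).
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
    "carol": {"198.51.100.7"},
    "dave": {"203.0.113.10"},
}


@dataclass(frozen=True)
class Login:
    ts: str
    event: str
    user: str
    ip: str
    mfa: bool
    session: str


def parse_log(text):
    """Parse log lines; malformed lines are skipped rather than aborting triage."""
    logins = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        logins.append(Login(m["ts"], m["event"], m["user"], m["ip"],
                            m["mfa"] == "yes", m["session"]))
    return logins


def accounts_needing_reset(exposed, mfa_enabled):
    """Exposed password and no MFA: a valid password alone lets an attacker in,
    so these accounts get a forced reset and MFA enrolment first."""
    return sorted(u for u in exposed if not mfa_enabled.get(u, False))


def suspicious_logins(logins, exposed, known_ips):
    """Successful password-only logins to exposed accounts from unseen IPs."""
    return [
        l for l in logins
        if l.event == "login_ok"
        and l.user in exposed
        and not l.mfa
        and l.ip not in known_ips.get(l.user, set())
    ]


def sessions_to_invalidate(logins, exposed):
    """Every session on an exposed account is revoked, MFA or not: a password
    reset does not end a session that was already established."""
    return sorted({l.session for l in logins
                   if l.event == "login_ok" and l.user in exposed})


if __name__ == "__main__":
    logins = parse_log(SAMPLE_LOG)
    print("reset first:", accounts_needing_reset(EXPOSED_ACCOUNTS, MFA_ENABLED))
    for l in suspicious_logins(logins, EXPOSED_ACCOUNTS, KNOWN_IPS):
        print("suspicious:", l.ts, l.user, l.ip, l.session)
    print("invalidate:", sessions_to_invalidate(logins, EXPOSED_ACCOUNTS))
```

On the constructed data this flags bob and carol for immediate reset, surfaces bob's and carol's password-only logins from 192.0.2.55 as the ones to investigate, and revokes s2 through s5. Note that dave's session is revoked even though the login used MFA: the exposed password still has to be rotated and the session re-established, which is the point of ownCloud's fourth step.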

Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack

7 January 2026 at 12:00

Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack

The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says. Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access. The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.

Crimson Collective’s Brightspeed Claims and Customer Risk

In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider. A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress. Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more. The data doesn’t include passwords or full credit card numbers that could put users at imminent risk of breach or theft, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.

Crimson Collective: An Emerging Threat

Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure. Murata said the Brightspeed attack “aligns with the Crimson Collective's pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.” The timing of the attack, coming just after the New Year holiday, is a possible example of "holiday hunting," where cybercriminals exploit reduced IT staffing over holidays, Murata said. “Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”

Hacktivist Exposes and Deletes White Supremacist Websites Live at Conference

6 January 2026 at 13:40

Martha Root deletes white supremacist websites at conference

A hacktivist exposed and deleted three white supremacist websites during a presentation at a conference last week. The hacker and self-described journalist, who goes by Martha Root, appeared onstage dressed as Pink Ranger from the Power Rangers at the Chaos Communication Congress in Hamburg, Germany, and was joined by journalists Eva Hoffmann and Christian Fuchs. Near the end of the presentation, Root remotely deleted the servers of WhiteDate, WhiteChild and WhiteDeal to cheers from the audience. The owner of the dating, family and job sites confirmed the hack in a post on X, writing, “At min 43, they publicly delete all my websites while the audience rejoices. This is cyberterrorism. No wonder some of them hide their faces. But we will find them, and trust me, there will be repercussions.”

White Supremacist Websites Data Leaked

Root was able to extract data on more than 6,000 WhiteDate users and published much of it on the site okstupid.lol, an apparent pun referencing OkCupid. Root did not include emails and private messages “for now,” but also apparently shared the full data set with DDoSecrets and HaveIBeenPwned. Root wrote on okstupid that their investigation into WhiteDate revealed “Poor cybersecurity hygiene that would make even your grandma’s AOL account blush,” “Image metadata (EXIF) so revealing, it practically hands out home addresses with a side of awkward selfies,” and “A gender ratio that makes the Smurf village look like a feminist utopia.” “Imagine calling yourselves the "master race" but forgetting to secure your own website—maybe try mastering to host Wordpress before world domination,” Root taunted on the site. Root mapped the user data on an interactive map, and indeed, the location data is precise: the latitude and longitude coordinates are specific enough to identify a user’s address. Coupled with additional information such as profile pictures and the redacted email addresses, user identification would appear to be possible in many cases.
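The EXIF point is worth making concrete, because it is the mechanism by which a dating site that never asks for a street address can still hand one out. The following is an added example, not code from the talk or from the article: a standard-library Python reader that finds the Exif APP1 segment of a JPEG, walks IFD0 to the GPS sub-IFD and converts the degrees/minutes/seconds rationals to decimal coordinates, plus a helper that drops the APP1 segment, which is what an upload pipeline should do before a profile photo is published. The sample image is a constructed JPEG skeleton (SOI, APP1, EOI) carrying a hand-built TIFF block; the position in it is made up and belongs to no one.

```python
"""Read GPS coordinates from a JPEG's Exif APP1 segment and strip that segment.
Standard library only.  SAMPLE_JPEG is a constructed fixture, not a real photo."""
import struct

GPS_IFD_TAG = 0x8825                                     # IFD0 pointer to the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004   # GPS sub-IFD tags
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before the scan data (SOS) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        yield data[pos + 1], data[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries

def value_bytes(tiff, entry, endian):
    """Values of 4 bytes or less sit inside the entry; larger ones live at an offset."""
    typ, n, raw = entry
    size = TYPE_SIZES[typ] * n
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(endian + "I", raw)
    return tiff[off:off + size]

def dms_to_decimal(raw, ref, endian):
    """Three RATIONALs (degrees, minutes, seconds) to signed decimal degrees."""
    p = struct.unpack(endian + "6I", raw)
    value = p[0] / p[1] + p[2] / p[3] / 60 + p[4] / p[5] / 3600
    return -value if ref in (b"S", b"W") else value

def gps_from_tiff(tiff):
    """Walk IFD0 -> GPS IFD; None when the image carries no complete GPS position."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
    gps = read_ifd(tiff, gps_off, endian)
    if any(tag not in gps for tag in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat_ref = value_bytes(tiff, gps[LAT_REF], endian)[:1]
    lon_ref = value_bytes(tiff, gps[LON_REF], endian)[:1]
    lat = dms_to_decimal(value_bytes(tiff, gps[LAT], endian), lat_ref, endian)
    lon = dms_to_decimal(value_bytes(tiff, gps[LON], endian), lon_ref, endian)
    return round(lat, 6), round(lon, 6)

def gps_from_jpeg(data):
    """(latitude, longitude) in decimal degrees, or None if there is no GPS Exif."""
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return gps_from_tiff(payload[6:])
    return None

def strip_app1(data):
    """Rebuild the JPEG without APP1 segments (Exif/XMP); everything else is kept."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, payload in jpeg_segments(data):
        if marker != 0xE1:
            out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
        pos += 4 + len(payload)
    return bytes(out + data[pos:])

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: little-endian TIFF, IFD0 -> GPS IFD -> two DMS triples."""
    gps_off = 26                           # 8-byte header + 18-byte IFD0
    lat_off, lon_off = gps_off + 54, gps_off + 54 + 24   # GPS IFD is 54 bytes
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off) + b"\0" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref + b"\0\0\0"
    tiff += struct.pack("<HHII", LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref + b"\0\0\0"
    tiff += struct.pack("<HHII", LON, 5, 3, lon_off) + b"\0" * 4
    for d, m, s in (lat_dms, lon_dms):
        tiff += struct.pack("<6I", d, 1, m, 1, s, 1)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

# 51 deg 30' 00" N, 0 deg 07' 30" W: an invented position for the fixture.
SAMPLE_JPEG = build_sample_jpeg((51, 30, 0), b"N", (0, 7, 30), b"W")
```

`gps_from_jpeg(SAMPLE_JPEG)` returns the decimal position, and `gps_from_jpeg(strip_app1(SAMPLE_JPEG))` returns `None`, which is the state every uploaded image should be in before it is served. Stripping at upload is the right place: re-encoding with a library that preserves metadata, or only hiding the field in the UI, leaves the coordinates downloadable.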

Chatbot Used to Investigate White Supremacist Dating Site

Root also used a custom AI chatbot to interact with users and scale data collection. As they noted in a video, “Some of WhiteDate’s most dedicated Aryan suitors spent weeks chatting with a chatbot, trained, prompted, monitored by me. And while they flirted with their perfect trad wife, I collected data.” In the talk’s abstract, Root, Hoffmann and Fuchs wrote that "After months of observation, classic OSINT research, automated conversation analysis, and web scraping, we discovered who is behind these platforms and how their infrastructure works." According to HaveIBeenPwned, the WhiteDate data set includes Ages, Astrological signs, Bios, Education levels, Email addresses, Family structure, Genders, Geographic locations, Income levels, IQ levels, Nicknames, Physical attributes, Profile photos, Races, Relationship status and Sexual orientation. HaveIBeenPwned labeled the data as “sensitive,” and noted, “As this breach has been flagged as sensitive, it is not publicly searchable.” Users must sign in to their dashboard to review search results, and DDoSecrets has restricted access to the data too. The name Martha Root appears to be a pseudonym taken from an American peace activist from the early 20th century.

Crimson Collective Claims Breach of U.S. Fiber Broadband Provider Brightspeed

5 January 2026 at 14:47

The hacking group Crimson Collective claims to have obtained the personal data of more than a million residential customers of U.S. fiber broadband provider Brightspeed. In a January 4 Telegram post, the group behind a Red Hat GitLab breach last year claimed to possess “over 1m+ residential user PII's,” or personally identifiable information. Crimson Collective said it would release a data sample on January 5 to give Brightspeed “some time first to answer to us.” It is not known what, if any, communications occurred between the company and the hacker group, but Crimson Collective made good on that threat and released the data sample today.

Crimson Collective Details Brightspeed Claims

Crimson Collective claims to possess a wide range of data on Brightspeed customers, including:
  • Customer account master records containing names, email addresses, phone numbers, billing and service addresses, and account status
  • Network type, consent flags, billing system, service instance, network assignment, and site IDs
  • Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags
  • User-level account details keyed by session/user IDs, “overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons”
  • Payment history, including payment IDs, dates, amounts, invoice numbers, card types and masked payment card numbers (last 4 digits), gateways, and status
  • Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, bank identification numbers (BINs), holder names and addresses, status flags (Active/Declined), and created/updated timestamps
  • Appointment and order records by billing account, including order numbers, status, appointment windows, dispatch and technician information, and install types.

Potential Risk for Brightspeed Users

In an email exchange with The Cyber Express, a Crimson Collective spokesperson noted that while the data doesn’t include passwords or full credit card numbers that could put users at imminent risk of account takeover or payment fraud, the group said that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Asked if the group has established persistent access to Brightspeed’s environment, the spokesperson replied, “Cannot disclose this.” The Cyber Express also reached out to Brightspeed for comment and will update this article with any response. However, the company reportedly told Security Week that it is “currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”

ManageMyHealth Provides Update on Ongoing Cyberattack Investigation

Manage My Health (MMH) has released a detailed update on the ongoing investigation following a cyberattack that was first reported on 30 December 2025. The ManageMyHealth hack has affected a portion of the organization's user base, prompting urgent responses from MMH, Health New Zealand, and law enforcement agencies. In its statement on 5 January 2026, MMH acknowledged the anxiety caused to both healthcare providers and patients. The company described the cyberattack on ManageMyHealth as a form of criminal activity targeting its systems and apologized for any distress caused. MMH confirmed it is coordinating closely with New Zealand Police, Health New Zealand, and other relevant authorities to respond to the incident. “The immediate priority was to secure systems, protect patient data, and verify the accuracy of information before communicating with practices and patients,” MMH stated. The organization emphasized its commitment to transparency and pledged to provide daily updates whenever possible, though it acknowledged that legal and operational constraints can sometimes delay information release.

The Deeper Insight into the ManageMyHealth Hack 

Independent forensic analysis has confirmed that the cyberattack on ManageMyHealth targeted only a specific module within the app, Health Documents, rather than the entire platform. Preliminary investigations indicate that approximately 6–7% of the 1.8 million registered users may have had documents accessed. MMH clarified that there is currently no evidence of core patient database access, modification, destruction of records, or theft of user login credentials. However, the organization continues to work with cybersecurity specialists to verify which documents were affected and to ensure a full understanding of the breach. “We have identified and closed the specific security gaps that allowed unauthorized access,” MMH said in its 3 January 2026 update. Additional safeguards, such as stricter limits on login attempts and strengthened storage for health documents, have been implemented. Users are also encouraged to enable two-factor authentication via supported apps, including Google Authenticator and Microsoft Authenticator, to enhance account security.

Coordinated Response to Data Breach at MMH 

In response to the MMH data breach, the organization has begun communications with general practices, providing secure, confidential lists of affected patients. Notifications to individuals are expected to commence shortly, coordinated with Health New Zealand, General Practice New Zealand (GPNZ), and the relevant Primary Health Organizations (PHOs).  MMH has also established measures to prevent further dissemination of sensitive information. Injunction orders have been obtained from the High Court to block third parties from distributing potentially compromised data, and an international monitoring team is actively tracking known leak sites for any illicit publications. “The cyberattack constitutes criminal activity, and any unlawful use of patient data will be pursued through legal action,” the company stated, while refraining from commenting on potential ransom demands, which remain under investigation by the New Zealand Police.

Support for Patients and Healthcare Providers 

To assist those affected, MMH plans to launch a dedicated 0800 helpline and online support desk. The company is working to ensure clear guidance for healthcare providers handling patient inquiries, aiming for consistent and accurate communication across the sector. MMH’s CEO, Vino Ramayah, highlighted the importance of restoring public trust. “We appreciate the patience of patients, practices, and partners while this complex investigation continues. Our priority remains transparency, system security, and appropriate support for all affected parties,” he said. Independent forensic specialists continue to investigate the breach, and MMH has confirmed full cooperation with the Ministry of Health review. The findings are expected to inform improvements not only for MMH but across the broader health sector, reinforcing cybersecurity standards and preparedness against future incidents. While MMH has taken immediate steps to secure its systems and support affected users, the investigation into the data breach at MMH remains ongoing, with updates expected as forensic confirmation and legal processes progress. This is an ongoing story, and The Cyber Express is closely monitoring the situation. We’ll update this post once we have more information on the ManageMyHealth hack or any further information from the company.

Latest Oracle EBS Victims Include Korean Air, University of Phoenix

30 December 2025 at 13:18

Victims of the CL0P ransomware group’s August campaign targeting Oracle E-Business Suite vulnerabilities are still coping with the aftermath of the cyberattacks, as Korean Air and the University of Phoenix have become the latest to reveal details of the breach. The University of Phoenix reported earlier this month in an SEC filing that it was among the Oracle EBS victims, after the company was named as a victim by CL0P on the threat group’s dark web data leak site. In a new filing with the Maine Attorney General’s office, the University of Phoenix revealed the extent of the breach: nearly 3.5 million people may have had their personal data compromised, including names, dates of birth, Social Security numbers, and bank account and routing numbers. The sample notification letter provided by the university offered victims complimentary identity protection services, including a year of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services. Oracle EBS victims continue to grapple with the aftermath of the attacks even as CL0P has reportedly moved on to a new extortion campaign targeting internet-facing Gladinet CentreStack file servers.

Korean Air Among Oracle EBS Victims

Korean Air also reported a cyberattack that appears linked to the Oracle EBS campaign. According to news reports, KC&D Service, the former in-flight catering subsidiary of the airline that is now owned by a private equity firm, informed Korean Air of a leak that involved personal data belonging to the airline’s employees. The compromised data involved 30,000 records and included names and bank account numbers. The breach was revealed in an “internal notice,” according to the reports. The airline said no customer data appears to have been compromised by the breach. According to Korea JoongAng Daily, Woo Kee-hong, vice chairman of Korean Air, said in a message to employees, “Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.” While the reports didn’t specifically mention the Oracle EBS campaign, “Korean Air Catering” was one of more than 100 victims listed by CL0P on its data leak site. Other confirmed victims in the Oracle campaign have included The Washington Post, Harvard University, Dartmouth College, the University of Pennsylvania, American Airlines’ Envoy Air, Logitech, Cox, Mazda, Canon, and Hitachi’s GlobalLogic.

CL0P’s File Services Exploits

CL0P’s ability to exploit file sharing and transfer services at scale has made it a top five ransomware group over its six-year history, with more than 1,000 known victims to date, according to Cyble threat intelligence data. Other CL0P campaigns have targeted Cleo MFT, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere, among others. CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. Some reports have linked the Oracle EBS campaign to the FIN11 threat group, with CL0P acting as the public face of the campaign.

Coupang Breach Suspect Tried to Hide Evidence by Throwing Laptop in River

29 December 2025 at 16:23

The former employee behind the recent Coupang data breach tried to cover his tracks by smashing his MacBook Air and throwing it into a river, the company revealed in a recent update on the incident. The alleged perpetrator panicked when news outlets reported on the Coupang breach, the December 25 update said. “Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river,” the update said. Using maps and descriptions from the former employee, divers were able to recover the laptop from the river. “It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account,” Coupang said. Coupang has since updated the post twice, once to reassure customers that the company was cooperating fully with the government in its investigation, and the second time to announce a “customer compensation plan to restore customer trust” with vouchers worth about US$35 (50,000 won) per customer.

Coupang Breach Smaller than Feared

Much of the update sought to reassure customers of the Korean online retailer that the breach was smaller than initially feared. While initial reports said the breach, which led to the CEO’s resignation, might have compromised the data of more than 33 million customers, Coupang said its investigation indicates that while the perpetrator may have accessed 33 million accounts, he “retained limited user data from only 3,000 accounts and subsequently deleted the user data.” The user data included 2,609 building entrance codes, but no payment data, login data or personal customs clearance numbers were accessed, and the perpetrator never transferred any of the data to third parties, the company said. Coupang said it conducted its investigation with Mandiant, Palo Alto Networks and Ernst & Young.

Perpetrator ‘Confessed Everything’

Coupang said it used “digital fingerprints” and other forensic evidence to identify the former employee allegedly responsible for the breach. “The perpetrator confessed everything and revealed precise details about how he accessed user data,” the company said. The former employee used “an internal security key that he took while still working at the company” to access “basic user data” from more than 33 million customer accounts. He retained user data (name, email, phone number, address and partial order histories) from about 3,000 accounts, plus 2,609 building entrance access codes. The Coupang statement repeatedly stresses that the alleged perpetrator’s account is supported by the available forensic evidence, using phrases such as “exactly as the perpetrator described,” likely to reassure customers that the breach wasn’t as bad as initially feared. “The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements,” the company says in another section. “The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data,” the Coupang statement said. “Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described.” The perpetrator also turned over the PC and four hard drives from it, “on which analysts found the script used to carry out the attack,” the company said.

South Korea’s Shinhan Card Data Breach Affects 192,000 Merchants

23 December 2025 at 03:44

The Shinhan Card data breach has exposed the personal information of approximately 192,000 card merchants, the South Korea–based financial services company confirmed on Tuesday. The incident, which involved the unauthorized disclosure of phone numbers and limited personal details, has been reported to the country’s Personal Information Protection Commission (PIPC). According to Shinhan Card, the breach affected self-employed individuals who operate franchised merchant locations and had shared personal details as part of standard merchant agreements. The company said there is currently no evidence that sensitive financial information, such as credit card numbers, bank account details, or national identification numbers, was compromised.

Employee Misconduct Identified as Cause of Shinhan Card Data Breach

In a statement, Shinhan Card clarified that the Shinhan Card data breach was not the result of an external cyberattack. Instead, the company suspects internal misconduct, with an employee at a sales branch allegedly transmitting merchant data to a card recruiter for sales-related purposes. “This was not due to external hacking but an employee’s misconduct,” a Shinhan Card official said, adding that the internal process involved has since been blocked. The company launched an internal investigation immediately after becoming aware of the incident and has taken steps to prevent similar actions in the future.

Scope of Personal Information Leak

The leaked data primarily involved mobile phone numbers, which accounted for roughly 180,000 cases. In about 8,000 instances, phone numbers were leaked alongside names. A smaller subset of records also included additional details such as birthdates and gender. Shinhan Card stated that its investigation has not identified cases where citizen registration numbers, card numbers, account details, or credit information were exposed. At this stage, the company has also said that no confirmed cases of misuse of the leaked information have been reported. The personal information leak affected merchants who signed contracts with Shinhan Card between March 2022 and May 2025, according to findings shared with regulators.

Shinhan Card Data Breach Timeline and Regulatory Notification

The breach came to light last month following a report submitted to the Personal Information Protection Commission, South Korea’s data protection authority. After receiving the notification, the PIPC requested supporting materials from Shinhan Card to assess the scope and cause of the incident. Following its internal review, Shinhan Card formally reported the data breach to the PIPC on December 23, complying with regulatory disclosure requirements. The company has continued to cooperate with authorities as the review process continues.

Company Response and Merchant Support Measures

In response to the Shinhan Card data breach, the company published an apology and detailed guidance on its website and mobile application. It also launched a dedicated page allowing affected merchants to check whether their personal data was compromised. “We will make every effort to protect our customers and prevent similar incidents from recurring,” a Shinhan Card spokesperson said. The company has emphasized that it is strengthening internal controls and reviewing access permissions related to merchant data. Shinhan Card also urged merchants to remain vigilant for potential phishing or unsolicited contact attempts, even though no additional harm linked to the leaked data has been confirmed so far.

Broader Implications for Financial Data Protection

The Shinhan Card data breach incident highlights ongoing challenges around data governance and insider risk within financial institutions, even as companies continue to invest heavily in cybersecurity defenses against external threats. While many breaches globally involve hacking or ransomware, incidents stemming from employee misconduct remain a persistent concern for banks and payment providers. Authorities have not yet announced whether penalties or corrective actions will follow the investigation. For now, Shinhan Card maintains that it is focused on customer protection and restoring trust following the incident.

Pornhub tells users to expect sextortion emails after data exposure

22 December 2025 at 08:44

After a recent data breach that affected Pornhub Premium members, Pornhub has updated its online statement to warn users about potential direct contact from cybercriminals.

“We are aware that the individuals responsible for this incident have threatened to contact impacted Pornhub Premium users directly. You may therefore receive emails claiming they have your personal information. As a reminder, we will never ask for your password or payment information by email.”

Pornhub is one of the world’s most visited adult video-sharing websites, allowing users to view content anonymously or create accounts to upload and interact with videos.

Pornhub has reported that on November 8, 2025, a security breach at third-party analytics provider Mixpanel exposed “a limited set of analytics events for certain users.” Pornhub stressed that this was not a breach of Pornhub’s own systems, and said that passwords, payment details, and financial information were not exposed.

Mixpanel confirmed it experienced a security incident on November 8, 2025, but disputes that the Pornhub data originated from that breach. The company stated there is:

 “No indication that this data was stolen from Mixpanel during our November 2025 security incident or otherwise.”

Regardless of the source, cybercriminals commonly attempt to monetize stolen user data through direct extortion. At the moment, it is unclear how many users are affected, although available information suggests that only Premium members had their data exposed.

In October, we reported that one in six mobile users are targeted by sextortion scams. Sextortion is a form of online blackmail where criminals threaten to share a person’s private, nude, or sexually explicit images or videos unless the victim complies with their demands—often for more sexual content, sexual favors, or money.

Having your email address included in a dataset of known Pornhub users makes you a likely target for this type of blackmail.

How to stay safe from sextortion

Unless you used a dedicated throwaway email address to sign up for Pornhub Premium, you should be prepared to receive a sextortion-type email. If one arrives:

  • Any message referencing your Pornhub use, searches, or payment should be treated as an attempt to exploit breached or previously leaked data.
  • Never provide passwords or payment information by email. Pornhub has stated it will not ask for these.
  • Do not respond to blackmail emails. Ignore demands, do not pay, and do not reply—responding confirms your address is actively monitored.
  • Save extortion emails, including headers, content, timestamps, and attachments, but do not open links or files. This information can support reports to your email provider, local law enforcement, or cybercrime units.
  • Change your Pornhub password (if your account is still active) and ensure it’s unique and not reused anywhere else.
  • Turn on multi-factor authentication (MFA) for your primary email account and any accounts that could be used for account recovery or identity verification.
  • Review your bank and card statements for unfamiliar charges and report any suspicious transactions at once.
  • If you used a real-name email address for Pornhub, consider moving sensitive subscriptions to a separate, pseudonymous email going forward.
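The advice to keep the headers is the one item above that a report actually depends on. As an added example, not part of the Malwarebytes post, the Python script below shows what saving them buys you: it parses a constructed sextortion email with the standard library, pulls out the delivery chain (the bottom-most Received header is the origin), compares the visible From domain with the envelope Return-Path, reads the receiving server’s SPF/DKIM verdicts and extracts the payment address, URLs and pressure phrases into a structure that can go straight into a report without anyone clicking a link. Every host, address and IP in the sample is a reserved documentation value, the lookalike sender domain is invented, and the Bitcoin address is a syntactically valid but made-up string.

```python
"""Triage a saved extortion email: delivery chain, sender identity checks and
body indicators.  SAMPLE_EML is a constructed message, not a real one."""
import re
from email import message_from_bytes, policy, utils

SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
\tby mx.victim-mail.example (Postfix) with ESMTP id 4F2A1
\tfor <user@victim-mail.example>; Mon, 22 Dec 2025 09:14:02 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail-relay.example.net with SMTP; Mon, 22 Dec 2025 09:13:55 +0000
Authentication-Results: mx.victim-mail.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Pornhub Premium Support" <support@pornhub.example>
To: user@victim-mail.example
Subject: Your Premium account history
Date: Mon, 22 Dec 2025 09:13:50 +0000
Content-Type: text/plain; charset="utf-8"

We have your Premium viewing history and a recording from your webcam.
Send 0.05 BTC to 1FakeBtcAddrForTriageDemoabcdefghij within 48 hours
or everything goes to your contacts. Confirm payment at http://pay.example/x
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Legacy base58 (1.../3...) and bech32 (bc1...) address shapes.
BTC_RE = re.compile(r"\b(?:bc1[a-zA-HJ-NP-Z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
URL_RE = re.compile(r"https?://\S+")
PRESSURE_PHRASES = ("webcam", "viewing history", "recording", "contacts", "hours", "btc", "bitcoin")

def domain_of(addr):
    """Domain part of an address, lower-cased; '' when there is no address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its Received header, so the last one is the first hop.
    received = msg.get_all("Received") or []
    hops = [m.group(1) for h in received for m in [IP_RE.search(str(h))] if m]
    from_addr = utils.parseaddr(str(msg.get("From", "")))[1]
    return_path = utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = str(msg.get("Authentication-Results", "")).lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    lowered = body.lower()
    return {
        "origin_ip": hops[-1] if hops else None,
        "hops": hops,
        "from_domain": domain_of(from_addr),
        "return_path_domain": domain_of(return_path),
        "envelope_mismatch": domain_of(from_addr) != domain_of(return_path),
        "spf_fail": "spf=fail" in auth,
        "dkim_pass": "dkim=pass" in auth,
        "btc_addresses": BTC_RE.findall(body),      # case matters for base58, so not lowered
        "urls": URL_RE.findall(body),
        "pressure_phrases": [p for p in PRESSURE_PHRASES if p in lowered],
    }
```

The structure `triage(SAMPLE_EML)` returns is what a provider or cybercrime unit can act on: the originating IP and relay, the mismatch between the brand in the From line and the envelope sender, the failed SPF check recorded by your own mail server, and the wallet address, which is the one indicator that links the campaign across victims. None of it requires opening the attachment or the link.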

Use STOP, our simple scam response framework, to help protect against scams.

  • S: Slow down. Don’t let urgency or pressure push you into action. Take a breath before responding. Legitimate businesses like your bank or credit card company don’t push immediate action.
  • T: Test them. If you answered the phone and are feeling panicked about a situation, likely involving a family member or friend, ask a question only the real person would know, something that can’t be found online.
  • O: Opt out. If it feels off, hang up or end the conversation. You can always say the connection dropped.
  • P: Prove it. Confirm the person is who they say they are by reaching out yourself through a trusted number, website or method you have used before.

Should you have doubts about the legitimacy of any communications, submit them to Malwarebytes Scam Guard. It will help you determine whether it’s a scam and provide advice on how to act.


New Flaw in Somalia’s E-Visa System Exposes Travelers’ Passport Data

22 December 2025 at 02:08

A newly identified security flaw in Somalia’s electronic visa platform has raised serious concerns about the safety of personal data belonging to thousands of travelers, only weeks after the country acknowledged a major breach affecting tens of thousands of applicants. Investigations show that the Somalia e-visa system lacks essential protection methods, making it possible for unauthorized users to access and download sensitive documents with minimal effort. The Somalia e-visa flaw was confirmed this week by Al Jazeera after receiving a tip from a source with professional experience in web development. According to the source, the e-visa platform could be exploited to retrieve large numbers of visa files containing highly sensitive personal information. The exposed data includes applicants’ passport details, full names, and dates of birth, information that could be misused for a wide range of criminal or intelligence-related activities.

Ignored Warnings Followed by Independent Verification of Global Data Exposure 

The source not only shared evidence of the exposed data with Al Jazeera but also demonstrated that they had formally alerted Somali authorities to the e-visa vulnerability the previous week. Despite these warnings, the individual stated that there was no response from officials and no indication that the flaw had been addressed or corrected. Al Jazeera independently verified the claims by replicating the vulnerability described by the source. During testing, journalists were able to download e-visas belonging to dozens of individuals within a short period. The compromised files included personal information of applicants from several countries, including Somalia, Portugal, Sweden, the United States, and Switzerland. “Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, a senior policy analyst at the digital rights organization Access Now, said in comments to Al Jazeera. She noted that the consequences of such failures extend beyond technical problems and can have lasting effects on individuals’ safety and privacy.

Somalia E-Visa Vulnerability Emerges as Fallout Continues from Earlier Mass Data Breach 

The Somalia e-visa flaw comes barely a month after Somali officials announced an inquiry into an earlier cyberattack on the same e-visa system. That previous incident prompted warnings from both the United States and the United Kingdom governments. According to those alerts, personal information belonging to more than 35,000 Somalia e-visa applicants had been leaked. At the time, the US Embassy in Somalia detailed the scope of the exposure, stating that the compromised data included applicants’ names, photographs, dates and places of birth, email addresses, marital status, and home addresses. In response, Somalia’s Immigration and Citizenship Agency (ICA) moved the e-visa platform to a new internet domain, citing the change as an effort to strengthen security. On November 16, the agency said it was treating the breach with “special importance” and confirmed that an investigation had been launched. However, the discovery of a fresh e-visa vulnerability suggests that the underlying security issues may not have been fully resolved.

Security Claims Clash with Legal Duties 

Earlier that same week, Somalia’s Defence Minister, Ahmed Moalim Fiqi, publicly praised the Somalia e-visa system. He claimed it had played a role in preventing ISIL (ISIS) fighters from entering the country, as Somali forces continued a months-long battle against a local affiliate of the group in the northern regions. “The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” Andere said. She also expressed alarm that Somali authorities had not issued any formal public notice about the serious November data breach. Under Somalia’s data protection law, data controllers are required to notify the national data protection authority when breaches occur. In high-risk cases, such as incidents involving sensitive personal data, affected individuals must also be informed. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions,” Andere added. Al Jazeera said it could not disclose specific technical details of the current security flaw, as the vulnerability remains unpatched, and publicizing it could enable further exploitation. Any sensitive information obtained during the investigation was destroyed to protect the privacy of those affected.

University of Sydney Cyberattack Exposes Decades of Staff and Student Data

19 December 2025 at 08:35

The University of Sydney has confirmed a major cybersecurity incident that resulted in the exposure of personal information belonging to thousands of current and former staff members, as well as smaller groups of students, alumni, and supporters. The University of Sydney cyberattack was formally disclosed to the university community on December 18, 2025, after the institution detected unauthorized access to an internal online IT code library. University officials said the suspicious activity was identified last week during monitoring of the platform, which is primarily used for software development and code storage. While the system was never intended to house personal records, investigators found that historical data files had been stored within the library, largely for testing purposes. These files were accessed and downloaded by an unauthorized party before the university intervened. Upon discovering the University of Sydney cyberattack, the university immediately blocked unauthorized access and secured the affected environment. Officials also clarified that the cyberattack on the University of Sydney was unrelated to a separate incident involving student results reported earlier.

Decoding the University of Sydney Cyberattack

According to the university’s investigation to date, the data breach at the University of Sydney affected a wide range of individuals. The compromised files included a historical dataset from a retired system containing personal information about staff employed at the university as of September 4, 2018. Exposed details included names, dates of birth, phone numbers, home addresses, and basic employment information such as job titles and dates of employment.

In total, personal information belonging to around 10,000 current staff and affiliates and approximately 12,500 former staff and affiliates from that period was accessed. In addition, a collection of historical datasets, primarily from 2010 to 2019, contained personal information relating to about 5,000 students and alumni, along with data belonging to six supporters.

Vice President for Operations Nicole Gower addressed staff in a written message confirming the scope of the University of Sydney cyberattack and offering an apology. “We understand this news may cause concern, and we sincerely apologise for any distress this may cause,” Gower wrote. “While the data has been accessed and downloaded, there is currently no evidence that it has been used or published.”

Investigation, Notifications, and Official Response

The University of Sydney has reported the incident to multiple government authorities, including the NSW Privacy Commissioner, the Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW. The university is also working with external cybersecurity partners to assess whether any of the accessed data has been disclosed online.

At this stage, the university believes the unauthorized access was confined to a single platform and did not compromise other university systems. However, the investigation remains ongoing and is expected to continue into the new year due to its complexity.

Notifications to affected individuals began on December 18, 2025. The university expects to complete this process by January 2026, once file reviews are finalized and contact details for all impacted individuals are confirmed. Updates and responses to frequently asked questions are being published on the university’s website as the situation evolves.

Support Services and Advice for Affected Individuals

In response to the University of Sydney data breach, a range of support services has been made available to staff, students, alumni, and affiliates. A dedicated cyber incident support service has been established to handle inquiries and will remain operational during the university’s closedown period from December 20, 2025, to January 5, 2026, excluding public holidays.

Staff members have access to counseling and wellbeing services through Converge International, while students can seek free and confidential support through Student Wellbeing services, which are available 24/7. Additional assistance is available through external organizations such as ID Support NSW, IDCARE, Beyond Blue, and Lifeline.

The university has also issued guidance urging affected individuals to remain vigilant by monitoring accounts for unusual activity, changing passwords, enabling multi-factor authentication, and being cautious of phishing attempts. Officials advised sharing details of the incident on social media to reduce the risk of scams.

University leadership reiterated that cybersecurity remains a priority and noted that an extensive program to strengthen data management practices has been underway for the past three years. Further updates will be provided as the investigation into the cyberattack on the University of Sydney progresses and additional findings become available.

SoundCloud Confirms Cyberattack, Limited User Data Exposed

16 December 2025 at 02:51

SoundCloud cyberattack

SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. In the incident, threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. “SoundCloud recently detected unauthorized activity in an ancillary service dashboard,” the company said. “Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity.”

Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the SoundCloud cyberattack.

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service provider, the SoundCloud cyberattack was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether.

SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. These events highlighted the cascading impact of a cyberattack on SoundCloud, where an initial security compromise was compounded by availability-focused attacks designed to overwhelm the platform.

Scope of Exposed Data and User Impact 

While the SoundCloud cyberattack raised immediate concerns about user privacy, the company stressed that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed.

“We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.”

Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach.

Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable. Email addresses can still be leveraged in phishing campaigns or social engineering attacks, even when other personal details remain secure.

SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said.

Security Response and Ongoing Connectivity Issues 

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.

Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.

“We are actively working to resolve these VPN related access issues,” the company said.

PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach

16 December 2025 at 01:48

PornHub Data Breach

PornHub is facing renewed scrutiny after confirming that some Premium users’ activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub’s own systems, but to Mixpanel, an analytics vendor the platform previously used. On December 12, 2025, PornHub published a security notice confirming that a cyberattack on Mixpanel led to the exposure of historical analytics data, affecting a limited number of Premium users. According to PornHub, the compromised data included search and viewing history tied to Premium accounts, which has since been used in extortion attempts attributed to the ShinyHunters extortion group. “A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users,” the company stated in its notice dated December 12, 2025.

PornHub stressed that the incident did not involve a compromise of its own systems and that sensitive account information remained protected.

“Specifically, this situation affects only select Premium users. It is important to note that this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”

According to PornHub, the affected records are not recent. The company said it stopped working with Mixpanel in 2021, indicating that any stolen data would be at least four years old. Even so, the exposure of viewing and search behavior has raised privacy concerns, particularly given the stigma and personal risk that can accompany such information if misused.

Mixpanel Smishing Attack Triggered Supply-Chain Exposure 

The root of the incident was a supply-chain compromise: PornHub was attacked by proxy, through its former analytics vendor. Mixpanel disclosed on November 27, 2025, that it had suffered a breach earlier in the month. The company detected the intrusion on November 8, 2025, after a smishing (SMS phishing) campaign allowed threat actors to gain unauthorized access to its systems. Mixpanel CEO Jen Taylor addressed the incident in a public blog post, stressing transparency and remediation.

“On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes,” Taylor wrote. “We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.”

Mixpanel said the breach affected only a “limited number” of customers and that impacted clients were contacted directly. The company outlined an extensive response that included revoking active sessions, rotating compromised credentials, blocking malicious IP addresses, performing global password resets for employees, and engaging third-party forensic experts. Law enforcement and external cybersecurity advisors were also brought in as part of the response.

OpenAI and PornHub Among Impacted Customers 

PornHub was not alone among Mixpanel’s customers caught up in the incident. OpenAI disclosed on November 26, 2025, one day before Mixpanel’s public announcement, that it, too, had been affected. OpenAI clarified that the incident occurred entirely within Mixpanel’s environment and involved limited analytics data related to some API users.

“This was not a breach of OpenAI’s systems,” the company said, adding that no chats, API requests, credentials, payment details, or government IDs were exposed. OpenAI noted that it uses Mixpanel to manage web analytics on its API front end.

PornHub offered a similar assurance in its own disclosure, stating that it had launched an internal investigation with the support of cybersecurity experts and had engaged with relevant authorities. “We are working diligently to determine the nature and scope of the reported incident,” the company said, while urging users to remain vigilant for suspicious emails or unusual activity.

Despite those assurances, the cyberattack on PornHub, albeit indirect, has drawn attention due to the sensitive nature of the exposed data and the reported extortion attempts now linked to it.

PornHub Data Breach Comes Amid Expanding U.S. Age-Verification Laws 

The PornHub data breach arrives at a time when the platform is already under pressure from sweeping age-verification laws across the United States. PornHub is currently blocked in 22 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Mississippi, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming. These restrictions stem from state laws requiring users to submit government-issued identification or other forms of age authentication to access explicit content.

Louisiana was the first state to enact such a law, and others followed after the U.S. Supreme Court ruled in June that Texas’s age-verification statute was constitutional. Although PornHub is not blocked in Louisiana, the requirement for ID verification has had a significant impact. Aylo, PornHub’s parent company, said that the traffic in the state dropped by approximately 80 percent after the law took effect.

Aylo has repeatedly criticized the implementation of these laws. “These people did not stop looking for porn. They just migrated to darker corners of the internet that don’t ask users to verify age, that don’t follow the law, that don’t take user safety seriously,” the company said in a statement.

Aylo added that while it supports age verification in principle, the current approach creates new risks. Requiring large numbers of adult websites to collect highly sensitive personal information, the company argued, puts users in danger if those systems are compromised.

Coupang CEO Resigns After Massive Data Breach Exposes Millions of Users

10 December 2025 at 02:42

Coupang CEO Resigns

“Coupang CEO Resigns” is a headline many in South Korea expected, but it still signals a major moment for the country’s tech and e-commerce landscape. Coupang Corp. confirmed on Wednesday that its CEO, Park Dae-jun, has stepped down following a massive Coupang data breach that exposed the personal information of 33.7 million people, almost two-thirds of the country. Park said he was “deeply sorry” for the incident and accepted responsibility both for the breach and for the company’s response. His exit, while formally described as a resignation, is widely seen as a forced departure given the scale of the fallout and growing anger among customers and regulators. To stabilize the company, Coupang’s U.S. parent, Coupang Inc., has appointed Harold Rogers, its chief administrative officer and general counsel, as interim CEO. The parent company said the leadership change aims to strengthen crisis management and ease customer concerns.

What Happened in the Coupang Data Breach

The company clarified that the latest notice relates to the previously disclosed incident on November 29 and that no new leak has occurred. According to Coupang’s ongoing investigation, the leaked information includes:
  • Customer names and email addresses
  • Full shipping address book details, such as names, phone numbers, addresses, and apartment entrance access codes
  • Portions of the order information
Coupang emphasized that payment details, passwords, banking information, and customs clearance codes were not compromised. As soon as it identified the leak, the company blocked abnormal access routes and tightened internal monitoring. It is now working closely with the Ministry of Science and ICT, the National Police Agency, the Personal Information Protection Commission (PIPC), the Korea Internet & Security Agency (KISA), and the Financial Supervisory Service.

Phishing, Smishing, and Impersonation Alerts

Coupang warned customers to be extra cautious as leaked data can fuel impersonation scams. The company reminded users that:
  • Coupang never asks customers to install apps via phone or text.
  • Unknown links in messages should not be opened.
  • Suspicious communications should be reported to 112 or the Financial Supervisory Service.
  • Customers must verify messages using Coupang’s official customer service numbers.
Users who stored apartment entrance codes in their delivery address book were also urged to change them immediately. The company also clarified that delivery drivers rarely call customers unless necessary to access a building or resolve a pickup issue, a small detail meant to help people recognize potential scam attempts.

Coupang CEO Resigns as South Korea Toughens Cyber Rules

The departure of CEO Park comes at a time when South Korea is rethinking how corporations respond to data breaches. The government’s 2025 Comprehensive National Cybersecurity Strategy puts direct responsibility on CEOs for major security incidents. It also expands CISOs' authority, strengthens IT asset management requirements, and gives chief privacy officers greater influence over security budgets. This shift follows other serious breaches, including SK Telecom’s leak of 23 million user records, which led to a record 134.8 billion won fine. Regulators are now considering fines of up to 1.2 trillion won for Coupang, roughly 3% of its annual sales, under the Personal Information Protection Act. The company also risks losing its ISMS-P certification, a possibility unprecedented for a business of its size.

Industry Scramble After a Coupang Data Breach of This Scale

A Coupang data breach affecting tens of millions of people has sent shockwaves across South Korea’s corporate sector. Authorities have launched emergency inspections of 1,600 ISMS-certified companies and begun unannounced penetration tests. Security vendors say Korean companies are urgently adding multi-factor authentication, AI-based anomaly detection, insider threat monitoring, and stronger access controls. Police naming a former Chinese Coupang employee as a suspect has intensified focus on insider risk. Government agencies, including the National Intelligence Service, are also working with private partners to shorten cyber-incident analysis times from 14 days to 5 days using advanced AI forensic labs.

Looking Ahead

With the CEO’s resignation now shaping the company’s crisis trajectory, Coupang faces a long road to rebuilding trust among users and regulators. The company says its teams are working to resolve customer concerns quickly, but the broader lesson is clear: cybersecurity failures now carry real consequences, including at the highest levels of leadership.

Barts Health Confirms Cl0p Ransomware Behind Data Breach Linked to Oracle Vulnerability

Barts Health data breach

Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.

In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”

The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.”

Details of the Barts Health Data Breach and Exposed Information 

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.

The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”

Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.

The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact.

Timeline of the Breach and Potential Risks to Individuals 

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.

The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”

Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”

The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands.

Former Student Charged in Western Sydney University Cyberattacks

Western Sydney University cyberattack update

A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.

Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack 

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.

She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day.

University Issues Public Notification After Continued Cyber Incidents 

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation:

“I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”

The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.

Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allowed the intruder to extract personal data from the Student Management System.

University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel.

Scope of Compromised Information 

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.

Individual notifications are being issued to those affected, including updated findings from earlier incidents.

The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused.

FTC Action Hits Illuminate Education Over Massive Student Data Breach

2 December 2025 at 02:09

FTC action

FTC action takes center stage as the U.S. Federal Trade Commission has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

The FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach dates back to December 2021, when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted it to several vulnerabilities in its systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:
  • Deleting any personal information that is no longer required for service delivery.
  • Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
  • Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
  • Notifying the FTC when the company reports a data breach to any federal, state, or local authority.
The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.

South Korea’s Coupang Hit by Massive Data Breach Affecting Nearly 34 Million Customers

1 December 2025 at 02:00

Coupang data breach

South Korean e-commerce giant Coupang has confirmed a massive data breach that exposed personal information belonging to nearly 33.7 million customers, making it one of the country’s largest cybersecurity incidents in recent years. The company publicly apologised over the weekend, acknowledging that the Coupang data breach stemmed from unauthorised access that may have continued undetected for months. Park Dae-jun, CEO of Coupang, issued a statement on the company’s website saying, “We sincerely apologise once again for causing our customers inconvenience.” The firm, often referred to as the “Amazon of South Korea,” said it is cooperating with law enforcement and regulatory authorities as investigations continue.

Coupang Data Breach Went Undetected for Months

According to Coupang, the unauthorised access began on June 24 through overseas servers but was only discovered on November 18. The company initially believed only about 4,500 accounts were affected. However, further analysis revealed that 33.7 million users had some form of delivery-related personal information exposed. The leaked data includes customer names, phone numbers, email addresses, shipping addresses, and certain order histories. Coupang stressed that no payment card information, financial data, or login credentials were compromised. The company has 24.7 million active commercial users as of the third quarter, which means the Coupang data breach covers almost its entire user base.

Former Employee Identified as Main Suspect

South Korean police confirmed that they have secured the IP address used in the attack and have identified the suspect behind the breach. Investigators say the individual is a former Coupang employee, a Chinese national who has already left South Korea. “We are analysing server logs submitted by Coupang. We have secured the IP used by the suspect and are tracking them down,” an official at the Seoul Metropolitan Police said. Authorities are also verifying whether the individual is linked to an email sent to Coupang threatening to reveal the stolen information.

Government Steps In as Public Concern Rises

The Ministry of Science and ICT held an emergency meeting on Sunday to review the scale of the incident and assess whether Coupang violated any personal information protection rules. Minister Bae Kyung-hoon said regulators are closely monitoring the company’s handling of the breach. The Korea Internet & Security Agency (KISA) issued a public advisory warning users to remain alert for phishing attempts or scam messages pretending to be from Coupang. So far, police have not received reports of smishing or voice phishing linked to the breach, but authorities say preparations are in place in case the situation escalates. The Coupang data breach adds to growing frustration among South Korean consumers, who have witnessed a series of major data leaks this year. SK Telecom and other large companies have faced similar cybersecurity incidents, increasing pressure on businesses to strengthen internal security controls.

Coupang Issues Customer Guidance

The company has started notifying impacted customers through email and text messages. In an FAQ shared with users, Coupang clarified what information was exposed and what steps customers should take. The company reiterated that payment, card details, and passwords were not affected. Coupang also explained that it notified authorities immediately after confirming the issue and is committed to updating customers as the investigation progresses. For now, the company says users do not need to take additional action beyond remaining cautious of unsolicited calls, links or messages claiming to be from Coupang. Police are verifying the suspect’s identity, travel history, and potential motives. They are also examining whether the individual acted alone or was linked to a wider scheme. The case has now moved from an internal inquiry to a full-scale criminal investigation. As authorities continue to analyse server logs and cross-border activity, concerns remain that the scale or impact of the Coupang data breach could grow. For now, officials say there is no evidence of financial misuse, but investigations are still in early stages.

French Football Federation Discloses Data Breach After Attackers Compromise Administrative Software

29 November 2025 at 02:38


The French Football Federation confirmed this week that attackers used stolen credentials to breach centralized administrative software managing club memberships nationwide, exposing personal information belonging to licensed players registered through clubs across the country.

The FFF detected the unauthorized access and immediately disabled the compromised account while resetting all user passwords across the system, though threat actors had already exfiltrated member databases before detection.

The breach exposed names, gender, dates and places of birth, nationality, postal addresses, email addresses, telephone numbers, and license numbers. The federation claimed the intrusion and exfiltration remained limited to these data categories, with no financial information or passwords compromised in the incident.

According to the federation, which has over two million members, many of whom are minors, the breached data includes personally identifiable information that could be leveraged for phishing attacks. The FFF reported a record number of over 2.3 million football license holders in the country for the 2023-2024 season, according to the latest publicly available figures.

Second Attack in Two Years

This marks the third time in two years that the French Football Federation has suffered a cyberattack, with a March 2024 incident potentially exposing 1.5 million member records according to prosecutors. The pattern demonstrates persistent targeting of French sports organizations.

Cybersecurity researchers verified 18 months ago that a sample of FFF player details had been published on a well-known data leak forum, suggesting previous successful intrusions may have gone undetected.

The federation filed a criminal complaint and notified France's National Cybersecurity Agency ANSSI and data protection authority CNIL as required under European regulations. The FFF will directly contact individuals whose email addresses appear in the compromised database.

Phishing Campaign Warnings

Federation officials warned members to exercise extreme vigilance regarding suspicious communications appearing to originate from the FFF or local clubs. Threat actors commonly leverage stolen personally identifiable information to craft convincing phishing messages requesting that recipients open attachments, provide account credentials, passwords, or banking information.

Security experts note that smaller clubs and societies sometimes consider themselves insufficiently interesting for criminals to target, but this incident demonstrates how deeply everyday life depends on centralized platforms vulnerable to credential compromise.

The federation stressed its commitment to protecting entrusted data while acknowledging that numerous organizations face an increasing number and evolving forms of cyberattacks. "The FFF is committed to protecting all the data entrusted to it and continually strengthens and adapts its security measures in order to face, like many other organizations, the growing variety and new forms of cyber-attacks," the statement said.

The reliance on a single centralized administrative platform across all French football clubs created a high-value target where credential compromise granted attackers access to member records from thousands of clubs simultaneously.


OpenAI Confirms Mixpanel Breach Impacting API User Data

27 November 2025 at 02:06


OpenAI has confirmed a security incident involving Mixpanel, a third-party analytics provider used for its API product frontend. The company clarified that the OpenAI Mixpanel security incident stemmed solely from a breach within Mixpanel’s systems and did not involve OpenAI’s infrastructure. According to the initial investigation, an attacker gained unauthorized access to a portion of Mixpanel’s environment and exported a dataset that included limited identifiable information of some OpenAI API users. OpenAI stated that users of ChatGPT and other consumer-facing products were not impacted.

OpenAI Mixpanel Security Incident: What Happened

The OpenAI Mixpanel security incident originated on November 9, 2025, when Mixpanel detected an intrusion into a section of its systems. The attacker successfully exported a dataset containing identifiable customer information and analytics data. Mixpanel notified OpenAI on the same day and shared the affected dataset for review on November 25. OpenAI emphasized that despite the breach, no OpenAI systems were compromised, and sensitive information such as chat content, API requests, prompts, outputs, API keys, passwords, payment details, government IDs, or authentication tokens were not exposed. The exposed dataset was strictly limited to analytics data collected through Mixpanel’s tracking setup on platform.openai.com, the frontend interface for OpenAI’s API product.

Information Potentially Exposed in the Mixpanel Data Breach

OpenAI confirmed that the type of information potentially included in the dataset comprised:
  • Names provided on API accounts
  • Email addresses associated with API accounts
  • Coarse location data (city, state, country) based on browser metadata
  • Operating system and browser information
  • Referring websites
  • Organization or User IDs linked to API accounts
OpenAI noted that the affected information does not include chat content, prompts, responses, or API usage data. Additionally, ChatGPT accounts, passwords, API keys, financial details, and government IDs were not involved in the incident.

OpenAI’s Response and Security Measures

In response to the Mixpanel security incident, OpenAI immediately removed Mixpanel from all production services and began reviewing the affected datasets. The company is actively notifying impacted organizations, admins, and users through direct communication. OpenAI stated that it has not found any indication of impact beyond Mixpanel’s systems but continues to closely monitor for signs of misuse. To reinforce user trust and strengthen data protection, OpenAI has:
  • Terminated its use of Mixpanel
  • Begun conducting enhanced security reviews across all third-party vendors
  • Increased security requirements for partners and service providers
  • Initiated a broader review of its vendor ecosystem
OpenAI reiterated that trust, security, and privacy remain central to its mission and that transparency is a priority when addressing incidents involving user data.

Phishing and Social Engineering Risks for Impacted Users

While the exposed information does not include highly sensitive data, OpenAI warned that the affected details, such as names, email addresses, and user IDs, could be leveraged in phishing or social engineering attacks. The company urged users to remain cautious and watch for suspicious messages, especially those containing links or attachments. Users are encouraged to:
  • Verify messages claiming to be from OpenAI
  • Be wary of unsolicited communication
  • Enable multi-factor authentication (MFA) on their accounts
  • Avoid sharing passwords, API keys, or verification codes
OpenAI stressed that the company never requests sensitive credentials through email, text, or chat. OpenAI confirmed it will provide further updates if new information emerges from ongoing investigations. Impacted users can reach out at mixpanelincident@openai.com for support or clarification.

SitusAMC Data Breach Under Investigation After Sensitive Information Compromised

25 November 2025 at 02:34


SitusAMC, a major provider of back-end services for leading banks and lenders, has confirmed a SitusAMC data breach that resulted in the compromise of certain client and customer information. The SitusAMC data breach incident, discovered earlier this month, has raised concerns due to the company’s extensive role in mortgage origination, servicing, and compliance within the real-estate financing ecosystem.

Responding to a query from The Cyber Express, Michael Franco, Chief Executive Officer (CEO) of SitusAMC, said, “We recently became aware of a data security incident impacting certain of our systems. We promptly retained leading third-party experts, launched an investigation, and notified law enforcement. The incident has been contained and SitusAMC is fully operational. No encrypting malware was deployed on our systems. We are in direct contact with our clients about this matter. We remain focused on analyzing any potentially affected data and will provide updates directly to our clients as our investigation progresses.”

According to the company’s disclosure, SitusAMC became aware of the incident on November 12, 2025, and later determined that specific information stored on its systems had been accessed without authorization. While the full scope of the SitusAMC data breach remains under investigation, the company stated that the impacted information includes corporate data associated with clients, such as accounting records and legal agreements, along with certain data belonging to clients’ customers. SitusAMC emphasized that the incident did not involve encrypting malware and that its operational services continue to run without disruption. External cybersecurity experts and federal law enforcement authorities are assisting in the ongoing investigation.

SitusAMC Data Breach Details

In its public notice, the company disclosed that upon detecting the incident, immediate steps were taken to investigate, contain, and secure its systems. The firm began working closely with third-party specialists and notified federal law enforcement to ensure a coordinated response. SitusAMC reiterated that although some information was compromised, all services remain fully operational. No ransomware activity or system encryption was detected, indicating that the attack did not follow the pattern of typical extortion-driven breaches. The company is continuing to analyze the impacted data and remains in close contact with affected clients. In response to the breach, SitusAMC implemented several additional security measures aimed at strengthening its environment against further threats. These steps include resetting credentials, disabling certain remote access tools, updating firewall rules, and enhancing internal security configurations. The company noted that it is still determining which specific services and products may have been affected. However, early assessments indicate that core business operations remain intact.

Impact on Client and Customer Data

The company confirmed that certain client business information was accessed during the incident. This includes internal corporate data and documentation related to client relationships. SitusAMC also stated that some customer information tied to clients may have been impacted, though the nature and extent of this exposure is still being assessed. SitusAMC assured stakeholders that it is working “around the clock” alongside its advisors to determine the full level of impact and will provide updates as the investigation progresses.

Customer Notification and Transparency

To maintain transparency, the company publicly released an example of the customer notification letter distributed on November 22, 2025. The letter outlines what occurred, the types of information potentially exposed, and the steps being taken to safeguard systems moving forward.

(Image: SitusAMC customer notification letter. Source: SitusAMC)

In the letter, the company reiterated that the incident is contained, services remain fully operational, and no encrypting malware was used. Clients were encouraged to reach out to the company’s security team for additional queries.

Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

20 November 2025 at 15:09


Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.

Ransomware gang claims Conduent breach: what you should watch for next [updated]

30 October 2025 at 11:16

Update – October 30, 2025: New information confirms that Conduent’s 2024 breach has impacted over 10.5 million people, based on notifications filed with multiple state attorneys general. The largest disclosure came from the Oregon government, which reported a total of 10.5 million affected US residents. Additional notices listed 4 million in Texas, 76,000 in Washington, and several hundred in Maine.


Even if you’ve never heard of Conduent, you could be one of the many people caught up in its recent data breach. Conduent provides technology services to several US state governments, including Medicaid, child support, and food programs, with the company stating that it “supports approximately 100 million US residents across various government health programs, helping state and federal agencies.”

In a breach notification, Conduent says:

“On January 13, 2025, we discovered that we were the victim of a cyber incident that impacted a limited portion of our network.”

An investigation found that an unauthorized third party had access to its systems from October 21, 2024, until the intrusion was stopped on discovery.

Breach notification letters will be sent to affected individuals, detailing what personal information was exposed. According to The Record, Conduent said more than 400,000 people in Texas were impacted, with data including Social Security numbers, medical information and health insurance details. Another 76,000 people in Washington, 48,000 in South Carolina, 10,000 in New Hampshire and 378 in Maine were also affected. Conduent has filed additional breach notices in Oregon, Massachusetts, California, and New Hampshire.

The stolen data sets may include:

  • Names
  • Social Security numbers
  • Dates of birth
  • Medical information
  • Health insurance details

If all of those apply, it’s certainly enough for criminals to commit identity theft.

Ransomware group SafePay reportedly claimed responsibility for the attack and listed Conduent on its leak site.

(Image: SafePay leak-site listing for Conduent.com, showing an 8.5 TB archive and a stated revenue of $3.7 billion. Image courtesy of Comparitech)

SafePay, which emerged in late 2024, threatened to publish or sell stolen data if its demands weren’t met, claiming to have exfiltrated a staggering 8.5 terabytes of files from Conduent’s systems. Though relatively new on the scene, SafePay has quickly built a reputation for large-scale extortion targeting high-profile clients globally.

Breaches like this reinforce the need for robust cybersecurity and incident response in the public sector. For the potentially millions of people affected, stay alert to fraud and identity theft.

Protecting yourself after a data breach

If you think you’ve been the victim of this or any other data breach, here are steps you can take to protect yourself:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Gmail breach panic? It’s a misunderstanding, not a hack

29 October 2025 at 08:08

After a misinterpretation of an interview with a security researcher, several media outlets hinted at a major Gmail breach.

Reporters claimed the incident took place in April. In reality, the researcher had said there was an enormous amount of Gmail usernames and passwords circulating on the dark web.

Those are two very different things. The credentials probably stem from a great many past attacks and breaches over the years.

But the rumors spread quickly—enough that Google felt it had to deny that their Gmail systems had suffered a breach.

“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.”

What happens is that cybercriminals buy and sell databases containing stolen usernames and passwords from data breaches, information stealers, and phishing campaigns. They do this to expand their reach or combine data from different sources to create more targeted attacks.

The downside for them is that many of these credentials are outdated, invalid, or linked to accounts that are no longer in use.

The downside for everyone else is that misleading reporting like this causes panic where there’s no need for it—whether it stems from misunderstanding technical details or from the pressure to make a headline.

Still, it’s always smart to check whether your email address has been caught up in a breach.

You can use our Digital Footprint scanner to see if your personal information is exposed online and take steps to secure it. If you find any passwords that you still use, change them immediately and enable multi-factor authentication (2FA) for those accounts wherever possible.


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Prosper data breach puts 17 million people at risk of identity theft

17 October 2025 at 06:08

Peer-to-peer lending marketplace Prosper detected unauthorized activity on their systems on September 2, 2025.

It published an FAQ page later that month to address the incident. During the incident, the attacker stole personal information belonging to Prosper customers and loan applicants.

As Prosper stated:

“We have evidence that confidential, proprietary, and personal information, including Social Security numbers, was obtained, including through unauthorized queries made on Company databases that store customer and applicant data.”

While Prosper did not share the number of affected people, BleepingComputer reported that it affected 17.6 million unique email addresses.

The stolen data associated with the email addresses reportedly includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user-agent details.

Prosper advised that no one gained unauthorized access to customer accounts or funds and that their customer-facing operations continued without interruption.

Even without account access, the stolen data is more than enough to fuel targeted, personalized phishing and even identity theft. The investigation is still ongoing but Prosper has promised to offer free credit monitoring, as appropriate, after determining what data was affected.

Protecting yourself after a data breach

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.


Mango discloses data breach at third-party provider

16 October 2025 at 06:49

Mango has reported a data breach at one of its external marketing service providers. The Spanish fashion retailer says that only personal contact information has been exposed—no financial data.

The breach took place at the service provider and did not affect Mango’s own systems. According to the breach notification, the stolen information was limited to:

  • First name (not your last name)
  • Country
  • Postal code
  • Email address
  • Telephone number

“Under no circumstances has your banking information, credit cards, ID/passport, or login credentials or passwords been compromised.”

Because Mango operates in more than 100 countries, affected individuals could be located across multiple regions where Mango markets to customers through its external partner. As Mango has not named the third-party provider or disclosed how many customers were affected, we cannot precisely identify where these customers are located.

Mango has not released any details about the attackers behind the breach. Although the stolen data itself does not pose an immediate risk, cybercriminals often follow breaches like this with phishing campaigns, exploiting the limited personal information they obtained.

We’ll update this story if Mango releases more information about the breach or the customers impacted.

Protecting yourself after a data breach

Affected customers say they have received a data breach notification; we have seen screenshots of it in Spanish and English.

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
