Coupang CEO Resigns After Massive Data Breach Exposes Millions of Users

10 December 2025 at 02:42

Coupang CEO Resigns: a headline many in South Korea expected, but one that still signals a major moment for the country’s tech and e-commerce landscape. Coupang Corp. confirmed on Wednesday that its CEO, Park Dae-jun, has stepped down following a massive Coupang data breach that exposed the personal information of 33.7 million people, almost two-thirds of the country. Park said he was “deeply sorry” for the incident and accepted responsibility both for the breach and for the company’s response. His exit, while formally described as a resignation, is widely seen as a forced departure given the scale of the fallout and growing anger among customers and regulators. To stabilize the company, Coupang’s U.S. parent, Coupang Inc., has appointed Harold Rogers, its chief administrative officer and general counsel, as interim CEO. The parent company said the leadership change aims to strengthen crisis management and ease customer concerns.

What Happened in the Coupang Data Breach

The company clarified that the latest notice relates to the previously disclosed incident on November 29 and that no new leak has occurred. According to Coupang’s ongoing investigation, the leaked information includes:
  • Customer names and email addresses
  • Full shipping address book details, such as names, phone numbers, addresses, and apartment entrance access codes
  • Portions of the order information
Coupang emphasized that payment details, passwords, banking information, and customs clearance codes were not compromised. As soon as it identified the leak, the company blocked abnormal access routes and tightened internal monitoring. It is now working closely with the Ministry of Science and ICT, the National Police Agency, the Personal Information Protection Commission (PIPC), the Korea Internet & Security Agency (KISA), and the Financial Supervisory Service.

Phishing, Smishing, and Impersonation Alerts

Coupang warned customers to be extra cautious as leaked data can fuel impersonation scams. The company reminded users that:
  • Coupang never asks customers to install apps via phone or text.
  • Unknown links in messages should not be opened.
  • Suspicious communications should be reported to 112 or the Financial Supervisory Service.
  • Customers must verify messages using Coupang’s official customer service numbers.
Users who stored apartment entrance codes in their delivery address book were also urged to change them immediately. The company also clarified that delivery drivers rarely call customers unless necessary to access a building or resolve a pickup issue, a small detail meant to help people recognize potential scam attempts.

Coupang CEO Resigns as South Korea Toughens Cyber Rules

The departure of CEO Park comes at a time when South Korea is rethinking how corporations respond to data breaches. The government’s 2025 Comprehensive National Cybersecurity Strategy puts direct responsibility on CEOs for major security incidents. It also expands CISOs' authority, strengthens IT asset management requirements, and gives chief privacy officers greater influence over security budgets. This shift follows other serious breaches, including SK Telecom’s leak of 23 million user records, which led to a record 134.8 billion won fine. Regulators are now considering fines of up to 1.2 trillion won for Coupang, roughly 3% of its annual sales, under the Personal Information Protection Act. The company also risks losing its ISMS-P certification, a possibility unprecedented for a business of its size.

Industry Scramble After a Coupang Data Breach of This Scale

A Coupang data breach affecting tens of millions of people has sent shockwaves across South Korea’s corporate sector. Authorities have launched emergency inspections of 1,600 ISMS-certified companies and begun unannounced penetration tests. Security vendors say Korean companies are urgently adding multi-factor authentication, AI-based anomaly detection, insider threat monitoring, and stronger access controls. Police naming a former Chinese Coupang employee as a suspect has intensified focus on insider risk. Government agencies, including the National Intelligence Service, are also working with private partners to shorten cyber-incident analysis times from 14 days to 5 days using advanced AI forensic labs.

Looking Ahead

With the Coupang CEO's resignation now shaping the company’s crisis trajectory, Coupang faces a long road to rebuilding trust among users and regulators. The company says its teams are working to resolve customer concerns quickly, but the broader lesson is clear: cybersecurity failures now carry real consequences, including at the highest levels of leadership.

Barts Health Confirms Cl0p Ransomware Behind Data Breach Linked to Oracle Vulnerability

Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.

In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”

The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.”

Details of the Barts Health Data Breach and Exposed Information

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.

The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”

Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.

The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact.

Timeline of the Breach and Potential Risks to Individuals

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.

The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”

Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”

The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands.

Ex-Employee Sues Washington Post Over Oracle EBS-Related Data Breach

8 December 2025 at 00:16

The Washington Post last month reported it was among a list of data breach victims of the Oracle EBS-related vulnerabilities, with a threat actor compromising the data of more than 9,700 former and current employees and contractors. Now, a former worker is launching a class-action lawsuit against the Post, claiming inadequate security.

The post Ex-Employee Sues Washington Post Over Oracle EBS-Related Data Breach appeared first on Security Boulevard.

Former Student Charged in Western Sydney University Cyberattacks

A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.

Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.

She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day.

University Issues Public Notification After Continued Cyber Incidents

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation: “I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”

The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.

Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allowed intruders to extract personal data from the Student Management System.

University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel.

Scope of Compromised Information

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information. Individual notifications are being issued to those affected, including updated findings from earlier incidents.

The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused.

FTC Action Hits Illuminate Education Over Massive Student Data Breach

2 December 2025 at 02:09

FTC action takes center stage as the U.S. Federal Trade Commission has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

The FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach dates back to December 2021, when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted it to several vulnerabilities in its systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:
  • Deleting any personal information that is no longer required for service delivery.
  • Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
  • Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
  • Notifying the FTC when the company reports a data breach to any federal, state, or local authority.
The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.

South Korea’s Coupang Hit by Massive Data Breach Affecting Nearly 34 Million Customers

1 December 2025 at 02:00

South Korean e-commerce giant Coupang has confirmed a massive data breach that exposed personal information belonging to nearly 33.7 million customers, making it one of the country’s largest cybersecurity incidents in recent years. The company publicly apologised over the weekend, acknowledging that the Coupang data breach stemmed from unauthorised access that may have continued undetected for months. Park Dae-jun, CEO of Coupang, issued a statement on the company’s website saying, “We sincerely apologise once again for causing our customers inconvenience.” The firm, often referred to as the “Amazon of South Korea,” said it is cooperating with law enforcement and regulatory authorities as investigations continue.

Coupang Data Breach Went Undetected for Months

According to Coupang, the unauthorised access began on June 24 through overseas servers but was only discovered on November 18. The company initially believed only about 4,500 accounts were affected. However, further analysis revealed that 33.7 million users had some form of delivery-related personal information exposed. The leaked data includes customer names, phone numbers, email addresses, shipping addresses, and certain order histories. Coupang stressed that no payment card information, financial data, or login credentials were compromised. The company has 24.7 million active commercial users as of the third quarter, which means the Coupang data breach covers almost its entire user base.

Former Employee Identified as Main Suspect

South Korean police confirmed that they have secured the IP address used in the attack and have identified the suspect behind the breach. Investigators say the individual is a former Coupang employee, a Chinese national who has already left South Korea. “We are analysing server logs submitted by Coupang. We have secured the IP used by the suspect and are tracking them down,” an official at the Seoul Metropolitan Police said. Authorities are also verifying whether the individual is linked to an email sent to Coupang threatening to reveal the stolen information.

Government Steps In as Public Concern Rises

The Ministry of Science and ICT held an emergency meeting on Sunday to review the scale of the incident and assess whether Coupang violated any personal information protection rules. Minister Bae Kyung-hoon said regulators are closely monitoring the company’s handling of the breach. The Korea Internet & Security Agency (KISA) issued a public advisory warning users to remain alert for phishing attempts or scam messages pretending to be from Coupang. So far, police have not received reports of smishing or voice phishing linked to the breach, but authorities say preparations are in place in case the situation escalates. The Coupang data breach adds to growing frustration among South Korean consumers, who have witnessed a series of major data leaks this year. SK Telecom and other large companies have faced similar cybersecurity incidents, increasing pressure on businesses to strengthen internal security controls.

Coupang Issues Customer Guidance

The company has started notifying impacted customers through email and text messages. In an FAQ shared with users, Coupang clarified what information was exposed and what steps customers should take. The company reiterated that payment, card details, and passwords were not affected. Coupang also explained that it notified authorities immediately after confirming the issue and is committed to updating customers as the investigation progresses. For now, the company says users do not need to take additional action beyond remaining cautious of unsolicited calls, links or messages claiming to be from Coupang. Police are verifying the suspect’s identity, travel history, and potential motives. They are also examining whether the individual acted alone or was linked to a wider scheme. The case has now moved from an internal inquiry to a full-scale criminal investigation. As authorities continue to analyse server logs and cross-border activity, concerns remain that the scale or impact of the Coupang data breach could grow. For now, officials say there is no evidence of financial misuse, but investigations are still in early stages.

French Football Federation Discloses Data Breach After Attackers Compromise Administrative Software

29 November 2025 at 02:38

The French Football Federation confirmed this week that attackers used stolen credentials to breach centralized administrative software managing club memberships nationwide, exposing personal information belonging to licensed players registered through clubs across the country.

The FFF detected the unauthorized access and immediately disabled the compromised account while resetting all user passwords across the system, though threat actors had already exfiltrated member databases before detection.

The breach exposed names, gender, dates and places of birth, nationality, postal addresses, email addresses, telephone numbers, and license numbers. The federation claimed the intrusion and exfiltration remained limited to these data categories, with no financial information or passwords compromised in the incident.

According to the federation, which has over two million members, many of whom are minors, the breached data includes personally identifiable information that could be leveraged for phishing attacks. The FFF reported a record number of over 2.3 million football license holders in the country for the 2023-2024 season, according to the latest publicly available figures.

Second Attack in Two Years

This marks the third time in two years that the French Football Federation has suffered a cyberattack, with a March 2024 incident potentially exposing 1.5 million member records according to prosecutors. The pattern demonstrates persistent targeting of French sports organizations.

Cybersecurity researchers verified 18 months ago that a sample of FFF player details had been published on a well-known data leak forum, suggesting previous successful intrusions may have gone undetected.

The federation filed a criminal complaint and notified France's National Cybersecurity Agency ANSSI and data protection authority CNIL as required under European regulations. The FFF will directly contact individuals whose email addresses appear in the compromised database.

Phishing Campaign Warnings

Federation officials warned members to exercise extreme vigilance regarding suspicious communications appearing to originate from the FFF or local clubs. Threat actors commonly leverage stolen personally identifiable information to craft convincing phishing messages requesting that recipients open attachments, provide account credentials, passwords, or banking information.

Security experts note that smaller clubs and societies sometimes consider themselves insufficiently interesting for criminals to target, but this incident demonstrates how deeply everyday life depends on centralized platforms vulnerable to credential compromise.

The federation stressed its commitment to protecting entrusted data while acknowledging that numerous organizations face increasing numbers and evolving forms of cyberattacks. "The FFF is committed to protecting all the data entrusted to it and continually strengthens and adapts its security measures in order to face, like many other organizations, the growing variety and new forms of cyber-attacks," the statement said.

The reliance on a single centralized administrative platform across all French football clubs created a high-value target where credential compromise granted attackers access to member records from thousands of clubs simultaneously.

OpenAI Confirms Mixpanel Breach Impacting API User Data

27 November 2025 at 02:06

OpenAI has confirmed a security incident involving Mixpanel, a third-party analytics provider used for its API product frontend. The company clarified that the OpenAI Mixpanel security incident stemmed solely from a breach within Mixpanel’s systems and did not involve OpenAI’s infrastructure. According to the initial investigation, an attacker gained unauthorized access to a portion of Mixpanel’s environment and exported a dataset that included limited identifiable information of some OpenAI API users. OpenAI stated that users of ChatGPT and other consumer-facing products were not impacted.

OpenAI Mixpanel Security Incident: What Happened

The OpenAI Mixpanel security incident originated on November 9, 2025, when Mixpanel detected an intrusion into a section of its systems. The attacker successfully exported a dataset containing identifiable customer information and analytics data. Mixpanel notified OpenAI on the same day and shared the affected dataset for review on November 25. OpenAI emphasized that despite the breach, no OpenAI systems were compromised, and sensitive information such as chat content, API requests, prompts, outputs, API keys, passwords, payment details, government IDs, or authentication tokens were not exposed. The exposed dataset was strictly limited to analytics data collected through Mixpanel’s tracking setup on platform.openai.com, the frontend interface for OpenAI’s API product.

Information Potentially Exposed in the Mixpanel Data Breach

OpenAI confirmed that the type of information potentially included in the dataset comprised:
  • Names provided on API accounts
  • Email addresses associated with API accounts
  • Coarse location data (city, state, country) based on browser metadata
  • Operating system and browser information
  • Referring websites
  • Organization or User IDs linked to API accounts
OpenAI noted that the affected information does not include chat content, prompts, responses, or API usage data. Additionally, ChatGPT accounts, passwords, API keys, financial details, and government IDs were not involved in the incident.

OpenAI’s Response and Security Measures

In response to the Mixpanel security incident, OpenAI immediately removed Mixpanel from all production services and began reviewing the affected datasets. The company is actively notifying impacted organizations, admins, and users through direct communication. OpenAI stated that it has not found any indication of impact beyond Mixpanel’s systems but continues to closely monitor for signs of misuse. To reinforce user trust and strengthen data protection, OpenAI has:
  • Terminated its use of Mixpanel
  • Begun conducting enhanced security reviews across all third-party vendors
  • Increased security requirements for partners and service providers
  • Initiated a broader review of its vendor ecosystem
OpenAI reiterated that trust, security, and privacy remain central to its mission and that transparency is a priority when addressing incidents involving user data.

Phishing and Social Engineering Risks for Impacted Users

While the exposed information does not include highly sensitive data, OpenAI warned that the affected details, such as names, email addresses, and user IDs, could be leveraged in phishing or social engineering attacks. The company urged users to remain cautious and watch for suspicious messages, especially those containing links or attachments. Users are encouraged to:
  • Verify messages claiming to be from OpenAI
  • Be wary of unsolicited communication
  • Enable multi-factor authentication (MFA) on their accounts
  • Avoid sharing passwords, API keys, or verification codes
OpenAI stressed that the company never requests sensitive credentials through email, text, or chat. OpenAI confirmed it will provide further updates if new information emerges from ongoing investigations. Impacted users can reach out at mixpanelincident@openai.com for support or clarification.

SitusAMC Data Breach Under Investigation After Sensitive Information Compromised

25 November 2025 at 02:34

SitusAMC, a major provider of back-end services for leading banks and lenders, has confirmed a SitusAMC data breach that resulted in the compromise of certain client and customer information. The incident, discovered earlier this month, has raised concerns due to the company’s extensive role in mortgage origination, servicing, and compliance within the real-estate financing ecosystem. Responding to a query from The Cyber Express team, Michael Franco, Chief Executive Officer (CEO) of SitusAMC, said, “We recently became aware of a data security incident impacting certain of our systems. We promptly retained leading third-party experts, launched an investigation, and notified law enforcement. The incident has been contained and SitusAMC is fully operational. No encrypting malware was deployed on our systems. We are in direct contact with our clients about this matter. We remain focused on analyzing any potentially affected data and will provide updates directly to our clients as our investigation progresses.” According to the company’s disclosure, SitusAMC became aware of the incident on November 12, 2025, and later determined that specific information stored on its systems had been accessed without authorization. While the full scope of the SitusAMC data breach remains under investigation, the company stated that the impacted information includes corporate data associated with clients, such as accounting records and legal agreements, along with certain data belonging to clients’ customers. SitusAMC emphasized that the incident did not involve encrypting malware and that its operational services continue to run without disruption. External cybersecurity experts and federal law enforcement authorities are assisting in the ongoing investigation.

SitusAMC Data Breach Details

In its public notice, the company disclosed that upon detecting the incident, immediate steps were taken to investigate, contain, and secure its systems. The firm began working closely with third-party specialists and notified federal law enforcement to ensure a coordinated response. SitusAMC reiterated that although some information was compromised, all services remain fully operational. No ransomware activity or system encryption was detected, indicating that the attack did not follow the pattern of typical extortion-driven breaches. The company is continuing to analyze the impacted data and remains in close contact with affected clients. In response to the breach, SitusAMC implemented several additional security measures aimed at strengthening its environment against further threats. These steps include resetting credentials, disabling certain remote access tools, updating firewall rules, and enhancing internal security configurations. The company noted that it is still determining which specific services and products may have been affected. However, early assessments indicate that core business operations remain intact.

Impact on Client and Customer Data

The company confirmed that certain client business information was accessed during the incident. This includes internal corporate data and documentation related to client relationships. SitusAMC also stated that some customer information tied to clients may have been impacted, though the nature and extent of this exposure are still being assessed. SitusAMC assured stakeholders that it is working “around the clock” alongside its advisors to determine the full level of impact and will provide updates as the investigation progresses.

Customer Notification and Transparency

To maintain transparency, the company publicly released an example of the customer notification letter distributed on November 22, 2025. The letter outlines what occurred, the types of information potentially exposed, and the steps being taken to safeguard systems moving forward.

(Image: SitusAMC customer notification letter. Source: SitusAMC)

In the letter, the company reiterated that the incident is contained, services remain fully operational, and no encrypting malware was used. Clients were encouraged to reach out to the company’s security team for additional queries.

Hack of SitusAMC Puts Data of Financial Services Firms at Risk

24 November 2025 at 13:00
SitusAMC, a services provider with clients like JPMorgan Chase and Citi, said its systems were hacked and the data of clients and their customers possibly compromised, sending banks and other firms scrambling. The data breach illustrates the growth in the number of such attacks on third-party providers in the financial services sector.

The post Hack of SitusAMC Puts Data of Financial Services Firms at Risk appeared first on Security Boulevard.

Salesforce: Some Customer Data Accessed via Gainsight Breach

22 November 2025 at 12:43
An attack on the app of CRM platform-provider Gainsight led to the data of hundreds of Salesforce customers being compromised, highlighting the ongoing threats posed by third-party software in SaaS environments and illustrating how one data breach can lead to others, cybersecurity pros say.

The post Salesforce: Some Customer Data Accessed via Gainsight Breach appeared first on Security Boulevard.

Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

20 November 2025 at 15:09

Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.

DoorDash Confirms Cybersecurity Incident After Social Engineering Attack

19 November 2025 at 02:10

American food delivery platform DoorDash has disclosed a cybersecurity incident after an unauthorized third party accessed certain user information through a targeted social engineering attack. The company confirmed that the DoorDash data breach affected an unspecified number of users but clarified that no sensitive or financial information was accessed. According to DoorDash’s public statement, the incident began when a company employee was manipulated into granting access through a social engineering scam. This reflects a rising trend in which attackers exploit human behavior rather than system weaknesses, posing significant risks even to companies with mature cybersecurity programs.

DoorDash Cybersecurity Incident: Social Engineering Identified as the Root Cause

The company revealed that threat actors did not rely on malware or exploit software vulnerabilities. Instead, they used deceptive tactics to influence an employee and gain initial access. This form of attack continues to challenge organizations, as technical security controls often cannot prevent human error. DoorDash stated that its response team quickly identified the data breach, shut down unauthorized access, and initiated an internal investigation. The company has also referred the matter to law enforcement.

What Information Was Accessed in DoorDash Data Breach

DoorDash confirmed that some users, spanning consumers, Dashers, and merchants, were impacted. The type of user information accessed varied and may have included:
  • First and last name
  • Phone number
  • Email address
  • Physical address
The company emphasized that no sensitive information such as Social Security numbers, government-issued IDs, driver’s license details, bank information, or payment card data was compromised in the DoorDash cybersecurity incident. DoorDash added that it has no evidence of fraud, identity theft, or misuse of the accessed information.

DoorDash Response and Security Enhancements

Following the DoorDash cybersecurity incident, the company implemented several measures to strengthen its cybersecurity posture. These steps include:
  • Deploying new security system enhancements to detect and block similar malicious activities
  • Increasing employee security awareness training focused on social engineering threats
  • Engaging an external cybersecurity firm to assist in the investigation and provide expert guidance
  • Coordinating with law enforcement for ongoing inquiry
DoorDash reiterated its commitment to improving user security, stating that it strives to “get 1% better every day” and protect user privacy through continuous improvements.

User Notifications and Support

The company noted that affected users have been notified where required under applicable laws. To address concerns and questions, DoorDash has set up a dedicated call center available in English and French for users in the U.S., Canada, and international regions. Users seeking more information can contact the hotline using reference code B155060. DoorDash also clarified that customers of Wolt or Deliveroo were not impacted by this incident, as the breach was limited exclusively to DoorDash systems and data.

Guidance for Users

While no sensitive data was compromised, DoorDash advised users to remain cautious of unsolicited communications requesting personal information. The company warned users to avoid clicking suspicious links or downloading unexpected attachments, as such tactics are commonly used in social engineering attacks. DoorDash stated that users do not need to take any immediate action to protect their accounts, as the compromised information was limited to basic contact details and there is no evidence of misuse.

Conduent Faces Financial Hit, Lawsuits from Breach Affecting 10.5 Million

14 November 2025 at 22:58
The intrusion a year ago into Conduent Business Solutions' systems, likely by the SafePay ransomware group, that affected more than 10.5 million individuals will likely cost the company more than $50 million in related expenses and millions more to settle the lawsuits that are piling up.

The post Conduent Faces Financial Hit, Lawsuits from Breach Affecting 10.5 Million appeared first on Security Boulevard.

ShinyHunters Compromises Legacy Cloud Storage System of Checkout.com

14 November 2025 at 15:15
Checkout.com said the notorious ShinyHunters threat group breached a badly decommissioned legacy cloud storage system last used by the company in 2020 and stole some merchant data. The hackers demanded a ransom, but the company instead will give the amount demanded to cybersecurity research groups.

The post ShinyHunters Compromises Legacy Cloud Storage System of Checkout.com appeared first on Security Boulevard.

Washington Post Confirms Data Breach as CL0P Claims Over 40 Oracle Victims

14 November 2025 at 14:35

The Washington Post has confirmed that it was breached by a threat campaign targeting Oracle E-Business Suite vulnerabilities. The Washington Post data breach is one of more than 40 victims claimed by the CL0P ransomware group in a campaign that is believed to have targeted Oracle E-Business Suite vulnerability CVE-2025-61884, but so far only four of the victims have confirmed that they were breached: The Post, Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic. The Post confirmed the data breach in a Nov. 12 filing with the Maine Attorney General’s office.

Washington Post Data Breach Detailed in Letter

The Washington Post data breach timeline was detailed in a letter from a law firm representing the newspaper to Maine Attorney General Aaron Frey. The letter states that on September 29, The Post “was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications.” The Post letter said the company subsequently launched an investigation of its Oracle application environment with the help of experts. “During the investigation, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorized actors to access many Oracle customers’ E-Business Suite applications,” The Post’s letter states. “The Post’s investigation confirmed that it was impacted by this exploit and determined that, between July 10, 2025, and August 22, 2025, certain data was accessed and acquired without authorization.” On October 27, 2025, The Post “confirmed that certain personal information belonging to current and former employees and contractors was affected by this incident. The affected information varies by individual but may include individuals’ names, bank account numbers and associated routing numbers, Social Security numbers, and/or tax ID numbers.” On November 12, The Post said it notified 31 Maine residents of the incident, but the total number of affected employees and contractors is believed to total just under 10,000. The Post said it has offered complimentary identity protection services through IDX to individuals whose Social Security numbers or tax ID numbers were exposed in the breach.

CL0P Oracle Victims Number More Than 40

While only four victims have confirmed they were hit in the Oracle cyberattack campaign, the CL0P ransomware group has claimed roughly 45 victims to date from the campaign on its dark web data leak site. Alleged victims claimed by CL0P have included major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies, among other industries and sectors. CL0P has tended to cluster victims in campaigns targeting specific vulnerabilities throughout its six-year history, including 267 claimed victims in February 2025 that drove ransomware attacks to record highs that month.

Checkout.com Refuses Ransom After Hackers Access Old Merchant Files

14 November 2025 at 03:38

Checkout.com data breach concerns have surfaced after the global payment processor confirmed it was recently targeted by the cybercrime group ShinyHunters. The company reported that attackers gained access to documents stored in an old third-party cloud environment, though its core payment processing systems and sensitive financial information remain unaffected. According to early findings, the Checkout.com data breach occurred when ShinyHunters accessed a legacy storage system last used in 2020. The environment contained internal operational files and merchant onboarding documents. Checkout.com confirmed that the system had not been properly decommissioned, enabling unauthorized access.

Legacy Cloud System at Center of Checkout.com Data Breach

The Checkout.com data breach affects an estimated 25% of the company’s current merchant base, although the compromised data does not include payment card numbers, merchant bank funds, or any information linked to real-time transaction processing. In its statement, Checkout.com emphasized that its live payment platform was completely isolated from the targeted system. As a result, no transactional services, payment flows, or merchant funds were put at risk. The Checkout.com data breach came to light when ShinyHunters contacted Checkout.com last week with an extortion demand. Instead of complying, the company publicly announced that it would not pay the ransom. Checkout.com stated that it will donate the equivalent amount requested by the criminals to two major institutions known for cybersecurity research: Carnegie Mellon University and the University of Oxford’s Cyber Security Center. The company said the decision aims to turn a criminal attack into an opportunity to strengthen the broader security community.

CTO Takes Responsibility and Calls for Transparency

Mariano Albera, Chief Technology Officer at Checkout.com, issued a detailed response acknowledging the company’s responsibility in failing to fully retire the outdated cloud storage system. He confirmed that the breach stemmed from a system “used in 2020 and prior years” and reiterated that no sensitive financial data was touched. Albera apologized for the concern caused to merchants and partners, stating:
  • “This was our mistake, and we take full responsibility.”
  • “We regret that this incident has caused worry for our partners and people.”
  • “Security, transparency and trust are the foundation of our industry.”
Albera stressed that Checkout.com is committed to informing any potentially affected partners and is cooperating with law enforcement and relevant regulators as part of a broader investigation.

Company Strengthens Commitment to Merchant Protection

While the Checkout.com data breach involved non-critical information, the company acknowledged the importance of addressing lapses tied to legacy technology. It also promised full support to any merchant seeking clarification or assistance. Checkout.com noted that its support channels remain open and that account representatives are proactively reaching out to anyone whose data may have been stored in the legacy system. The organization said this incident will also influence future technology governance processes, particularly those tied to sunsetting outdated infrastructure and third-party storage environments. Checkout.com says its choice to donate the ransom amount is intended as a symbolic yet meaningful stance against cyber extortion. By funding academic cybersecurity research, the company aims to help strengthen defenses not just for itself but for the wider digital ecosystem. The company stated that it will continue prioritizing transparency, accountability, and stronger security investments to ensure such incidents do not recur.

Illuminate Education Fined $5.1 Million for Failing to Protect Student Data

10 November 2025 at 04:17

The Attorneys General of California, Connecticut, and New York have announced a $5.1 million settlement with Illuminate Education, Inc., an educational technology company, for failing to adequately protect student data in a 2021 cyber incident. The Illuminate Education data breach exposed the personal information of millions of students across the United States, including over 434,000 students in California alone. The settlement includes $3.25 million in civil penalties for California and a series of court-approved requirements to strengthen the company’s cybersecurity posture. The announcement marks one of the most significant enforcement actions under California’s K-12 Pupil Online Personal Information Protection Act (KOPIPA), highlighting growing regulatory attention on the privacy of children’s data in the digital age.

Illuminate Education Data Breach That Exposed Sensitive Student Data

The 2021 Illuminate Education data breach occurred when a hacker gained access to Illuminate’s systems using credentials belonging to a former employee, an account that had never been deactivated. Once inside the network, the attacker created new credentials, maintained access for several days, and stole or deleted student data. The compromised information included names, races, medical conditions, and details related to special education services — all considered highly sensitive personal data. An investigation by the California Department of Justice found that Illuminate failed to implement basic cybersecurity practices, including:
  • Terminating access for former employees
  • Monitoring suspicious logins or activities
  • Securing backup databases separately from live systems
Investigators also revealed that Illuminate had made misleading claims in its Privacy Policy, suggesting its safeguards met federal and state requirements when they did not. The company had even advertised itself as a signatory of the Student Privacy Pledge, only to be removed after the breach.
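The two control failures at the center of this case, a never-deactivated former-employee account and new credentials created once the attacker was inside, are both visible in authentication logs if someone is looking. The following is an added example, not Illuminate's code or anything from the regulators: it assumes a hypothetical JSON-lines auth log schema (`ts`, `event`, `user`, `target`, `result`) and an offboarding roster, runs the checks over constructed log lines, and reports the accounts involved, how long the session lasted, and whether a backup export occurred.

```python
"""Detection checks for the failures named in the Illuminate settlement.

Added example: flags successful logins by accounts whose owner has left,
follows any accounts those sessions create, and measures dwell time.
The log schema and the sample data below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed offboarding roster: account -> termination date (UTC).
TERMINATED = {
    "jdoe": datetime(2021, 3, 1, tzinfo=timezone.utc),
}

# Constructed JSON-lines auth log (hypothetical schema, not a real product's).
SAMPLE_LOG = """\
{"ts": "2021-12-28T02:14:07Z", "event": "login", "user": "jdoe", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2021-12-28T02:16:40Z", "event": "create_user", "user": "jdoe", "target": "svc_backup2", "result": "success"}
{"ts": "2021-12-28T09:00:00Z", "event": "login", "user": "asmith", "src_ip": "198.51.100.2", "result": "success"}
{"ts": "2021-12-29T01:02:11Z", "event": "login", "user": "svc_backup2", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2021-12-30T03:45:00Z", "event": "db_export", "user": "svc_backup2", "target": "students_backup", "result": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def logins_after_termination(events, terminated):
    """Control 1: a successful login by an account whose owner already left."""
    return [
        e for e in events
        if e["event"] == "login" and e["result"] == "success"
        and e["user"] in terminated and e["ts"] >= terminated[e["user"]]
    ]


def expand_created_accounts(events, seeds):
    """Control 2: accounts created by a suspect actor are suspect too.

    Iterates to a fixed point so a chain of created accounts is followed.
    """
    suspects = set(seeds)
    changed = True
    while changed:
        changed = False
        for e in events:
            if (e["event"] == "create_user" and e["result"] == "success"
                    and e["user"] in suspects and e["target"] not in suspects):
                suspects.add(e["target"])
                changed = True
    return suspects


def analyze(log_text, terminated):
    """Run both checks and summarize the suspect session."""
    events = parse_events(log_text)
    stale = logins_after_termination(events, terminated)
    suspects = expand_created_accounts(events, {e["user"] for e in stale})
    activity = [e for e in events if e["user"] in suspects]
    dwell = activity[-1]["ts"] - activity[0]["ts"] if activity else None
    return {
        "stale_logins": stale,
        "suspect_accounts": suspects,
        "suspect_events": activity,
        "dwell_days": dwell.total_seconds() / 86400 if dwell else 0.0,
        # Control 3 on the page concerned backups; surface any export here.
        "exports": [e for e in activity if e["event"] == "db_export"],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, TERMINATED)
    print("suspect accounts:", sorted(report["suspect_accounts"]))
    print("dwell (days):", round(report["dwell_days"], 2))
    print("backup exports:", len(report["exports"]))
```

In the sample, the dormant `jdoe` login seeds the search, `svc_backup2` is pulled in through the `create_user` event, and the unrelated `asmith` login is left alone.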

Legal and Regulatory Response

California Attorney General Rob Bonta called the case “a reminder to all tech companies, especially those handling children’s data, that California law demands strong safeguards.” “Illuminate failed to appropriately safeguard the data of school children,” Bonta said. “Our investigation revealed troubling security deficiencies that should never have happened for a company entrusted with protecting sensitive data about kids.” Connecticut Attorney General William Tong added that the case marked the first enforcement action under Connecticut’s Student Data Privacy Law. “Technology is everywhere in schools today,” he said. “This action holds Illuminate accountable and sends a clear message to educational technology companies that they must take privacy obligations seriously.” New York Attorney General Letitia James echoed similar concerns: “Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure. Illuminate violated that trust and failed to take even basic steps to protect student data.”

Compliance Measures and Industry Lessons

As part of the settlement, Illuminate has agreed to:
  • Strengthen account management and terminate credentials of former employees.
  • Enable real-time monitoring for suspicious activity.
  • Segregate backup databases from active networks.
  • Notify authorities promptly in case of future breaches.
  • Remind school districts to review stored student data for retention and deletion compliance.
This Illuminate Education data breach case follows several other enforcement actions led by Attorney General Bonta, including settlements with Sling TV, Blackbaud, and Tilting Point Media, each involving data privacy violations.

EdTech Sector Under Radar

The Illuminate case emphasizes the critical need for cybersecurity in educational technology. As schools increasingly depend on digital platforms, student data has become a prime target for cybercriminals. Experts emphasize that proactive measures such as continuous monitoring, identity management, and early threat detection are essential to prevent similar incidents. Platforms like Cyble Vision are designed to help organizations detect breaches, monitor risks in real-time, and safeguard sensitive data against evolving cyber threats. For education providers, regulators, and enterprises alike, this case serves as a clear signal — cyber negligence is no longer an option. To learn how Cyble can help strengthen your organization’s data protection and threat monitoring capabilities, request a demo and see how proactive intelligence can prevent the next breach.

University of Pennsylvania Confirms Cyberattack and Data Theft Following Social Engineering Breach

The University of Pennsylvania has confirmed that a hacker stole sensitive university data during a recent cyberattack. The breach, first detected on October 31, 2025, resulted in unauthorized access to systems connected to the university’s development and alumni activities.  Initially, the University of Pennsylvania dismissed reports of a hack as “fraudulent.” However, officials later acknowledged that data was indeed taken. In a statement released to alumni and shared publicly, the university explained that staff “rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.” 

The University of Pennsylvania Breach and Attack Details

The attackers gained access through a social engineering technique, a method that deceives individuals into revealing their credentials. Once inside, the hackers sent a mass email from official university addresses. The email read: “We got hacked. We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.”  According to reports, the hackers compromised a PennKey single sign-on account, which allowed them access to multiple internal systems, including the university’s VPN, Salesforce databases, SAP systems, and SharePoint files. This access reportedly lasted for nearly two days, from October 30 to October 31, before being detected and contained.  An internal source revealed that the university requires multi-factor authentication (MFA) for students, staff, and alumni accounts as a security measure. However, some senior officials were allegedly granted exemptions from the MFA requirement.  When asked about the MFA exemptions or adoption rates, a university spokesperson declined to comment beyond the official data incident page. 

Scope of the Data Theft

While the full scope of the data breach remains unclear, reports suggest that as many as 1.2 million records may have been compromised. The stolen data reportedly includes names, contact details, donation records, estimated net worth, and demographic information such as race, religion, and sexual orientation. The hacker also claimed to have accessed documents related to donor activities and bank transaction receipts.  Although the university is still assessing the damage, officials confirmed that medical systems operated by Penn Medicine were not affected. As required by law, the university will contact individuals whose personal data was compromised, though no timeline has been announced. 

Investigation and Legal Fallout

The University of Pennsylvania has reported the incident to the Federal Bureau of Investigation (FBI) and enlisted third-party cybersecurity experts to assist in the investigation. Despite these actions, the university is already facing potential legal consequences. At least one class-action lawsuit has been filed by former students, accusing the university of negligence in protecting personal data.  The hackers’ motivations appear mixed. In the initial message to the university community, the attackers criticized legacy admissions and affirmative action policies, stating, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” However, further statements from the group indicate their primary motive was financial, aiming to profit from the stolen data rather than make a political statement. 

Iran-linked Threat Group Claims Breach of Israeli Defense Contractor’s Security Cameras

5 November 2025 at 11:36

An Iran-linked threat group claims to have accessed the security cameras of an Israeli defense contractor and leaked videos of internal meetings and employees working on defense systems. The threat group – Cyber Toufan – has been posting about the alleged breach of Maya Engineering on its Telegram channels for at least a few weeks, but the group’s claims became public in recent days in an X post and articles on media sites such as Straight Arrow News and Breached Company. The claims remain unverified, and The Cyber Express has reached out to Maya for comment and will update this article with any official statement, but the alleged incident shows the importance of including surveillance cameras and other sensitive devices in cybersecurity plans. “Scary stuff,” SANS instructor and consultant Kevin Garvey said on X. “Shows how *any* connected asset needs rigorous security associated to it! Good reminder to all to check if cameras and other peripherals are part of your standard vuln management and secure config programs (amongst others functional programs).”

Alleged Israeli Defense Contractor Breach

A check of Cyber Toufan’s Telegram channels by The Cyber Express found claims of the hack as early as October 12 (image below).

(Image: October 12 Telegram post by Cyber Toufan claiming the Maya hack)

However, the group claims to have had access to Maya’s systems for more than a year. “One and a half years after gaining full access to the network, we have explored every part of it and reached the QNAP archive,” claims a Cyber Toufan post reported by International Cyber Digest on X. “Through the systems, we have breached Elbit and Rafael's through then. Their phones, printers, routers and cameras as well. We have recorded your meetings with sound and video for over a year. This is just the beginning with Maya!” Footage released by the group shows company employees allegedly working on several defense systems, including missile and drone systems, and the group also claims to possess technical drawings of sensitive parts like missile components.

Cyber Toufan's Link to Iran

Cyber Toufan’s advanced tactics suggest technical acumen well beyond that of a typical hacktivist group, raising the possibility of a nation-state link to Iran. Cyble’s threat intelligence profile of the group states, “Cyber Toufan is a threat actor group known for targeting Israeli organizations, with possible nation-state support from Iran. Their tactics include hack-and-leak operations, data breaches, and data destruction, impacting numerous organizations. Their activities are linked to geopolitical tensions in the Middle East, featuring a mix of technical breaches and psychological warfare. Threat actors associated with Cyber Toufan operate by infiltrating systems to steal sensitive data and disrupt operations, aiming to cause economic and political damage to their targets.”

Balancer Hack Exposes $116 Million Smart Contract Vulnerability

Balancer V2, one of the most prominent automated market makers (AMMs), has suffered a large-scale security incident. The Balancer data breach exposed a critical Balancer vulnerability within its smart contract infrastructure, allowing an attacker to siphon as much as $128 million worth of digital assets from the platform in minutes.  The Balancer data breach stemmed from a flaw in the V2 vault and its liquidity pools. Investigations by blockchain analysts revealed that a maliciously deployed contract exploited Balancer’s pool initialization process. This contract manipulated internal calls in the vault, bypassing protection meant to prevent unauthorized swaps or balance changes.  The vulnerability was tied to a faulty check in the manageUserBalance function, where the internal validation mechanism (_validateUserBalanceOp) could be bypassed. By exploiting this loophole, the attacker was able to specify unauthorized parameters and drain funds from the vault without proper permission.  The attack began with a series of rapid Ethereum mainnet transactions before expanding across several networks. The composable design of Balancer V2, where multiple pools share a single vault, amplified the impact, making it easier for the exploit to spread. 

Extent of the Balancer Data Breach

Preliminary data shows the attacker stole between $110 million and $116 million, with some estimates reaching $128 million, making it one of the largest DeFi exploits of 2025.

The stolen assets included several liquid staking derivatives and wrapped tokens such as WETH, wstETH, osETH, frxETH, rsETH, and rETH. Most of the funds, around $70 million, were drained from the Ethereum mainnet, while the Base and Sonic networks lost approximately $7 million combined and other chains accounted for at least $2 million in additional losses. (These per-chain figures were preliminary and do not yet add up to the headline total.)

On-chain activity shows that the stolen assets were funneled into newly created wallets, with funds later moved through cross-chain bridges and likely laundered through privacy mixers.

Despite the extensive nature of the Balancer vulnerability, investigators confirmed that no private keys were compromised; the incident was purely a smart contract exploit.

Security Audits and Community Reactions

What makes the Balancer hack particularly notable is that the protocol had undergone more than ten independent audits, and its V2 vault had been reviewed three separate times by different security firms. The exploit still occurred, a fact that has reignited debate over what a DeFi audit actually guarantees.

Suhail Kakar noted on X (formerly Twitter):

“Balancer went through 10+ audits. The vault was audited three separate times by different firms—still got hacked for $110M. This space needs to accept that ‘audited by X’ means almost nothing. Code is hard, DeFi is harder.”

Other blockchain researchers echoed similar concerns, emphasizing that composable DeFi systems, where smart contracts interact in complex, interdependent ways, create attack paths that exist only in the composition and are therefore invisible to an audit of any single component.

This is not Balancer’s first security incident. The platform previously suffered smaller losses, including a $520,000 exploit in June 2020, an $11.9 million attack in March 2023, and a $2.1 million loss in August 2023 due to precision vulnerabilities in its V2 Boosted Pools.

User Warnings and Aftermath

Experts urged users exposed to Balancer V2 pools to take immediate precautions: 
  1. Withdraw funds from affected pools as soon as possible. 
  2. Revoke smart contract approvals for Balancer-related addresses via platforms such as Revoke, DeBank, or Etherscan. 
  3. Monitor wallet activity using tools like Dune Analytics or Etherscan to spot unusual transactions. 
  4. Stay informed by following updates from auditors and blockchain security firms such as PeckShield and Nansen. 
The impact of the Balancer hack was felt across the broader DeFi market. The BAL token dropped by roughly 5–10% in value, and Balancer’s total value locked (TVL) decreased sharply as liquidity providers withdrew funds amid growing uncertainty. 
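Steps 2 and 3 above, revoking approvals and watching wallet activity, both start from the same question: which of my ERC-20 allowances are still open, and to whom? The following is an added example (not Balancer’s code, nor from any of the tools named above) that answers it from raw event logs. Every address in it is a placeholder, including the “flagged spender” that stands in for an affected contract, and the log entries are constructed in the shape an eth_getLogs response returns.

```python
"""Audit which ERC-20 approvals a wallet still has open, from raw event logs.

An ERC-20 Approval(owner, spender, value) event has
topic0 = keccak256("Approval(address,address,uint256)"), the owner and spender
as indexed topics 1 and 2, and the new allowance (an absolute value, not a
delta) in the data field.  Replaying the logs in chain order and keeping the
last value per (token, spender) yields the allowances open right now, which is
what you need to know before deciding what to revoke.
"""

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UINT256_MAX = 2**256 - 1

# Placeholder addresses (hypothetical; none of these are real deployments).
MY_WALLET = "0x" + "11" * 20
OTHER_WALLET = "0x" + "22" * 20
FLAGGED_SPENDER = "0x" + "ba" * 20   # stands in for an affected vault/router
SAFE_SPENDER = "0x" + "dd" * 20
WETH = "0x" + "aa" * 20
USDC = "0x" + "cc" * 20


def pad_topic(address: str) -> str:
    """Left-pad a 20-byte address to the 32-byte form used in indexed topics."""
    return "0x" + address[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()


def make_log(block, index, token, topic0, a, b, value):
    """Build a log entry in eth_getLogs shape (constructed sample data only)."""
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [topic0, pad_topic(a), pad_topic(b)],
            "data": "0x" + format(value, "064x")}


def parse_approval(log):
    """Return (token, owner, spender, allowance), or None for non-Approval logs."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), topic_to_address(topics[1]),
            topic_to_address(topics[2]), int(log["data"], 16))


def open_approvals(logs, owner):
    """Current non-zero allowances granted by `owner`, keyed by (token, spender)."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        parsed = parse_approval(log)
        if parsed is None:
            continue
        token, log_owner, spender, value = parsed
        if log_owner != owner.lower():
            continue
        if value == 0:
            allowances.pop((token, spender), None)   # approve(spender, 0) is a revocation
        else:
            allowances[(token, spender)] = value     # later approvals overwrite earlier ones
    return allowances


def approvals_to_revoke(logs, owner, flagged_spenders):
    """Open allowances whose spender is on the flagged list."""
    flagged = {s.lower() for s in flagged_spenders}
    return {k: v for k, v in open_approvals(logs, owner).items() if k[1] in flagged}


SAMPLE_LOGS = [  # constructed
    make_log(100, 0, WETH, APPROVAL_TOPIC, MY_WALLET, FLAGGED_SPENDER, UINT256_MAX),    # unlimited
    make_log(100, 1, WETH, TRANSFER_TOPIC, MY_WALLET, FLAGGED_SPENDER, 10**18),         # not an approval
    make_log(101, 0, USDC, APPROVAL_TOPIC, MY_WALLET, SAFE_SPENDER, 1_000 * 10**6),
    make_log(102, 0, USDC, APPROVAL_TOPIC, MY_WALLET, FLAGGED_SPENDER, 5 * 10**6),
    make_log(103, 0, USDC, APPROVAL_TOPIC, MY_WALLET, FLAGGED_SPENDER, 0),              # revoked
    make_log(104, 0, WETH, APPROVAL_TOPIC, OTHER_WALLET, FLAGGED_SPENDER, UINT256_MAX),  # someone else's
]

if __name__ == "__main__":
    for (token, spender), value in approvals_to_revoke(SAMPLE_LOGS, MY_WALLET, {FLAGGED_SPENDER}).items():
        shown = "unlimited" if value == UINT256_MAX else value
        print(f"revoke: token={token} spender={spender} allowance={shown}")
```

On the sample data only the unlimited WETH approval to the flagged spender survives: the USDC approval to the same spender was zeroed out later, and the approval granted by a different wallet is ignored. Unlimited (uint256 max) approvals are the ones worth revoking first, since they let the spender move the whole balance, not just the amount of a single trade.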

Ransomware gang claims Conduent breach: what you should watch for next [updated]

30 October 2025 at 11:16

Update – October 30, 2025: New information confirms that Conduent’s 2024 breach has impacted over 10.5 million people, based on notifications filed with multiple state attorneys general. The largest disclosure came from the Oregon government, which reported a total of 10.5 million affected US residents. Additional notices listed 4 million in Texas, 76,000 in Washington, and several hundred in Maine.


Even if you’ve never heard of Conduent, you could be one of the many people caught up in its recent data breach. Conduent provides technology services to several US state governments, including Medicaid, child support, and food programs, with the company stating that it “supports approximately 100 million US residents across various government health programs, helping state and federal agencies.”

In a breach notification, Conduent says:

“On January 13, 2025, we discovered that we were the victim of a cyber incident that impacted a limited portion of our network.”

An investigation found that an unauthorized third party had access to its systems from October 21, 2024, until the intrusion was stopped on discovery.

Breach notification letters will be sent to affected individuals, detailing what personal information was exposed. According to The Record, Conduent initially said more than 400,000 people in Texas were impacted (a figure the October 2025 filings have since raised to about 4 million; see the update above), with data including Social Security numbers, medical information and health insurance details. Another 76,000 people in Washington, 48,000 in South Carolina, 10,000 in New Hampshire and 378 in Maine were also affected. Conduent has filed additional breach notices in Oregon, Massachusetts, California, and New Hampshire.

The stolen data sets may include:

  • Names
  • Social Security numbers
  • Dates of birth
  • Medical information
  • Health insurance details

If all of those apply, it’s certainly enough for criminals to commit identity theft.

Ransomware group SafePay reportedly claimed responsibility for the attack and listed Conduent on its leak site.

[Screenshot of SafePay’s leak-site listing for Conduent.com: an 8.5 TB archive, with the company’s revenue given as $3.7 billion. Image courtesy of Comparitech]

SafePay, which emerged in late 2024, threatened to publish or sell stolen data if its demands weren’t met, claiming to have exfiltrated a staggering 8.5 terabytes of files from Conduent’s systems. Though relatively new on the scene, SafePay has quickly built a reputation for large-scale extortion targeting high-profile clients globally.

Breaches like this reinforce the need for robust cybersecurity and incident response in the public sector. For the potentially millions of people affected, stay alert to fraud and identity theft.

Protecting yourself after a data breach

If you think you’ve been the victim of this or any other data breach, here are steps you can take to protect yourself:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Vinomofo Failed to Protect Customer Data, Australian Privacy Commissioner Rules

30 October 2025 at 08:23


Australia's Privacy Commissioner Carly Kind has issued a determination against online wine wholesaler Vinomofo Pty Ltd, finding the company interfered with the privacy of almost one million individuals by failing to take reasonable steps to protect their personal information from security risks.

The determination represents one of the most comprehensive applications of Australian Privacy Principle 11.1 (APP 11.1) to cloud migration projects and provides critical guidance for organizations undertaking similar infrastructure transitions.

The finding follows a 2022 data breach that occurred during a large-scale data migration project, exposing approximately 17GB of data belonging to 928,760 customers and members. The determination goes beyond technical security failures, identifying systemic cultural and governance deficiencies that Commissioner Kind found demonstrated Vinomofo's failure to value or nurture attention to customer privacy.

The Breach: Migration Gone Wrong

In 2022, Vinomofo experienced a data breach amid what the company described as a "large data migration project." An unauthorized third party gained access to the company's database hosted on a testing platform, which, despite being separate from the live website, contained real customer information.

The exposed database held approximately 17GB of data comprising identity information including gender and date of birth, contact information such as names, email addresses, phone numbers, and physical addresses, and financial information. The breach initially came to light when security researcher Troy Hunt flagged the incident on social media, and subsequent investigation revealed the stolen data had been advertised for sale on Russian-language cybercrime forums.


The testing platform exposure reveals a fundamental security misconfiguration that has become increasingly common as organizations migrate to cloud infrastructure. Testing and development environments frequently contain production data but receive less rigorous security controls than production systems, creating attractive targets for threat actors who recognize this vulnerability pattern.

Vinomofo's initial public statements downplayed the breach's severity, emphasizing that the company "does not hold identity or financial data such as passports, drivers' licences or credit cards/bank details" and assuring customers that "no passwords, identity documents or financial information were accessed." However, the Privacy Commissioner's investigation revealed more significant failures in the company's security posture and governance.

Privacy as an Afterthought

Perhaps the determination's most significant finding concerns Vinomofo's organizational culture. Commissioner Kind concluded that "Vinomofo's culture and business posture failed to value or nurture attention to customer privacy, as exemplified by failures regarding its policies and procedures, training, and cultural approach to privacy."

This cultural assessment goes beyond technical security measures to examine the organizational prioritization of privacy protection. The Commissioner observed that privacy wasn't embedded into business processes, decision-making frameworks, or corporate values—it remained peripheral rather than fundamental to operations.

The determination identified specific manifestations of this cultural failure:

Policy and Procedure Deficiencies: Vinomofo lacked adequate policies governing data handling during migration projects, security requirements for testing environments, and access controls for sensitive customer information.

Training Inadequacies: The company failed to provide sufficient privacy and security training to personnel involved in data migration and infrastructure management, resulting in preventable errors and oversights.

Cultural Approach: Privacy considerations weren't integrated into strategic planning, risk management, or operational decision-making processes, treating privacy compliance as a checkbox exercise rather than a core business imperative.

Known Risks Ignored

The Commissioner's determination revealed that Vinomofo was aware of deficiencies in its security governance and recognized the need to uplift its security posture at least two years prior to the 2022 incident. This finding transforms the breach from an unfortunate accident into a foreseeable consequence of deliberate inaction.

The determination states: "The respondent was aware of the deficiencies in its security governance and that it needed to uplift its security posture at least 2 years prior to the Incident." This awareness without corresponding action demonstrates a failure of corporate governance that extended beyond the IT security function to board and executive leadership levels.

Organizations face resource constraints and competing priorities that can delay security improvements. However, the Commissioner's finding that Vinomofo knew about security deficiencies for two years before the breach eliminates any claim of unforeseen circumstances. This represents a calculated risk—one that ultimately materialized with consequences for nearly one million customers.

The "Reasonable Steps" Standard

The determination centers on Australian Privacy Principle 11.1, which requires entities holding personal information to take "such steps as are reasonable in the circumstances" to protect that information from misuse, interference, loss, unauthorized access, modification, or disclosure.

The Commissioner concluded that "the totality of steps taken by the respondent were not reasonable in the circumstances" to protect the personal information it held. This holistic assessment examines not individual security controls but the comprehensive security program considering organizational context, threat environment, and data sensitivity.

The determination provides valuable guidance on how "reasonable steps" should be interpreted in the context of data migration projects, particularly when using cloud infrastructure providers. Key considerations include:

Cloud Security Responsibilities: Organizations cannot delegate privacy obligations to cloud service providers. While providers like Amazon Web Services (where Vinomofo hosted its database) offer security features and controls, customers remain responsible for properly configuring and managing those controls.

Testing Environment Security: Testing and development environments containing real customer data must receive security controls commensurate with the sensitivity of that data. The separation from production systems doesn't reduce security obligations when personal information is involved.

Migration Risk Management: Data migration projects create heightened security risks during transition periods when data exists in multiple locations, access patterns change, and configurations evolve. Organizations must implement enhanced controls during migrations to address these elevated risks.

Awareness and Action: Knowing about security deficiencies creates an obligation to address them within reasonable timeframes. Extended delays between identifying risks and implementing mitigations may constitute unreasonable conduct under APP 11.1.
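The testing-environment point above has a practical corollary: the simplest way to make a test database not worth breaching is to never load real identities into it. The following is an added example (not Vinomofo’s code, and not something the determination prescribes) of keyed pseudonymization for a customer export before it is copied to a test or staging environment. Identifiers become HMAC-SHA256 tokens under a key that stays on the production side, so rows still join on customer_id and email across tables, but nothing in the test copy names a real person. The field names, the sample records and the key are hypothetical.

```python
"""Pseudonymize a production customer export before loading it into a test
environment.  Direct contact fields get fixed synthetic values, date of birth
is coarsened to a year, financial fields are dropped, and every identifier
that must stay joinable is replaced by a keyed, deterministic token."""
import hashlib
import hmac
import json

DROP_FIELDS = {"card_last4", "bank_account"}   # financial data is never needed in test


def token(key: bytes, value: str, length: int = 16) -> str:
    """Deterministic keyed pseudonym: same input -> same token, not derivable without the key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:length]


def pseudonymize(record: dict, key: bytes) -> dict:
    masked = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "customer_id":
            masked[field] = token(key, str(value))            # joins across tables still work
        elif field == "email":
            masked[field] = f"user-{token(key, value)}@example.com"
        elif field in ("first_name", "last_name"):
            masked[field] = f"{field}-{token(key, value, 8)}"
        elif field == "phone":
            masked[field] = "+61400000000"                    # format-valid placeholder
        elif field == "address":
            masked[field] = "1 Example Street"
        elif field == "date_of_birth":
            masked[field] = value[:4] + "-01-01"              # keep the year only
        else:
            masked[field] = value                             # gender, country, postcode: kept as-is
    return masked


def leaks_identifier(masked: dict, original: dict) -> bool:
    """Export gate: does any original identifier string survive in the masked row?"""
    blob = json.dumps(masked).lower()
    for field in ("email", "phone", "first_name", "last_name", "address", "bank_account"):
        value = str(original.get(field, "")).lower()
        if value and value in blob:
            return True
    return False


def pseudonymize_export(records, key: bytes):
    """Mask every record and refuse to produce output if any identifier leaks through."""
    out = []
    for rec in records:
        masked = pseudonymize(rec, key)
        if leaks_identifier(masked, rec):
            raise ValueError(f"identifier leaked for customer_id {rec['customer_id']}")
        out.append(masked)
    return out


SAMPLE_RECORDS = [  # constructed; not real people
    {"customer_id": 10001, "first_name": "Alice", "last_name": "Nguyen",
     "email": "alice.nguyen@mail.example", "phone": "+61 412 345 678",
     "address": "12 Vine Street, Fitzroy VIC", "date_of_birth": "1988-04-21",
     "gender": "F", "country": "AU", "postcode": "3065", "card_last4": "4242"},
    {"customer_id": 10002, "first_name": "Bob", "last_name": "Smith",
     "email": "bob@mail.example", "phone": "+61 400 111 222",
     "address": "8 Barrel Lane, Adelaide SA", "date_of_birth": "1975-11-02",
     "gender": "M", "country": "AU", "postcode": "5000", "card_last4": "1881",
     "bank_account": "062-000 12345678"},
]

if __name__ == "__main__":
    # Hypothetical key; in practice it lives in production key management and never ships with the export.
    for row in pseudonymize_export(SAMPLE_RECORDS, b"example-key-kept-in-production-kms"):
        print(json.dumps(row))
```

Two design choices matter here. The token is keyed, not a plain hash, because a plain SHA-256 of an email address can be reversed by hashing a list of known addresses. And the export gate runs on every row, so a new column added to the production schema cannot silently carry real data into test. Postcode and year of birth are kept for realism; if that combination is considered a quasi-identifier for the population in question, coarsen them too.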

Shared Responsibility Misunderstood

The determination's emphasis on cloud infrastructure provider obligations addresses a widespread misunderstanding of the shared responsibility model that governs cloud security. Cloud providers offer infrastructure and security capabilities, but customers must properly configure and manage those capabilities to protect their data.

Amazon Web Services, where Vinomofo stored the exposed database, provides extensive security features including encryption, access controls, network isolation, and monitoring capabilities. However, these features require proper implementation and configuration by customers. A misconfigured S3 bucket, overly permissive access policies, or inadequate network controls can expose data despite the underlying platform's security capabilities.

The breach appears to have resulted from Vinomofo's configuration and management of its AWS environment rather than vulnerabilities in AWS itself. This pattern has become common in cloud data breaches—organizations migrate to cloud platforms attracted by scalability and cost benefits but lack the expertise or diligence to properly secure their cloud deployments.

For organizations using cloud infrastructure providers, the determination establishes clear expectations:

Configuration Management: Organizations must implement rigorous configuration management processes ensuring security settings align with best practices and data protection requirements.

Access Controls: Cloud environments require carefully designed access control policies following least-privilege principles. The flexibility of cloud platforms can create excessive access if not properly managed.

Monitoring and Detection: Cloud platforms provide extensive logging and monitoring capabilities, but organizations must actively use these capabilities to detect suspicious activity and security misconfigurations.

Expertise Requirements: Securing cloud environments requires specialized knowledge. Organizations must ensure personnel managing cloud infrastructure possess appropriate expertise or engage qualified consultants.
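The configuration-management and access-control expectations above are checkable, and the two misconfigurations named earlier (a world-readable bucket policy and an overly permissive network rule) are the obvious first checks. The following is an added example, not Vinomofo’s or AWS’s code, that runs those two checks over exported AWS JSON. The documents are constructed inline in the shape returned by `aws s3api get-bucket-policy` (whose Policy field is a JSON string) and `aws ec2 describe-security-groups`, so it runs offline; the account ID, ARNs and group IDs are placeholders. A weak and a corrected version of each are included.

```python
"""Flag bucket policies open to everyone and security groups that expose a
database port to the internet, from the JSON the AWS CLI returns."""
import json

DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} grants access to any principal, including anonymous users."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(get_bucket_policy_output: dict):
    """Allow statements open to everyone with no Condition narrowing them.

    Returns [(Sid, [actions])].  A statement with a Condition is left for a
    human to review rather than assumed safe."""
    policy = json.loads(get_bucket_policy_output["Policy"])
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append((stmt.get("Sid"), _as_list(stmt.get("Action", []))))
    return findings


def open_db_ingress(describe_sg_output: dict):
    """Ingress rules that reach a known database port from 0.0.0.0/0 or ::/0.

    Returns [(GroupId, port, service, cidr)]."""
    findings = []
    for group in describe_sg_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":              # "all traffic" covers every port
                ports = dict(DB_PORTS)
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                ports = {p: s for p, s in DB_PORTS.items()
                         if lo is not None and hi is not None and lo <= p <= hi}
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            for cidr in cidrs:
                for port, service in sorted(ports.items()):
                    findings.append((group["GroupId"], port, service, cidr))
    return findings


# Constructed samples in CLI output shape.  Bucket name, ARNs, account ID and
# group IDs are placeholders.
WEAK_BUCKET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-export/*"}]})}

FIXED_BUCKET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "MigrationRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/db-migration"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-db-export/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-db-export", "arn:aws:s3:::example-db-export/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}

WEAK_SG = {"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "test-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}]}

FIXED_SG = {"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "test-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]}]}]}   # app tier only

if __name__ == "__main__":
    print("weak policy:", public_statements(WEAK_BUCKET_POLICY))
    print("fixed policy:", public_statements(FIXED_BUCKET_POLICY))
    print("weak sg:", open_db_ingress(WEAK_SG))
    print("fixed sg:", open_db_ingress(FIXED_SG))
```

The corrected security group shows the least-privilege shape: the database port is reachable only from the application tier’s own security group, never from a CIDR. The corrected bucket policy pins the principal to one role and adds a Deny on plaintext transport; the checker correctly ignores that Deny even though its Principal is "*", because Effect is examined before Principal.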

The Remedial Declarations

The Commissioner made several declarations requiring Vinomofo to cease certain acts and practices, though specific details weren't disclosed in the public announcement. These declarations typically include requirements to:

  • Implement comprehensive information security programs addressing identified deficiencies
  • Conduct regular security assessments and audits of systems handling personal information
  • Provide privacy and security training to relevant personnel
  • Establish privacy governance frameworks with clear accountability and oversight
  • Review and enhance policies and procedures governing data handling, particularly during migration projects

The declarations serve multiple purposes beyond Vinomofo's specific case. They provide a roadmap for other organizations undertaking similar cloud migrations or managing customer data at scale. They establish regulatory expectations about minimum acceptable security practices. And they create precedent that future enforcement actions can reference when addressing similar failures.

False Reports of Gmail Data Breach Alarm Internet

29 October 2025 at 13:36


Breathless news stories about a Gmail data breach began to appear online after media outlets misinterpreted a report about Gmail passwords stolen by infostealers. Urgent headlines like “Urgent alert issued to anyone who uses Gmail after 183 million passwords leaked” created some panic among Google account holders, prompting responses from Google and from the security researcher whose publication of the infostealer logs had started it.

“Reports of a ‘Gmail security breach impacting millions of users’ are false,” Google said in a post on X. “Gmail’s defenses are strong, and users remain protected.”

“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web,” Google added. “It’s not reflective of a new attack aimed at any one person, tool, or platform.”

The researcher, Troy Hunt of HaveIBeenPwned, said in his own X post: “This story has suddenly gained *way* more traction in recent hours, and something I thought was obvious needs clarifying: this *is not* a Gmail leak, it simply has the credentials of victims infected with malware, and Gmail is the dominant email provider.”

Gmail Data Breach Stories Appeared After Infostealer Data Published

The news stories began to appear after HaveIBeenPwned published an infostealer data set containing 183 million unique email addresses, the websites they were entered into, and the passwords used. Hunt wrote about the data set in a separate blog post, and stories misunderstanding the nature of infostealer malware took over from there. Gmail may have been the most common email address type in the data set, but hardly the only one, as Hunt noted: “There is every imaginable type of email address in this corpus: Outlook, Yahoo, corporate, government, military and yes, Gmail. This is typical of a corpus of data like this and there is nothing Google specific about it.” Leaks of all manner of account credentials appear in infostealer databases, and Gmail’s wide usage simply makes it one of the more common email credentials stolen by the malware. Credentials involving Gmail addresses appear in Cyble’s “Leaked Credentials” threat intelligence database more than 6 billion times, but many may be duplicates because stolen credentials frequently appear on more than one dark web marketplace or forum.

Protecting Your Gmail Account

Google said that Gmail users “can protect themselves from credential theft by turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this.” “Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts,” the company added.

Using a unique password for every account, and resetting any that turn up in a leak, is the other essential step, because the real damage from an infostealer corpus comes from credential reuse. As Hunt noted, “The primary risk is for people who continue to use those credentials on *any* websites, and the mitigation is a password manager and 2FA.”

Gmail breach panic? It’s a misunderstanding, not a hack

29 October 2025 at 08:08

After a misinterpretation of an interview with a security researcher, several media outlets hinted at a major Gmail breach.

Reporters claimed the incident took place in April. In reality, the researcher had said there was an enormous amount of Gmail usernames and passwords circulating on the dark web.

Those are two very different things. The credentials probably stem from a great many past attacks and breaches over the years.

But the rumors spread quickly, enough that Google felt it had to deny that its Gmail systems had suffered a breach. In a post on X, Google said:

“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.”

What happens is that cybercriminals buy and sell databases containing stolen usernames and passwords from data breaches, information stealers, and phishing campaigns. They do this to expand their reach or combine data from different sources to create more targeted attacks.

The downside for them is that many of these credentials are outdated, invalid, or linked to accounts that are no longer in use.

The downside for everyone else is that misleading reporting like this causes panic where there’s no need for it—whether it stems from misunderstanding technical details or from the pressure to make a headline.

Still, it’s always smart to check whether your email address has been caught up in a breach.

You can use our Digital Footprint scanner to see if your personal information is exposed online and take steps to secure it. If you find any passwords that you still use, change them immediately and enable two-factor authentication (2FA) for those accounts wherever possible.
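Both Gmail pieces above end with the same advice: find out whether a password you still use is in a corpus like this one, then reset it. The check can be done without handing the password to anyone, using the k-anonymity range protocol Hunt’s Pwned Passwords service exposes: hash the password with SHA-1, send only the first five hex characters of the digest, get back every matching suffix with a count, and compare locally. The following is an added example (not Google’s or Have I Been Pwned’s code) of that client-side half. The range body is constructed for the example; only the entry for the string “password” reflects a real hash, and the other suffixes and all counts are made up. fetch_range() shows the live call but is not exercised here.

```python
"""Client side of the Pwned Passwords k-anonymity lookup: only a 5-character
hash prefix ever leaves the machine; matching happens locally."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, ranges: dict) -> int:
    """Look the password up in pre-fetched range bodies keyed by prefix.

    Raises KeyError if that prefix was never fetched, so a missing range is
    never silently reported as 'not breached'.  Padding entries (count 0) that
    the service can add are indistinguishable from 'absent', which is the point."""
    prefix, suffix = split_hash(password)
    return parse_range(ranges[prefix]).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network).  Add-Padding asks the service to pad the response
    so its size does not reveal how many real suffixes the range holds."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range body for prefix 5BAA6 (SHA-1("password") = 5BAA61E4...).
# Suffixes other than the "password" one, and every count, are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E2E45F8DB5E6F6FA4C0B9A40C0FBBC5F9B:2\r\n",
}

if __name__ == "__main__":
    print("password ->", breach_count("password", CONSTRUCTED_RANGES))
```

The design point is the failure mode: a lookup for a prefix you have not fetched raises rather than returning 0, because “not found” and “not checked” must never look the same to the caller.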


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

When Security Is a Matter of Life and Death: The UK Afghan Data Leak

28 October 2025 at 15:15

UK Afghan Data Leak Linked to 49 Deaths

A new study that looked at 231 people exposed by a 2022 UK data leak of Afghans seeking resettlement after the Taliban takeover found that 49 had friends or colleagues killed in Afghanistan. The UK Afghan data leak report, by the charity Refugee Legal Support in consultation with two academics, looked at the damage done by the Ministry of Defence (MoD) data leak of 18,000 people who had applied for asylum. The report was submitted to a House of Commons Defence Committee inquiry into the data breach.

UK Afghan Data Leak Exposed 87% to Risk and Threats

The survey focused on 231 respondents who said they had been told directly by the Ministry of Defence that their data had been exposed in the leak, which was the result of an inadvertent emailing of a spreadsheet by a soldier. Of the 231 affected Afghans, 200, or 87%, “reported personal risks and/or threats to family members,” the report said, and 207 (89%) “reported impacts on their own physical and/or mental health and the same number (207) reported negative impacts on their family’s physical and/or mental health.”

Some of the responses detailed in the report are harrowing. One respondent said, “My father was brutally beaten to the point that his toenails were forcibly removed, and my parents remain under constant and serious threat. My family and I continue to face intimidation, repeated house searches, and ongoing danger to our safety.”

“I live under constant fear for my life and the safety of my family due to repeated raids, threats from the Taliban and local intelligence groups, and the risk of forced marriage for my daughter,” said another respondent. “The ongoing stress, anxiety, and fear for my family’s well-being have severely impacted my emotional and physical well-being.”

One respondent who had relocated to the UK said fears from the breach remain a constant torment for family members who remain in Afghanistan. “Whether it's legal advice, mental health resources, or help accelerating family reunification, anything that can ease this burden would mean the world to me,” the person said.

UK Advice Deemed Inadequate

The report also found that the advice given to the affected Afghans in the wake of the breach was largely inadequate. It described “a profound mismatch between the MoD’s security advice”, which focused on things like restricting use of social media accounts and advising the use of VPNs, “and the severity of reported risks and threats, which included direct threats, violence, and displacement.”

One respondent said, “The security advice provided by the Ministry of Defence was very general and limited. They only advised me not to answer calls from unknown numbers and to secure my emails. These instructions were insufficient given the serious threats and risks I faced, including my house being searched, my brothers being summoned by intelligence services, and direct threats to our lives. Such general advice did not provide any practical help to protect my situation.”

The report also found “no evidence that the Ministry of Defence offered local risk management or follow-up with individuals outside of the UK” who were affected by the data breach and were not offered resettlement. It called for expedited review of remaining resettlement cases, including affected family members.

“As both the quantitative and qualitative data from our survey shows, the data breach has had devastating consequences for many individuals and families,” the Refugee Legal Support report said. “The UK Government must act decisively to protect those affected, restore trust, and ensure that such a failure never happens again; or that if it does, those placed at risk will not also be left alone in the dark.”

Prosper data breach puts 17 million people at risk of identity theft

17 October 2025 at 06:08

Peer-to-peer lending marketplace Prosper detected unauthorized activity on its systems on September 2, 2025.

It published an FAQ page later that month to address the incident. During the incident, the attacker stole personal information belonging to Prosper customers and loan applicants.

As Prosper stated:

“We have evidence that confidential, proprietary, and personal information, including Social Security numbers, was obtained, including through unauthorized queries made on Company databases that store customer and applicant data.”

While Prosper did not share the number of affected people, BleepingComputer reported that it affected 17.6 million unique email addresses.

The stolen data associated with the email addresses reportedly includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user-agent details.

Prosper advised that no one gained unauthorized access to customer accounts or funds and that their customer-facing operations continued without interruption.

Even without account access, the stolen data is more than enough to fuel targeted, personalized phishing and even identity theft. The investigation is still ongoing but Prosper has promised to offer free credit monitoring, as appropriate, after determining what data was affected.

Protecting yourself after a data breach

If you think you have been the victim of a data breach, the steps are the same as those listed under “Protecting yourself after a data breach” in the Conduent article above: check the vendor’s advice, change the affected password to a unique one (ideally generated by a password manager), enable 2FA with a FIDO2 device where possible, verify anyone who contacts you claiming to be the vendor through a separate channel, take your time with messages that demand urgent action, avoid storing card details on websites, and set up identity monitoring.


Mango discloses data breach at third-party provider

16 October 2025 at 06:49

Mango has reported a data breach at one of its external marketing service providers. The Spanish fashion retailer says that only personal contact information has been exposed—no financial data.

The breach took place at the service provider and did not affect Mango’s own systems. According to the breach notification, the stolen information was limited to:

  • First name (not your last name)
  • Country
  • Postal code
  • Email address
  • Telephone number

The notification adds: “Under no circumstances has your banking information, credit cards, ID/passport, or login credentials or passwords been compromised.”

Because Mango operates in more than 100 countries, affected individuals could be located across multiple regions where Mango markets to customers through its external partner. As Mango has not named the third-party provider or disclosed how many customers were affected, we cannot precisely identify where these customers are located.

Mango has not released any details about the attackers behind the breach. Although the stolen data itself does not pose an immediate risk, cybercriminals often follow breaches like this with phishing campaigns, exploiting the limited personal information they obtained.

We’ll update this story if Mango releases more information about the breach or the customers impacted.

Protecting yourself after a data breach

Affected customers report receiving a data breach notification from Mango; we have seen screenshots of it in Spanish and English.

If you think you have been the victim of a data breach, the steps are the same as those listed under “Protecting yourself after a data breach” in the Conduent article above: check the vendor’s advice, change the affected password to a unique one (ideally generated by a password manager), enable 2FA with a FIDO2 device where possible, verify anyone who contacts you claiming to be the vendor through a separate channel, take your time with messages that demand urgent action, avoid storing card details on websites, and set up identity monitoring. In this case the stolen fields (first name, country, postcode, email, phone) are exactly what a convincing phishing message needs, so the “fake vendor” and “take your time” steps are the ones that matter most.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Ransomware attack at blood center: Org tells users their data’s been stolen

10 September 2025 at 09:22

A blood center has begun sending data breach notifications to its users after suffering a ransomware attack and theft of personal data.

The New York Blood Center (NYBC) suffered the ransomware attack in January, when an unauthorized party gained access to its network and copied a subset of files. The incident was first detected on January 26, 2025, but NYBC only started notifying victims this week.

NYBC publicly acknowledged the scale but has not issued a precise number of affected people due to ongoing investigations and limitations in contact information for all service recipients. Based on documents that NYBC submitted to regulators in several states, hackers could have stolen information belonging to at least tens of thousands of people.

NYBC ranks among the largest independent community-based blood collection organizations in the US. It serves over 75 million people across more than 17 states and delivers about one million lifesaving blood products annually.

The information varies per affected individual but can include:

  • Name
  • Social Security number
  • Driver’s license or other government identification card number
  • Financial account information, if you participated in direct deposit

NYBC also provides clinical services and diagnostic blood testing, for which it receives clinical information from healthcare providers. New York Blood Center Enterprises said some of this information was also accessed by the attackers during the incident.

So far it is unknown which ransomware group might have been behind the attack, and we have seen no threats to publish or sell the acquired data. But this could change quickly once negotiations about the ransom come to an end without the cybercriminals getting paid what they demand.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

Claude AI chatbot abused to launch “cybercrime spree”

28 August 2025 at 07:07

Anthropic—the company behind the widely renowned coding chatbot, Claude—says it uncovered a large-scale extortion operation in which cybercriminals abused Claude to automate and orchestrate sophisticated attacks.

The company issued a Threat Intelligence report in which it describes several instances of Claude abuse. In the report it states that:

“Cyber threat actors leverage AI—using coding agents to actively execute operations on victim networks, known as vibe hacking.”

This means that cybercriminals found ways to exploit vibe coding by using AI to design and launch attacks. Vibe coding is a way of creating software using AI, where someone simply describes what they want an app or program to do in plain language, and the AI writes the actual code to make it happen.

The process is much less technical than traditional programming, making it easy and fast to build applications, even for those who aren’t expert coders. For cybercriminals this lowers the bar for the technical knowledge needed to launch attacks, and helps the criminals to do it faster and at a larger scale.

Anthropic provides several examples of Claude’s abuse by cybercriminals. One of them was a large-scale operation which potentially affected at least 17 distinct organizations in just the last month across government, healthcare, emergency services, and religious institutions.

The people behind these attacks integrated the use of open source intelligence tools with an “unprecedented integration of artificial intelligence throughout their attack lifecycle.”

This systematic approach resulted in the compromise of personal records, including healthcare data, financial information, government credentials, and other sensitive information.

The primary goal of the cybercriminals is extortion of the compromised organizations. The attacker dropped ransom notes on compromised systems demanding payments ranging from $75,000 to $500,000 in Bitcoin. If a target refuses to pay, the stolen personal records will be published or sold to other cybercriminals.

Other campaigns stopped by Anthropic involved North Korean IT worker schemes, Ransomware-as-a-Service operations, credit card fraud, information stealer log analysis, a romance scam bot, and a Russian-speaking developer using Claude to create malware with advanced evasion capabilities.

But the case in which Anthropic found cybercriminals attacking at least 17 organizations represents an entirely new phenomenon: the attacker used AI throughout the entire operation. From gaining access to the targets’ systems to writing the ransom notes, Claude was used to automate every step of this cybercrime spree.

Anthropic has a Threat Intelligence team that investigates real-world abuse of its models and works with other teams to find and improve defenses against this type of abuse. It also shares key indicators from its findings with partners to help prevent similar abuse across the ecosystem.

Anthropic did not name any of the 17 organizations, but it stands to reason we’ll learn who they are sooner or later: one by one, as they report data breaches, or all at once if the cybercriminals decide to publish a list.

Check your digital footprint

Data breaches of organizations that we’ve given our data to happen all the time, and that stolen information is often published online. Malwarebytes has a free tool for you to check how much of your personal data has been exposed—just submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scanner and we’ll give you a report and recommendations.

TeaOnHer, the male version of Tea, is leaking personal information on its users too

7 August 2025 at 07:18

Last week we reported about some serious leaks in Tea Dating Advice, an app that provides a space for women to exchange information about men they know, have met, or have dated in the past.

The app aims to provide a platform where people can share relevant information about, say, potentially abusive partners. However, it leaked images and private messages, leading to 10 potential class action lawsuits in federal and state courts for negligent data practices.

Now it has been revealed that the male equivalent, TeaOnHer, has exposed users’ personal information as well, including government IDs and selfies.

TeaOnHer, which ranks high in the Lifestyle apps category for iOS, allows men to share photos and information about women they have dated. It appears to have been designed with a sense of vengeance against the Tea Dating Advice app: It uses similar language in the App Store description, and as it turns out, it’s just as leaky.

TechCrunch reports it found at least one vulnerability that allows any user access to other users’ email addresses, driver’s licenses, self-reported location, and selfies. Perhaps most distressingly, the news outlet also discovered that guest users could view explicit images of women, likely shared without consent.

TechCrunch also found an email address and password belonging to the app’s creator. Although it did not test this for legal reasons, it seems likely that those credentials would provide access to the app’s administrator panel.

It is disappointing that apps made for sharing private information and ranked so high in the App Store apparently have such a poor security standard.

TeaOnHer’s creator did not respond to emails from TechCrunch asking where to report the flaws, so TechCrunch only shared the fact that the flaws exist without going into much detail. This is commendable given the sensitivity of the shared data.

Protecting yourself after a data breach

While there are no indications that anyone else has accessed this data, it is a possibility we can’t ignore. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.
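The “Protecting yourself after a data breach” lists on this page all make the same claim: a one-time code from an authenticator app can be phished just like a password, while a FIDO2 second factor cannot. The reason is that a TOTP code carries nothing that names the site it was generated for, whereas a WebAuthn assertion is signed over the origin the browser saw and over a credential scoped to the relying party’s domain. The toy model below is an added example, not code from Malwarebytes or from any of the companies mentioned; it uses an HMAC key shared between authenticator and relying party as a stand-in for a real credential keypair (an assumption that does not affect the origin-binding argument), and the hostnames are constructed, not real sites.

```python
"""Added toy model: a relayed TOTP code logs the phisher in, a relayed FIDO2/WebAuthn
assertion does not. The HMAC key shared by authenticator and relying party (RP) stands in
for a real credential keypair (assumption); hostnames below are constructed examples."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://shop.mango.example"
RP_ID = "mango.example"
PHISH_ORIGIN = "https://mango-login.example"


# ---- TOTP (RFC 6238: HMAC-SHA1 over the 30-second time step, dynamic truncation) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_relay_attack(now: int = 1_700_000_000) -> bool:
    """Victim types the code into the phishing page; the phisher forwards it seconds later."""
    shared_secret = secrets.token_bytes(20)       # provisioned to both the user's app and the RP
    typed_into_phish = totp(shared_secret, now)   # nothing in the code names the site it is for
    return hmac.compare_digest(totp(shared_secret, now + 5), typed_into_phish)  # RP accepts


# ---- FIDO2 / WebAuthn ----
class Authenticator:
    def __init__(self):
        self.creds = {}  # credential id -> (rpId the credential is scoped to, key)

    def register(self, rp_id: str):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key  # the RP stores the key (a public key in a real deployment)

    def _sign(self, cred_id: str, rp_id: str, challenge: str, origin: str) -> dict:
        """Raw signing with no scope checks; only get_assertion() should call this."""
        _, key = self.creds[cred_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        # authenticatorData = rpIdHash || flags (user present) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"id": cred_id, "clientDataJSON": client_data,
                "authenticatorData": auth_data, "signature": sig}

    def get_assertion(self, cred_id: str, rp_id: str, challenge: str, origin: str) -> dict:
        host = urlparse(origin).hostname or ""
        if not (host == rp_id or host.endswith("." + rp_id)):  # browser: rpId must match the page host
            raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
        if self.creds[cred_id][0] != rp_id:                     # authenticator: credential scoped elsewhere
            raise PermissionError("credential is not scoped to this rpId")
        return self._sign(cred_id, rp_id, challenge, origin)


def rp_verify(rp_keys: dict, assertion: dict, challenge: str):
    """RP-side checks in the order WebAuthn prescribes: challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(rp_keys[assertion["id"]],
                        ad + hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"


def fido2_relay_attack() -> dict:
    auth = Authenticator()
    cred_id, key = auth.register(RP_ID)
    rp_keys = {cred_id: key}
    challenge = secrets.token_urlsafe(32)  # issued by the real RP, relayed by the phishing page
    out = {"genuine_login": rp_verify(rp_keys, auth.get_assertion(cred_id, RP_ID, challenge, REAL_ORIGIN), challenge)}
    try:  # 1. phishing page asks for the real rpId: the browser refuses
        auth.get_assertion(cred_id, RP_ID, challenge, PHISH_ORIGIN)
        out["phish_real_rpid"] = "signed"
    except PermissionError as e:
        out["phish_real_rpid"] = f"refused: {e}"
    try:  # 2. phishing page asks for its own rpId: the credential is not scoped to it
        auth.get_assertion(cred_id, "mango-login.example", challenge, PHISH_ORIGIN)
        out["phish_own_rpid"] = "signed"
    except PermissionError as e:
        out["phish_own_rpid"] = f"refused: {e}"
    # 3. hypothetical: a signature over the phishing origin existed anyway (browser checks bypassed)
    leaked = auth._sign(cred_id, RP_ID, challenge, PHISH_ORIGIN)
    out["phish_origin_forwarded"] = rp_verify(rp_keys, leaked, challenge)
    patched = dict(leaked, clientDataJSON=leaked["clientDataJSON"].replace(
        PHISH_ORIGIN.encode(), REAL_ORIGIN.encode()))  # phisher rewrites the origin to pass the check
    out["phish_origin_patched"] = rp_verify(rp_keys, patched, challenge)
    return out
```

Calling `totp_relay_attack()` returns True: the relayed code is accepted as long as the phisher forwards it inside the 30-second window. `fido2_relay_attack()` shows the three layers that stop the same relay for FIDO2: the browser refuses to sign for an rpId that does not match the phishing page’s host, the authenticator refuses to use a credential scoped to another rpId, and even if an assertion over the phishing origin somehow existed, the relying party rejects it on the origin check, and rewriting the origin field breaks the signature because it covers the hash of clientDataJSON.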
