@securityonline.info
//
SK Telecom, South Korea's largest mobile network operator, revealed a significant data breach in April 2025 that exposed the USIM data of 27 million subscribers. The company first detected malware on its networks on April 19, 2025, and responded by isolating the compromised servers. Investigations have since revealed the breach began as far back as June 15, 2022, with attackers deploying a web shell on one of SK Telecom's servers. This initial compromise provided a foothold in the network, allowing them to execute commands and deploy additional malware payloads across multiple servers.
The attackers were able to steal a wide array of sensitive information, including users’ IMSI numbers, USIM authentication keys, network usage data, text messages, and contacts stored on SIM cards. A joint investigative committee comprising the South Korean government and SK Telecom discovered 25 separate backdoor programs on the company’s servers. Due to the undetected nature of the breach for nearly three years, the intruders were able to implant backdoors tailored to different malicious functions. SK Telecom only began logging server activity on December 31, 2024, creating a data void between June 15, 2022, and December 31, 2024, making it difficult to ascertain what data was exfiltrated or what malicious operations were executed during that time.
The breach has affected an estimated 26.95 million SK Telecom users, prompting the company to take immediate action. SK Telecom has suspended the onboarding of new customers and announced it will begin notifying all affected individuals to replace their SIM cards and adopt enhanced security measures. To mitigate the risks associated with SIM-swapping attacks, SK Telecom announced it would issue replacement SIM cards to all affected customers, while also implementing stricter safeguards to prevent unauthorized number transfers. The company also confirmed that USIM records for its entire subscriber base of 29 million people were exposed.
@cyberscoop.com
//
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.
The data breach is considered one of the largest single breaches of American schoolchildren's data, affecting approximately 62.4 million students and 9.5 million teachers. According to court documents, Lane obtained stolen data from a U.S. telecommunications company before targeting PowerSchool. After the initial victim refused to pay a ransom, Lane allegedly sought to hack another company that would pay. The stolen information included sensitive details like Social Security numbers and academic records.
Lane will plead guilty to multiple charges, including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The incident has been described by authorities as a serious attack on the economy, with the potential to instill fear in parents regarding the safety of their children's data. This case highlights the increasing risk of cyberattacks targeting educational institutions and the importance of robust cybersecurity measures to protect student and teacher data.
References:
- cyberscoop.com: Massachusetts man will plead guilty in PowerSchool hack case
- DataBreaches.Net: Massachusetts hacker to plead guilty to PowerSchool data breach
- BleepingComputer: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers.
- The DefendOps Diaries: Explore the PowerSchool data breach, its impact on education tech, and lessons for cybersecurity.
- BleepingComputer: PowerSchool hacker pleads guilty to student data extortion scheme
- cyberinsider.com: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
- techcrunch.com: US student agrees to plead guilty to hack affecting tens of millions of students
- The Register - Security: US teen to plead guilty to extortion attack against PowerSchool
- hackread.com: 19-Year-Old Admits to PowerSchool Data Breach Extortion
Dissent@DataBreaches.Net
//
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.
The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.
Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.
References:
- DataBreaches.Net: CoinPedia reports: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” That’s the message left behind after hackers gave LockBit – a ransomware gang known for extorting millions. Yes, they just got a brutal taste of their own medicine.
- Metacurity: All of the ransomware gang's admin panels now state: "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit ransomware gang hacked, victim negotiations exposed
- Searchlight Cyber: Searchlight’s threat intelligence team shares their early observations from the LockBit data leak. On May 7, 2025 it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit has been hijacked.
- www.bitdegree.org: LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
- BleepingComputer: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
- hackread.com: LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a…
- Davey Winder: 60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
- www.it-daily.net: LockBit hacker group was hacked
- socradar.io: LockBit Hacked: 60,000 Bitcoin Addresses Leaked
- securityaffairs.com: The LockBit ransomware site was breached, database dump was leaked online
- slcyber.io: Early Analysis of the LockBit Data Leak
- hackread.com: LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked
- The DefendOps Diaries: LockBit Ransomware Gang Hacked: Internal Operations Exposed
- www.scworld.com: Data breach exposes LockBit ransomware gang
- www.itpro.com: LockBit ransomware group falls victim to hackers itself
- Help Net Security: LockBit Hacked: What does the leaked data show?
- Talkback Resources: Valuable information leaked from LockBit ransomware operation's administration panel, revealing details on affiliates, ransom negotiations, and potential infighting within the cybercriminal community.
- ComputerWeekly.com: reports analysis of the LockBit 3.0 data leak
- Tech Monitor: Ransomware group LockBit faces breach, affiliate data exposed
- www.tripwire.com: LockBit ransomware gang breached, secrets exposed
- cybersecuritynews.com: The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations.
- bsky.app: LockBit Ransomware Gang Breached, Secrets Exposed
- OODAloop: LockBit ransomware group was hacked, exposing internal operations data, potentially affecting future operations.
Pierluigi Paganini@Security Affairs
//
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the vulnerabilities associated with modifying secure messaging applications, especially concerning the preservation of end-to-end encryption.
The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised.
TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk.
References:
- securityaffairs.com: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
- Talkback Resources: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov [app]
- www.techradar.com: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
- www.metacurity.com: A hacker stole content from the Telemessage system used by the US government
- TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
- The DefendOps Diaries: TeleMessage Breach: Unveiling the Risks of Modified Secure Messaging Apps
- techcrunch.com: TeleMessage, a modified Signal clone used by US government officials, has been hacked
- Risky Business Media: Trump admin’s Signal clone gets hacked, messages exposed
- The Register - Security: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
- siliconangle.com: The security of U.S. government officials’ communications has come under the spotlight again after a modified Signal app used to archive data from third-party messaging apps was hacked in less than 30 minutes.
- WIRED: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
- CyberInsider: Signal Clone App Used by Trump Officials Breached in Minutes
- Metacurity: Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more
- arstechnica.com: TeleMessage, a company that provides modified versions of Signal for message archiving, has suspended its services after a reported hack, exposing communications from U.S. government officials.
- hackread.com: TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
- www.404media.co: A hacker has exploited a vulnerability in TeleMessage, a company that provides modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies that used the service, according to a report by 404 Media.
- www.csoonline.com: The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.
- Metacurity: You ask yourself how the Trump administration's insane messing around with the Signal app and its clones could get any worse, and then the universe tells you how. The Signal Clone the Trump Admin Uses Was Hacked
- Dropsafe: US Gov’t Signal-clone with backdoor for message retention, hacked, messages leaked | …I really hope #Ofcom are watching re: the impact of proposed client side scanning
- BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
- arstechnica.com: Signal clone used by Trump official stops operations after report it was hacked
- iHLS: Israeli Encrypted Messaging Archiving Platform Used by U.S. Officials Compromised in Cyberattack
- www.insicurezzadigitale.com: Signal clone: app used by a former Trump administration official suspended after hack
- bsky.app: TeleMessage, the Signal clone used by US government officials, suffers hack
- Privacy | Graham Cluley: TeleMessage, the Signal clone used by US government officials, suffers hack
- WIRED: The Signal clone Mike Waltz Was Caught Using Has Direct Access to User Chats
- WIRED: Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
- Metacurity: TeleMessage suspends service following reported hack
Lorenzo Franceschi-Bicchierai,@TechCrunch
//
The notorious imageboard 4chan has suffered a major security breach, resulting in a service outage and the leak of sensitive internal data. The incident, which occurred on Monday night and Tuesday, has raised concerns about the exposure of user information and the potential compromise of the anonymity afforded to the site's administrators and moderators. Hackers claim to have exfiltrated the site's source code, moderator email addresses, and internal communications, posting screenshots of 4chan's backend systems on a rival forum known as Soyjak.party.
The breach was reportedly triggered by community infighting and a "meme war" between users of 4chan and Soyjak.party. The hackers claim to have had access to 4chan's systems for over a year. The leaked data includes a list of alleged 4chan administrator and moderator usernames with associated email addresses, leading to concerns about potential doxxing and the exposure of personal information. One 4chan janitor, who spoke on the condition of anonymity, confirmed that they are “confident” that the leaked data and screenshots are “all real.”
The incident has also raised questions about 4chan's data security practices and the "false sense of security" that the platform's anonymity may have provided to users. Security experts have warned that the breach could expose the identities of individuals involved in running the forums, which have become central to alt-right movements. While the full extent of the damage remains unclear, the hack represents a significant challenge for 4chan, potentially impacting its continued operation and raising concerns about the safety and privacy of its users.
References:
- Joseph Cox: Sure looks like a five year old, inter-image board beef led to the hacking of notorious message board 4chan. The hackers claim to have exposed code for the site, the emails of moderators, and a list of mod communications, we got some of the data. https://www.404media.co/4chan-is-down-following-what-looks-to-be-a-major-hack-spurred-by-meme-war/
- infosec.exchange: NEW: The notorious image board 4chan has been hacked. Site has been intermittently down for hours, and hackers have published screenshots of site's backend, alleged source code, and list of moderators and "janitors." One janitor told us they are "confident" data is "all real."
- techcrunch.com: The infamous website was taken down and working intermittently, while hackers leaked alleged data like moderators email addresses, and source code.
- WIRED: Suspected 4chan Hack Could Expose Longtime, Anonymous Admins
- DataBreaches.Net: 4chan hacked, internal data leaked on rival image board. Mikael Thalen reports: The notorious imageboard 4chan is currently inaccessible after hackers appear to have leaked internal data from the website.
- The Register - Security: 4chan, the 'internet’s litter box,' appears to have been pillaged by rival forum. Source code, moderator info, IP addresses, more allegedly swiped and leaked. Thousands of 4chan users reported outages Monday night amid rumors on social media that the edgy anonymous imageboard had been ransacked by an intruder, with someone on a rival forum claiming to have leaked its source code, moderator identities, and users' IP addresses.
- PCMag UK security: 4chan Goes Offline After Hacker Appears to Hijack the Site. The notorious internet bulletin board has gone offline, possibly from a serious hack, causing some to wonder if the site can recover.
- 404 Media: 4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War. Hackers claim to have obtained 4chan's code, emails of moderators, and internal communications.
- techcrunch.com: Notorious image board 4chan hacked and internal data leaked
- BleepingComputer: Infamous message board 4chan taken down following major hack
- thecyberexpress.com: 4Chan Outage Sparks Cyberattack Rumors and Data Leak Concerns
- securityonline.info: 4chan Suffers Major Cyberattack, Sensitive Data Leaked
- Sam Bent: 4chan Hacked to Hell: But Was It Always a Fed Honeypot?
- www.404media.co: 4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War
- www.itnews.com.au: Notorious internet messageboard 4chan hacked, posts claim
- hackread.com: 4chan Breached? Hacker from Rival Soyjak Forum Claims Source Code Leak
- Risky.Biz: China puts up reward for three NSA hackers; ransomware attack disrupts dialysis clinics; 4chan hacked.
- Zack Whittaker: The leak included email addresses linked to moderators, triggering suspicions of a breach, with one moderator believing it to be genuine.
- www.scworld.com: Notorious online forum 4chan has been taken down following a significant cyberattack claimed by members of the Soyjak.party imageboard, or The Party, on Monday
- www.newsweek.com: massive 4chan breach, source code leak, moderator and janitor account information leaked