CyberSecurity news

FlagThis - #databreach

@cyberinsider.com //
Legends International, a prominent entertainment venue management firm, has disclosed a data breach that occurred in November 2024. The breach compromised the personal information of both employees and visitors to venues managed by the company. According to reports, the company detected unauthorized activity within its IT systems on November 9, 2024, prompting an immediate investigation with the assistance of external cybersecurity experts. Legends International also notified law enforcement following the discovery of the cyberattack.

The investigation confirmed that unauthorized actors had accessed and exfiltrated files containing personal data. The compromised information varies by individual but may include sensitive details such as dates of birth, Social Security numbers, driver's license and government ID numbers, financial account details, medical information, and health insurance information. The company has stated that the individuals affected either worked at or visited a venue managed by Legends International.

In response to the breach, Legends International has taken steps to strengthen its security controls. While the company maintains that it is unaware of any misuse of personal information resulting from the incident, it is offering affected individuals a complimentary 24-month membership to Experian's IdentityWorks service. This service includes credit monitoring, identity restoration support, and up to $1 million in identity theft insurance. The incident has impacted at least 8,065 individuals in Texas and Massachusetts, though reports indicate that over 118,000 people nationwide may be affected.

Recommended read:
References :
  • cyberinsider.com: Legends International Discloses Data Breach Impacting Guests and Employees
  • Security Affairs: Entertainment venue management firm Legends International disclosed a data breach
  • BleepingComputer: Entertainment services giant Legends International discloses data breach
  • www.scworld.com: Legends International notifies customers, employees of data breach
  • Cyber Security News: Data Breach at Legends International Exposes Customer Information

@x.com //
Ahold Delhaize, the multinational retail and wholesale company with operations in both Europe and the United States, has confirmed a data breach following a cyberattack in November 2024. The company, which owns supermarket brands such as Stop & Shop, Giant Food, Food Lion and Hannaford, acknowledged that certain files were stolen from its U.S. business systems. The breach was claimed by the INC ransomware group, which has threatened to release sensitive information if its demands are not met, according to researchers at Arctic Wolf. The company is currently working with outside forensics experts to determine the exact nature of the compromised data and to comply with legal obligations regarding disclosure to affected individuals.

The cyberattack disrupted e-commerce operations, particularly affecting Hannaford's pickup and delivery services, which were halted for several days. Other U.S. banners also experienced disruptions and reduced availability for e-commerce services due to "system outages." While physical stores remained open and continued to accept most payment methods, including credit cards, Ahold Delhaize took some systems offline to protect them. The company also notified and updated law enforcement about the incident.

The INC ransomware group claims to have exfiltrated approximately 6 terabytes of data from Ahold Delhaize's U.S. division. This data includes sensitive documents and personal identifiers, raising concerns about potential misuse and privacy violations. Ahold Delhaize is advising customers to be vigilant for phishing attempts and fraudulent activity. The company is currently investigating the extent of the breach and is committed to taking necessary measures to contain the situation and prevent further unauthorized access.

Recommended read:
References :
  • The DefendOps Diaries: Ahold Delhaize Cyberattack: A Deep Dive into the Ransomware Breach
  • BleepingComputer: Ahold Delhaize confirms data theft after INC ransomware claims attack
  • www.cybersecuritydive.com: Ahold Delhaize confirms data stolen after threat group claims credit for November attack
  • www.scworld.com: Data breach confirmed by Ahold Delhaize after INC ransomware claims
  • Cyber Security News: Ahold Delhaize data breach in November 2024.
  • bsky.app: Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack.
  • gbhackers.com: GBHackers articles about Ahold Data stolen
  • www.techradar.com: Food retail giant behind several major US supermarket brands confirms data stolen in major ransomware breach
  • thecyberexpress.com: Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024.
  • newsroom.aholddelhaize.com: Ahold Delhaize updates statement on Nov. 8, 2024 cybersecurity issue
  • Check Point Research: For the latest discoveries in cyber research for the week of 21st April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems. The attack, claimed by ransomware group INC Ransom, impacted Ahold Delhaize USA […]
  • eSecurity Planet: Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems.
  • thecyberexpress.com: The INC Ransom gang claimed responsibility for the cyberattack on Ahold Delhaize.
  • Davey Winder: Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024.

Jenna McLaughlin@NPR Topics: Technology //
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules, and that agency staff were instructed to hand over any requested accounts and stay out of DOGE's way.

According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it.

The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the use of valid credentials suggests a potential compromise. NPR has reported that the data DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter.

Recommended read:
References :
  • ciso2ciso.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts – Source: www.csoonline.com
  • The Register - Security: Whistleblower describes DOGE IT dept rampage at America's labor watchdog
  • www.csoonline.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts.
  • DataBreaches.Net: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data
  • aboutdfir.com: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data In the first days of March, a team of advisers from President Trump’s new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.
  • Policy - Ars Technica: Government IT whistleblower calls out DOGE, says he was threatened at home
  • NPR Topics: Technology: Someone using a Russian IP address attempted to access the internal systems of the US National Labor Relations Board (NLRB) using legitimate accounts set up by staff from Elon Musk's Department of Government Efficiency (DOGE), a whistleblower inside the agency has alleged.

David Jones@cybersecuritydive.com //
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. The alert responds to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims that a large trove of customer credentials has been compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.

CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments.

To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible.
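The "review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials" step above is the one most organizations cannot do by hand. The script below is an added example of such a review, written for this digest and not taken from CISA's guidance or from any Oracle tooling. It runs over a constructed in-memory "repository" (a shell script, a Terraform template, an INI file and a Python client; all file names and values are made up, and the AWS-style key is Amazon's documented example key), flags secret-shaped tokens and literal assignments to secret-named variables, skips values that already reference a secret manager or environment variable, and reports a redacted preview plus Shannon entropy so a reviewer can triage what to rotate first.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample files standing in for a repository checkout. Every path and
# value here is made up for the example; the AKIA... key is AWS's public example key.
SAMPLE_FILES = {
    "deploy.sh": 'export DB_PASSWORD="Sup3rS3cret!2024"\naws s3 cp build.tgz s3://releases/\n',
    "infra/main.tf": (
        'provider "aws" {\n'
        '  access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        '  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "}\n"
    ),
    # Clean file: the token is a secret-manager reference, not a literal.
    "app/settings.ini": "[api]\ntoken = ${VAULT:api/token}\nurl = https://api.example.internal\n",
    "app/client.py": 'HEADERS = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.ZmFrZXNpZw"}\nTIMEOUT = 30\n',
}

# Shapes that are secrets regardless of the variable they are assigned to.
SPECIFIC_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer-token", re.compile(r"Bearer\s+[A-Za-z0-9\-_.=]{20,}")),
]

# A literal assigned to a secret-looking name: DB_PASSWORD="...", secret_key = "...", token: ...
SECRET_ASSIGNMENT = re.compile(
    r"(?i)([\w.\-]*(?:password|passwd|pwd|secret|api_?key|access_key|token)[\w.\-]*)"
    r"\s*[:=]\s*[\"']?([^\"'\s,;]+)"
)

# Values that point at a secret manager or the environment instead of embedding the secret.
PLACEHOLDER_PREFIXES = ("${", "$(", "$", "<", "{{", "%(", "os.environ", "process.env")
MIN_SECRET_LENGTH = 8


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    key: str        # variable name for assignment hits, empty for shape hits
    preview: str    # redacted value: never log the full secret
    entropy: float  # Shannon entropy in bits/char, a triage hint


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in {ch: value.count(ch) for ch in set(value)}.values())


def is_placeholder(value: str) -> bool:
    return value.startswith(PLACEHOLDER_PREFIXES)


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return at most one finding per line: shape rules first, then named assignments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = next(((rule, m) for rule, pat in SPECIFIC_RULES if (m := pat.search(line))), None)
        if hit:
            rule, m = hit
            token = m.group(0)
            findings.append(Finding(path, lineno, rule, "", redact(token), round(shannon_entropy(token), 2)))
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            key, value = m.group(1), m.group(2)
            if len(value) >= MIN_SECRET_LENGTH and not is_placeholder(value):
                findings.append(Finding(path, lineno, "secret-assignment", key, redact(value),
                                        round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.key or '-'} = {f.preview} (entropy {f.entropy})")
```

The INI file produces no finding because its value is a reference, which is the end state CISA describes: literals replaced by lookups against centralized secret management. Anything the scanner does flag should be treated as already exposed and rotated, not merely deleted from the file, since it remains in version history.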

Recommended read:
References :
  • DataBreaches.Net: Sergiu Gatlan reports: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks. CISA said, “the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate,...
  • BleepingComputer: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks.
  • www.cybersecuritydive.com: The agency is asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
  • MSSP feed for Latest: Legacy Oracle cloud breach poses credential exposure risk
  • hackread.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…
  • www.scworld.com: Secure legacy Oracle cloud credentials amid leak reports, CISA warns
  • www.itpro.com: CISA issues warning in wake of Oracle cloud credentials leak
  • securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • The Register - Security: Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter
  • securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • The DefendOps Diaries: Understanding the Oracle Cloud Breach: CISA's Guidance and Recommendations
  • ciso2ciso.com: CISA Urges Action on Potential Oracle Cloud Credential Compromise
  • ciso2ciso.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading to phishing, network breaches, and data theft.

ross.kelly@futurenet.com (Ross)@Latest from ITPro //
Hertz Corporation has announced a data breach affecting customers of its Hertz, Thrifty, and Dollar car rental brands. The breach stems from the exploitation of Cleo zero-day vulnerabilities in late 2024. Customer data, including personal information and driver's licenses, was stolen. The company confirmed the breach on February 10, 2025, stating that an unauthorized third party acquired Hertz data by exploiting vulnerabilities within Cleo's platform in October and December 2024.

The stolen data varies depending on the region, but generally includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. In some instances, Social Security numbers and other government-issued identification numbers were also compromised. Notices about the breach have been posted on Hertz websites for customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California, Maine, and Texas. Hertz has disclosed that at least 3,400 customers in Maine and some 96,665 customers in Texas were affected.

The company attributed the breach to vulnerabilities in Cleo's software, which was targeted by the Clop ransomware gang in 2024. This breach highlights the significant cybersecurity risks associated with third-party vendors and the potential for mass data theft. It is another example of the widespread consequences that can occur from zero-day exploits in widely used enterprise file transfer products. Those affected have been advised to take precautions to protect their personal and financial information.

Recommended read:
References :
  • securityaffairs.com: Hertz disclosed a data breach following 2024 Cleo zero-day attack
  • techcrunch.com: Hertz says customers’ personal data and driver’s licenses stolen in data breach
  • The DefendOps Diaries: Hertz Data Breach: Lessons in Cybersecurity and Vendor Management
  • www.bleepingcomputer.com: Hertz confirms customer info, drivers' licenses stolen in data breach
  • Zack Whittaker: New by me: Car rental giant Hertz has confirmed a data breach affecting customers' personal information, driver's licenses, and payment card data. Customers worldwide are being notified.
  • techcrunch.com: Hertz says customers' personal data and driver's licenses stolen in data breach
  • BleepingComputer: Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks.
  • www.itpro.com: Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
  • Malwarebytes: Hertz data breach caused by CL0P ransomware attack on vendor Cleo
  • PCMag UK security: Hackers Stole Credit Card, Driver's License Info in Hertz Data Breach
  • Zack Whittaker: Hertz won't say how many are affected by its breach, but continues to notify U.S. states, giving a little indication of the numbers. Per its filing in Texas today, Hertz said 96,665 Texas residents are affected. Plus 3,400 people in Maine and that's already 100,000+ people in two states alone.
  • www.cybersecuritydive.com: Hertz says personal data breached in connection with Cleo file-transfer flaws
  • ComputerWeekly.com: Hertz warns UK customers of Cleo-linked data breach
  • The Register - Security: Where it Hertz: Customer data driven off in Cleo attacks
  • cyberinsider.com: Hertz Confirms Data Breach Following Clop Ransomware Leaks
  • cyberinsider.com: Analysis of how the Clop ransomware group exploited zero-day vulnerabilities to compromise Hertz's systems
  • Help Net Security: Car rental company Hertz suffers a data breach from exploitation of vulnerabilities in third-party software.
  • hackread.com: Hertz Confirms Data Breach After Hackers Stole Customer PII

Pierluigi Paganini@securityaffairs.com //
A cybercriminal group has suffered a taste of its own medicine after its website was hacked, with the attacker leaving a message warning against illegal activity. In a separate incident, the National Social Security Fund (CNSS) of Morocco has confirmed a data breach following a cyber attack. The incidents highlight the ever-present threat of cybercrime, even within the cybercriminal underworld itself.

The CNSS of Morocco has acknowledged that its computer systems were targeted by cyber attacks, leading to a data breach. A threat actor, using the alias 'Jabaroot', claimed responsibility for stealing large volumes of citizen data. The actor is reportedly targeting government systems in Morocco.

The CNSS has activated its security protocols and launched an internal investigation to determine the extent and origin of the breach. Initial investigations have revealed that leaked documents circulating on social media contain false, inaccurate, or incomplete information. The Fund is working diligently to understand the full scope of the incident and protect the personal data and confidentiality of user information.


@hackread.com //
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.

To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible.

The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public.

Recommended read:
References :
  • Rescana: Rescana post about the ransomware attack on NASCAR
  • hackread.com: Medusa Ransomware Claims NASCAR Breach in Latest Attack, Demands $4M Ransom
  • bsky.app: Medusa ransomware gang claims to have hacked NASCAR. https://www.bitdefender.com/en-us/blog/hotforsecurity/medusa-ransomware-hacked-nascar
  • cybersecuritynews.com: The Medusa ransomware group has reportedly launched a major cyberattack on the National Association for Stock Car Auto Racing (NASCAR), demanding a $4 million ransom to prevent the release of sensitive data.
  • www.bitdefender.com: Medusa ransomware gang claims to have hacked NASCAR The Medusa ransomware-as-a-service (RaaS) claims to have compromised the computer systems of NASCAR, the United States' National Association for Stock Car Auto Racing, and made off with more than 1TB of data.
  • www.cysecurity.news: Hackers Demand $4 Million After Alleged NASCAR Data Breach. The motorsports industry has recently been faced with troubling news that NASCAR may have become the latest high-profile target for a ransomware attack as a result of the recent hackread.com report.
  • Cyber Security News: Medusa Ransomware Claims NASCAR Hack, Demands $4 Million Ransom

@cybersecuritynews.com //
A hacker using the alias "Satanic" has claimed responsibility for a significant data breach affecting WooCommerce, a widely used eCommerce platform. The breach, said to have occurred on April 6, 2025, reportedly compromised over 4.4 million user records. According to the hacker's posts on Breach Forums, the data was not directly extracted from WooCommerce's core infrastructure but from systems closely linked to websites utilizing the platform, potentially through third-party integrations such as CRM or marketing automation tools. The alleged breach has raised concerns about the security of third-party integrations within the WooCommerce ecosystem.

The compromised database reportedly includes an extensive array of sensitive information. This includes 4,432,120 individual records, 1.3 million unique email addresses, and 998,000 phone numbers. It also encompasses metadata on corporate websites, such as technology stacks and payment solutions. A sample of the stolen data reveals records from prominent organizations like the National Institute of Standards and Technology (NIST), Texas.gov, NVIDIA Corporation, the New York City Department of Education, and Oxford University Press. Each record contains detailed information typically found in marketing databases, including estimated revenue, marketing platforms, hosting providers, and social media links.

Adding to the woes of WooCommerce users, a separate security threat has emerged with the discovery of a malicious Python package named "disgrasya" on PyPI. This package, detected by the Socket Research Team, contains an automated carding script specifically designed to target WooCommerce stores using CyberSource as their payment gateway. The malware simulates legitimate user behavior to avoid detection while exfiltrating stolen credit card data. Organizations are advised to enable fraud protection rules, monitor for suspicious patterns, implement CAPTCHA or bot protection, and rate limit checkout and payment endpoints to mitigate the risk of automated carding attacks.
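The last sentence above lists the controls a store operator is advised to apply against automated carding: watch for suspicious patterns and rate limit the checkout and payment endpoints. The code below is an added example of what that detection looks like server-side; it is not from WooCommerce, CyberSource or the Socket Research Team's report. It runs a sliding-window check over a constructed stream of checkout attempts (IP addresses from documentation ranges, made-up card fingerprints) and flags a client on three signals a carding script tends to produce that a human shopper does not: too many attempts in the window, too many distinct cards in the window, and a high decline ratio. The thresholds are assumptions for the example and would be tuned per store.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckoutEvent:
    ts: float        # seconds; constructed timestamps
    client: str      # rate-limit key: client IP here, could be session or account
    card_fp: str     # non-reversible fingerprint of the card; never the PAN itself
    declined: bool   # gateway result


@dataclass(frozen=True)
class Policy:
    window_s: float = 60.0            # sliding window length
    max_attempts: int = 5             # attempts per window before rate limiting
    max_distinct_cards: int = 3       # distinct cards per window before flagging
    min_attempts_for_ratio: int = 4   # do not judge decline ratio on tiny samples
    max_decline_ratio: float = 0.6    # declines / attempts above this is suspicious


# Constructed sample: a human shopper whose card is declined once and then
# succeeds on retry, and an automated client cycling through 12 cards in 22 seconds.
SAMPLE_EVENTS = [
    CheckoutEvent(1000.0, "203.0.113.10", "fp-a1", True),
    CheckoutEvent(1030.0, "203.0.113.10", "fp-a1", False),
    *[CheckoutEvent(1000.0 + 2 * i, "198.51.100.7", f"fp-b{i}", i % 5 != 0) for i in range(12)],
]


class CheckoutGuard:
    """Per-client sliding window over recent checkout attempts."""

    def __init__(self, policy: Policy = Policy()):
        self.policy = policy
        self.recent: dict[str, deque] = defaultdict(deque)

    def evaluate(self, ev: CheckoutEvent) -> list[str]:
        """Record the attempt and return the reasons (if any) it should be throttled or blocked."""
        window = self.recent[ev.client]
        # Evict attempts that fell out of the window.
        while window and ev.ts - window[0].ts > self.policy.window_s:
            window.popleft()
        window.append(ev)

        reasons = []
        if len(window) > self.policy.max_attempts:
            reasons.append("rate-limit")
        if len({e.card_fp for e in window}) > self.policy.max_distinct_cards:
            reasons.append("card-velocity")
        if len(window) >= self.policy.min_attempts_for_ratio:
            ratio = sum(e.declined for e in window) / len(window)
            if ratio > self.policy.max_decline_ratio:
                reasons.append("decline-ratio")
        return reasons


def run(events: list[CheckoutEvent], policy: Policy = Policy()) -> dict[str, set[str]]:
    """Replay events in time order; return every client that tripped a rule and why."""
    guard = CheckoutGuard(policy)
    flagged: dict[str, set[str]] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        for reason in guard.evaluate(ev):
            flagged[ev.client].add(reason)
    return dict(flagged)


if __name__ == "__main__":
    for client, reasons in run(SAMPLE_EVENTS).items():
        print(f"{client}: {', '.join(sorted(reasons))}")
```

In a real deployment `evaluate()` sits in the checkout handler before the gateway call, so a "rate-limit" result returns an HTTP 429 and a "card-velocity" result can trigger the CAPTCHA or bot challenge the text mentions; the decline ratio is the signal to feed into the gateway's own fraud rules, since a script testing stolen numbers sees far more declines than a shopper ever does.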

Recommended read:
References :
  • Cyber Security News: CyberPress article on WooCommerce Allegedly Breached
  • hackread.com: Hackread article on WooCommerce data breach
  • Cyber Security News: Hackers Allegedly Claiming WooCommerce Breach, 4.4 Million Customer Details Stolen
  • hackread.com: Hacker Claims WooCommerce Data Breach, Selling 4.4 Million User Records
  • cyberpress.org: WooCommerce Allegedly Breached, 4.4 Million Customer Details Exposed

@www.cybersecurity-insiders.com //
The US Treasury's Office of the Comptroller of the Currency (OCC) has disclosed a significant email breach, classified as a "major incident." The breach, which went undetected for over a year, involved unauthorized access to 150,000 emails within 100 accounts belonging to US bank regulators at the OCC. These emails contained highly sensitive details concerning the financial condition of federally regulated financial institutions, information critical to the OCC's examinations and supervisory oversight processes. The OCC became aware of unusual activity on February 11th, discovering an administrative account interacting with agency mailboxes in an unauthorized manner. IT staff confirmed the unauthorized access and disabled the affected accounts the following day.

The OCC notified Congress about the incident on the same day as a Bloomberg report, calling it a “major incident.” Internal and independent investigations of email accounts and attachments indicate that OCC first became aware of the incident Feb. 11, when the office was notified of an administrative account that was interacting with agency mailboxes in an unusual fashion. The next day, IT staff confirmed the account’s access was unauthorized and disabled the accounts. Acting Comptroller of the Currency Rodney E. Hood stated that immediate steps have been taken to determine the full extent of the breach and address organizational deficiencies that contributed to it. Hood promised full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.

Cybersecurity experts have expressed concern about the implications of this breach. The compromised data could allow malicious actors to exploit weaknesses in banks' cybersecurity controls and processes, making it easier to perpetrate fraud or disrupt services. Knowing the weakest targets and their specific vulnerabilities provides a significant advantage to attackers, enabling them to target banks with precision. Security experts also point to how recent cuts at CISA and other federal agencies will weaken cybersecurity in the federal government and across the public sector and U.S. election systems. The OCC is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury during its investigations.

Recommended read:
References :
  • cyberscoop.com: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • thecyberexpress.com: Hackers Had Access to 150,000 Emails in U.S. Treasury Email Breach
  • www.scworld.com: Hackers accessed 150,000 emails of 100 US bank regulators at OCC
  • securityaffairs.com: The US Treasury’s OCC disclosed an undetected major email breach for over a year
  • CyberScoop: The OCC said the February incident resulted in the theft of “highly sensitive information" tied to the financial conditions of federally regulated institutions.
  • BleepingComputer: Hackers lurked in Treasury OCC’s systems since June 2023 breach
  • www.cybersecuritydive.com: Treasury Department bank regulator discloses major hack

Dissent@DataBreaches.Net //
Oracle has confirmed a cloud data breach, issuing notifications to customers about a cybersecurity incident. The confirmation follows claims by a threat actor alleging possession of millions of data lines related to over 140,000 Oracle Cloud tenants, including sensitive Personally Identifiable Information (PII), along with corporate and financial data. The company states the breach involved what it described as "two obsolete servers," and maintains that its Oracle Cloud Infrastructure (OCI) was not compromised, and no OCI customer data was viewed or stolen. However, this incident has brought into question Oracle's communication strategy and the accuracy of its disclosures.

The company's initial response has sparked debate and criticism, with cybersecurity experts and customers expressing concern over potential inconsistencies in Oracle's narrative. While Oracle claims the issue stemmed from "obsolete servers," independent analyses and customer confirmations suggest that customer data may have been compromised, contradicting the company's initial denial of an OCI breach. The discrepancy between Oracle's statements and the emerging evidence has raised questions about transparency and the potential use of carefully chosen terminology to minimize the perceived impact of the incident.

The communication strategy has drawn specific criticism regarding Oracle's distinction between "Oracle Cloud" and "Oracle Cloud Classic." Experts, like Kevin Beaumont, have pointed out that this distinction allows Oracle to deny a breach of "Oracle Cloud" while acknowledging issues with "Oracle Classic," which is still part of Oracle's cloud services. This approach raises concerns about potential wordplay and its effects on customer trust and Oracle's reputation. The incident highlights the challenges companies face in maintaining transparency and trust during cybersecurity incidents, especially when sensitive customer data is at risk.

Recommended read:
References :
  • DataBreaches.Net: Oracle’s statement to customers is still raising questions about its disclosure and transparency
  • The DefendOps Diaries: Explore Oracle's security incident, its communication strategy, and the implications for customer trust and industry standards.
  • securityaffairs.com: Oracle confirms a cloud data breach, quietly informing customers while downplaying the impact of the security breach.
  • BleepingComputer: Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as "two obsolete servers."
  • The Register - Security: Oracle says its cloud was in fact compromised
  • securityonline.info: Oracle Data Breach: Authenticity Confirmed Despite Denial
  • Cyber Security News: CyberPress on Oracle Confirms Breach
  • cyberinsider.com: Oracle Sends “Not a Breach” Notices to Customers Following Data Exposure
  • phishingtackle.com: Oracle Confirms Cloud Data Breach, Privately Alerts Affected Customers
  • Techzine Global: Oracle confirms data breach via outdated servers, denies cloud breach
  • The Register - Security: The Reg translates the letter in which Oracle kinda-sorta tells customers it was pwned
  • Phishing Tackle: Oracle Confirms Cloud Data Breach, Privately Alerts Affected Customers
  • securityonline.info: At the end of March, a hacker claimed to have breached Oracle’s cloud infrastructure, allegedly exfiltrating approximately six million records. These reportedly included sensitive materials such as Oracle Cloud customer security keys, encrypted credentials, and LDAP authentication data. The threat actor even published a sample of the data as proof. Oracle promptly denied the breach, […]
  • CyberInsider: Cybersecurity Insiders article about Oracle sending data exposure notices to customers
  • www.csoonline.com: Oracle admits breach of ‘obsolete servers,’ denies main cloud platform affected

@www.cybersecurity-insiders.com //
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury Department, has confirmed a major email breach impacting approximately 100 bank regulators' accounts. The breach, which lasted for over a year, resulted in unauthorized access to more than 150,000 emails containing sensitive details about banks the agency oversees. According to the OCC's public statement, the compromised emails included highly sensitive information relating to the financial condition of federally regulated financial institutions and used in examination and supervisory oversight processes.

The OCC discovered the unauthorized access after being notified by Microsoft about unusual network behavior on Feb. 11. Following the discovery, the OCC notified Congress of the incident, describing it as a "major information security incident". Analysis by the OCC concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. The agency has since launched an internal and independent third-party review to determine the full extent of the breach and identify vulnerabilities that led to the unauthorized access.

Security experts have expressed concern over the news, emphasizing the potential for malicious actors to exploit the exposed information. One expert noted that knowing the weakest targets and their vulnerabilities could enable attackers to launch a broad series of attacks to disrupt services or perpetrate fraud. The OCC also notified the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact to the financial sector at this time. The OCC incident is considered the second high-profile breach for the Treasury Department in recent months; the first involved Chinese state-sponsored hackers breaching its network.

Recommended read:
References :
  • CyberScoop: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • The Register - Security: Sensitive financial files feared stolen from US bank watchdog
  • www.cybersecurity-insiders.com: Hackers breach email systems of OCC to gather intelligence from emails
  • Metacurity: Hackers intercepted emails at US Comptroller of the Currency for over a year
  • thecyberexpress.com: Hackers Had Access to 150,000 Emails in U.S. Treasury Email Breach
  • www.cybersecuritydive.com: Treasury Department bank regulator discloses major hack
  • www.scworld.com: Hackers accessed 150,000 emails of 100 US bank regulators at OCC
  • Tech Monitor: OCC reports major email security breach to US Congress
  • cyberscoop.com: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • securityaffairs.com: The US Treasury’s OCC disclosed an undetected major email breach for over a year
  • www.csoonline.com: OCC email system breach described as ‘stunning, serious’

@Latest from ITPro //
Europcar Mobility Group has confirmed a data breach affecting potentially up to 200,000 customers. The breach occurred through unauthorized access to the company’s GitLab repositories. According to reports, the stolen data includes source code for Europcar's Android and iOS mobile applications, as well as personal data linked to tens of thousands of customers. This incident raises significant security concerns, as the exposure of source code could potentially reveal vulnerabilities that could be exploited in future attacks.

Europcar is currently assessing the full extent of the damage caused by the breach. Preliminary findings indicate that the compromised data includes names and email addresses of users belonging to the Goldcar and Ubeeqo brands. The compromised records date back to 2017 and 2020. Europcar maintains that no financial information, passwords, or biometric details were exposed. The company has notified data protection authorities and has begun the process of informing affected customers about the incident.

The attacker reportedly claimed responsibility for the breach in late March and attempted to extort Europcar, threatening to release 37GB of stolen data. The data allegedly includes internal backups, infrastructure documentation, and application source code. Europcar has denied that all of its GitLab repositories were compromised, but has confirmed that the threat actor accessed over 9,000 SQL files and 269 environment configuration files. The method of access remains unclear, although similar breaches often involve stolen credentials obtained through infostealer malware. The investigation is ongoing.

Recommended read:
References :
  • techhq.com: Up to 200,000 Europcar users affected in GitLab security breach
  • www.it-daily.net: Europcar hacked: Up to 200,000 customer data at risk
  • www.itpro.com: Europcar data breach could affect up to 200,000 customers
  • www.scworld.com: Up to 200K purportedly impacted by Europcar GitLab breach
  • Techzine Global: Data breach at Europcar: GitLab hack affects up to 200,000 customers

Mandvi@Cyber Security News //
The Everest ransomware gang's dark web leak site has been compromised in a brazen act of cyber defiance. The site, typically used by the gang to publish stolen data and extort victims, was hacked and defaced, disrupting their operations significantly. The attackers replaced the usual content with a taunting message: "Don’t do crime CRIME IS BAD xoxo from Prague," showcasing a clear intent to disrupt and mock the cybercriminals.

This incident marks a rare occasion where a ransomware group becomes the target of a cyberattack, highlighting vulnerabilities even within sophisticated cybercriminal networks. Security experts speculate that the attackers may have exploited weaknesses in Everest’s web infrastructure, potentially a WordPress vulnerability. The takedown of the site disrupts Everest’s ability to pressure victims and underscores the risks faced by cybercriminal organizations, showing they are not immune to being targeted themselves.

The breach of Everest's leak site points to an emerging trend of counterattacks and internal sabotage targeting ransomware groups. While the identity of the attacker remains unknown, the defacement exposes weaknesses within cybercriminal networks, potentially stemming from insider threats or rival factions. This attack comes amid broader shifts in the ransomware landscape, with recent data indicating a decline in victim payouts during 2024, as more organizations adopt robust cybersecurity measures and refuse to comply with ransom demands.

Recommended read:
References :
  • Cyber Security News: In a significant cybersecurity incident, the leak site operated by the Everest ransomware gang was hacked and defaced over the weekend.
  • The DefendOps Diaries: News about Everest Ransomware's Dark Web Leak Site Defaced and Taken Offline
  • BleepingComputer: Everest ransomware's dark web leak site defaced, now offline
  • cyberpress.org: Hackers Breach and Deface Everest Ransomware Gang’s Leak Site
  • Secure Bulletin: Secure Bulletin discusses how the Everest ransomware gang faced an unprecedented blow, with their leak site hacked and defaced.
  • techcrunch.com: TechCrunch reports the dark web leak site of the Everest ransomware gang got hacked.
  • gbhackers.com: Everest ransomware's dark web leak site defaced, highlighting vulnerabilities in cybercriminal networks and impacting their operations.
  • The Hacker News: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.
  • The Record: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend. Everest ransomware group’s darknet site offline following defacement
  • Cyber Security News: Everest Ransomware Gang Leak Site Hacked and Defaced
  • Techzine Global: Leak site of ransomware gang Everest has been hacked
  • gbhackers.com: gbhackers article highlighting the defacement of the Everest ransomware leak site
  • securityaffairs.com: SecurityAffairs article about Everest ransomware group’s Tor leak site offline after a defacement.
  • securebulletin.com: In a surprising turn of events, the Everest ransomware gang—a notorious Russia-linked cybercriminal organization—has suffered a significant setback.
  • www.scworld.com: Cyberattack takes down Everest ransomware leak site
  • ciso2ciso.com: Everest ransomware group’s Tor leak site offline after a defacement – Source: securityaffairs.com
  • therecord.media: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.

@cyble.com //
The ransomware landscape continues to experience significant turbulence as groups target each other's infrastructure and tactics shift. Notably, a group known as DragonForce has been actively hacking its rivals, with RansomHub, a major Ransomware-as-a-Service (RaaS) platform and one of the most active groups, being their latest target. DragonForce has previously targeted Mamona and BlackLock. This takeover of RansomHub could lead to a significant shift in the RaaS model, potentially leading to affiliates developing their own brands and further fragmenting the threat landscape.

Researchers infiltrated the online infrastructure associated with BlackLock ransomware and uncovered configuration files, credentials, and a history of executed commands. This also revealed clear-web IP addresses that had been hidden behind Tor infrastructure. BlackLock, which emerged in January 2025 and was previously known as El_Dorado, had listed 46 victims prior to the incident. Coincidentally (or perhaps through the same exploit), BlackLock's leak site was also defaced.

Hunters International, a RaaS group that some believe evolved from Hive, appears to be rebranding and shifting operations, moving away from an unprofitable and risky ransomware business. The decision appears to come in the wake of international law enforcement operations. The group is dropping the encryption part of the equation and focusing purely on data exfiltration and extortion, launching under the name "World Leaks".

Recommended read:
References :
  • bsky.app: There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub—a major RaaS platform and one of the most active groups today.
  • cyble.com: Ransomware Attack Levels Remain High as Major Change Looms
  • Searchlight Cyber: BlackLock Ransomware Exposed and DragonForce Makes Moves
  • BlackFog: BlackFog Report Reveals Record Number of Ransomware Attacks from January to March
  • www.tripwire.com: Ransomware reaches a record high, but payouts are dwindling

Bill Toulas@BleepingComputer //
The State Bar of Texas has confirmed a data breach following a ransomware attack claimed by the INC ransomware gang. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to the organization's network, leading to the exfiltration of sensitive information. The incident was discovered on February 12, 2025, prompting immediate action to secure the network and initiate an investigation with the assistance of third-party forensic specialists. The organization is the second-largest bar association in the United States, with over 100,000 licensed attorneys, regulating the legal profession in Texas by overseeing licensing, continuing legal education, ethical compliance, and disciplinary actions.

Approximately 2,700 individuals were affected by the breach. The compromised data includes full names, Social Security numbers, financial account details such as credit and debit card numbers, driver’s licenses, and medical and health insurance details. The exposure of such a wide array of sensitive information poses significant risks of identity theft and financial fraud. The Texas State Bar has emphasized that there is no current evidence of misuse or fraudulent activity involving the compromised data but is urging affected parties to remain vigilant and monitor their financial accounts and credit reports for suspicious activity over the next 12 to 24 months.

In response to the data breach, the State Bar of Texas has implemented additional security measures to prevent future incidents and is reviewing its data privacy policies. Affected individuals are being notified directly and offered complimentary credit monitoring services through Experian for a specified period, including features such as credit monitoring, identity restoration support, and identity theft insurance coverage up to $1 million. Recipients were advised to consider activating a credit freeze or placing a fraud alert on their credit files to mitigate potential risks from the data exposure. The incident serves as a wake-up call for legal cybersecurity, highlighting the vulnerabilities inherent in even the most established institutions and emphasizing the need for robust data protection measures.

Recommended read:
References :
  • The DefendOps Diaries: Texas State Bar data breach: A wake-up call for legal cybersecurity
  • BleepingComputer: Texas State Bar warns of data breach after INC ransomware claims attack
  • www.scworld.com: Separate breaches reported by Texas city's utility payment site, state bar
  • gbhackers.com: Texas State Bar Confirms Data Breach, Begins Notifying Affected Consumers
  • Cyber Security News: CyberPress article on State Bar data breach
  • bsky.app: The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data.
  • BleepingComputer: The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data.
  • Jon Greig: The Texas State Bar announced a data breach on the same day

@cyberalerts.io //
The Port of Seattle, the U.S. government agency responsible for Seattle's seaport and airport, is currently notifying approximately 90,000 individuals about a significant data breach. The breach occurred after a ransomware attack in August 2024, where personal information was stolen from previously used port systems. The compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, ID cards, and some medical information. The organization runs Seattle-Tacoma International Airport, parks, and container terminals. Of those affected, about 71,000 are Washington state residents.

The August 24 incident severely damaged the systems used by the city's port and airport, forcing workers to take extraordinary measures to help travelers. The ransomware attack caused considerable disruption, knocking out the airport's Wi-Fi, and employees had to resort to using dry-erase boards for flight and baggage information. Screens throughout the facility were down, and some airlines had to manually sort through bags. Legacy systems used for employee data were specifically targeted, and the post-mortem revealed that the encryption of systems and the disconnection of others impacted services such as baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.

Following the attack, the Rhysida ransomware group claimed responsibility and demanded a ransom. However, port officials confirmed in September that they refused to pay, with executive director Steve Metruck explaining that “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” The Port is offering one year of free credit monitoring services to the victims and has posted the breach notice online for those without available mailing addresses. The agency emphasizes that the attack did not affect the proprietary systems of major airline and cruise partners or the systems of federal partners like the Federal Aviation Administration, Transportation Security Administration, and U.S. Customs and Border Protection.

Recommended read:
References :
  • BleepingComputer: Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • The DefendOps Diaries: Ransomware Breach at Port of Seattle: An In-Depth Analysis
  • www.bleepingcomputer.com: Port of Seattle says ransomware breach impacts 90,000 people
  • bsky.app: Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • therecord.media: Port of Seattle says 90,000 people impacted in 2024 ransomware attack
  • securityaffairs.com: SecurityAffairs article discussing Port of Seattle data breach impacts 90,000 people
  • Talkback Resources: Port of Seattle August data breach impacted 90,000 people [mal]
  • Cybernews: Port of Seattle has informed approximately 90,000 individuals about a data breach that happened last year.
  • www.scworld.com: Officials at the Port of Seattle confirmed that nearly 90,000 individuals, most of whom are from Washington state, had their data stolen following an August attack by the Rhysida ransomware operation, reports Security Affairs.

Swagath Bandhakavi@Tech Monitor //
Australian pension funds have been hit by a massive wave of credential stuffing attacks over the past week, compromising thousands of members' accounts. The coordinated cyber assaults targeted multiple large superannuation funds, including AustralianSuper, Australian Retirement Trust, Rest, Insignia, and Hostplus. Reports indicate that hackers successfully stole savings from some members, with over 20,000 accounts breached. The Association of Superannuation Funds of Australia (ASFA), the industry's peak body, acknowledged that "a number of members were affected," despite efforts to repel the majority of attempts.

Financial losses have been reported by some funds, with one provider losing over $500,000 due to unauthorized withdrawals. Affected customers experienced service disruptions, with many unable to access their superannuation accounts. Some users reported that their account balances were wiped clean. The attackers strategically targeted accounts of retirees, who are more likely to request lump sum withdrawals, suggesting a deep understanding of the Australian pension system and user behaviour.

In response to the security breach, affected superannuation providers reassured clients that their funds were secure and that they were working to resolve the issue. One fund, Rest, stated that approximately 8,000 members may have had some limited personal details accessed. The Australian government has acknowledged the breach and is organizing a response across government, regulators, and industry. Cyber security experts are calling for enhanced security measures, including the implementation of multi-factor authentication (MFA), to protect member data and retirement savings from future attacks.

Recommended read:
References :
  • bsky.app: A massive wave of credential stuffing attacks hit multiple large Australian super funds, compromising thousands of members' accounts over the weekend.
  • DataBreaches.Net: Hackers strike Australia’s largest pension funds in coordinated attacks
  • thecyberexpress.com: Multiple Australian superannuation funds affected by coordinated cyberattack.
  • www.bleepingcomputer.com: Australian superannuation funds hit by wave of credential stuffing attacks.
  • The Register - Security: Retirement funds reportedly raided after unexplained portal probes and data theft
  • The DefendOps Diaries: Cyber Attacks on Australian Pension Funds: A Call for Enhanced Security
  • The420.in: Cyberattacks Hit Australia’s Largest Pension Funds Rs 2.72 Crore Stolen
  • www.cybersecurity-insiders.com: Cyberattacks on Australian pension funds cause financial losses and account lock-downs.
  • Techzine Global: Several major Australian pension funds have been targeted in a coordinated cyberattack, possibly compromising the personal data of thousands of members.
  • Cyber Security News: Australian Pension Funds Hacked: Members Face Financial Losses
  • securityonline.info: Report on the cyberattack targeting Australian superannuation funds.
  • gbhackers.com: Australian Pension Funds Hacked: Members Face Financial Losses
  • Cyber Security News: Australian Pension Funds Hacked – Members to LOSE Money from Their Accounts
  • techxplore.com: Hackers have hit major super funds—a cyber expert explains how to stop it from happening again
  • bsky.app: A massive wave of credential stuffing attacks hit multiple large Australian super funds, compromising thousands of members' accounts over the weekend.
  • Risky.Biz: Risky Bulletin: Hackers hit Australia's superannuation pension funds
  • Risky Business Media: RBNEWS408 - Hackers hit Australia's superannuation pension funds
  • www.scworld.com: Reuters reports that major Australian pension funds AustralianSuper, Australian Retirement Trust, Insignia, Hostplus, and Rest Super have disclosed being impacted by a series of attacks during the last weekend of March.
  • ciso2ciso.com: Aussie Pension Savers Hit with Wave of Credential Stuffing Attacks – Source: www.infosecurity-magazine.com
  • ciso2ciso.com: Australian superannuation fund providers were targeted en masse last weekend, with as many as 20,000 customer accounts reportedly hijacked in what appears to have been a credential stuffing raid.
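The credential stuffing pattern described in the item above (one source trying many different member accounts with mostly failed logins) is something a fund's security team can spot in its own authentication logs. The following is an added example, not code from Tech Monitor or from any of the funds named; the log lines are constructed, the space-separated `timestamp ip username result` format is an assumption, and the thresholds are illustrative rather than tuned values.

```python
"""Flag credential stuffing sources in authentication logs and list the
accounts they managed to log into, so those accounts can be forced through
MFA step-up or a password reset. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one source tries twelve different member accounts
# and gets into two of them; two ordinary users log in normally.
STUFFING_IP = "203.0.113.7"   # RFC 5737 documentation address, constructed
_members = [f"member{i:02d}" for i in range(12)]
SAMPLE_LOG = [
    f"2025-03-29T02:00:{i:02d}Z {STUFFING_IP} {u} "
    + ("SUCCESS" if i in (3, 8) else "FAIL")
    for i, u in enumerate(_members)
] + [
    "2025-03-29T02:01:00Z 198.51.100.5 bob FAIL",     # typo, then success
    "2025-03-29T02:01:07Z 198.51.100.5 bob SUCCESS",
    "2025-03-29T02:02:00Z 192.0.2.9 carol SUCCESS",
]


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp ip username result' line (assumed format)."""
    ts, ip, user, result = line.split()
    return AuthEvent(ts, ip, user, result == "SUCCESS")


def detect_credential_stuffing(lines, min_attempts=10, min_distinct_users=8,
                               max_success_ratio=0.5):
    """Return {src_ip: stats} for sources that look like stuffing.

    Signal: many attempts, spread over many distinct usernames, with a low
    success ratio. A user mistyping their own password hits one username
    and never trips min_distinct_users, so it is not flagged.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for line in lines:
        ev = parse_line(line)
        s = per_ip[ev.src_ip]
        s["attempts"] += 1
        s["users"].add(ev.user)
        if ev.success:
            s["hits"].append(ev.user)

    flagged = {}
    for ip, s in per_ip.items():
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and len(s["hits"]) / s["attempts"] <= max_success_ratio):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                # accounts the source actually got into: treat as compromised
                "compromised_accounts": sorted(set(s["hits"])),
            }
    return flagged


def accounts_to_step_up(flagged) -> list:
    """Union of accounts reached from flagged sources, for MFA step-up/reset."""
    accts = set()
    for stats in flagged.values():
        accts.update(stats["compromised_accounts"])
    return sorted(accts)


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for ip, stats in found.items():
        print(ip, stats)
    print("step-up required for:", accounts_to_step_up(found))
```

The detection keys on the spread of usernames per source rather than on failure volume alone, which is what separates stuffing (a list of leaked email/password pairs replayed across accounts) from a single locked-out user. In practice the source key would be broadened to ASN or device fingerprint, since stuffing traffic is usually spread across proxies, and the two successful logins from the flagged source are the accounts the fund would lock pending identity verification.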