CyberSecurity news

FlagThis - #databreach

Dissent@DataBreaches.Net //
Genetic testing company 23andMe has filed for Chapter 11 bankruptcy protection, raising concerns about the future of its extensive genetic database. The move comes after years of financial struggles, exacerbated by a significant data breach in 2023 that affected almost seven million users. The company will try to find a buyer in a court-supervised sale of its assets, leaving the fate of millions of customers' DNA data uncertain. CEO Anne Wojcicki has stepped down but intends to independently bid for the firm, adding another layer of complexity to the situation.

The bankruptcy has ignited a debate about who owns users' genetic data and how it will be used. With over 15 million people entrusting their DNA to 23andMe, privacy advocates are urging customers to delete their data before it potentially falls into the wrong hands. The company's privacy policy indicates that personal information may be accessed, sold, or transferred during bankruptcy, mergers, or acquisitions, raising concerns about potential misuse. California Attorney General Rob Bonta has reminded customers of their right to request data deletion under state laws, offering a glimmer of control in this evolving situation.

Recommended read:
References :
  • The Register - Security: 23andMe's genes not strong enough to avoid Chapter 11
  • techcrunch.com: 23andMe faces an uncertain future — so does your genetic data
  • www.it-daily.net: Gene testing company 23andme files for insolvency
  • Latest News | KTVU: Bay Area-based 23andMe files for bankruptcy, raising concerns over genetic data
  • Us - CBSNews.com: 23andMe files for bankruptcy and will try to find a buyer
  • Siladitya Ray: 23andMe Files For Chapter 11 Bankruptcy—CEO Anne Wojcicki Exits
  • The Verge: 23andMe files for bankruptcy as CEO steps down
  • Reclaim The Net: Who Owns Your DNA Now?
  • 404 Media: DNA of 15 Million People for Sale in 23andMe Bankruptcy
  • WIRED: DNA-testing company 23andMe has filed for bankruptcy, which means the future of the company’s vast trove of customer data is unknown.
  • The DefendOps Diaries: 23andMe Bankruptcy: Navigating the Complexities of Genetic Data Privacy
  • www.bleepingcomputer.com: 23andMe files for bankruptcy, customers advised to delete DNA data
  • bsky.app: If you're in the market for the DNA of 15 million people, you're in luck https://www.404media.co/dna-of-15-million-people-for-sale-in-23andme-bankruptcy/
  • DataBreaches.Net: DataBreaches.net urges users to delete their DNA data from 23andMe after the bankruptcy.
  • www.theguardian.com: The Guardian covers the company's bankruptcy and its implications for customer data.
  • www.zdnet.com: Details on filing for bankruptcy and what users should do.
  • techcrunch.com: 23andMe files for bankruptcy: How to delete your data
  • www.healthcaredive.com: 23andMe files for bankruptcy; CEO Anne Wojcicki resigns
  • bsky.app: DNA data of millions of users is up for sale with the 23andMe bankruptcy
  • Malwarebytes: Malwarebytes reports on 23andMe bankruptcy: How to delete your data and stay safe from the 2023 breach
  • MSSP feed for Latest: MSSP Alert reports 23andMe's Bankruptcy Filing Fuels Privacy Concerns
  • SiliconANGLE: 23andMe files for Chapter 11 bankruptcy
  • The Next Web: 23andMe bankruptcy: Can EU and UK laws protect DNA data? Here’s what you need to know
  • SecureWorld News: 23andMe's Collapse Sparks Urgent Data Privacy Reckoning
  • Check Point Blog: Protecting the Unchangeable – 23andMe Bankruptcy and What It Means for Data Privacy
  • www.itpro.com: Millions of 23andMe users’ genetic data could be up for grabs – and experts worry it’s a looming privacy nightmare
  • CyberScoop: As 23andMe declares bankruptcy, privacy advocates sound alarm about DNA data
  • iHLS: Is Your Genetic Information at Risk? 23andMe Files for Bankruptcy
  • The Proton Blog: If you used 23andMe, your data could soon be for sale. Here's how to delete your data from 23andMe — and why you might want to do so sooner than later.
  • aboutdfir.com: California AG Reminds 23andMe Customers of Data Deletion Rights Amid Bankruptcy Filing
  • techxplore.com: Over the past decade, 23andMe has collected genetic data from millions of people—and now that the company has filed for bankruptcy, that information could be sold to the highest bidder, a Northeastern University data scientist warns.
  • Quartz: Officials think you should delete your 23andMe data. Here's how
  • www.scientificamerican.com: 23andMe Bankruptcy Leaves Troves of Genetic Data at Risk
  • Centraleyes: ​23andMe, the prominent consumer genetic testing company, filed for Chapter 11 bankruptcy on March 23, 2025, due to declining demand for its services and a significant data breach affecting millions of users. Co-founder Anne Wojcicki resigned as CEO but remains on the company’s board. Implications for Customer Genetic Data The bankruptcy raises concerns about the […] The post appeared first on .
  • IPVanish: DNA Testing Privacy: the Hidden Dangers of Genetic Data
  • PCMag UK security: 23andMe says any buyer must comply with its consumer privacy policy, but there's no telling who will buy the company and the DNA data it's collected on 15 million people.

ross.kelly@futurenet.com (Ross@itpro.com //
On March 20, 2025, a user on the Breach Forums, identified as "rose87168," claimed to have stolen six million records from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. The user offered the data for sale or in exchange for zero-day exploits. The compromised database allegedly contains sensitive information, including Java KeyStore (JKS) files, encrypted SSO and LDAP passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. This could impact over 140,000 tenants, potentially creating a significant supply chain compromise.

Oracle has denied any breach of its cloud infrastructure. According to Oracle a spokesperson stated, "There has been no breach of Oracle Cloud...The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, the attacker claimed to have planted evidence on Oracle's login server, specifically login.us2.oraclecloud.com, creating a text file captured by the Internet Archive's Wayback Machine as proof of access. Cybersecurity firm CloudSEK suggests that the US2 server might not have been patched against CVE-2021-35587, a known vulnerability in Oracle Access Manager within Fusion Middleware.

Recommended read:
References :
  • hackread.com: Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
  • BleepingComputer: The threat actor who claimed to breach Oracle Cloud shared the following URL as proof of the breach showing what appears to be a file containing their email address uploaded to Oracle's servers
  • The DefendOps Diaries: Oracle Cloud Breach Allegations: Hacker Claims vs. Oracle's Denial
  • www.bleepingcomputer.com: Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
  • research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
  • The Register - Software: Oracle Cloud says it's not true someone broke into its login servers and stole data
  • BrianKrebs: CloudSEK’s XVigil discovered a threat actor, selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud
  • www.cybersecurity-insiders.com: Oracle Cloud denies data breach claims of 6 million data files leak
  • Patrick C Miller :donor:: Oracle denies breach after hacker claims theft of 6 million data records
  • www.csoonline.com: Oracle Cloud breach may impact 140,000 enterprise customers
  • www.it-daily.net: 6 million data records: Oracle was allegedly hacked
  • eSecurity Planet: Oracle Cloud breach exposed 6M records from 140k+ tenants. Learn how attackers exploited vulnerabilities and steps organizations must take to secure data. The post appeared first on
  • www.techradar.com: Oracle denies data breach after hacker claims to hold six million records
  • securityonline.info: BreachForums Claims: Millions of Oracle Cloud Records Stolen
  • Arctic Wolf: On March 20, 2025, a Breach Forums user, “rose87168,†claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
  • Information Security Buzz: Cybersecurity Firm Uncovers Major Oracle Cloud Breach—Oracle Denies It
  • Arctic Wolf: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
  • www.cybersecuritydive.com: Researchers back claim of Oracle Cloud breach despite company’s denials
  • www.scworld.com: A Breach Forums user claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale.
  • www.scworld.com: Details of the alleged Oracle Cloud breach.
  • The DefendOps Diaries: Oracle Cloud Breach Allegations: Unraveling the Controversy
  • www.itpro.com: Oracle breach claims spark war of words with security researchers
  • SpiderLabs Blog: Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
  • The Register - Security: There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial
  • Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
  • : A threat actor, known as “rose87168,â€� claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
  • Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
  • DataBreaches.Net: Oracle continues to deny it had any breach, but customers and researchers are claiming otherwise.
  • SpiderLabs Blog: On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to   , the attacker claimed that 6 million customer records were exfiltrated from Oracle's SSO and LDAP systems.
  • GreyNoise: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
  • www.cybersecuritydive.com: Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.
  • SecureWorld News: In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.
  • Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...

@zdnet.com //
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.

Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.

Recommended read:
References :
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
  • www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
  • Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
  • be4sec: Medusa Ransomware is Targeting Critical Infrastructure
  • be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
  • aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
  • www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
  • cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
  • Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
  • techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
  • Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
  • eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
  • Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
  • thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
  • www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
  • www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
  • Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
  • The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
  • www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer

@World - CBSNews.com //
References: bsky.app , CyberInsider , bsky.app ...
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
  • Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
  • Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
  • blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
  • Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
  • Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.

do son@Daily CyberSecurity //
The Medusa ransomware operation has significantly impacted critical infrastructure sectors, affecting over 300 organizations in the United States by February 2025. According to CISA, these attacks have targeted essential services across various industries, including medical, education, legal, insurance, technology, and manufacturing. This widespread impact highlights the vulnerability of critical infrastructure and the potential for severe disruptions. The healthcare sector has been a primary target, with ransom demands ranging from $100,000 to $15 million, potentially disrupting patient care and compromising sensitive data.

Educational institutions have also been significantly affected, with 21 attacks reported in February 2025 alone. These attacks disrupt academic activities and compromise personal information of students and staff. In response, CISA, in partnership with the FBI and MS-ISAC, released a joint Cybersecurity Advisory providing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity. The advisory encourages organizations to ensure operating systems and software are up to date, segment networks to restrict lateral movement, and filter network traffic to prevent unauthorized access.

Recommended read:
References :
  • Industrial Cyber: Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as...
  • securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
  • : Symantec found that Medusa has listed almost 400 victims on its data leaks site since early 2023, demanding ransom payments as high as $15m
  • Broadcom Software Blogs: Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • The DefendOps Diaries: Medusa Ransomware: A Growing Threat to Critical Infrastructure
  • RedPacket Security: CISA: CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware
  • gbhackers.com: Medusa Ransomware Hits 300+ Critical Infrastructure Organizations Worldwide
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • CyberInsider: FBI: Medusa Ransomware Has Breached 300 Critical Infrastructure Organizations
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released - with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog.
  • Resources-2: On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, legal, and technology.
  • : CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure
  • www.cybersecuritydive.com: The ransomware-as-a-service gang tallied more than 300 victims in industries such as healthcare, manufacturing and technology.
  • The Register - Security: Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • hackread.com: FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware
  • Talkback Resources: #StopRansomware: Medusa Ransomware | CISA [net] [mal]
  • Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted

info@thehackernews.com (The@The Hacker News //
References: The Hacker News , , Cyber Security News ...
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.

Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed “Morphing Meerkat,â€� that leverages DNS mail exchange (MX) records to dynamically serve tailored phishing pages mimicking over 100 brands.
  • Security Affairs: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records

jane.mccallion@futurenet.com (Jane@itpro.com //
Security expert Troy Hunt, the creator of the data breach notification site Have I Been Pwned, has fallen victim to a sophisticated phishing attack. The incident, which occurred on March 25, 2025, resulted in the compromise of his email subscriber list, affecting approximately 16,000 current and past subscribers to his personal blog. The attackers gained access to Hunt's Mailchimp account after he clicked on a malicious link in an email disguised as a legitimate notice from the email marketing provider.

Hunt immediately disclosed the breach, emphasizing the importance of transparency and acknowledging his frustration with falling for the scam. The phishing email exploited a sense of urgency by claiming a spam complaint had triggered a temporary suspension of his account, prompting him to enter his credentials and one-time passcode. While 2FA was enabled on his Mailchimp account, the phish still managed to get the one time passcode. Industry experts have said the incident underscores how even seasoned cybersecurity professionals can be vulnerable to social engineering tactics that prey on human weaknesses, such as tiredness and a sense of urgency.

Recommended read:
References :
  • bsky.app: Have I Been Pwned creator Troy Hunt says the data of over 16,000 newsletter subscribers has been stolen after he fell for a Mailchimp phishing attack
  • cyberinsider.com: Details the phishing attack on Troy Hunt's Mailchimp account, exposing subscriber data.
  • The Register - Security: Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish
  • DataBreaches.Net: Troy Hunt, owner of HaveIBeenPwned.com, writes: You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the...
  • PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email.
  • Information Security Buzz: Security consultant and founder of the popular Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned?, has disclosed that he has become a victim of a phishing attack that exposed the email addresses of 16,000 subscribers to his blog troyhunt.com.   “Every active subscriber on my list will shortly [...]
  • www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
  • www.csoonline.com: Even anti-scammers get scammed: security expert Troy Hunt pwned by phishing email
  • www.techradar.com: HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
  • haveibeenpwned.com: In March 2025, . The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
  • Malwarebytes: Security expert Troy Hunt hit by phishing attack
  • heise Security: Have I Been Pwned: Projektbetreiber Troy Hunt gepwned Der Betreiber von Have I Been Pwned wurde selbst Opfer eines Phishing-Angriffs. Die E-Mails der Newsletter-Mailingliste wurden gestohlen.
  • bsky.app: Troy Hunt's mailing list got phished. Commiserations to him. If it can happen to Troy, it can probably happen to you.

Carly Page@TechCrunch //
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.

The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted.

Recommended read:
References :
  • bsky.app: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
  • BleepingComputer: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
  • techcrunch.com: US teachers’ union says hackers stole sensitive personal data on over 500,000 members
  • www.bleepingcomputer.com: Pennsylvania education union data breach hit 500,000 people
  • The Register - Security: Attackers swipe data of 500k+ people from Pennsylvania teachers union
  • The DefendOps Diaries: Understanding the PSEA Data Breach: Lessons and Future Prevention
  • : The Pennsylvania State Education Association (PSEA) has sent breach notifications to over 500,000 current and former members
  • Zack Whittaker: Pennsylvania's biggest union for educators had a data breach, exposing over half a million members' personal information.
  • securityaffairs.com: Pennsylvania State Education Association data breach impacts 500,000 individuals
  • Carly Page: The Pennsylvania State Education Association says hackers stole the sensitive personal and financial information of more than half a million of its members.  PSEA said it “took steps†to ensure the stolen data was deleted, suggesting it was the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers responsible
  • infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
  • securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
  • techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
  • CyberInsider: Cyber Insider article about Russian Zero-Day Firm Offering Record $4 Million for Telegram Exploits
  • www.techradar.com: Data breach at Pennsylvania education union potentially exposes 500,000 victims

Pierluigi Paganini@securityaffairs.com //
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. Arkana Security also claims the hack of US telco provider WideOpenWest (WOW!). This nascent ransomware gang’s breach purportedly compromised over 403,000 WOW! user accounts, pilfering data, including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.



The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.

Recommended read:
References :
  • Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
  • securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
  • www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
  • CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
  • BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
  • Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
  • DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
  • PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
  • The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
  • www.csoonline.com: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US.
  • Talkback Resources: Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)

@itpro.com //
Advanced Computer Software Group, an NHS software supplier, has been fined £3 million by the Information Commissioner's Office (ICO) for security failures that led to a disruptive ransomware attack in 2022. The ICO determined that Advanced Computer Software Group failed to implement appropriate security measures prior to the attack, which compromised the personal information of tens of thousands of NHS patients. The LockBit ransomware group was identified as the perpetrator, gaining access through a customer account lacking multi-factor authentication (MFA).

Personal information belonging to 79,404 people was taken in the attack, including instructions for carers on how to gain entry into the properties of 890 people who were receiving care at home. The stolen data included checklists for medics on how to get into vulnerable people's homes. The ICO cited gaps in applying MFA policies across the organization, a lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack.

Recommended read:
References :
  • bsky.app: NHS provider Advanced has been fined £3m by ICO for security failures that led to the hugely disruptive ransomware hack in 2022. One shocking new detail - not only was personal info of 79k people taken - it included instructions for carers on how to gain entry into 890 patient's homes.
  • The Register - Security: Data stolen included checklist for medics on how to get into vulnerable people's homes The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.
  • techcrunch.com: NHS vendor Advanced will pay just over £3 million ($3.8 million) in fines for not implementing basic security measures before it suffered a ransomware attack in 2022, the U.K.’s data protection regulator has confirmed.
  • www.itpro.com: The Information Commissioner's Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
  • DataBreaches.Net: The UK’s data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary’s security failings led to a ransomware attack affecting NHS care. This is nearly half the fine the Information Commissioner’s Office provisionally floated...
  • www.cybersecurity-insiders.com: NHS LockBit ransomware attack yields £3.07 million penalty on tech provider
  • www.bleepingcomputer.com: UK fines software provider £3.07 million for 2022 ransomware breach
  • The DefendOps Diaries: Understanding the 2022 NHS Ransomware Attack: Lessons and Future Preparedness
  • Tech Monitor: UK ICO fines Advanced Computer Software £3m after NHS data breach
  • www.scworld.com: Advanced slapped with almost $4M fine after LockBit hack

Titiksha Srivastav@The420.in //
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
  • www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
  • The420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
  • bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
  • bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
  • Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
  • securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
  • CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
  • www.cysecurity.news: reports on Ransomware
  • Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
  • Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
  • Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
  • The420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
  • Kim Zetter: Reports Qilin claims attack on Lee Enterprises
  • BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
  • BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
  • DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
  • The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
  • www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
  • securityaffairs.com: Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.
  • www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.

Amar Ćemanović@CyberInsider //
References: Carly Page , CyberInsider , techcrunch.com ...
Japanese telecom giant NTT Communications has confirmed a data breach impacting nearly 18,000 corporate customers. The company discovered unauthorized access to its internal systems on February 5, 2025. Hackers are reported to have accessed details of these organizations, potentially compromising sensitive data.

The stolen data includes customer names, contract numbers, phone numbers, email addresses, physical addresses, and information on service usage belonging to 17,891 organizations, according to NTT Com. While NTT Com has restricted access to compromised devices and disconnected another compromised device, the specific nature of the cyberattack and the identity of the perpetrators remain unknown. It’s not yet known how many individuals had personal data stolen.

Recommended read:
References :
  • Carly Page: Japanese telecom giant NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack. It’s not yet known how many individuals had personal data stolen or who was behind the NTT breach
  • CyberInsider: NTT Communications Suffers Data Breach Impacting 18,000 Companies
  • BleepingComputer: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • techcrunch.com: Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers
  • bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • The DefendOps Diaries: Lessons from the NTT Data Breach: A 2025 Perspective
  • bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • www.scworld.com: NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack
  • securityaffairs.com: Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies
  • The420.in: Japanese Telecom Giant NTT Suffers Data Breach, Impacting 18,000 Companies
  • www.it-daily.net: The Japanese ICT provider NTT Communications (NTT Com) has admitted to a serious security breach that resulted in the loss of information on a total of 17,891 corporate customers.
  • www.scworld.com: Nearly 18K orgs' data compromised in NTT Communications hack

Aninda Chakraborty@Tech Monitor //
Western Alliance Bank recently disclosed a data breach impacting 21,899 customers. The incident stemmed from a vulnerability in third-party secure file transfer software, highlighting the risks associated with relying on external vendors for critical operations. Attackers exploited a zero-day vulnerability to exfiltrate sensitive files from the bank's systems, prompting an internal investigation after stolen files were leaked online. The breach occurred between October 12 and October 24 of the previous year, but the vulnerability wasn't disclosed by the vendor until October 27, highlighting the time it can take to discover these issues.

The compromised data included names, Social Security numbers, dates of birth, financial account details, driver’s license numbers, tax identification numbers, and even passport information in some cases. The Clop ransomware gang has been attributed to the breach, adding Western Alliance Bank to its leak site after exploiting vulnerabilities in Cleo Harmony and related software. The bank is offering affected customers one year of credit monitoring as a precaution, while urging heightened vigilance for potential identity theft and fraud.

Recommended read:
References :
  • bsky.app: Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached.
  • Secure Bulletin: Western Alliance Bank data breach: 21,899 customers impacted
  • The DefendOps Diaries: Understanding the Western Alliance Bank Data Breach: Lessons in Cybersecurity
  • BleepingComputer: Western Alliance Bank notifies 21,899 customers of data breach
  • Tech Monitor: Western Alliance Bank confirms data breach affecting over 21,000 customers
  • BleepingComputer: Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached.
  • Information Security Buzz: Western Alliance Bank has announced a data breach affecting 21,899 people, that was caused by an October 2024 cyberattack on a third-party file transfer software.
  • www.itpro.com: Western Alliance Bank admits cyber attack exposed 22,000 customers

Dissent@DataBreaches.Net //
A data breach at Oracle Health has impacted multiple healthcare organizations and hospitals across the United States. The breach involved a threat actor gaining unauthorized access to legacy servers and stealing patient data. The incident, which occurred on February 20, 2025, was initially discovered by Oracle Health, formerly known as Cerner, but has only recently been publicly disclosed by BleepingComputer on March 28, 2025, after Oracle Health failed to respond to requests for comments.

The compromised data includes sensitive information from electronic health records, single sign-on credentials, Lightweight Directory Access Protocol passwords, OAuth2 keys, and tenant data. It is believed that the breach was facilitated through the use of compromised customer credentials, aligning with known attack techniques. The implications for healthcare organizations are substantial, particularly concerning compliance with HIPAA regulations, and could lead to legal repercussions and financial penalties for affected entities.

Oracle Health is facing criticism for its lack of transparency regarding the incident. The company is reportedly telling hospitals that they will not notify patients directly, placing the responsibility on them to determine if the stolen data violates HIPPA laws. However, Oracle Health has committed to assisting in identifying impacted individuals and providing notification templates to help with notifications.

Recommended read:
References :
  • bsky.app: Oracle Health breach compromises patient data at US hospitals
  • BleepingComputer: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
  • Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
  • DataBreaches.Net: Oracle Health breach compromises patient data at US hospitals
  • The DefendOps Diaries: The Oracle Health breach highlights urgent need for healthcare IT modernization to protect patient data and comply with regulations.
  • Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
  • bsky.app: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.

Dissent@DataBreaches.Net //
Recent data breaches have affected multiple organizations, exposing sensitive information and highlighting the importance of robust security measures. SOCRadar's Dark Web Team has uncovered several significant threats, including a breach at AUTOSUR, a French vehicle inspection company, where approximately 10.7 million customer records were leaked. The exposed data includes customer names, emails, phone numbers, hashed passwords, home addresses, vehicle information, and license plate numbers. This breach poses significant risks such as identity theft, phishing attacks, and financial fraud.

Unauthorized access to shipping portals associated with Lenovo and HP has also been detected, targeting shipment tracking activities in India. This breach could expose sensitive supply chain information. Furthermore, cybercriminals are actively exploiting the gaming and entertainment sectors, utilizing tools such as a Disney+ credential checker and exploiting a leaked FiveM database. A massive dataset of crypto and forex leads is also up for sale, creating risks of fraud and financial scams. Additionally, Cardiovascular Consultants Ltd. (CVC) in Arizona experienced a ransomware attack, impacting 484,000 patients, with data later appearing on a clear net IP address associated with “WikiLeaksV2." The breach at Sunflower and CCA impacted 220,968 individuals according to a filing with the Maine Attorney General's Office.

Recommended read:
References :
  • socradar.io: AUTOSUR Breach, FiveM Database Leak, Disney+ Account Checker, Crypto Leads & Forex Scams Exposed
  • www.cysecurity.news: Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records
  • Security - Troy Hunt: Inside the "3 Billion People" National Public Data Breach
  • securityaffairs.com: California Cryobank, the largest US sperm bank, disclosed a data breach
  • MSSP feed for Latest: Data Breach Hits California Cryobank
  • infosec.exchange: Okay, this is not good: "Executive Summary On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys."
  • research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected