CyberSecurity news
FlagThis - #databreach
|
@cyberinsider.com
//
Legends International, a prominent entertainment venue management firm, has disclosed a data breach that occurred in November 2024. The breach compromised the personal information of both employees and visitors to venues managed by the company. According to reports, the company detected unauthorized activity within its IT systems on November 9, 2024, prompting an immediate investigation with the assistance of external cybersecurity experts. Legends International also notified law enforcement following the discovery of the cyberattack.
The investigation confirmed that unauthorized actors had accessed and exfiltrated files containing personal data. The compromised information varies by individual but may include sensitive details such as dates of birth, Social Security numbers, driver's license and government ID numbers, financial account details, medical information, and health insurance information. The company has stated that the individuals affected either worked at or visited a venue managed by Legends International. In response to the breach, Legends International has taken steps to strengthen its security controls. While the company maintains that it is unaware of any misuse of personal information resulting from the incident, it is offering affected individuals a complimentary 24-month membership to Experian's IdentityWorks service. This service includes credit monitoring, identity restoration support, and up to $1 million in identity theft insurance. The incident has impacted at least 8,065 individuals in Texas and Massachusetts, though reports indicate that over 118,000 people nationwide may be affected. Recommended read:
References :
@x.com
//
Ahold Delhaize, the multinational retail and wholesale company with operations in both Europe and the United States, has confirmed a data breach following a cyberattack in November 2024. The company, which owns supermarket brands such as Stop & Shop, Giant Food, Food Lion and Hannaford, acknowledged that certain files were stolen from its U.S. business systems. The breach was claimed by the INC ransomware group, which has threatened to release sensitive information if its demands are not met, according to researchers at Arctic Wolf. The company is currently working with outside forensics experts to determine the exact nature of the compromised data and to comply with legal obligations regarding disclosure to affected individuals.
The cyberattack disrupted e-commerce operations, particularly affecting Hannaford's pickup and delivery services, which were halted for several days. Other U.S. banners also experienced disruptions and reduced availability for e-commerce services due to "system outages." While physical stores remained open and continued to accept most payment methods, including credit cards, Ahold Delhaize took some systems offline to protect them. The company also notified and updated law enforcement about the incident. The INC ransomware group claims to have exfiltrated approximately 6 terabytes of data from Ahold Delhaize's U.S. division. This data includes sensitive documents and personal identifiers, raising concerns about potential misuse and privacy violations. Ahold Delhaize is advising customers to be vigilant for phishing attempts and fraudulent activity. The company is currently investigating the extent of the breach and is committed to taking necessary measures to contain the situation and prevent further unauthorized access. Recommended read:
References :
Jenna McLaughlin@NPR Topics: Technology
//
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules and were instructed to hand over any requested accounts and stay out of DOGE’s way.
According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it. The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the valid credentials used suggest a potential compromise. The NPR has reported that the data that DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter. Recommended read:
References :
David Jones@cybersecuritydive.com
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments. To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible. Recommended read:
References :
ross.kelly@futurenet.com (Ross@Latest from ITPro
//
Hertz Corporation has announced a data breach affecting customers of its Hertz, Thrifty, and Dollar car rental brands. The breach stems from the exploitation of Cleo zero-day vulnerabilities in late 2024. Customer data, including personal information and driver's licenses, was stolen. The company confirmed the breach on February 10, 2025, stating that an unauthorized third party acquired Hertz data by exploiting vulnerabilities within Cleo's platform in October and December 2024.
The stolen data varies depending on the region, but generally includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. In some instances, Social Security numbers and other government-issued identification numbers were also compromised. Notices about the breach have been posted on Hertz websites for customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California, Maine, and Texas. Hertz has disclosed that at least 3,400 customers in Maine and some 96,665 customers in Texas were affected. The company attributed the breach to vulnerabilities in Cleo's software, which was targeted by the Clop ransomware gang in 2024. This breach highlights the significant cybersecurity risks associated with third-party vendors and the potential for mass data theft. It is another example of the widespread consequences that can occur from zero-day exploits in widely used enterprise file transfer products. Those affected have been advised to take precautions to protect their personal and financial information. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
References:
securityaffairs.com
, www.cysecurity.news
A cybercriminal group has suffered a taste of its own medicine after its website was hacked, with the attacker leaving a message warning against illegal activity. In a separate incident, the National Social Security Fund (CNSS) of Morocco has confirmed a data breach following a cyber attack. The incidents highlight the ever-present threat of cybercrime, even within the cybercriminal underworld itself.
The CNSS of Morocco has acknowledged that its computer systems were targeted by cyber attacks, leading to a data breach. A threat actor, using the alias 'Jabaroot', claimed responsibility for stealing large volumes of citizen data. The actor is reportedly targeting government systems in Morocco. The CNSS has activated its security protocols and launched an internal investigation to determine the extent and origin of the breach. Initial investigations have revealed that leaked documents circulating on social media contain false, inaccurate, or incomplete information. The Fund is working diligently to understand the full scope of the incident and protect the personal data and confidentiality of user information. Recommended read:
References :
@hackread.com
//
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.
To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible. The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public. Recommended read:
References :
@cybersecuritynews.com
//
A hacker using the alias "Satanic" has claimed responsibility for a significant data breach affecting WooCommerce, a widely used eCommerce platform. The breach, said to have occurred on April 6, 2025, reportedly compromised over 4.4 million user records. According to the hacker's posts on Breach Forums, the data was not directly extracted from WooCommerce's core infrastructure but from systems closely linked to websites utilizing the platform, potentially through third-party integrations such as CRM or marketing automation tools. The alleged breach has raised concerns about the security of third-party integrations within the WooCommerce ecosystem.
The compromised database reportedly includes an extensive array of sensitive information. This includes 4,432,120 individual records, 1.3 million unique email addresses, and 998,000 phone numbers. It also encompasses metadata on corporate websites, such as technology stacks and payment solutions. A sample of the stolen data reveals records from prominent organizations like the National Institute of Standards and Technology (NIST), Texas.gov, NVIDIA Corporation, the New York City Department of Education, and Oxford University Press. Each record contains detailed information typically found in marketing databases, including estimated revenue, marketing platforms, hosting providers, and social media links. Adding to the woes of WooCommerce users, a separate security threat has emerged with the discovery of a malicious Python package named "disgrasya" on PyPI. This package, detected by the Socket Research Team, contains an automated carding script specifically designed to target WooCommerce stores using CyberSource as their payment gateway. The malware simulates legitimate user behavior to avoid detection while exfiltrating stolen credit card data. Organizations are advised to enable fraud protection rules, monitor for suspicious patterns, implement CAPTCHA or bot protection, and rate limit checkout and payment endpoints to mitigate the risk of automated carding attacks. Recommended read:
References :
@www.cybersecurity-insiders.com
//
The US Treasury's Office of the Comptroller of the Currency (OCC) has disclosed a significant email breach, classified as a "major incident." The breach, which went undetected for over a year, involved unauthorized access to 150,000 emails within 100 accounts belonging to US bank regulators at the OCC. These emails contained highly sensitive details concerning the financial condition of federally regulated financial institutions, information critical to the OCC's examinations and supervisory oversight processes. The OCC became aware of unusual activity on February 11th, discovering an administrative account interacting with agency mailboxes in an unauthorized manner. IT staff confirmed the unauthorized access and disabled the affected accounts the following day.
Advertisement The OCC notified Congress about the incident on the same day as a Bloomberg report, calling it a “major incident.” Internal and independent investigations of email accounts and attachments indicate that OCC first became aware of the incident Feb. 11, when the office was notified of an administrative account that was interacting with agency mailboxes in an unusual fashion. The next day, IT staff confirmed the account’s access was unauthorized and disabled the accounts. Acting Comptroller of the Currency Rodney E. Hood stated that immediate steps have been taken to determine the full extent of the breach and address organizational deficiencies that contributed to it. Hood promised full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access. Cybersecurity experts have expressed concern about the implications of this breach. The compromised data could allow malicious actors to exploit weaknesses in banks' cybersecurity controls and processes, making it easier to perpetrate fraud or disrupt services. Knowing the weakest targets and their specific vulnerabilities provides a significant advantage to attackers, enabling them to target banks with precision. Security experts also point to how recent cuts at CISA and other federal agencies will weaken cybersecurity in the federal government and across the public sector and U.S. election systems. The OCC is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury during its investigations. Recommended read:
References :
Dissent@DataBreaches.Net
//
Oracle has confirmed a cloud data breach, issuing notifications to customers about a cybersecurity incident. The confirmation follows claims by a threat actor alleging possession of millions of data lines related to over 140,000 Oracle Cloud tenants, including sensitive Personally Identifiable Information (PII), along with corporate and financial data. The company states the breach involved what it described as "two obsolete servers," and maintains that its Oracle Cloud Infrastructure (OCI) was not compromised, and no OCI customer data was viewed or stolen. However, this incident has brought into question Oracle's communication strategy and the accuracy of its disclosures.
The company's initial response has sparked debate and criticism, with cybersecurity experts and customers expressing concern over potential inconsistencies in Oracle's narrative. While Oracle claims the issue stemmed from "obsolete servers," independent analyses and customer confirmations suggest that customer data may have been compromised, contradicting the company's initial denial of an OCI breach. The discrepancy between Oracle's statements and the emerging evidence has raised questions about transparency and the potential use of carefully chosen terminology to minimize the perceived impact of the incident. The communication strategy has drawn specific criticism regarding Oracle's distinction between "Oracle Cloud" and "Oracle Cloud Classic." Experts, like Kevin Beaumont, have pointed out that this distinction allows Oracle to deny a breach of "Oracle Cloud" while acknowledging issues with "Oracle Classic," which is still part of Oracle's cloud services. This approach raises concerns about potential wordplay and its effects on customer trust and Oracle's reputation. The incident highlights the challenges companies face in maintaining transparency and trust during cybersecurity incidents, especially when sensitive customer data is at risk. Recommended read:
References :
@www.cybersecurity-insiders.com
//
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury Department, has confirmed a major email breach impacting approximately 100 bank regulators' accounts. The breach, which lasted for over a year, resulted in unauthorized access to more than 150,000 emails containing sensitive details about banks the agency oversees. According to the OCC's public statement, the compromised emails included highly sensitive information relating to the financial condition of federally regulated financial institutions and used in examination and supervisory oversight processes.
The OCC discovered the unauthorized access after being notified by Microsoft about unusual network behavior on Feb. 11. Following the discovery, the OCC notified Congress of the incident, describing it as a "major information security incident". Analysis by the OCC concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. The agency has since launched an internal and independent third-party review to determine the full extent of the breach and identify vulnerabilities that led to the unauthorized access. Security experts have expressed concern over the news, emphasizing the potential for malicious actors to exploit the exposed information. One expert noted that knowing the weakest targets and their vulnerabilities could enable attackers to launch a broad series of attacks to disrupt services or perpetrate fraud. The OCC also notified the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact to the financial sector at this time. The OCC incident is considered the second high-profile breach for the Treasury Department in recent months, the first one involved Chinese state-sponsored hackers breaching their network. Recommended read:
References :
@Latest from ITPro
//
Europcar Mobility Group has confirmed a data breach affecting potentially up to 200,000 customers. The breach occurred through unauthorized access to the company’s GitLab repositories. According to reports, the stolen data includes source code for Europcar's Android and iOS mobile applications, as well as personal data linked to tens of thousands of customers. This incident raises significant security concerns, as the exposure of source code could potentially reveal vulnerabilities that could be exploited in future attacks.
Europcar is currently assessing the full extent of the damage caused by the breach. Preliminary findings indicate that the compromised data includes names and email addresses of users belonging to the Goldcar and Ubeeqo brands. The compromised records date back as far as 2017 and 2020. Europcar maintains that no financial information, passwords, or biometric details were exposed. The company has notified data protection authorities and has begun the process of informing affected customers about the incident. The attacker reportedly claimed responsibility for the breach in late March and attempted to extort Europcar, threatening to release 37GB of stolen data. The data allegedly includes internal backups, infrastructure documentation, and application source code. Europcar has denied that all of its GitLab repositories were compromised, but has confirmed that the threat actor accessed over 9,000 SQL files and 269 environment configuration files. The method of access remains unclear, although similar breaches often involve stolen credentials obtained through infostealer malware. The investigation is ongoing. Recommended read:
References :
Mandvi@Cyber Security News
//
The Everest ransomware gang's dark web leak site has been compromised in a brazen act of cyber defiance. The site, typically used by the gang to publish stolen data and extort victims, was hacked and defaced, disrupting their operations significantly. The attackers replaced the usual content with a taunting message: "Don’t do crime CRIME IS BAD xoxo from Prague," showcasing a clear intent to disrupt and mock the cybercriminals.
This incident marks a rare occasion where a ransomware group becomes the target of a cyberattack, highlighting vulnerabilities even within sophisticated cybercriminal networks. Security experts speculate that the attackers may have exploited weaknesses in Everest’s web infrastructure, potentially a WordPress vulnerability. The takedown of the site disrupts Everest’s ability to pressure victims and underscores the risks faced by cybercriminal organizations, showing they are not immune to being targeted themselves. The breach of Everest's leak site underscores an emerging trend of counterattacks and internal sabotage targeting ransomware groups. While the identity of the attacker remains unknown, the defacement underscores vulnerabilities within cybercriminal networks, potentially stemming from insider threats or rival factions. This attack comes amid broader shifts in the ransomware landscape, with recent data indicating a decline in victim payouts during 2024, as more organizations adopt robust cybersecurity measures and refuse to comply with ransom demands. Recommended read:
References :
@cyble.com
//
The ransomware landscape continues to experience significant turbulence as groups target each other's infrastructure and tactics shift. Notably, a group known as DragonForce has been actively hacking its rivals, with RansomHub, a major Ransomware-as-a-Service (RaaS) platform and one of the most active groups, being their latest target. DragonForce has previously targeted Mamona and BlackLock. This takeover of RansomHub could lead to a significant shift in the RaaS model, potentially leading to affiliates developing their own brands and further fragmenting the threat landscape.
Researchers infiltrated the online infrastructure associated with BlackLock ransomware and uncovered configuration files, credentials, and a history of executed commands. This also resulted in clear web IP addresses being revealed, which were hidden behind Tor infrastructure. BlackLock, which emerged in January 2025 and was previously known as El_Dorado, had listed 46 victims prior to the incident. Coincidently (or maybe using the same exploit) BlackLock’s leak site was also defaced. Hunters International, a RaaS group that some believe evolved from Hive, appears to be rebranding and shifting operations, moving away from an unprofitable and risky ransomware business and focusing solely on exfiltrating data and extorting victims. The decision appears to come in the wake of international law enforcement operations. Hunters appears to be shifting its operations, dropping the encryption part of the equation and focusing purely on data exfiltration and extortion, launching under the name “World Leaks”. Recommended read:
References :
Bill Toulas@BleepingComputer
//
The State Bar of Texas has confirmed a data breach following a ransomware attack claimed by the INC ransomware gang. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to the organization's network, leading to the exfiltration of sensitive information. The incident was discovered on February 12, 2025, prompting immediate action to secure the network and initiate an investigation with the assistance of third-party forensic specialists. The organization is the second-largest bar association in the United States, with over 100,000 licensed attorneys, regulating the legal profession in Texas by overseeing licensing, continuing legal education, ethical compliance, and disciplinary actions.
Approximately 2,700 individuals were affected by the breach. The compromised data includes full names, Social Security numbers, financial account details such as credit and debit card numbers, driver’s licenses, and medical and health insurance details. The exposure of such a wide array of sensitive information poses significant risks of identity theft and financial fraud. The Texas State Bar has emphasized that there is no current evidence of misuse or fraudulent activity involving the compromised data but is urging affected parties to remain vigilant and monitor their financial accounts and credit reports for suspicious activity over the next 12 to 24 months. In response to the data breach, the State Bar of Texas has implemented additional security measures to prevent future incidents and is reviewing its data privacy policies. Affected individuals are being notified directly and offered complimentary credit monitoring services through Experian for a specified period, including features such as credit monitoring, identity restoration support, and identity theft insurance coverage up to $1 million. Recipients were advised to consider activating a credit freeze or placing a fraud alert on their credit files to mitigate potential risks from the data exposure. The incident serves as a wake-up call for legal cybersecurity, highlighting the vulnerabilities inherent in even the most established institutions and emphasizing the need for robust data protection measures. Recommended read:
References :
@cyberalerts.io
//
The Port of Seattle, the U.S. government agency responsible for Seattle's seaport and airport, is currently notifying approximately 90,000 individuals about a significant data breach. The breach occurred after a ransomware attack in August 2024, where personal information was stolen from previously used port systems. The compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, ID cards, and some medical information. The organization runs Seattle-Tacoma International Airport, parks, and container terminals. Of those affected, about 71,000 are Washington state residents.
The August 24 incident severely damaged the systems used by the city’s port and airport, forcing workers to take extraordinary measures to help travelers. The ransomware attack caused considerable disruption, knocking out the airport’s Wi-Fi, and employees had to resort to using dry-erase boards for flight and baggage information. Screens throughout the facility were down, and some airlines had to manually sort through bags. Legacy systems utilized for employee data were specifically targeted, and the post-mortem revealed that encryptions and system disconnections impacted services like baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking. Following the attack, the Rhysida ransomware group claimed responsibility and demanded a ransom. However, port officials confirmed in September that they refused to pay, with executive director Steve Metruck explaining that “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” The Port is offering one year of free credit monitoring services to the victims and has posted the breach notice online for those without available mailing addresses. The agency emphasizes that the attack did not affect the proprietary systems of major airline and cruise partners or the systems of federal partners like the Federal Aviation Administration, Transportation Security Administration, and U.S. Customs and Border Protection. Recommended read:
References :
Swagath Bandhakavi@Tech Monitor
//
Australian pension funds have been hit by a massive wave of credential stuffing attacks over the past week, compromising thousands of members' accounts. The coordinated cyber assaults targeted multiple large superannuation funds, including AustralianSuper, Australian Retirement Trust, Rest, Insignia, and Hostplus. Reports indicate that hackers successfully stole savings from some members, with over 20,000 accounts breached. The Association of Superannuation Funds of Australia (ASFA), the industry's peak body, acknowledged that "a number of members were affected," despite efforts to repel the majority of attempts.
Financial losses have been reported by some funds, with one provider losing over $500,000 due to unauthorized withdrawals. Affected customers experienced service disruptions, with many unable to access their superannuation accounts. Some users reported that their account balances were wiped clean. The attackers strategically targeted accounts of retirees, who are more likely to request lump sum withdrawals, suggesting a deep understanding of the Australian pension system and user behaviour. In response to the security breach, affected superannuation providers reassured clients that their funds were secure and that they were working to resolve the issue. One fund, Rest, stated that approximately 8,000 members may have had some limited personal details accessed. The Australian government has acknowledged the breach and is organizing a response across government, regulators, and industry. Cyber security experts are calling for enhanced security measures, including the implementation of multi-factor authentication (MFA), to protect member data and retirement savings from future attacks. Recommended read:
References :
|