CyberSecurity news

FlagThis - #databreach

Dissent@DataBreaches.Net //
Pearson, the global education and publishing giant, has confirmed it suffered a cyberattack resulting in the theft of corporate data and customer information. The breach was discovered by BleepingComputer, who reported that the attackers gained unauthorized access to Pearson's systems. Pearson, a UK-based company, is a major player in academic publishing, digital learning tools, and standardized assessments, serving schools, universities, and individuals across over 70 countries.

Pearson stated that after discovering the unauthorized access, they acted to stop the breach, investigate the incident, and, with forensics experts, ascertain what data was affected. They also supported law enforcement's investigation. Furthermore, Pearson said they have deployed additional security measures on their systems, including enhanced security monitoring and authentication. BleepingComputer was tipped off that someone used an exposed GitLab Personal Access Token to compromise Pearson's development environment in January 2025. The token was found in a publicly accessible .git/config file; the attackers used this access to find further login credentials hardcoded in the source code, which they then used to infiltrate the company's network and steal corporate and customer information.

The company downplayed the significance of the breach, suggesting the stolen data was largely outdated and referring to it as "legacy data." Pearson has not disclosed the number of individuals affected or the specific types of information exposed. It did confirm that no employee information was among the stolen files.
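As an added, defender-side example (not from the article or from Pearson), the following Python script audits local checkouts or a web root for .git/config files that carry credentials in remote URLs or stored Authorization headers, the kind of exposure described above. The sample config and token values are constructed placeholders, and the token prefix list is an assumption to adjust for your own providers.

```python
"""Added example (not from the article): audit local checkouts or a web root
for .git/config files that embed credentials, the exposure behind the Pearson
breach. The sample config below is constructed; token values are placeholders."""
import os
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Section header like [remote "origin"] and key = value lines of a git config.
SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KV_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
# Assumed token prefixes (GitLab PAT glpat-, GitHub ghp_/github_pat_/gho_);
# extend with the formats your own providers use.
TOKEN_RE = re.compile(r'\b(glpat-|ghp_|github_pat_|gho_)[A-Za-z0-9_\-]{8,}')


@dataclass
class Finding:
    section: str
    key: str
    reason: str


def parse_git_config(text: str) -> dict:
    """Minimal git-config parser: {section name: [(key, value), ...]}."""
    sections: dict = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def scan_config_text(text: str) -> list:
    """Return findings for credentials embedded in remote URLs or auth headers."""
    findings = []
    for section, pairs in parse_git_config(text).items():
        for key, value in pairs:
            k = key.lower()
            if k in ('url', 'pushurl'):
                u = urlsplit(value)
                # https://user:token@host/... or https://token@host/... leaks in userinfo;
                # scp-style git@host:repo.git has no userinfo and is not flagged.
                if u.password is not None or (u.scheme in ('http', 'https') and u.username):
                    findings.append(Finding(section, key, 'credential in URL userinfo'))
                elif TOKEN_RE.search(value):
                    findings.append(Finding(section, key, 'token-like string in URL'))
            elif k == 'extraheader' and value.lower().startswith('authorization'):
                # CI-style http.<url>.extraheader = AUTHORIZATION: basic <base64>
                findings.append(Finding(section, key, 'Authorization header stored in config'))
    return findings


def audit_tree(root: str, served: bool = False) -> list:
    """Walk root and return (path, Finding) tuples. With served=True (a web root),
    every .git directory is itself a finding: its files are downloadable unless
    the web server explicitly blocks them."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != '.git':
            continue
        dirnames[:] = []  # no need to descend into objects/refs
        if served:
            results.append((dirpath, Finding('-', '-', '.git directory inside served web root')))
        if 'config' in filenames:
            path = os.path.join(dirpath, 'config')
            with open(path, encoding='utf-8', errors='replace') as fh:
                results.extend((path, f) for f in scan_config_text(fh.read()))
    return results


# Constructed sample: the shape left behind by `git clone https://oauth2:<PAT>@...`
# plus a CI-style auth header. The token and the base64 value are placeholders.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLEPLACEHOLDER0@gitlab.example.com/group/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:group/app.git
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic UExBQ0VIT0xERVI=
"""

if __name__ == '__main__':
    for f in scan_config_text(SAMPLE_CONFIG):
        print(f'[{f.section}] {f.key}: {f.reason}')
    # Real use: audit_tree('/var/www/html', served=True) or audit_tree('/home/dev/src')
```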

Recommended read:
References :
  • DataBreaches.Net: Lawrence Abrams reports: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • BleepingComputer: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • www.techradar.com: Another case of exposed Git configuration files leading up to a larger compromise, this time against education giant Pearson.
  • malware.news: Cyberattack compromises Pearson data

Dissent@DataBreaches.Net //
Hackers claiming affiliation with Anonymous have targeted GlobalX Airlines, an airline reportedly used by the Trump administration for deportations to El Salvador. The hacktivists defaced the airline's website, leaving a message aimed at former President Trump. They also claimed to have stolen sensitive data, including flight records and passenger manifests, potentially exposing details about deportees. The attackers asserted that they were acting because GlobalX was ignoring lawful orders against what they called "fascist plans."

The leaked data, as reported by 404 Media, provides granular insight into who was deported on GlobalX flights, when, and to where. The breached information includes flight logs, passenger lists, and itinerary details spanning from January to May 2025. Concerns have been raised about the potential impact on individuals deported, especially those whose whereabouts were previously unknown, with at least one case showing the hacked data held more accurate records than official government lists.

The hack exposed vulnerabilities in GlobalX's cybersecurity, as the hackers claim to have accessed the company's AWS cloud infrastructure and GitHub account through a developer token. They also claimed to have sent messages to pilots through a flight operations tool. As of this report, neither GlobalX nor the U.S. immigration authorities have issued an official response to the security breach.

Recommended read:
References :
  • Davey Winder: Anonymous Hacks Airline Used In Trump El Salvador Deportations
  • DataBreaches.Net: GlobalX, Airline for Trump’s Deportations, Hacked
  • techcrunch.com: GlobalX, airline used for Trump deportations, gets hacked: Report
  • bsky.app: Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for "Donnie" Trump
  • www.404media.co: Man ‘Disappeared’ by ICE Was on El Salvador Flight Manifest, Hacked Data Shows
  • www.bitdefender.com: Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for “Donnie” Trump

@The DefendOps Diaries //
Ascension, one of the largest private healthcare systems in the United States, is facing scrutiny following a significant data breach. The company revealed that the personal and healthcare information of over 430,000 patients was exposed in an incident disclosed last month. The breach stemmed from a compromise affecting a former business partner, highlighting the inherent risks associated with third-party vendors and the critical need for robust cybersecurity measures within the healthcare ecosystem.

The vulnerability in third-party software allowed attackers access to sensitive patient data. Depending on the patient, the attackers could access personal health information related to inpatient visits, including the physician's name, admission and discharge dates, diagnoses, and more. The data breach underscores the importance of healthcare organizations thoroughly vetting and continuously monitoring third-party vendors and their software solutions. This situation exemplifies how a single point of failure in the supply chain can have far-reaching consequences for patient privacy and data security.

The Ascension data breach has broader implications for healthcare cybersecurity. The incident serves as a stark reminder of the vulnerabilities in healthcare systems, especially those involving third-party software. The lessons learned emphasize the need for strengthening cybersecurity defenses against third-party and ransomware threats. Healthcare providers must prioritize data protection, regularly assess the security of their partners, and implement robust measures to protect patient information from evolving cyber threats.

Recommended read:
References :
  • bsky.app: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • securityaffairs.com: Ascension reveals personal data of 437,329 patients exposed in cyberattack
  • The DefendOps Diaries: Lessons from the Ascension Data Breach: Strengthening Healthcare Cybersecurity
  • www.bleepingcomputer.com: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • BleepingComputer: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • MeatMutts: Human Error Reveals Massive Data Breach in Ascension Healthcare System
  • Tech Monitor: Ascension data breach exposes information of over 430,000 patients

@cyble.com //
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to their increased success in recent months.

Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April.

The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy: its features include a 20% revenue share, white-label ransomware kits, and pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators. A historic surge in ransomware activity is occurring: a total of 2,289 publicly named ransomware victims were reported in Q1 alone, a 126% year-over-year increase and an all-time high. 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats.

Recommended read:
References :
  • cyble.com: Ransomware Attacks April 2025: Qilin Emerges from Chaos
  • cyble.com: Global ransomware attacks in April 2025 declined to 450 from 564 in – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups.
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • www.redpacketsecurity.com: [QILIN] – Ransomware Victim: www[.]hcsheriff[.]gov

Dissent@DataBreaches.Net //
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.

The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.

Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.

Recommended read:
References :
  • DataBreaches.Net: CoinPedia reports: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” That’s the message left behind after hackers gave LockBit – a ransomware gang known for extorting millions. Yes, they just got a brutal taste of their own medicine.
  • Metacurity: All of the ransomware gang's admin panels now state: "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit ransomware gang hacked, victim negotiations exposed
  • Searchlight Cyber: Searchlight's threat intelligence team shares their early observations from the LockBit data leak. On May 7, 2025, it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit has been hijacked.
  • www.bitdegree.org: LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
  • BleepingComputer: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
  • hackread.com: LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a…
  • Davey Winder: 60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
  • www.it-daily.net: LockBit hacker group was hacked
  • socradar.io: LockBit Hacked: 60,000 Bitcoin Addresses Leaked
  • securityaffairs.com: The LockBit ransomware site was breached, database dump was leaked online
  • slcyber.io: Early Analysis of the LockBit Data Leak
  • hackread.com: LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked
  • The DefendOps Diaries: LockBit Ransomware Gang Hacked: Internal Operations Exposed
  • www.scworld.com: Data breach exposes LockBit ransomware gang
  • www.itpro.com: LockBit ransomware group falls victim to hackers itself
  • Help Net Security: LockBit Hacked: What does the leaked data show?
  • Talkback Resources: Valuable information leaked from LockBit ransomware operation's administration panel, revealing details on affiliates, ransom negotiations, and potential infighting within the cybercriminal community.
  • ComputerWeekly.com: reports analysis of the LockBit 3.0 data leak
  • Tech Monitor: Ransomware group LockBit faces breach, affiliate data exposed
  • Graham Cluley: LockBit ransomware gang breached, secrets exposed
  • cybersecuritynews.com: The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations.
  • bsky.app: LockBit Ransomware Gang Breached, Secrets Exposed

@ai-techpark.com //
SpyCloud, a leading identity threat protection company, released an analysis on May 7th, 2025, revealing that a staggering 94% of Fortune 50 companies have had employee identity data exposed due to phishing attacks. The analysis is based on nearly 6 million phished data records recaptured from the criminal underground over the last six months. These findings highlight the growing scale and sophistication of phishing attacks, with cybercriminals increasingly targeting high-value identity data for follow-on attacks such as ransomware, account takeover, and fraud. The data provides valuable insights for organizations to enhance their defenses, improve user training, and prevent identity-based attacks.

Nearly 82% of phishing victims had their email credentials compromised in prior data breaches, according to SpyCloud's analysis. This gives attackers a critical advantage, emphasizing the importance of monitoring and securing compromised credentials. The exposed data often includes email addresses (81% of records), IP addresses (42%), and user-agent information (31%) which identifies device and browser details. The top industries impersonated in phishing campaigns include telecommunications, IT, and financial services, highlighting the specific targets of these malicious activities.

To combat the escalating phishing threat, Brian Jack, chief information security officer at KnowBe4, a partner of SpyCloud, emphasizes the need for ongoing security awareness training and swift, targeted action to remediate exposures. He stated: "Combining human vigilance with actionable intelligence is the most effective way to stop phishing in its tracks – and prevent it from opening the door to broader cyberattacks." The rise of phishing attacks is attributed to cybercriminals modernizing their tactics and evolving campaigns into industrial-scale operations, aided by phishing-as-a-service (PhaaS) platforms and AI.

Recommended read:
References :
  • hackernoon.com: SpyCloud releases analysis of nearly 6 million phished data records recaptured from the criminal underground over the last six months.
  • hackread.com: SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks
  • www.cybersecurity-insiders.com: SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks
  • NextBigFuture.com: SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks
  • ai-techpark.com: The analysis found that phishing is causing data records to be stolen from 94% of Fortune 50 companies.

Dissent@DataBreaches.Net //
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, experienced a significant data breach. Hackers gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data, through a single stolen credential. The company, believing it was the best course of action, paid an undisclosed ransom to the threat actor to prevent the data from being made public; however, this has proven to be unsuccessful.

Months later, it has been revealed that the threat actors are now directly targeting individual school districts with extortion demands, using the stolen data from the initial breach. The Toronto District School Board (TDSB), along with other schools in North America, has confirmed receiving ransom demands from the attackers. The exposed information includes names, contact details, birth dates, Social Security numbers, and even some medical alert data. PowerSchool has confirmed that these extortion attempts are related to the original breach and is working with law enforcement.

Cybersecurity experts have warned against paying ransoms, as there is no guarantee that hackers will delete the stolen data. This case exemplifies the risk of paying extortion demands, as the threat actors have resurfaced to revictimize affected individuals and institutions with additional demands. PowerSchool is offering two years of free identity protection to affected individuals; however, it will face pressure to improve its security and reassure stakeholders that it can prevent similar incidents in the future.

Recommended read:
References :
  • bsky.app: The hacker behind PowerSchool's December breach is now extorting schools, threatening to release stolen student and teacher data.
  • Threats | CyberScoop: The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.
  • The Register - Security: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied
  • The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
  • BleepingComputer: PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. [...]
  • www.bleepingcomputer.com: BleepingComputer reports on PowerSchool hacker extorting school districts.
  • cyberscoop.com: PowerSchool customers hit by downstream extortion threats
  • BleepingComputer: PowerSchool hacker now extorting individual school districts
  • malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
  • DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
  • PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
  • go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied. Now individual school districts extorted by fiends
  • Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
  • techcrunch.com: TechCrunch article on PowerSchool being hacked.
  • hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
  • ExpressVPN Blog: Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
  • www.metacurity.com: PowerSchool hackers are extorting schools despite the company's ransom payment
  • thecyberexpress.com: Toronto School Board Hit with Extortion Demand After PowerSchool Data Breach
  • Blog: PowerSchool clients now targeted directly by threat actor
  • cyberinsider.com: PowerSchool Ransom Fallout: Extortion Attempts Hit Schools Months After Data Breach
  • www.techradar.com: PowerSchool hackers return, and may not have deleted stolen data as promised
  • malware.news: Double-extortion tactics used in PowerSchool ransomware attack
  • CyberInsider: Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
  • Matthew Rosenquist: More extortions, same - a perfect example of how not to deal with risks. The nightmare continues for schools, students, and teachers whose private data was exposed by PowerSchool.
  • matthewrosenquist.substack.com: PowerSchool data breach round 2 extortions
  • aboutdfir.com: Reports an education tech provider paid thieves to delete stolen student, teacher data.
  • MeatMutts: The educational sector has been rocked by a significant data breach involving PowerSchool, a leading education technology provider serving over 60 million students globally.

Mandiant@Threat Intelligence //
UNC3944, a financially motivated cyber threat actor also known as Scattered Spider, has evolved from primarily conducting SIM swapping operations to focusing on ransomware and data extortion. Initially, UNC3944 targeted telecommunications organizations to facilitate SIM swaps, but since early 2023, they have shifted their focus to a broader range of industries, deploying ransomware and stealing data for extortion purposes. This transition marks a significant escalation in their tactics and impact, affecting sectors such as technology, financial services, business process outsourcing (BPO), gaming, hospitality, retail, and media & entertainment. The group has been observed conducting targeted waves of attacks against specific sectors, indicating a strategic and adaptable approach to their operations.

Despite law enforcement actions in 2024 that led to a temporary decline in UNC3944's activity, experts caution that their established connections within the cybercrime ecosystem suggest a strong potential for rapid recovery. This could involve forming new partnerships, adopting new tools to evade detection, or shifting strategies to circumvent security measures. Recent reports have indicated the use of tactics consistent with Scattered Spider in attacks against UK retail organizations, involving the deployment of DragonForce ransomware. Furthermore, the operators of DragonForce have reportedly taken control of RansomHub, a ransomware-as-a-service (RaaS) platform where UNC3944 was previously an affiliate after the shutdown of ALPHV (Blackcat) RaaS.

The retail sector has emerged as an increasingly attractive target for threat actors like UNC3944. Data from tracked data leak sites (DLS) reveals that retail organizations accounted for 11% of DLS victims in 2025, a notable increase from 8.5% in 2024. This trend is attributed to the large quantities of personally identifiable information (PII) and financial data typically held by retail companies, combined with their susceptibility to business disruption. The potential for significant financial losses resulting from ransomware attacks further incentivizes these companies to pay ransom demands, making them lucrative targets for financially motivated cybercriminals.

Recommended read:
References :
  • gbhackers.com: UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion
  • cyberpress.org: UNC3944 Hackers Transition from SIM Swapping to Ransomware and Data Extortion

@Talkback Resources //
The Co-op has confirmed a significant data breach following a cyberattack carried out by the ransomware group DragonForce. The attackers claim to have stolen sensitive data from current and former Co-op members, including names and contact details. While financial information and passwords were not compromised, the breach impacts a substantial number of individuals signed up for the Co-op's membership scheme, with DragonForce claiming access to the private information of around 20 million people. The NCSC is working with The Co-op to understand the full scope of the incident and provide expert advice.

DragonForce gained initial access to Co-op's IT networks by exploiting a vulnerability in internal communication systems, such as Microsoft Teams. They then exfiltrated large volumes of customer and employee data, using the stolen information to demand a ransom payment. Screenshots of extortion messages sent to Co-op's head of cyber security via an internal Microsoft Teams chat were shared with the BBC as proof of the breach. In response, the Co-op has implemented immediate security measures, including verifying meeting participants and requiring cameras to be turned on during calls.

The attack on Co-op is believed to be part of a broader campaign targeting major UK retailers, with similar incidents recently affecting Marks & Spencer and Harrods. These attacks are linked to affiliates of the DragonForce ransomware group, believed to be part of the Scattered Spider cybercrime community. This group is known for employing aggressive extortion tactics and sophisticated entry methods such as SIM swapping and MFA fatigue. The Co-op is currently rebuilding its Windows domain controllers and strengthening its defenses in collaboration with Microsoft DART and KPMG.

Recommended read:
References :
  • Talkback Resources: DragonForce hackers claim responsibility for cyberattack on Co-op, stealing major customer and employee data and targeting other companies with ransomware tactics.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.

Pierluigi Paganini@Security Affairs //
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the vulnerabilities associated with modifying secure messaging applications, especially concerning the preservation of end-to-end encryption.

The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised.

TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
  • Talkback Resources: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov [app]
  • www.techradar.com: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
  • www.metacurity.com: A hacker stole content from the Telemessage system used by the US government
  • TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
  • The DefendOps Diaries: TeleMessage Breach: Unveiling the Risks of Modified Secure Messaging Apps
  • techcrunch.com: TeleMessage, a modified Signal clone used by US government officials, has been hacked
  • Risky Business Media: Trump admin’s Signal clone gets hacked, messages exposed
  • The Register - Security: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
  • siliconangle.com: The security of U.S. government officials’ communications has come under the spotlight again after a modified Signal app used to archive data from third-party messaging apps was hacked in less than 30 minutes.
  • WIRED: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
  • CyberInsider: Signal Clone App Used by Trump Officials Breached in Minutes
  • Metacurity: Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more
  • arstechnica.com: TeleMessage, a company that provides modified versions of Signal for message archiving, has suspended its services after a reported hack, exposing communications from U.S. government officials.
  • hackread.com: TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
  • www.404media.co: A hacker has exploited a vulnerability in TeleMessage, a company that provides modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies that used the service, according to a report by 404 Media.
  • www.csoonline.com: The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.
  • Metacurity: You ask yourself how the Trump administration's insane messing around with the Signal app and its clones could get any worse, and then the universe tells you how. The Signal Clone the Trump Admin Uses Was Hacked
  • Dropsafe: US Gov’t Signal-clone with backdoor for message retention, hacked, messages leaked | …I really hope #Ofcom are watching re: the impact of proposed client side scanning
  • BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
  • arstechnica.com: Signal clone used by Trump official stops operations after report it was hacked
  • securityaffairs.com: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
  • iHLS: Israeli Encrypted Messaging Archiving Platform Used by U.S. Officials Compromised in Cyberattack
  • www.insicurezzadigitale.com: Signal clone: app used by a former Trump administration official suspended after hack
  • bsky.app: TeleMessage, the Signal clone used by US government officials, suffers hack
  • Privacy - Graham Cluley: TeleMessage, the Signal clone used by US government officials, suffers hack
  • WIRED: The Signal clone Mike Waltz Was Caught Using Has Direct Access to User Chats
  • WIRED: Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
  • Metacurity: TeleMessage suspends service following reported hack

Lawrence Abrams@BleepingComputer //
Ryan Kramer, a 25-year-old from California, has pleaded guilty to two criminal charges stemming from a major data breach at Disney. Operating under the alias "NullBulge," Kramer admitted to illegally accessing Disney's internal Slack channels and stealing more than 1.1 terabytes of confidential data, including internal communications, images, source code, and credentials, from over 10,000 Slack channels. The breach led Disney to move from Slack to Microsoft Teams.

He distributed a malicious program, disguised as an AI-powered image generation tool, on platforms such as GitHub. The program contained a backdoor that gave him access to the computer of anyone who downloaded and ran it. According to prosecutors, a Disney employee ran the poisoned project on their personal computer between April and May 2024, unknowingly giving Kramer access to the machine and to the login credentials stored on it. That initial foothold let Kramer move laterally within Disney's systems, compromising various platforms and confidential data stores.

Armed with the stolen data, Kramer, posing as a Russian hacktivist group under the NullBulge name, attempted to extort the employee. When the employee did not respond, Kramer published their personal information, including banking, medical, and other sensitive details, across multiple platforms. Kramer awaits sentencing and faces a maximum of five years in federal prison for each felony count: accessing a computer to obtain information, and threatening to damage a protected computer. The FBI is also investigating how far data from at least two other victims who downloaded Kramer's malicious GitHub project may have been compromised.
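The initial access in this case was an employee running an untrusted "tool" pulled from GitHub. As an added example (not code from the article, from Disney, or from the case itself), the Python script below shows the kind of pre-execution triage a practitioner can run on a downloaded project before trusting it: it walks the tree and flags install-time hooks, decode-then-exec loaders, hidden shells, credential-store reads and oversized base64 literals, the shape a backdoor hidden inside a "tool" usually takes. The rule set, the scoring weights and the inert sample project it builds are constructed assumptions; the script does not describe Kramer's actual malware.

```python
"""Pre-execution triage of a downloaded code project (added example, not from the article).

Walks a project tree and flags patterns typical of a trojanised "tool" repository:
install-time hooks, decode-then-exec loaders, hidden shells, credential-store reads
and oversized base64 literals. The rules, weights and the inert sample project are
constructed assumptions for illustration; this is a heuristic, not a malware detector.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# (rule name, regex applied per source line, assumed weight)
RULES = [
    ("decode-then-exec", re.compile(r"\b(exec|eval)\s*\(.*b64decode"), 5),
    ("marshal/zlib loader", re.compile(r"marshal\.loads|zlib\.decompress"), 4),
    ("hidden shell", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"), 2),
    ("browser credential store", re.compile(r"Login Data|Local State|keyring\.get_password", re.I), 4),
    ("webhook exfil", re.compile(r"discord(app)?\.com/api/webhooks", re.I), 3),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 3),
    ("setup.py install hook", re.compile(r"cmdclass\s*=\s*\{[^}]*['\"](install|develop)['\"]"), 3),
    ("npm lifecycle script", re.compile(r"['\"](pre|post)install['\"]\s*:"), 2),
]
WEIGHTS = {name: w for name, _, w in RULES}
SOURCE_EXT = {".py", ".js", ".ts", ".sh", ".ps1", ".bat", ".json", ".cfg", ".toml"}


@dataclass
class Finding:
    path: str
    rule: str
    line_no: int
    snippet: str


def scan_text(path, text):
    """Apply every rule to every line; one line may trigger several rules."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern, _ in RULES:
            if pattern.search(line):
                findings.append(Finding(path, name, line_no, line.strip()[:80]))
    return findings


def scan_tree(root):
    """Scan every source-like file under root, reporting paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SOURCE_EXT:
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return findings


def risk_score(findings):
    return sum(WEIGHTS[f.rule] for f in findings)


def build_sample_project(root):
    """Write a constructed, inert project that mimics the trojan shape (nothing in it is executed)."""
    os.makedirs(os.path.join(root, "aitool"), exist_ok=True)
    blob = "QUFB" * 60  # 240 base64 characters; decodes to 'AAA...' and is never run
    files = {
        "aitool/render.py": "def render(prompt):\n    return f'image for {prompt}'\n",
        "aitool/__init__.py": (
            "import base64, subprocess\n"
            f"PAYLOAD = '{blob}'\n"
            "def _init():\n"
            "    exec(base64.b64decode(PAYLOAD))\n"
            "    subprocess.Popen('whoami', shell=True)\n"
        ),
        "setup.py": (
            "from setuptools import setup\n"
            "from setuptools.command.install import install\n"
            "setup(name='aitool', cmdclass={'install': install})\n"
        ),
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample project in a temp dir, scan it, return (sorted rule names, score)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_project(root)
        findings = scan_tree(root)
        return sorted({f.rule for f in findings}), risk_score(findings)


if __name__ == "__main__":
    rules, score = demo()
    print("triggered rules:", rules)
    print("risk score:", score, "(review before running anything from this project)")
```

A hit from this scanner is a reason to read the flagged lines, not proof of malice; plenty of legitimate projects spawn shells or ship install hooks. The useful habit it encodes is the one the Disney case illustrates: a tool that decodes and executes an embedded blob on import has no business running on a machine that also holds work credentials.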

Recommended read:
References :
  • bsky.app: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • cyberinsider.com: A 25-year-old Santa Clarita man has agreed to plead guilty to hacking a Disney employee's personal computer, stealing login credentials, and exfiltrating 1.1 terabytes of confidential data from internal Slack channels used by the entertainment giant.
  • The DefendOps Diaries: Explore lessons from Disney's Slack breach, highlighting corporate cybersecurity vulnerabilities and strategies for protection.
  • BleepingComputer: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • www.scworld.com: California man admits to Disney cyberattack
  • The Register - Security: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
  • www.scworld.com: Hacker pleads guilty to orchestrating Disney data heist
  • www.techradar.com: Hacker pleads guilty to illegally accessing Disney Slack channels and stealing huge tranche of data
  • The Register: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware A 25-year-old California man pleaded guilty to stealing and dumping 1.1TB of data from the House of Mouse When someone stole more than a terabyte of data from Disney last year, it was believed to be the work of Russian hacktivists protesting for artist rights. We now know it was actually a 25-year-old Calif…
  • gbhackers.com: GBHackers Article: Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data
  • Talkback Resources: Disney Slack hacker was Californian, not Russian: DoJ
  • DataBreaches.Net: Disney Hacker Who Accessed 1.1 Terabytes of Data Pleads Guilty
  • CyberInsider: Disney Hacker Admits Using Malware-Laced AI Art App to Achieve Breach
  • securityonline.info: California Man to Plead Guilty in Hack of Disney Employee, Theft of 1.1TB of Confidential Slack Data

@cyble.com //
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate, proactive steps to reduce risk. One recommendation is to isolate and contain a live intrusion quickly, severing internet connectivity immediately so that malware cannot spread further across the network, and to keep backup servers isolated from the affected environment so they remain usable for disaster recovery. The agency also calls on firms to review their password reset processes, in particular how IT help desks verify the identity of a worker requesting a reset, especially for senior employees and other accounts with elevated privileges.

To build resilience, the NCSC stresses multi-factor authentication (MFA) across the board and tells organisations to watch continuously for 'risky logins' in Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised because of suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) gives similar advice: make sure accounts are protected by strong passwords that are not reused across multiple accounts. While the attacks on UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help other businesses avoid becoming the next victim.
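Two of the NCSC points above, help-desk reset verification and Entra ID risky sign-ins, belong in the same review. As an added example that is not NCSC guidance and not code from any of the referenced articles, the Python below triages a batch of Entra ID sign-in records alongside help-desk reset tickets: it lists open risky sign-ins, resets on privileged accounts where the help desk accepted only caller-supplied details, and privileged-account resets followed by a successful sign-in within a day. The sign-in field names follow the Microsoft Graph signIn resource; the ticket format, the verification labels, the role map, the sample records and the 24-hour window are assumptions.

```python
"""Triage help-desk password resets against Entra ID sign-in records (added example).

Not NCSC code and not a product feature: the sign-in fields follow the Microsoft Graph
signIn resource (userPrincipalName, ipAddress, createdDateTime, riskLevelDuringSignIn,
riskState, status.errorCode); the help-desk ticket records, the verification labels,
the role map, the sample data and the thresholds are constructed assumptions.
"""
from datetime import datetime, timedelta

RISKY_LEVELS = {"medium", "high"}
OPEN_RISK_STATES = {"atRisk", "confirmedCompromised"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Authentication Administrator",
                    "User Administrator"}
WEAK_VERIFICATION = {"caller_stated_details", "none"}   # assumed help-desk labels
RESET_WINDOW = timedelta(hours=24)                     # assumed


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def risky_signins(signins):
    """Sign-ins scored medium/high that nobody has dismissed or remediated yet."""
    return [s for s in signins
            if s["riskLevelDuringSignIn"] in RISKY_LEVELS
            and s["riskState"] in OPEN_RISK_STATES]


def weakly_verified_privileged_resets(resets, roles):
    """Resets on privileged accounts where the help desk accepted caller-supplied details only."""
    return [r["ticket"] for r in resets
            if roles.get(r["userPrincipalName"], set()) & PRIVILEGED_ROLES
            and r["verifiedBy"] in WEAK_VERIFICATION]


def resets_followed_by_signin(resets, signins, roles):
    """Privileged-account resets followed by a successful sign-in inside RESET_WINDOW."""
    hits = []
    for r in resets:
        user = r["userPrincipalName"]
        if not roles.get(user, set()) & PRIVILEGED_ROLES:
            continue
        t0 = parse_ts(r["completedAt"])
        for s in signins:
            if s["userPrincipalName"] != user or s["status"]["errorCode"] != 0:
                continue
            delta = parse_ts(s["createdDateTime"]) - t0
            if timedelta(0) <= delta <= RESET_WINDOW:
                hits.append({"ticket": r["ticket"], "user": user, "ip": s["ipAddress"],
                             "verified_by": r["verifiedBy"],
                             "minutes_after_reset": int(delta.total_seconds() // 60)})
    return hits


def triage(signins, resets, roles):
    return {
        "risky_signins": risky_signins(signins),
        "weak_verification": weakly_verified_privileged_resets(resets, roles),
        "reset_then_signin": resets_followed_by_signin(resets, signins, roles),
    }


# Constructed sample data: fictitious users, documentation IP ranges.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-01T09:15:00Z",
     "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "high", "riskState": "atRisk",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-05-01T10:00:00Z",
     "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "none", "riskState": "none",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-05-01T11:30:00Z",
     "ipAddress": "203.0.113.44", "riskLevelDuringSignIn": "medium", "riskState": "remediated",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2025-05-01T12:05:00Z",
     "ipAddress": "192.0.2.9", "riskLevelDuringSignIn": "low", "riskState": "atRisk",
     "status": {"errorCode": 50126}},
]
SAMPLE_RESETS = [
    {"ticket": "HD-1001", "userPrincipalName": "alice@example.com",
     "completedAt": "2025-05-01T08:50:00Z", "verifiedBy": "caller_stated_details"},
    {"ticket": "HD-1002", "userPrincipalName": "bob@example.com",
     "completedAt": "2025-05-01T09:40:00Z", "verifiedBy": "callback_to_registered_number"},
    {"ticket": "HD-1003", "userPrincipalName": "erin@example.com",
     "completedAt": "2025-04-28T08:00:00Z", "verifiedBy": "caller_stated_details"},
]
SAMPLE_ROLES = {"alice@example.com": {"Global Administrator"},
                "bob@example.com": {"User Administrator"},
                "erin@example.com": set()}

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_SIGNINS, SAMPLE_RESETS, SAMPLE_ROLES).items():
        print(kind, items)
```

In practice the sign-in records come from the Graph sign-in logs or a SigninLogs export in the SIEM. The value is in the second and third lists read together: a reset that was verified only on details the caller stated, followed by a successful login from an address the account has not used before, is exactly the help-desk impersonation sequence the NCSC is warning retailers about.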

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a ransomware attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, the NCSC addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • Malware - Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • Phishing Tackle: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.

@industrialcyber.co //
Nova Scotia Power and its parent company, Emera Inc., are responding to a cybersecurity incident affecting their Canadian IT network. The companies detected unauthorized access to parts of the network and to servers supporting certain business applications. On discovering the intrusion, both companies activated their incident response and business continuity protocols and engaged third-party cybersecurity experts to help isolate the affected systems and prevent further unauthorized access.

Law enforcement agencies have been notified and an investigation is currently underway. Despite the breach, Emera and Nova Scotia Power stated that there has been no disruption to any of their Canadian physical operations. This includes Nova Scotia Power's generation, transmission, and distribution facilities, as well as the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to safely and reliably serve its customers in Nova Scotia, nor has it impacted Emera's utilities in the U.S. or the Caribbean.

The IT team is working diligently with cybersecurity experts to restore the affected portions of the IT system back online. Nova Scotia Power customers can find the latest updates online. Emera is scheduled to publish its first quarter financial statements and management disclosure on May 8, 2025, as planned. Currently, the incident is not expected to have a material impact on the financial performance of the business.

Recommended read:
References :
  • industrialcyber.co: Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized
  • securityaffairs.com: Canadian electric utility Nova Scotia Power and parent company Emera suffered a cyberattack
  • cyberinsider.com: Nova Scotia Power Says Cybersecurity Incident Impacting IT Systems
  • www.scworld.com: Cyberattack impacts Nova Scotia Power's systems
  • www.cybersecurity-insiders.com: Canadian electric utility Nova Scotia Power and parent company Emera are facing a cyberattack that disrupted their IT systems and networks.

Pierluigi Paganini@Data Breach //
SK Telecom, South Korea’s largest mobile carrier, has suffered a significant cyberattack resulting in a USIM data breach; reported figures for affected subscribers range from 23 to 25 million. The breach was triggered by a malware infection that exposed sensitive information tied to users’ Universal Subscriber Identity Modules (USIMs), including mobile phone numbers and IMEI numbers. The incident has raised alarms across the telecommunications industry, prompting a reassessment of security practices and exposing weaknesses within SK Telecom's network.

To limit the fallout, SK Telecom is offering free SIM card replacements to affected customers. The company serves roughly half of the domestic mobile market, yet only 6 million replacement SIMs are available through May. Replacing the SIM is meant to reduce the risk of identity theft and SIM swap attacks that could exploit the compromised USIM data. SK Telecom also says it is tightening checks on SIM replacement activity and monitoring authentication processes for suspicious behaviour in order to restore customer trust.

The cyberattack has had a substantial impact on SK Telecom’s market position and financial standing. An estimated $643 million in market capitalization has been lost, accompanied by a potential exodus of subscribers seeking more secure alternatives. The South Korean Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) have launched an on-site investigation at SK Telecom’s headquarters, adding further pressure on the company to effectively manage the breach's consequences.
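The carrier's stated response, tighter checks on SIM replacement and monitoring of authentication, is what exposed USIM identifiers make necessary. As an added example, not SK Telecom's code (the carrier's actual controls are not public), the Python below scores subscriber events for the SIM-swap sequence an attacker needs: a replacement followed within hours by one-time-code delivery or a login, a replacement after which the line attaches from a handset other than the one on record, or repeated replacements on the same number. The event fields, the IMEI-on-file registry, the sample events and the time windows are constructed assumptions.

```python
"""Score subscriber events for SIM-swap patterns (added example, not carrier code).

Event records, field names, the IMEI-on-file registry, the sample data and the time
windows are constructed assumptions. A SIM replacement alone is routine; the signal is
a replacement followed quickly by account-recovery traffic, or by the line appearing on
a different handset than the one the carrier has on record.
"""
from collections import defaultdict
from datetime import datetime, timedelta

POST_SWAP_WINDOW = timedelta(hours=24)   # assumed
REPEAT_WINDOW = timedelta(days=7)        # assumed
RECOVERY_EVENTS = {"otp_sent", "login_success"}


def ts(s):
    return datetime.fromisoformat(s)


def sim_swap_alerts(events, imei_on_file):
    """Return (msisdn, reason, detail) tuples for every suspicious pattern found."""
    by_line = defaultdict(list)
    for e in events:
        by_line[e["msisdn"]].append(e)
    alerts = []
    for msisdn, evs in by_line.items():
        evs.sort(key=lambda e: ts(e["ts"]))
        swaps = [e for e in evs if e["type"] == "sim_replaced"]
        # Repeated replacements inside the window: churn legitimate users rarely produce.
        for earlier, later in zip(swaps, swaps[1:]):
            if ts(later["ts"]) - ts(earlier["ts"]) <= REPEAT_WINDOW:
                alerts.append((msisdn, "repeat_swap", later["ts"]))
        for swap in swaps:
            t0 = ts(swap["ts"])
            # The new SIM registered from a handset other than the one on file.
            if swap.get("imei") and swap["imei"] != imei_on_file.get(msisdn):
                alerts.append((msisdn, "device_changed", swap["imei"]))
            # Account-recovery traffic shortly after the swap.
            for e in evs:
                if e["type"] in RECOVERY_EVENTS:
                    delta = ts(e["ts"]) - t0
                    if timedelta(0) < delta <= POST_SWAP_WINDOW:
                        alerts.append((msisdn, "post_swap_" + e["type"],
                                       f"{e.get('service', '?')} at {e['ts']}"))
    return alerts


def summarize(alerts):
    """Map each flagged line to the sorted, de-duplicated list of reasons."""
    out = defaultdict(set)
    for msisdn, reason, _ in alerts:
        out[msisdn].add(reason)
    return {m: sorted(r) for m, r in out.items()}


# Constructed sample: three subscriber lines with fictitious numbers and IMEIs.
IMEI_ON_FILE = {"01012345678": "IMEI-A", "01099998888": "IMEI-B", "01055556666": "IMEI-C"}
SAMPLE_EVENTS = [
    {"msisdn": "01012345678", "ts": "2025-05-01T10:00:00", "type": "sim_replaced",
     "channel": "online", "imei": "IMEI-X"},
    {"msisdn": "01012345678", "ts": "2025-05-01T10:20:00", "type": "otp_sent", "service": "bank"},
    {"msisdn": "01012345678", "ts": "2025-05-01T10:25:00", "type": "login_success", "service": "bank"},
    {"msisdn": "01099998888", "ts": "2025-05-01T09:00:00", "type": "sim_replaced",
     "channel": "store", "imei": "IMEI-B"},
    {"msisdn": "01099998888", "ts": "2025-05-03T12:00:00", "type": "otp_sent", "service": "portal"},
    {"msisdn": "01055556666", "ts": "2025-04-25T08:00:00", "type": "sim_replaced",
     "channel": "online", "imei": "IMEI-C"},
    {"msisdn": "01055556666", "ts": "2025-04-29T08:00:00", "type": "sim_replaced",
     "channel": "online", "imei": "IMEI-C"},
]

if __name__ == "__main__":
    for line, reasons in summarize(sim_swap_alerts(SAMPLE_EVENTS, IMEI_ON_FILE)).items():
        print(line, reasons)
```

In the sample, the first line is the attacker pattern (new SIM on an unknown handset, then bank one-time codes and a login within half an hour), the second is a routine in-store replacement whose later portal traffic falls outside the window, and the third shows only the repeat-replacement churn. A carrier would feed the alerts to the fraud desk and, for the first pattern, hold SMS-delivered codes on the line until the subscriber is re-verified out of band.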

Recommended read:
References :
  • BleepingComputer: South Korean mobile provider SK Telecom has announced free SIM card replacements to its 25 million mobile customers following a recent USIM data breach, but only 6 million cards are available through May.
  • The DefendOps Diaries: SK Telecom's cyberattack exposes telecom vulnerabilities, affecting 23M subscribers and prompting industry-wide security reevaluations.
  • www.cysecurity.news: SK Telecom, South Korea’s top mobile carrier, has disclosed a security incident involving a malware infection that exposed sensitive information tied to users’ Universal Subscriber Identity Modules (USIMs).
  • bsky.app: South Korean mobile provider SK Telecom has announced free SIM card replacements to its 25 million mobile customers following a recent USIM data breach, but only 6 million cards are available through May
  • PrivacyDigest: Free replacements for 25 million customers mobile provider SK Telecom has announced free SIM card replacements to its 25 million mobile customers following a recent data breach