CyberSecurity news

FlagThis - #dataleak

@siliconangle.com //
References: electrek.co, malware.news, ciso2ciso.com ...
A significant data leak has exposed the location data of approximately 800,000 Volkswagen electric vehicles, including models from VW, Audi, Seat, and Skoda. This breach was a result of a cloud misconfiguration within Volkswagen's software subsidiary, Cariad, which stores data on Amazon Web Services. The leaked data included real-time GPS locations, with some being accurate to within ten centimeters, along with other sensitive information. The issue came to light after a whistleblower alerted the German newspaper Der Spiegel, and security researchers from the Chaos Computer Club also helped uncover the leak.

The exposed data potentially allows vehicle locations to be tracked and linked to vehicle owners, their names, and contact details. This raises serious privacy concerns; in some instances it was even possible to determine the travel patterns of individuals, including two German politicians. The incident highlights the critical importance of robust cloud security practices at automotive manufacturers and their software subsidiaries. While Volkswagen claims that accessing the data required bypassing security mechanisms, the case underscores the severe consequences of mishandling sensitive customer information.

Recommended read:
References :
  • electrek.co: Massive data leak at Volkswagen exposes locations of 800,000 EV drivers, for months
  • malware.news: Almost 800K electric cars' data exposed by Cariad
  • Techzine Global: Volkswagen data breach highlights major privacy risks
  • ciso2ciso.com: CISO2CISO article about exposed cloud server tracking 800,000 Volkswagen, Audi, and Skoda EVs.
  • The Verge: The Verge report on Volkswagen leak exposing location data for 800,000 electric cars.
  • Electrek: Electrek article about massive data leak at Volkswagen exposing locations of 800,000 EV drivers.
  • Latest from TechRadar: TechRadar article about over 800,000 electric car owners and drivers having private info exposed online.
  • Cybernews: 800,000 Volkswagen owners' data was left unprotected and exposed. What are your thoughts?
  • ciso2ciso.com: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs – Source:hackread.com
  • arstechnica.com: Whistleblower finds unencrypted location data for 800,000 VW EVs
  • techcrunch.com: TechCrunch reports on a Volkswagen leak that exposed precise location data.
  • www.engadget.com: Engadget reports huge Volkswagen data leak exposed the locations of 460,000 EV drivers.
  • www.scworld.com: Almost 800K electric cars' data exposed by Cariad
  • pxlnv.com: Volkswagen Subsidiary Left Vehicle Location Data Unprotected in Amazon Storage
  • siliconangle.com: Location data from 800,000 Volkswagen vehicles exposed by cloud misconfiguration
  • Pixel Envy: Volkswagen Subsidiary Left Vehicle Location Data Unprotected in Amazon Storage
  • www.carscoops.com: VW Group had sensitive info, including GPS coordinates, of 800K+ electric vehicles exposed on an unprotected AWS database for months before it was alerted
  • Ars OpenForum: Whistleblower finds unencrypted location data for 800,000 VW EVs
  • SiliconANGLE: Location data from 800,000 Volkswagen vehicles exposed by cloud misconfiguration
  • Techmeme: VW Group had sensitive info, including GPS coordinates, of 800K+ electric vehicles exposed on an unprotected AWS database for months before it was alerted (Thanos Pappas/Carscoops)
  • toot.majorshouse.com: Why do they need the location data in the first place? Why does any company need this data? Volkswagen leak exposed location data for 800,000 electric cars
  • Dataconomy: A data leak exposed the location data of approximately 800,000 Volkswagen (VW) electric vehicles (EVs) for several months, impacting vehicles from VW, Audi, Seat, and Skoda, as reported by Der Spiegel.
  • Mashable: Volkswagen leak exposed location of 800,000 electric car drivers for months
  • Miguel Afonso Caetano: Connected cars are great—at least until some company leaves unencrypted location data on the Internet for anyone to find.
  • TechSpot: Volkswagen leak exposes private information of 800,000 EV owners, including location data
  • discuss.techlore.tech: Volkswagen leak exposed location data for 800,000 electric cars
  • Techlore: Volkswagen leak exposed location data for 800,000 electric cars
  • jbz: Cariad has since patched the vulnerability, which had revealed data about the usage of Skodas, Audis, and Seats, as well as what Motor1 calls "incredibly detailed data" for VW ID.3 and ID.4 owners. The data set also included pinpoint location data for 460,000 of the vehicles, which Der Spiegel said could be used to paint a picture of their owners' lives and daily activities
  • DMR News: Volkswagen Data Leak Exposed Location Data for 800,000 Electric Cars
  • osint10x.com: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs
  • Osint10x: Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs
  • Alex Jimenez: Volkswagen leak exposed location data for 800,000 electric cars. The leak also included the emails, addresses, and phone numbers of drivers in some cases, Der Spiegel reports.

Pierluigi Paganini@securityaffairs.com //
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. This nascent ransomware gang's breach purportedly compromised over 403,000 WOW! user accounts, pilfering data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.

The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.

Recommended read:
References :
  • Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
  • securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
  • www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
  • CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
  • BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
  • Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
  • DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
  • PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
  • The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
  • www.csoonline.com: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US.
  • Talkback Resources: Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)

Dissent@DataBreaches.Net //
Leaked internal chat logs from the Black Basta ransomware group have provided unprecedented insight into the tactics, planning, and operational methods of cybercriminals. The Veriti Research team analyzed these communications, uncovering the group's favored exploits, the security measures they routinely bypass, and the defenses they fear most. The leak, which rivals that of the Conti ransomware gang, exposes Black Basta's meticulous study of potential victims and their sophisticated phishing and malware campaigns.

The analysis reveals Black Basta's focus on exploiting vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, and Fortinet firewalls. They actively discuss bypassing EDR, SIEM, and firewall protections to maintain persistence within compromised networks, leveraging cloud services for malware hosting and command-and-control infrastructure. Despite their skills, Black Basta members express frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations. A key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people.

Recommended read:
References :
  • VERITI: Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats
  • DataBreaches.Net: Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”
  • www.csoonline.com: Ransomware access playbook: What Black Basta’s leaked logs reveal
  • Information Security Buzz: VulnCheck Exposes CVEs from Black Bastas’ Chats
  • Risky Business Media: Risky Business Talks interview with Will Thomas on the Black Basta leaks
  • bsky.app: New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.
  • Virus Bulletin: Trend Micro researchers discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.
  • www.bleepingcomputer.com: Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware
  • Secure Bulletin: Black Basta and CACTUS ransomware: shared BackConnect module signals affiliate transition
  • flare.io: On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the infamous Black Basta ransomware group.

@www.the420.in //
A significant leak of internal chat logs from the Black Basta ransomware gang has surfaced online, exposing the group's inner workings. TechCrunch obtained a copy of the chat logs, which reveal internal strife, financial disputes, and operational details spanning from September 2023 to September 2024. The exposed communications shed light on the gang's key members, targeted organizations, exploits, and even their fears of government intervention, with one leaker alleging the group "crossed the line" by targeting Russian domestic banks.

The leaked chat logs provide insights into Black Basta's structure, including administrators and hackers linked to the Qakbot botnet. One member, known as "Trump" or "AA" and "GG," is believed to be Oleg Nefedovaka, potentially the group's main boss with connections to the defunct Conti ransomware group. The leak has also exposed Black Basta's phishing templates, victim credentials, and cryptocurrency addresses. The exposure of this sensitive information could significantly disrupt the gang's operations and assist cybersecurity professionals in understanding and mitigating Black Basta's tactics.

Recommended read:
References :
  • techcrunch.com: A huge trove of chat logs from the Black Basta ransomware gang has leaked online. TechCrunch obtained a copy.
  • cyberinsider.com: A major leak of internal chat logs from the Black Basta ransomware gang has exposed deep internal conflicts, failed operations, and financial disputes.
  • www.scworld.com: Purported Black Basta internal communications exposed
  • www.the420.in: A massive leak of internal chat logs from the BlackBasta ransomware group has exposed the inner workings of the notorious cybercriminal organization, revealing internal conflicts, financial disputes, and the group’s eventual disbanding.
  • Zack Whittaker: New, w/ : A huge trove of chat logs from the Black Basta ransomware gang has leaked online. TechCrunch obtained a copy. The logs reveal new details on the group's members (including a 17-year-old), which organizations it targeted, their exploits, and their fears of being vanned by the Russian government. More:
  • socradar.io: Black Basta’s Internal Chats Leak: Everything You Need to Know
  • CyberInsider: Black Basta Ransomware Chats Leaked Exposing Internal Chaos
  • threatmon.io: The Implosion of Black Basta: A Deep Dive into the Leaked Chat Logs and Operational Collapse. The recent leak of internal chat logs from the Black Basta ransomware syndicate has provided unprecedented visibility into the operations, conflicts, and eventual disintegration of one of the most prolific cybercriminal groups of the past three years.
  • Blog: New Details on Black Basta Operations via Leaked Chats on Telegram
  • ThreatMon: The Implosion of Black Basta: A Deep Dive into the Leaked Chat Logs and Operational Collapse
  • Carly Page: A trove of chat logs allegedly belonging to the prolific Black Basta ransomware group has leaked online, revealing unprecedented insights into the gang's operations. The logs, seen by TechCrunch, also name several previously unknown targeted organizations.
  • bsky.app: Article reporting on the leak of Black Basta ransomware gang's internal chat logs.
  • www.bleepingcomputer.com: Article on the Black Basta ransomware gang's internal chat logs leak.
  • BleepingComputer: The article reports on the leak of internal communications from the Black Basta ransomware group.
  • arstechnica.com: Report sheds new light on the tactics allowing Black Basta and other attackers to move at breakneck speed.
  • mastodon.social: A significant leak of internal chat logs from the Black Basta ransomware group revealed significant operational details.
  • securityaffairs.com: Leaked Black Basta chat logs reveal internal conflicts, exposing member details and hacking tools as the gang reportedly falls apart.
  • Kali Linux Tutorials: BlackBasta Chat : The Inner Workings Of A Notorious Ransomware Group
  • socradar.io: Seraph Stealer Malware Hits the Market, Black Basta’s Internal Chaos, New Data Leak Claims
  • thecyberexpress.com: Black Basta Chat Logs Reveal Ransomware Group’s TTPs, IoCs
  • DataBreaches.Net: DataBreaches.net reporting Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”.
  • blog.bushidotoken.net: BushidoToken analysis of BlackBasta Leaks: Lessons from the Ascension Health attack
  • VERITI: Veriti's analysis of Black Basta's Leaked Chats.

Amar Ćemanović@CyberInsider //
Have I Been Pwned (HIBP) has recently integrated a massive dataset of 23 billion rows of stolen credentials from the ALIEN TXTBASE stealer logs. This integration has exposed 284 million unique email addresses that were compromised through infostealer malware. The data, which includes 244 million previously unseen passwords, was originally shared on the Telegram channel ALIEN TXTBASE. HIBP users who are signed up to be notified when their emails appear in a database dump will receive a notification email. All users can also check manually via the service’s website.

This staggering collection of information is likely the result of millions of people's computers being infected by one or more data-stealing malware strains. The addition of these stolen credentials highlights the scale of unstoppable infostealer malware. HIBP has also added 244 million new compromised passwords to Pwned Passwords.

Recommended read:
References :
  • The Register - Security: With millions upon millions of victims, scale of unstoppable info-stealer malware laid bare
  • CyberInsider: HIBP Adds 284 Million Stolen Credentials from Infostealer Logs
  • heise online English: Data leak search website Have I Been Pwned increased by 284 million accounts. Mail addresses and passwords captured by Infostealer malware were shared in the Telegram channel ALIEN TXTBASE. This data is now integrated into HIBP.
  • Help Net Security: Is your email or password among the 240+ million compromised by infostealers?
  • gbhackers.com: Have I Been Pwned Reports Huge Data Leak, Adds 284 Million Stolen Accounts
  • Blog: HIBP adds over 284 million leaked credentials to its database

@www.cnbc.com //
DeepSeek AI, a rapidly growing Chinese AI startup, has suffered a significant data breach, exposing a database containing over one million log lines of sensitive information. Security researchers at Wiz discovered the exposed ClickHouse database was publicly accessible and unauthenticated, allowing full control over database operations without any defense mechanisms. The exposed data included user chat histories, secret API keys, backend details, and other highly sensitive operational metadata. This exposure allowed potential privilege escalation within the DeepSeek environment.

The Wiz research team identified the vulnerability through standard reconnaissance techniques on publicly accessible domains and by discovering unusual open ports linked to DeepSeek. The affected database was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000. Researchers noted how easily the exposed data could be discovered and the potential for malicious actors to have accessed it. DeepSeek secured the database after being contacted by the researchers; however, it remains unclear whether unauthorized third parties were also able to access the information.

Recommended read:
References :
  • NewsGuard's Reality Check: NewsGuard: with news-related prompts, DeepSeek's chatbot repeated false claims 30% of the time and provided non-answers 53% of the time, giving an 83% fail rate
  • www.theregister.com: Upgraded China's DeepSeek, which has rattled American AI makers, has limited new signups to its web-based interface
  • Pyrzout: Social.skynetcloud.site post about DeepSeek's database leak
  • www.wired.com: Wiz: DeepSeek left one of its critical databases exposed, leaking more than 1M records including system logs, user prompt submissions, and users' API keys (Wired)
  • ciso2ciso.com: Guess who left a database wide open, exposing chat logs, API keys, and more? Yup, DeepSeek
  • The Hacker News: DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked
  • Wiz Blog | RSS feed: Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History | Wiz Blog
  • www.theverge.com: News about DeepSeek's data security breach.
  • www.wired.com: Wired article discussing DeepSeek's AI jailbreak.
  • arstechnica.com: Report: DeepSeek's chat histories and internal data were publicly exposed.

@www.bleepingcomputer.com //
Hotel management platform Otelier has suffered a significant data breach, compromising the personal information and hotel reservations of millions of guests. The breach occurred after threat actors gained access to Otelier's Amazon S3 cloud storage. This allowed them to steal a large amount of sensitive data, reportedly close to eight terabytes. The affected hotel brands include major names like Marriott, Hilton, and Hyatt, raising concerns about widespread impact.

The stolen data includes personally identifiable information and reservation details, which could potentially expose guests to identity theft and various types of fraud. Otelier has confirmed the data breach and stated that they are communicating with their impacted customers. The initial breach is said to have started in July 2024 and continued through October of the same year. This extended access allowed the attackers to exfiltrate the substantial amount of data that they are now believed to have.


Pierluigi Paganini@Security Affairs //
References: securityaffairs.com, The420.in,
The LockBit ransomware group has targeted newly appointed FBI Director Kash Patel with an alleged "birthday gift" consisting of leaked classified documents. LockBitSupp, the group's alleged leader, posted a message on February 25, 2025, mocking Patel and claiming the group possesses sensitive data that could "destroy" the FBI. This incident raises serious cybersecurity concerns about potential data breaches targeting high-profile individuals and agencies.

The post, found on LockBit's dark leak blog, describes an "archive of classified information" containing over 250 folders of materials dating back to May 29, 2024. This stolen data is presented as a "guide, roadmap, and some friendly advice" to the new FBI Director. The ransomware cartel's actions represent a bold threat, highlighting the increasing sophistication and audacity of cybercriminals targeting government entities and their leadership.

Recommended read:
References :
  • securityaffairs.com: LockBit taunts FBI Director Kash Patel with alleged “Classified” leak threat
  • The420.in: LockBit Targets FBI Director with Alleged Classified Leak
  • iHLS: In a chilling message posted on February 25, 2025, the alleged leader of the notorious LockBit ransomware group, LockBitSupp, issued a disturbing “birthday gift” to Kash Patel, the newly appointed Director of the FBI.

@cyberinsider.com //
B1ack's Stash, an illicit carding marketplace, released a dataset containing over 1 million stolen credit and debit cards on a dark web forum on February 19, 2025. Experts warn that this release of over 1 million unique cards appears to be a marketing strategy to attract new customers and gain notoriety within the cybercrime ecosystem. Other underground marketplaces, such as Joker Stash and BidenCash, also facilitate the sale of payment card data.

The cybersecurity community is on high alert. The leaked data reportedly includes the PAN, expiration date, CVV2, cardholders' personal details, email address, IP address, and User-Agent, obtained through e-skimming. Banking institutions are being advised to monitor the dark web for offerings of credit and debit cards in order to prevent fraudulent activity.

Recommended read:
References :
  • cyberinsider.com: On February 19, 2025, the illicit carding marketplace B1ack's Stash released a dataset containing over 1 million stolen credit and debit cards on a dark web forum.
  • securityaffairs.com: Experts warn that the carding website B1ack’s Stash released a collection of over 1 million unique credit and debit cards.
  • Talkback Resources: Carding website B1acks Stash released over 1 million credit and debit cards to attract customers, while underground marketplaces like Joker Stash and BidenCash facilitate the sale of payment card data, prompting banks to monitor the dark web for fraudulent activities.
  • CyberInsider: On February 19, 2025, the illicit carding marketplace B1ack's Stash released a dataset containing over 1 million stolen credit and debit cards on a dark web forum.
  • ciso2ciso.com: B1ack’s Stash released 1 Million credit cards

Stefan Hostetler, Julian Tuin, Trevor Daher, Jon Grimm, Alyssa Newbury, Joe Wedderspoon, and Markus @Arctic Wolf //
References: ciso2ciso.com, Kevin Beaumont, ...
A new hacking group, known as Belsen Group, has leaked configuration files and VPN credentials for over 15,000 FortiGate firewall devices. The data, which includes full configuration dumps, device management certificates and even some plaintext passwords, was made freely available on the dark web. Security researcher Kevin Beaumont first brought the issue to light, and CloudSEK later confirmed it; Beaumont noted that the leak primarily affected FortiGate 7.0.x and 7.2.x devices.

The Belsen Group is believed to have been active since 2022, despite only recently appearing on social media and cybercrime forums. The leaked data was likely collected in 2022 using a then zero-day exploit, specifically CVE-2022-40684, but was only released in January 2025. This means that even organizations that have since patched may still be at risk if their configurations were captured by Belsen Group in 2022, since the leaked configurations contain credentials and firewall rules that remain valid until rotated or changed. The exposure of this data poses a significant security risk to affected organizations.

Recommended read:
References :
  • ciso2ciso.com: Ciso2Ciso news about new hacking group leaks configuration of 15,000 Fortinet Firewalls.
  • Kevin Beaumont: Cyberplace.Social post by GossiTheDog about Fortigate config data leak.
  • www.bleepingcomputer.com: BleepingComputer Article about hackers leak configs and VPN credentials for 15,000 FortiGate devices.
  • : RT @S0ufi4n3: “2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.”
  • www.theregister.com: 15,000 FortiGate Firewall Configurations Leaked by Belsen Group