@cybersecuritynews.com
//
A hacker using the alias "Satanic" has claimed responsibility for a significant data breach affecting WooCommerce, a widely used eCommerce platform. The breach, said to have occurred on April 6, 2025, reportedly compromised over 4.4 million user records. According to the hacker's posts on Breach Forums, the data was not directly extracted from WooCommerce's core infrastructure but from systems closely linked to websites utilizing the platform, potentially through third-party integrations such as CRM or marketing automation tools. The alleged breach has raised concerns about the security of third-party integrations within the WooCommerce ecosystem.
The compromised database reportedly includes an extensive array of sensitive information: 4,432,120 individual records, 1.3 million unique email addresses, and 998,000 phone numbers. It also encompasses metadata on corporate websites, such as technology stacks and payment solutions. A sample of the stolen data reveals records from prominent organizations like the National Institute of Standards and Technology (NIST), Texas.gov, NVIDIA Corporation, the New York City Department of Education, and Oxford University Press. Each record contains detailed information typically found in marketing databases, including estimated revenue, marketing platforms, hosting providers, and social media links.

Adding to the woes of WooCommerce users, a separate security threat has emerged with the discovery of a malicious Python package named "disgrasya" on PyPI. This package, detected by the Socket Research Team, contains an automated carding script specifically designed to target WooCommerce stores using CyberSource as their payment gateway. The malware simulates legitimate user behavior to avoid detection while exfiltrating stolen credit card data. Organizations are advised to enable fraud protection rules, monitor for suspicious patterns, implement CAPTCHA or bot protection, and rate limit checkout and payment endpoints to mitigate the risk of automated carding attacks.
@cyberalerts.io
//
The Port of Seattle, the U.S. government agency responsible for Seattle's seaport and airport, is currently notifying approximately 90,000 individuals about a significant data breach. The breach occurred after a ransomware attack in August 2024, where personal information was stolen from previously used port systems. The compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, ID cards, and some medical information. The organization runs Seattle-Tacoma International Airport, parks, and container terminals. Of those affected, about 71,000 are Washington state residents.
The August 24 incident severely damaged the systems used by the city's port and airport, forcing workers to take extraordinary measures to help travelers. The ransomware attack caused considerable disruption, knocking out the airport's Wi-Fi, and employees had to resort to using dry-erase boards for flight and baggage information. Screens throughout the facility were down, and some airlines had to manually sort through bags. Legacy systems used for employee data were specifically targeted, and the post-mortem revealed that the encryption and disconnection of systems impacted services like baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking. Following the attack, the Rhysida ransomware group claimed responsibility and demanded a ransom. However, port officials confirmed in September that they refused to pay, with executive director Steve Metruck explaining that "paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars." The Port is offering one year of free credit monitoring services to the victims and has posted the breach notice online for those without available mailing addresses. The agency emphasizes that the attack did not affect the proprietary systems of major airline and cruise partners or the systems of federal partners like the Federal Aviation Administration, Transportation Security Administration, and U.S. Customs and Border Protection.
@The DefendOps Diaries
//
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.
The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which failed to verify that the phone number requested for call history matched the authenticated user's number. An attacker with a valid JSON Web Token (JWT) could manipulate the request header and retrieve call logs for any Verizon customer. Because the phone number in the request could be modified freely, the API returned data for Verizon numbers not associated with the signed-in user, raising significant privacy and safety concerns for Verizon Wireless customers.
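The missing authorization check described above, as an added illustration that is not Verizon's code: a minimal HS256 JWT verifier in Python, with the vulnerable handler (token verified, requested number trusted as-is) beside the hardened one (requested number must equal the token's subject). The header name X-Requested-Number, the signing key and the call-log entries are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"  # constructed; real keys belong in a secrets manager

# Constructed call-log store keyed by subscriber number (fake data).
CALL_LOGS = {
    "+15550100001": ["+15550100099 2025-02-22T10:01Z"],
    "+15550100002": ["+15550100077 2025-02-22T11:30Z"],
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(phone: str) -> str:
    """Mint an HS256 JWT whose 'sub' claim is the authenticated subscriber's number."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": phone}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str) -> dict:
    """Return the claims if the HMAC signature verifies, else raise PermissionError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("invalid token signature")
    return json.loads(_b64url_decode(payload))

def call_history_vulnerable(headers: dict) -> list:
    """The flaw pattern from the article: the JWT is verified (authentication only),
    but the number in the hypothetical X-Requested-Number header is trusted as-is,
    so any authenticated subscriber can read any other line's log."""
    verify_jwt(headers["Authorization"])
    return CALL_LOGS.get(headers["X-Requested-Number"], [])

def call_history_fixed(headers: dict) -> list:
    """Object-level authorization: the requested number must equal the token's
    subject; anything else is rejected before the data store is touched."""
    claims = verify_jwt(headers["Authorization"])
    requested = headers["X-Requested-Number"]
    if requested != claims["sub"]:
        raise PermissionError("requested number does not belong to the caller")
    return CALL_LOGS.get(requested, [])
```

The hardened handler should be paired with audit logging of rejected cross-account requests, since a burst of PermissionError responses from one token is the detection signal for this class of bug.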
@upguard.com
//
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.
The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers' endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025. The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."
Pierluigi Paganini@securityaffairs.com
//
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. This nascent ransomware gang's breach purportedly compromised over 403,000 WOW! user accounts, pilfering data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.
The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.
Dissent@DataBreaches.Net
//
Leaked internal chat logs from the Black Basta ransomware group have provided unprecedented insight into the tactics, planning, and operational methods of cybercriminals. The Veriti Research team analyzed these communications, uncovering the group's favored exploits, the security measures they routinely bypass, and the defenses they fear most. The leak, which rivals that of the Conti ransomware gang, exposes Black Basta's meticulous study of potential victims and their sophisticated phishing and malware campaigns.
The analysis reveals Black Basta's focus on exploiting vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, and Fortinet firewalls. They actively discuss bypassing EDR, SIEM, and firewall protections to maintain persistence within compromised networks, leveraging cloud services for malware hosting and command-and-control infrastructure. Despite their skills, Black Basta members express frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations. A key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people.