CyberSecurity news

FlagThis - #dataleak

@cybersecuritynews.com //
A hacker using the alias "Satanic" has claimed responsibility for a significant data breach affecting WooCommerce, the widely used eCommerce platform. The breach, said to have occurred on April 6, 2025, reportedly compromised over 4.4 million user records. According to the hacker's posts on Breach Forums, the data was not extracted from WooCommerce's core infrastructure but from systems closely linked to websites that use the platform, potentially through third-party integrations such as CRM or marketing automation tools. The alleged breach has raised concerns about the security of third-party integrations within the WooCommerce ecosystem.

The database reportedly includes 4,432,120 individual records, 1.3 million unique email addresses, and 998,000 phone numbers, along with metadata on corporate websites such as technology stacks and payment solutions. A sample of the data shows records attributed to prominent organizations including the National Institute of Standards and Technology (NIST), Texas.gov, NVIDIA Corporation, the New York City Department of Education, and Oxford University Press. Each record carries the kind of detail typically found in marketing databases: estimated revenue, marketing platforms, hosting providers, and social media links.

Adding to the woes of WooCommerce merchants, a separate threat has emerged with the discovery of a malicious Python package named "disgrasya" on PyPI. The package, detected by the Socket Research Team, contains an automated carding script designed to target WooCommerce stores that use CyberSource as their payment gateway; carding here means running stolen card numbers through a store's checkout to learn which ones still work. The malware mimics legitimate shopper behavior to avoid detection while exfiltrating the stolen credit card data. Merchants are advised to enable fraud-protection rules at the gateway, monitor for suspicious patterns such as many small orders with different cards from one source, implement CAPTCHA or bot protection, and rate limit checkout and payment endpoints to blunt automated carding attacks.
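The pattern disgrasya relies on, many gateway attempts against different cards from one client in a short time, is exactly what the monitoring and rate-limiting advice above targets. The following is an added example, not code from the page, from WooCommerce, CyberSource or the Socket analysis: a small detector that replays constructed checkout log lines and flags sources that cycle through distinct cards with a high decline rate, beside a sliding-window limiter for the payment endpoint. The log format, the thresholds and the sample lines are assumptions.

```python
"""Card-testing (carding) detection and checkout rate limiting.

Added example for this page; it is not code from the page, from WooCommerce,
CyberSource, or the Socket analysis of "disgrasya". The log format, the
thresholds, and the sample log lines below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: one payment attempt per line. Real logs should carry a
# gateway token, not card data; BIN + last4 is what most gateways expose.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<session>\S+) bin=(?P<bin>\d{6}) "
    r"last4=(?P<last4>\d{4}) result=(?P<result>\w+) amount=(?P<amount>[\d.]+)$"
)

# Constructed sample: one IP cycling through many cards with tiny amounts
# (card testing), one IP making a normal purchase and a later retry.
SAMPLE_LOG = """\
2025-04-06T10:00:01Z 203.0.113.7 sess-a1 bin=411111 last4=1111 result=declined amount=1.00
2025-04-06T10:00:02Z 203.0.113.7 sess-a1 bin=555555 last4=4444 result=declined amount=1.00
2025-04-06T10:00:04Z 203.0.113.7 sess-a1 bin=378282 last4=0005 result=approved amount=1.00
2025-04-06T10:00:05Z 203.0.113.7 sess-a1 bin=601111 last4=1117 result=declined amount=1.00
2025-04-06T10:00:07Z 203.0.113.7 sess-a1 bin=353011 last4=0000 result=declined amount=1.00
2025-04-06T10:00:08Z 203.0.113.7 sess-a1 bin=411111 last4=1881 result=declined amount=1.00
2025-04-06T10:03:10Z 198.51.100.20 sess-b7 bin=424242 last4=4242 result=approved amount=89.99
2025-04-06T10:41:55Z 198.51.100.20 sess-b7 bin=424242 last4=4242 result=declined amount=12.50
2025-04-06T10:42:30Z 198.51.100.20 sess-b7 bin=424242 last4=4242 result=approved amount=12.50
"""


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["amount"] = float(e["amount"])
    return e


def detect_card_testing(log_text, window=timedelta(minutes=5), min_attempts=5,
                        min_distinct_cards=4, min_decline_ratio=0.6):
    """Flag source IPs that try many distinct cards in a short window with a
    high decline rate. Returns {ip: stats} for the flagged IPs."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-IP events inside the sliding window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        cards = {(x["bin"], x["last4"]) for x in q}
        declines = sum(1 for x in q if x["result"] == "declined")
        if (len(q) >= min_attempts and len(cards) >= min_distinct_cards
                and declines / len(q) >= min_decline_ratio):
            flagged[e["ip"]] = {"attempts": len(q), "distinct_cards": len(cards),
                                "declines": declines}
    return flagged


class CheckoutRateLimiter:
    """Sliding-window limit on payment attempts per key (IP or session).
    This is the "rate limit checkout and payment endpoints" control."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=10)):
        self.max_attempts = max_attempts
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, key, ts):
        q = self.hits[key]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(ts)
        return True


def replay_with_limiter(log_text, limiter):
    """Replay the log through the limiter; return the attempts it would block."""
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if not limiter.allow(e["ip"], e["ts"]):
            blocked.append((e["ip"], e["ts"].isoformat()))
    return blocked


if __name__ == "__main__":
    print(detect_card_testing(SAMPLE_LOG))
    print(replay_with_limiter(SAMPLE_LOG, CheckoutRateLimiter()))
```

On the sample, the detector flags 203.0.113.7 (six attempts, six distinct cards, five declines inside seven seconds) and leaves the normal shopper alone, while the limiter would have refused that source's sixth attempt. Keying only on IP is deliberately simple; a production rule should also key on session and on the card fingerprint, and should tolerate a legitimate retry after a decline, which is why the decline ratio and the distinct-card count are both required.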

Recommended read:
References :
  • Cyber Security News: CyberPress article on WooCommerce Allegedly Breached
  • hackread.com: Hackread article on WooCommerce data breach
  • Cyber Security News: Hackers Allegedly Claiming WooCommerce Breach, 4.4 Million Customer Details Stolen
  • hackread.com: Hacker Claims WooCommerce Data Breach, Selling 4.4 Million User Records
  • cyberpress.org: WooCommerce Allegedly Breached, 4.4 Million Customer Details Exposed

@cyberalerts.io //
The Port of Seattle, the U.S. government agency responsible for Seattle's seaport and airport, is currently notifying approximately 90,000 individuals about a significant data breach. The breach occurred after a ransomware attack in August 2024, where personal information was stolen from previously used port systems. The compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, ID cards, and some medical information. The organization runs Seattle-Tacoma International Airport, parks, and container terminals. Of those affected, about 71,000 are Washington state residents.

The August 24 incident crippled the systems used by the port and the airport, forcing workers to take extraordinary measures to help travelers. The attack knocked out the airport's Wi-Fi, and employees resorted to dry-erase boards for flight and baggage information; screens throughout the facility were down, and some airlines had to sort bags by hand. Legacy systems holding employee data were specifically targeted, and the post-mortem found that the encryption of systems and the resulting disconnections disrupted baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.

Following the attack, the Rhysida ransomware group claimed responsibility and demanded a ransom. However, port officials confirmed in September that they refused to pay, with executive director Steve Metruck explaining that “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” The Port is offering one year of free credit monitoring services to the victims and has posted the breach notice online for those without available mailing addresses. The agency emphasizes that the attack did not affect the proprietary systems of major airline and cruise partners or the systems of federal partners like the Federal Aviation Administration, Transportation Security Administration, and U.S. Customs and Border Protection.

Recommended read:
References :
  • BleepingComputer: Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • The DefendOps Diaries: Ransomware Breach at Port of Seattle: An In-Depth Analysis
  • www.bleepingcomputer.com: Port of Seattle says ransomware breach impacts 90,000 people
  • bsky.app: Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • therecord.media: Port of Seattle says 90,000 people impacted in 2024 ransomware attack
  • securityaffairs.com: SecurityAffairs article discussing Port of Seattle data breach impacts 90,000 people
  • Talkback Resources: Port of Seattle August data breach impacted 90,000 people [mal]
  • Cybernews: Port of Seattle has informed approximately 90,000 individuals about a data breach that happened last year.
  • www.scworld.com: Officials at the Port of Seattle confirmed that nearly 90,000 individuals, most of whom are from Washington state, had their data stolen following an August attack by the Rhysida ransomware operation, reports Security Affairs.

@The DefendOps Diaries //
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.

The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which did not verify that the phone number named in the request matched the number of the authenticated user. Any attacker holding a valid JSON Web Token (JWT) for their own account could change the phone number sent in a request header and receive the call logs for a Verizon number that was not theirs, a classic broken object-level authorization flaw that raised significant privacy and safety concerns for Verizon Wireless customers.
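To make the failure concrete, here is an added example (not Verizon's code or its real API) of a call-history handler that authenticates an HS256 JWT but then trusts a client-supplied number, beside the fixed handler that binds the requested number to the token's subject. The X-Phone-Number header, the claim names, the signing key and the call-log store are assumptions chosen to reproduce the class of flaw described above.

```python
"""Missing object-level authorization in a call-history API, as an added example.

This is not Verizon's code nor the real Call Filter API. The endpoint shape,
the X-Phone-Number header, the claim names, the HS256 key and the call-log
store are assumptions chosen to reproduce the class of flaw described above.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-hs256-signing-key"  # assumed; would live in a KMS/HSM in practice

# Constructed sample data: incoming-call history keyed by subscriber number.
CALL_LOGS = {
    "2015550100": [{"from": "2125550123", "at": "2025-03-01T09:15:00Z"}],
    "2015550199": [{"from": "3125550177", "at": "2025-03-01T11:42:00Z"},
                   {"from": "4155550142", "at": "2025-03-02T18:03:00Z"}],
}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(phone, ttl=3600):
    """Mint an HS256 JWT whose `sub` is the authenticated subscriber number."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": phone, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token):
    """Return the claims if signature, alg, expiry and subject check out, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # refuse alg games
            return None
        claims = json.loads(b64url_decode(p))
        if claims.get("exp", 0) < time.time() or "sub" not in claims:
            return None
    except (ValueError, AttributeError):  # malformed base64/JSON or wrong shape
        return None
    return claims


def claims_from_headers(headers):
    auth = headers.get("Authorization", "")
    return verify_token(auth[7:]) if auth.startswith("Bearer ") else None


def call_history_vulnerable(headers):
    """Authenticates the caller, then trusts a client-supplied number: any
    valid token can read any subscriber's logs (the flaw described above)."""
    if claims_from_headers(headers) is None:
        return 401, None
    phone = headers.get("X-Phone-Number")  # attacker-controlled
    return 200, CALL_LOGS.get(phone, [])


def call_history_fixed(headers):
    """Binds the requested number to the token's subject; a mismatch is 403.
    The server-side identity, not the request, decides whose data comes back."""
    claims = claims_from_headers(headers)
    if claims is None:
        return 401, None
    if headers.get("X-Phone-Number") != claims["sub"]:
        return 403, None
    return 200, CALL_LOGS.get(claims["sub"], [])


if __name__ == "__main__":
    token = issue_token("2015550100")
    attack = {"Authorization": f"Bearer {token}", "X-Phone-Number": "2015550199"}
    print("vulnerable:", call_history_vulnerable(attack))
    print("fixed:     ", call_history_fixed(attack))
```

The token in the attack request is perfectly valid; only the number in the header is changed, and the vulnerable handler hands over another subscriber's logs. The fix is not a stronger token check but an authorization check after authentication: every object-level read compares the requested identifier with the identity the server established, and a request for anything else is refused rather than looked up.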

Recommended read:
References :
  • bsky.app: A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request.
  • The DefendOps Diaries: Understanding the Verizon Call Filter API Vulnerability
  • BleepingComputer: Verizon Call Filter API flaw exposed customers' incoming call history
  • DataBreaches.Net: Security researcher Evan Connelly recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for a malicious actor to leak call history logs of Verizon Wireless customers.
  • securityonline.info: Verizon Call Filter App Vulnerability Exposed Call Records of Millions
  • CyberInsider: Verizon Call Filter App Flaw Exposed Call Logs of Millions of Customers
  • www.itpro.com: Verizon Call Filter API flaw could’ve exposed millions of Americans’ call records
  • Malwarebytes: Flaw in Verizon call record requests put millions of Americans at risk
  • Talkback Resources: TalkBack.sh: Flaw in Verizon call record requests put millions of Americans at risk
  • securityaffairs.com: A flaw in Verizon’s iOS Call Filter app exposed call records of millions

@upguard.com //
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.

The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025.

The APIsec platform helps companies secure their APIs by running tests for common weaknesses, so the exposed data also revealed which tests each customer was running, which could let attackers concentrate on the issues those tests did not cover. The index "fx-accounts" held usernames and credentials for services such as AWS, Slack, and GitHub, and the index "fx-clusters" held configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."
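A first triage step on an exposure like this is to scan the exported documents for credential patterns and find values that recur across indices, since a key present in both an accounts record and a cluster configuration unlocks more than one system and must be rotated first. The following is an added example, not UpGuard's or APIsec's code; the index names are borrowed from the report only as labels, and the documents, the token patterns and the key values (the AWS documentation placeholders AKIAIOSFODNN7EXAMPLE and AKIAI44QH8DHBEXAMPLE) are constructed.

```python
"""Find credentials in exported index documents and spot keys reused across
indices. Added example; not UpGuard's or APIsec's code. The index names are
used only as labels; the documents, key values and token patterns below are
constructed (the AWS keys are the documentation placeholders)."""
import re
from collections import defaultdict

# Detector patterns for a few secret formats (assumed sufficient for the demo).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
}

# Constructed sample export: {index_name: [(doc_id, document), ...]}
SAMPLE_INDICES = {
    "fx-accounts": [
        ("acct-1", {"service": "aws", "user": "ci-bot",
                    "access_key": "AKIAIOSFODNN7EXAMPLE", "secret": "<redacted>"}),
        ("acct-2", {"service": "github", "user": "scanner-ci",
                    "token": "ghp_" + "A" * 36}),
        ("acct-3", {"service": "slack",
                    "token": "xoxb-000000000000-000000000000-EXAMPLEEXAMPLEEXAMPLEEX"}),
    ],
    "fx-clusters": [
        ("cl-1", {"name": "scanner-01",
                  "env": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "REGION": "us-east-1"}}),
        ("cl-2", {"name": "scanner-02",
                  "env": {"AWS_ACCESS_KEY_ID": "AKIAI44QH8DHBEXAMPLE", "REGION": "eu-west-1"}}),
    ],
}


def walk_strings(value):
    """Yield every string inside a nested JSON-like document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from walk_strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from walk_strings(v)


def redact(secret):
    """Keep enough of a value to identify it in a ticket without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]


def scan_indices(indices):
    """Return {(kind, secret): {(index, doc_id), ...}} for every pattern match."""
    findings = defaultdict(set)
    for index, docs in indices.items():
        for doc_id, doc in docs:
            for text in walk_strings(doc):
                for kind, pat in PATTERNS.items():
                    for match in pat.findall(text):
                        findings[(kind, match)].add((index, doc_id))
    return findings


def reused_across_indices(findings):
    """Secrets seen in more than one index: the first keys to rotate, since one
    leaked value unlocks several systems. Values are redacted in the output."""
    return {
        (kind, redact(secret)): sorted(locs)
        for (kind, secret), locs in findings.items()
        if len({index for index, _ in locs}) > 1
    }


if __name__ == "__main__":
    found = scan_indices(SAMPLE_INDICES)
    for (kind, secret), locs in sorted(found.items()):
        print(kind, redact(secret), sorted(locs))
    print("reused:", reused_across_indices(found))
```

Run against the sample, the scanner reports four credentials and singles out the one AWS access key ID that appears in both "fx-accounts" and "fx-clusters", mirroring the cross-index reuse UpGuard described. The same walk-and-match loop works on a JSON dump of any exposed index; the output is redacted on purpose so the triage report does not become a second leak.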

Recommended read:
References :
  • Zack Whittaker: New: API security testing firm APIsec exposed an internal database to the internet without a password. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, per researchers at UpGuard, which found it.
  • techcrunch.com: API testing firm APIsec exposed customer data during security lapse
  • www.upguard.com: Watching the Watcher: How a Security Company Leaked Customer Data | UpGuard
  • CyberInsider: Security Firm APIsec Exposed 3TB of Sensitive Customer Data

Pierluigi Paganini@securityaffairs.com //
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. The nascent gang's breach purportedly compromised over 403,000 WOW! user accounts, with stolen data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.

The attackers boast of full backend control and have even produced a music video montage to demonstrate their level of access. They also claim to have exfiltrated a separate CSV file of 2.2 million records containing names, addresses, phone numbers, and device details. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the intrusion to an infostealer infection in September of the previous year that gave the attackers access to WOW!'s critical systems.

Recommended read:
References :
  • Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
  • securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
  • www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
  • CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
  • BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
  • Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
  • DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
  • PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
  • The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
  • www.csoonline.com: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US.
  • Talkback Resources: Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)
  • www.pcmag.com: Cybercrime Gang Says It Hacked This US ISP, Stole Info on 403K Customers
  • www.scworld.com: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)

Dissent@DataBreaches.Net //
Leaked internal chat logs from the Black Basta ransomware group have provided unprecedented insight into the tactics, planning, and operational methods of cybercriminals. The Veriti Research team analyzed these communications, uncovering the group's favored exploits, the security measures they routinely bypass, and the defenses they fear most. The leak, which rivals that of the Conti ransomware gang, exposes Black Basta's meticulous study of potential victims and its sophisticated phishing and malware campaigns.

The analysis reveals Black Basta's focus on exploiting vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, and Fortinet firewalls. They actively discuss bypassing EDR, SIEM, and firewall protections to maintain persistence within compromised networks, leveraging cloud services for malware hosting and command-and-control infrastructure. Despite their skills, Black Basta members express frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations. A key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people.

Recommended read:
References :
  • VERITI: Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats
  • DataBreaches.Net: Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”
  • www.csoonline.com: Ransomware access playbook: What Black Basta’s leaked logs reveal
  • Information Security Buzz: VulnCheck Exposes CVEs from Black Bastas’ Chats
  • Risky Business Media: Risky Business Talks interview with Will Thomas on the Black Basta leaks
  • bsky.app: New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.
  • Virus Bulletin: Trend Micro researchers discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.
  • www.bleepingcomputer.com: Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware
  • Secure Bulletin: Black Basta and CACTUS ransomware: shared BackConnect module signals affiliate transition
  • flare.io: On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the infamous Black Basta ransomware group.