Pierluigi Paganini@Security Affairs
//
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the risks of modifying secure messaging applications, in particular whether end-to-end encryption survives the modification.
The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage's systems took only 15-20 minutes, underscoring the ease with which its security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised.
TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk.
References:
- securityaffairs.com: SecurityAffairs: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
- Talkback Resources: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov [app]
- www.techradar.com: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
- www.metacurity.com: A hacker stole content from the Telemessage system used by the US government
- TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
- The DefendOps Diaries: TeleMessage Breach: Unveiling the Risks of Modified Secure Messaging Apps
- techcrunch.com: TeleMessage, a modified Signal clone used by US government officials, has been hacked
- Risky Business Media: Trump admin’s Signal clone gets hacked, messages exposed
- The Register - Security: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
- siliconangle.com: The security of U.S. government officials’ communications has come under the spotlight again after a modified Signal app used to archive data from third-party messaging apps was hacked in less than 30 minutes.
- WIRED: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
- CyberInsider: Signal Clone App Used by Trump Officials Breached in Minutes
- Metacurity: Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more
- arstechnica.com: TeleMessage, a company that provides modified versions of Signal for message archiving, has suspended its services after a reported hack, exposing communications from U.S. government officials.
- hackread.com: TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
- www.404media.co: A hacker has exploited a vulnerability in TeleMessage, a company that provides modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies that used the service, according to a report by 404 Media.
- www.csoonline.com: The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.
- Metacurity: You ask yourself how the Trump administration's insane messing around with the Signal app and its clones could get any worse, and then the universe tells you how. The Signal Clone the Trump Admin Uses Was Hacked
- Dropsafe: US Gov’t Signal-clone with backdoor for message retention, hacked, messages leaked | …I really hope #Ofcom are watching re: the impact of proposed client side scanning
- BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
- arstechnica.com: Signal clone used by Trump official stops operations after report it was hacked
- iHLS: Israeli Encrypted Messaging Archiving Platform Used by U.S. Officials Compromised in Cyberattack
- www.insicurezzadigitale.com: Signal clone: an app used by a former Trump administration official suspended after hacking
- bsky.app: TeleMessage, the Signal clone used by US government officials, suffers hack
- Privacy - Graham Cluley: TeleMessage, the Signal clone used by US government officials, suffers hack
- WIRED: The Signal clone Mike Waltz Was Caught Using Has Direct Access to User Chats
- WIRED: Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
- Metacurity: TeleMessage suspends service following reported hack
jane.mccallion@futurenet.com (Jane@itpro.com)
//
Security expert Troy Hunt, the creator of the data breach notification site Have I Been Pwned, has fallen victim to a sophisticated phishing attack. The incident, which occurred on March 25, 2025, resulted in the compromise of his email subscriber list, affecting approximately 16,000 current and past subscribers to his personal blog. The attackers gained access to Hunt's Mailchimp account after he clicked on a malicious link in an email disguised as a legitimate notice from the email marketing provider.
Hunt immediately disclosed the breach, emphasizing the importance of transparency and acknowledging his frustration with falling for the scam. The phishing email exploited a sense of urgency by claiming a spam complaint had triggered a temporary suspension of his account, prompting him to enter his credentials and one-time passcode. Although 2FA was enabled on his Mailchimp account, the phishing page captured the one-time passcode along with the credentials, so the second factor did not prevent the login. Industry experts have said the incident underscores how even seasoned cybersecurity professionals can be vulnerable to social engineering tactics that prey on human weaknesses, such as tiredness and a sense of urgency.
References:
- haveibeenpwned.com: In March 2025, . The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
- PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email
- www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
- Malwarebytes: Security expert Troy Hunt hit by phishing attack
- gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
- securityaffairs.com: Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows.
- The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.
jane.mccallion@futurenet.com (Jane@itpro.com)
//
Infosec veteran Troy Hunt, the creator of HaveIBeenPwned, has been compromised in a Mailchimp phishing attack. The incident resulted in the theft of data belonging to over 16,000 newsletter subscribers. Hunt, who is usually known for helping people check if their credentials have been compromised, unfortunately became a victim himself. The attack highlights how even security experts can fall prey to sophisticated phishing schemes, and Hunt has blogged about the incident, providing details of the phishing email.
The attackers employed a well-crafted phishing email, designed to create a sense of urgency. The email informed Hunt that he was unable to send updates to his subscribers until he reviewed his account due to a spam complaint. Hunt entered his credentials and one-time passcode, but quickly realized his error. Although he changed his password, the attackers managed to export the mailing list in under two minutes. The stolen data included records of both active and former email subscribers.
References:
- bsky.app: Have I Been Pwned creator Troy Hunt says the data of over 16,000 newsletter subscribers has been stolen after he fell for a Mailchimp phishing attack
- cyberinsider.com: Details the phishing attack on Troy Hunt's Mailchimp account, exposing subscriber data.
- The Register - Security: Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish
- DataBreaches.Net: Troy Hunt, owner of HaveIBeenPwned.com, writes: You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the...
- PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email.
- Information Security Buzz: Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned?, has disclosed that he has become a victim of a phishing attack that exposed the email addresses of 16,000 subscribers to his blog troyhunt.com. "Every active subscriber on my list will shortly [...]
- www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
- www.csoonline.com: Even anti-scammers get scammed: security expert Troy Hunt pwned by phishing email
- www.techradar.com: HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
- heise Security: Have I Been Pwned: project operator Troy Hunt pwned. The operator of Have I Been Pwned has himself fallen victim to a phishing attack. The e-mail addresses of the newsletter mailing list were stolen.
- Malwarebytes: Security expert Troy Hunt hit by phishing attack
- bsky.app: Troy Hunt's mailing list got phished. Commiserations to him. If it can happen to Troy, it can probably happen to you.
@itpro.com
//
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files', leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. The injected code dumped the CI runner's memory into the workflow log, potentially exposing any secrets held there, such as API keys and passwords; in public repositories those logs are publicly readable. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to limit further exploitation.
This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a commit spoofed to appear to come from the Renovate bot, giving the attackers unauthorized access to modify the action's code. While no exfiltration of secrets to an attacker-controlled server has been observed, their exposure in the logs of affected repositories remains a significant risk. Impacted organizations are urged to act immediately to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories, where secrets written to workflow logs are publicly accessible.
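Because every version of the action was affected, any workflow that pulled it by version tag received the attacker's code; pinning third-party actions to a full commit SHA is the standard defence. As an added example (not code from the page or from any project it cites), the Python script below audits workflow text for `uses:` references and flags those resolved by a mutable tag or branch rather than a 40-hex commit SHA. The sample workflow and its SHA are constructed, and KNOWN_COMPROMISED holds only the two action names that appear in this page's references, not an authoritative list.

```python
import re
from collections import namedtuple

# Constructed sample workflow, not from any real repository; the 40-hex SHA is a fake placeholder.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions named as compromised in the reporting this page collects; illustrative, not an authoritative list.
KNOWN_COMPROMISED = {"tj-actions/changed-files", "reviewdog/action-setup"}

# severity is one of "ok", "medium", "high" or "critical"
Finding = namedtuple("Finding", "line_no action ref severity")

def classify(line_no, spec):
    """Classify one `uses:` reference; local paths and docker images are skipped."""
    if spec.startswith("./") or spec.startswith("docker://"):
        return None
    action, sep, ref = spec.rpartition("@")
    if not sep:                 # no ref: resolves to the default branch, fully mutable
        return Finding(line_no, spec, "", "high")
    if FULL_SHA_RE.match(ref):  # full commit SHA: immutable pin
        return Finding(line_no, action, ref, "ok")
    # Tag or branch: whoever controls the repo (or an attacker) can retarget it.
    return Finding(line_no, action, ref, "critical" if action in KNOWN_COMPROMISED else "medium")

def audit_workflow(text):
    """Return one Finding per third-party action reference in workflow text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and (f := classify(line_no, m.group(1))):
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:>2}  {f.severity:<8} {f.action}@{f.ref or '<none>'}")
```

Pointing the script at real `.github/workflows/*.yml` files is a matter of reading each file and passing its contents to `audit_workflow`; a SHA pin only helps if the pinned commit was itself reviewed.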
References:
- Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
- Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
- Open Source Security: tj-action/changed-files GitHub action was compromised
- Dan Goodin: Is anyone following this breach involving the tj-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
- securityonline.info: Popular GitHub Action "tj-actions/changed-files" Compromised (CVE-2025-30066)
- Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
- www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
- Tj-actions Supply Chain Attack Exposes 23,000 Organizations
- Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack
- The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
- BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
- www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
- Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
- gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
- hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
- www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
- bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
- Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
- unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
- Legit Security Blog: Github Actions tj-actions/changed-files Attack
- Security Risk Advisors: TB2025318 - GitHub Action "tj-actions/changed-files" Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
- securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
- bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
- blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
- Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
- Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
- thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
- The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
- Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
- Schneier on Security: Critical GitHub Attack
- Aembit: GitHub Action tj-actions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
- www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
- tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram