bleepingcomputer.com By Lawrence Abrams August 25, 2025 -
U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks.
Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide.
The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025.
"On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification on its website.
"The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities."
The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach.
Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted.
While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year.
BleepingComputer contacted Farmers with additional questions about the breach and will update the story if we receive a response.
The Salesforce data theft attacks
Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers.
During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances.
Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.
The extortion demands come from the ShinyHunters cybercrime group, who told BleepingComputer that the attacks involve multiple overlapping threat groups, with each group handling specific tasks to breach Salesforce instances and steal data.
"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.
"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."
Other companies impacted in these attacks include Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
bitdefender.com 19.08.2025 - A hack of the Netherlands' Public Prosecution Service has had an unusual side effect: some speed cameras are no longer capturing evidence of motorists breaking the rules of the road.
Last month, Dutch media reports confirmed that Openbaar Ministerie (OM), the official body responsible for bringing suspects before the criminal court in the Netherlands, had suffered a security breach by hackers.
The National Cybersecurity Centre (NCSC) and data protection regulators in The Netherlands were informed that a data breach had potentially occurred, and an internal memo from the organisation's director of IT warned of the risks of reconnecting systems to the internet without knowing that the hackers had been expelled from the network.
And it is the disconnection of systems which has left many speed cameras in a non-functioning state - news that will bemuse cybercriminals, delight errant motorists, but is unlikely to be welcomed by those who care about road safety.
Local media reports claim that fixed speed cameras, average speed checks, and portable speed cameras that are usually in one location for about two months before relocation are impacted by the outage - with the only type to escape the problem being those which look out for motorists who are using their mobile phone while driving.
According to evidence seen by journalists, the Public Prosecution Service took itself offline on July 17, following suspicions that hackers had exploited vulnerabilities in Citrix devices to gain unauthorised access.
The organisation's disconnection from the internet left workers still able to email each other internally, but any communications or documents that were needed outside the organisation had to be printed out on paper.
Marthyne Kunst, a member of the crisis team dealing with the hack, told the media that this meant messages were having to be sent by post and lawyers were having to bring paperwork to their cases.
The consequence? Cases may be prevented from going ahead in a timely fashion.
"Unfortunately, it all takes more time," said Kunst.
And as for the speed cameras? Well, apparently it is not possible to reactivate them while the prosecution service's systems are down.
So this isn't a case of police cameras being hacked (although that has happened before), but it is another example of how all manner of connected systems can be impacted in the aftermath of a cyber attack.
The outage of speed cameras in the Netherlands is a timely reminder to us that cyber attacks do not just steal data - they can cause repercussions in sometimes strange and dangerous ways. In this instance, a hack hasn't only slowed down court cases and forced lawyers back to their filing cabinets, it has also blinded cameras designed to keep roads safe.
itnews.com.au - TPG Telecom has revealed that iiNet’s order management system was breached by an unknown attacker who abused legitimate credentials to gain access.
The telco said [pdf] that it “appears” that a list of email addresses and phone numbers was extracted from the system.
“Based on current analysis, the list contained around 280,000 active iiNet email addresses and around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers,” TPG said.
“In addition, around 10,000 iiNet usernames, street addresses and phone numbers and around 1700 modem set-up passwords, appear to have been accessed.”
The order management system is used to create and track orders for iiNet services.
TPG Telecom said that the system does not store “copies or details of identity documents, credit card or banking information.”
The telco apologised “unreservedly” for the incident and said it would contact all iiNet customers, both those impacted as well as “all non-impacted iiNet customers to confirm they have not been affected.”
Investigations so far have not uncovered any escalation of the breach by the attacker beyond the order management system.
TPG Telecom has advised relevant government agencies of the incident.
edition.cnn.com | CNN Business - Millions of AT&T customers can file claims worth up to $7,500 in cash payments as part of a $177 million settlement related to data breaches in 2024.
The telecommunications company had faced a pair of data breaches, announced in March and July 2024, that were met with lawsuits.
Here’s a breakdown.
What happened?
On March 30, 2024, AT&T announced it was investigating a data leak that had occurred roughly two weeks prior. The breach involved data from 2019 and earlier, including Social Security numbers, and the information of 73 million former and current customers was found in a dataset on the dark web.
Four months later, the company blamed a separate breach on an “illegal download” from a third-party cloud platform that it had learned about in April. This leak included telephone numbers of “nearly all” AT&T cellular customers and customers of providers that used the AT&T network between May 1 and October 31, 2022, the company said.
The class-action settlement includes a $149 million cash fund for the first breach and a $28 million payout for the second breach.
Am I eligible for a claim?
AT&T customers whose data was involved in either breach, or both, will be eligible. Customers eligible to file a claim will receive an email notice, according to the settlement website.
AT&T said Kroll Settlement Administration is notifying current and former customers.
How do I file a claim?
The deadline to submit a claim is November 18. The final approval hearing for the settlement is December 3, according to the settlement website, and there could be appeals following an approval “and resolving them can take time.”
“Settlement Class Member Benefits will begin after the Settlement has obtained Court approval and the time for all appeals has expired,” the website states.
How much can I claim?
Customers impacted by the March incident are eligible for a cash payment of up to $5,000. Claims must include documentation of losses that happened in 2019 or later, and that are “fairly traceable” to the AT&T breach.
CERT-AGID cert-agid.gov.it - The illegal sale of identity documents stolen from hotels operating in Italy has recently been detected. The material consists of tens of thousands of high-resolution scans of passports, identity cards and other identification documents used by guests during check-in.
According to the threat actor "mydocs" himself, who put the material up for sale on a well-known underground forum, the documents were stolen between June and July 2025 through unauthorised access to three Italian hotels.
Update of 08/08/2025: today, the same actor made a new collection of 17,000 identity documents available on the same forum, stolen from a further Italian hotel.
Update of 11/08/2025: over the weekend of 9-10 August, the same threat actor published new posts offering further collections for sale, amounting, according to his own claims, to more than 70,000 new identity documents, exfiltrated from four different Italian hotels.
Update of 13/08/2025: late yesterday evening, the attacker "mydocs" posted a new sale announcement on the same forum for identity documents stolen from two further hotels. According to the claim, around 3,600 items are involved. With this latest claim, the total number of Italian hotels affected would rise to ten. Further cases may emerge in the coming days.
Update of 14/08/2025: last night, the same threat actor put further identity documents up for sale, again on the same forum, relating to two more hotels, for a claimed total of around 9,300 scans.
Personal documents, in this case obtained by compromising data held by hotels but more commonly through phishing, can be a highly valuable asset for threat actors, who use them to carry out various increasingly sophisticated types of fraud:
creation of forged documents based on real identities;
opening of fraudulent bank accounts or lines of credit;
social engineering activity targeting the victims or their personal and professional circles;
digital identity theft with legal or financial repercussions for the people involved.
Although similar episodes had already emerged in May 2025, the increase in illicit sales of identity documents confirms the urgency of strengthening awareness and protective measures, both on the part of the organisations that handle them and on the part of citizens.
Conclusions
Given the growing frequency of these illicit activities, it is increasingly clear how essential it is that organisations that collect and manage identity documents adopt rigorous measures to protect and secure the information, ensuring not only correct data handling but also the safeguarding of their systems and digital portals against unauthorised access.
In this context, citizens also play a fundamental role in protecting their own identity. It is important to check periodically for signs of misuse of one's data, such as credit applications or account openings that were not authorised, and to avoid sharing copies of personal documents over channels that are insecure or where they are not needed. In case of suspected abuse or identity theft, the incident should always be reported promptly to the competent authorities.
bleepingcomputer.com - Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.
Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th.
While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.
Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches.
Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.
One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances.
These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors.
The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications.
BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database.
BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing.
The Salesforce data-theft attacks
The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances.
Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.
Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks.
While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider.
However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same.
"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.
"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."
It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested.
Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA.
Like Scattered Spider, Lapsus$ was also adept at social engineering and SIM swap attacks, allowing them to overrun the IT defenses of billion- and trillion-dollar companies.
Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
arstechnica.com - Disclosure comes two months after Google warned the world of ongoing spree.
In June, Google said it unearthed a campaign that was mass-compromising accounts belonging to customers of Salesforce. The means: an attacker pretending to be someone in the customer's IT department feigning some sort of problem that required immediate access to the account. Two months later, Google has disclosed that it, too, was a victim.
The series of hacks is being carried out by financially motivated threat actors out to steal data in hopes of selling it back to the targets at sky-high prices. Rather than exploiting software or website vulnerabilities, they take a much simpler approach: calling the target and asking for access. The technique has proven remarkably successful. Companies whose Salesforce instances have been breached in the campaign, Bleeping Computer reported, include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
Better late than never
The attackers abuse a Salesforce feature that allows customers to link their accounts to third-party apps that integrate data with in-house systems for blogging, mapping tools, and similar resources. The attackers in the campaign contact employees and instruct them to connect an external app to their Salesforce instance. As the employee complies, the attackers ask the employee for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.
Google said that its Salesforce instance was among those that were compromised. The breach occurred in June, but Google only disclosed it on Tuesday, presumably because the company only learned of it recently.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the company said.
Data retrieved by the attackers was limited to business information such as business names and contact details, which Google said was “largely public” already.
Google initially attributed the attacks to a group tracked as UNC6040. The company went on to say that a second group, UNC6042, has engaged in extortion activities, “sometimes several months after” the UNC6040 intrusions. This group brands itself under the name ShinyHunters.
“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”
With so many companies falling to this scam—including Google, which only disclosed the breach two months after it happened—the chances are good that there are many more we don’t know about. All Salesforce customers should carefully audit their instances to see what external sources have access to it. They should also implement multifactor authentication and train staff how to detect scams before they succeed.
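The audit recommended above, and the connected-app approvals abused in the Farmers and Allianz Life stories earlier on this page, as an added example that is not code from Google, Salesforce or any of the quoted articles. It reviews a constructed list of OAuth grant records: the record fields, app names and approved list are assumptions and not a real Salesforce API or log format (the scope names `full`, `api` and `refresh_token` are standard Salesforce OAuth scopes). It flags apps outside the approved list, broad scopes, and the pattern a phone-based campaign leaves behind: several distinct users approving the same app within a short window.

```python
"""Review of third-party OAuth (connected-app) grants on a SaaS tenant.

Added example, not code from any organisation named in the article. The
record layout, app names and approved list are constructed; this is NOT a
real Salesforce API or log format. Three things are flagged for a reviewer:
apps missing from the approved list, grants carrying broad scopes, and
several distinct users approving the same app inside a short window, which
is the shape a phone-based campaign walking staff through an app approval
would leave behind.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist (hypothetical app names).
APPROVED_APPS = {"Corp Data Loader", "Mapping Sync"}

# Scopes that allow bulk data access or keep access alive after the session.
BROAD_SCOPES = {"full", "api", "refresh_token"}

# Constructed sample grants: one unapproved app approved by three users in ~75 min.
SAMPLE_GRANTS = [
    {"app_name": "Corp Data Loader", "user": "alice", "scopes": ["api"],
     "authorized_at": "2025-06-02T09:00:00Z"},
    {"app_name": "Mapping Sync", "user": "bob", "scopes": ["web"],
     "authorized_at": "2025-06-03T10:00:00Z"},
    {"app_name": "IT Helpdesk Tool", "user": "carol", "scopes": ["full", "refresh_token"],
     "authorized_at": "2025-06-10T14:05:00Z"},
    {"app_name": "IT Helpdesk Tool", "user": "dave", "scopes": ["full", "refresh_token"],
     "authorized_at": "2025-06-10T14:40:00Z"},
    {"app_name": "IT Helpdesk Tool", "user": "erin", "scopes": ["full", "refresh_token"],
     "authorized_at": "2025-06-10T15:20:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_grants(grants, burst_window=timedelta(hours=2), burst_min_users=3):
    """Return sorted (app_name, reason) findings for a reviewer to work through."""
    findings = set()
    by_app = defaultdict(list)
    for grant in grants:
        by_app[grant["app_name"]].append(grant)

    for app, rows in by_app.items():
        if app not in APPROVED_APPS:
            findings.add((app, "not on approved app list"))

        # Union of every scope any user granted to this app, then keep the broad ones.
        granted = set()
        for row in rows:
            granted.update(row["scopes"])
        broad = granted & BROAD_SCOPES
        if broad:
            findings.add((app, "broad scopes: " + ", ".join(sorted(broad))))

        # Burst check: distinct users approving the same app within burst_window.
        times = sorted((parse_ts(r["authorized_at"]), r["user"]) for r in rows)
        for i, (start, _) in enumerate(times):
            users = {u for t, u in times[i:] if t - start <= burst_window}
            if len(users) >= burst_min_users:
                findings.add((app, f"{len(users)} users authorized within {burst_window}"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for app, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{app}: {reason}")
```

The approved app with the `api` scope is still reported, because the point of the review is to confirm each broad grant is expected, not to silence known ones; the burst threshold and window are tunable to the tenant's normal rate of new integrations.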
The run of bad news continues. Now it is Pandora's turn to warn its customers of a "personal data breach". The Danish jeweller's communication is surprising to say the least, since it describes itself as the victim "of a cybersecurity attack" (sic).
Be that as it may, "some customer data was accessed through a third-party platform". Pandora speaks of "common data [...] copied by the attacker, namely your name, date of birth and email address". The company seeks to reassure: "no passwords, bank card numbers or other similar confidential data were affected by this incident".
Pandora states that, according to its checks, "there is no indication that this data has been shared or published". The company recalls that protecting privacy is "an absolute priority" and that it takes this "situation very seriously".
That does not stop it from hiding behind its peers, recalling that this type of incident has "unfortunately become more common in recent years, particularly among international companies". It is true that leaks are multiplying, but that is no good reason to fall victim to a cyberattack involving the theft of personal data.
The risk is always the same: "phishing attempts carried out by third parties posing as Pandora" in order to collect more information.
next.ink -
Bouygues Telecom is currently notifying no fewer than 6.4 million customers of unauthorised access to some of their personal data... and their banking data too. Watch out for the risk of phishing and of direct debits on your accounts.
After a late 2024 and early 2025 that got off to a flying start for data leaks, the situation had calmed down somewhat, but not for long. The summer has been busy, with cyber incidents at Louis Vuitton, France Travail, Allianz Life, Pandora and now Bouygues Telecom.
The data includes personal information such as contact details, contractual data linked to your subscription, civil-status data or company data if you are a business customer, as well as IBANs on the banking side. However, "bank card numbers and passwords for your Bouygues Telecom accounts are not affected".
In October, Free had also suffered a personal data leak that included IBANs. A few weeks earlier it was RED by SFR, again with banking data.
The risks of an IBAN leak
The IBAN (International Bank Account Number) is the international identifier of your bank account, tied to a financial institution in a given country (it starts with FR for France, DE for Germany, and so on).
According to the Banque de France, "sharing your RIB is not risky in itself". But "as with any document containing personal information, you should properly identify the person to whom you are giving a RIB. A fraudster could use this information maliciously (e.g. identity theft)", the institution adds.
For its part, Bouygues Telecom states that "a person who holds an IBAN number could not issue a transfer without your consent". Rightly, the operator is careful to add that, as far as direct debits are concerned, things are more complicated: "the account holder normally has to sign a SEPA mandate, but it cannot be ruled out that a fraudster manages to carry out such an operation by impersonating you".
Indeed, when the signature takes the form of an SMS or an email, identity theft is easy to set up.
Bouygues Telecom therefore advises its customers to check their direct debits and to call their bank if in doubt: "Be aware that banking regulations allow you to dispute, for 13 months, any direct debits made from your bank account without your consent".
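The IBAN structure described in this section, as an added example that is not code from Bouygues Telecom, the Banque de France or next.ink. It shows where the country prefix sits, verifies the ISO 13616 mod-97 check digits (which is how a bank or merchant detects a mistyped or tampered IBAN before a mandate is set up), and redacts an IBAN for display in a customer notification so that the recipient can recognise the account without the full number travelling by email, the channel phishing would later abuse. The IBANs used are publicly documented test examples, not real accounts.

```python
"""IBAN structure check and redaction helper.

Added example, not code from Bouygues Telecom, the Banque de France or
next.ink. The IBANs in the demo are publicly documented test examples,
not real accounts.
"""
import re

# Two letters of country, two check digits, then 11 to 30 alphanumerics (the BBAN).
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def normalise(iban):
    """Strip whitespace and upper-case, since IBANs are usually printed in groups of four."""
    return re.sub(r"\s+", "", iban).upper()


def iban_country(iban):
    """Country prefix: FR for France, DE for Germany, and so on."""
    return normalise(iban)[:2]


def iban_is_valid(iban):
    """ISO 13616 mod-97 check.

    Move the first four characters to the end, replace each letter with its
    value A=10 .. Z=35, read the result as one integer; valid when mod 97 == 1.
    """
    s = normalise(iban)
    if not IBAN_RE.match(s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def redact_iban(iban, keep=4):
    """Keep the country code and the last `keep` characters, mask everything else."""
    s = normalise(iban)
    masked_len = max(len(s) - 2 - keep, 0)
    return s[:2] + "*" * masked_len + s[-keep:]


if __name__ == "__main__":
    # Published test IBANs; the third has its last digit altered so the check fails.
    for example in ("GB82 WEST 1234 5698 7654 32",
                    "DE89 3704 0044 0532 0130 00",
                    "DE89 3704 0044 0532 0130 01"):
        print(example, iban_country(example), iban_is_valid(example), redact_iban(example))
```

A notification that prints only the redacted form is enough for a customer to match it against their own statements, which is the check the operator asks them to carry out.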
Cyberattacks are "very frequent and spare" no one
The operator gives no details about the cyberattack. It simply states that it has blocked the access, strengthened monitoring "and implemented the necessary additional measures". The company also recalls that cyberattacks are "very frequent and spare no company"... an argument recently used by Pandora in a communication that was surprising to say the least.
As required by law, the CNIL has been informed of the situation. In addition, a complaint has been filed with the judicial authorities.
The risk in such a situation, quite apart from debits on your account, is being targeted by phishing. Attackers can use the harvested data to impersonate Bouygues Telecom or your bank in order to obtain additional data.
theregister.com - European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers' data stolen by way of a break-in at a third party org.
The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data.
"Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.
"No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen."
The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.
However, customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.
KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively.
The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity.
"We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you."
The Register approached the companies for additional information but they did not comment beyond the public statement.
The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.
In recent weeks, luxury retailers Dior, Chanel, and Pandora all reported similar leaks at third party providers, as did Google, Qantas, and Allianz.
All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.
None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on Snowflake customers.
Scattered Spider also changed its focus toward airlines earlier this year, and some researchers said it could be behind the attack on Hawaiian Airlines in June.
Check Point said last month that the attacks on Qantas and WestJet, which all occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly due to the tradecraft that led to the intrusions.
databreaches.net - Chatox and Brosix are communications platforms that advertise for personal use and team use. They are owned by Stefan Chekanov.
The only statement Chatox makes about its data security is “Chatox employs encryption across all communications, making it an extremely secure communication and collaboration platform.”
Brosix Enterprise advertises its security:
Brosix provides you with an efficient and secure communication environment, and Text Chat is a central element of this. With this feature you can instantly send, and receive, text messages to your network contacts. Better yet, all messages sent with Brosix are fully encrypted using end-to-end encryption technology, guaranteeing that your communication remains secure.
Brosix uses AES (Advanced Encryption Standard, used by US government) with 256 bit keys. Which means the encryption can’t be broken in a reasonable time.
All communication channels are direct, peer-to-peer, between the users and are not routed through Brosix servers. In some cases, if user firewalls do not allow direct connection, data is routed through Brosix servers. In these rare cases, the channels through the servers are built in a way that Brosix cannot decrypt and see the user data that flows.
So why did a researcher find a lot of sensitive chats in plain text with individuals’ first and last names, username, password, IP address, chat message, and attached files — all unencrypted?
What to Know
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files.
There was a total of 980,972 entries in the users’ tables, with entries going back to 2006.
The researcher first logged the backup as exposed in late April. From the logs, the researcher stated that the files in question were exposed from at least May 11th 2024 to July 4th 2025. Because logging only began in late April, the server could have been exposed before then.
The top email domains for each of the two platforms are listed below:

Brosix Enterprise Database          Chatox Database
14826  gmail.com                    63291  mail.ru
 5472  yahoo.com                    48075  gmail.com
 2086  hotmail.com                  20099  yandex.ru
 1805  mail.ru                      13789  yahoo.com
 1111  allstate.com                  7868  hotmail.com
  679  rankinteractive.com           6734  bk.ru
  633  yandex.ru                     4541  allstate.com
  582  issta.co.il                   3316  rambler.ru
  376  outlook.com                   3297  inbox.ru
  353  gp-servicedirect.com          3204  list.ru
san.com - Data stolen by a ransomware gang has exposed highly sensitive information from a Louisiana sheriff’s office, including the names, telephone numbers and Social Security numbers of confidential informants in criminal investigations. Straight Arrow News obtained a copy of the data from DDoSecrets, a non-profit that archives hacked and leaked documents in the public interest.
Medusa, a suspected Russian cybercrime group, said on its Dark Web blog in April 2024 that it had pilfered more than 90 gigabytes of data from the East Baton Rouge Sheriff’s Office.
The sheriff’s office initially claimed the intrusion had been quickly detected and stopped, allowing the hackers to obtain only a limited amount of data, such as “screenshots of file folders and still images from video files,” WBRZ-TV reported.
65,000 files
A sample of the stolen files shared at the time by Medusa included payroll information, showing that the breach was more substantial than first claimed by the sheriff’s office. Medusa threatened to release all of the data, which contains over 65,000 files, unless the sheriff’s office paid $300,000. There’s no indication the ransom was ever paid.
The East Baton Rouge Sheriff’s Office did not respond to a request for comment from SAN.
SAN’s analysis of the full data cache provides an insight into just how damaging the breach was. Given the sensitivity of the data, DDoSecrets is only sharing it with approved journalists, researchers and defense attorneys practicing in Baton Rouge.
The data covers both the banal day-to-day operations of a law enforcement agency and the potentially life-and-death details of drug cases and other criminal investigations.
“The East Baton Rouge Sheriff’s Office data is an extraordinary example of the inner workings of a police department, down to Internal Affairs investigations and details about the use of confidential informants,” DDoSecrets co-founder Emma Best told SAN. “While the police are obviously of public interest and deserve no privacy, their targets and victims do. With that in mind, we’re refraining from republishing the full data to the public while encouraging journalists and civil rights advocates to engage with it.”
Best said the data cache was posted by Medusa to the messaging app Telegram, but that their channels were repeatedly shut down. The contents of the breach have not been extensively reported on until now.
Law enforcement entities are common targets for ransomware gangs. In 2021, the Metropolitan Police Department in Washington, D.C., was hacked by a Russian-speaking ransomware group known as Babuk, resulting in the leak of 250 gigabytes of data after the department refused to pay a ransom. The data also included sensitive information on informants and police officers.
Confidential informants
Contracts signed by 34 confidential informants in 2023 are among the exposed data from Louisiana.
A document titled “CI Information” lists the names, dates of birth and Social Security numbers of 200 confidential informants involved in narcotics investigations. Names of deputies overseeing informants and case numbers are included, as well as whether the informants are still active. Deactivation dates, indicating when an informant’s work ended, range from 2020 to 2023.
A folder titled “C.I. G.P.S. routes” contains numerous images of maps detailing the movements of informants across Baton Rouge.
Seized devices
A document last edited in August 2023 lists devices seized by the sheriff’s office, primarily mobile phones. The document notes whether a warrant had been requested or obtained, as well as additional steps that may have been needed to access a device’s contents.
Several phones were turned over to the FBI, the data indicates. Some files mention that cellphone hacking tools were needed to pull data from the devices. Files refer to both Cellebrite, an Israeli company that produces tools for extracting data from mobile devices, and GrayKey, a mobile forensics tool developed by the US-based company Grayshift that similarly unlocks and extracts data from phones.
The data also shows that the Drug Enforcement Agency sought access to historical location data and other information from a target’s cell phone.
Cell phone surveillance
Pen trap and trace search warrants — court orders that allow law enforcement to collect cell phone metadata such as numbers dialed — were issued to cellular service providers T-Mobile, AT&T and Verizon.
Many of the warrants mention the use of a “cell site simulator,” also known as an IMSI catcher, to reveal a suspect’s whereabouts. Cell site simulators, commonly referred to as Stingrays, are devices that mimic cell phone towers and can be used to pinpoint the location of specific phones.
Sock puppet accounts
A presentation about online investigations advises officers to create “sock puppet accounts,” a term used to describe a false online identity created to conceal an individual’s real one.
For instance, deputies were told to use a free VPN browser add-on for Google Chrome to hide their IP addresses. The website thisxdoesnotexist.com is also listed as a resource for deputies to create AI-generated images of everything from fake people to resumes.
Hidden cameras and drones
A folder titled “Tech” includes brochures listing an array of surveillance technology, such as GPS trackers and hidden cameras that can be placed inside items such as clothing, vape pens and Newport menthol cigarette packs.
A list of hidden cameras contains IP addresses, login credentials for remote access and identifying information for both the devices and SIM cards used.
One list shows 19 drones operated by the sheriff’s office, the majority of which are made by the Chinese manufacturer DJI. The drones are used by several divisions of the sheriff’s office, including SWAT and narcotics, for suspect apprehension and search and rescue missions.
A PowerPoint presentation in the data cache shows the default password used to access the internal system for logging drone usage. A folder titled “Operation Photos & Videos” shows both surveillance of criminal suspects as well as overhead images of sheriff’s deputies at a shooting range.
Internal affairs
Internal affairs data, including complaints made against the sheriff’s office, accuse deputies of racial profiling, unwarranted searches and excessive force.
Incidents range from a deputy being reprimanded for letting his 10- and 12-year-old children drive his patrol vehicle to another being arrested for battery and suspended for 30 days after being involved in a “road rage-type” episode.
Polygraph results
Other files detail the results of polygraph tests given to both deputies and suspects.
One file graphically details an alleged sexual assault and concludes that the person being tested had been deceitful. A deputy was also accused of being deceitful after being asked whether he’d referred to homosexuals as “disgusting” when discussing a fellow deputy believed to be gay.
nbcnews.com - Hackers have breached the Tea app, which went viral as a place for women to talk about men, and tens of thousands of women’s photos have now been leaked online.
A spokesperson confirmed the hack Friday afternoon. The company estimates that 72,000 images, including 13,000 verification photos and images of government IDs, were accessed.
Tea is designed to function as a virtual whisper network for women, allowing them to upload photos of men and search for them by name. Users can leave comments describing specific men as a “red flag” or “green flag,” and share other information about them.
It’s recently gained such popularity that it became the top free app in the Apple App Store this week. The app claimed Thursday to have recently gained nearly a million new signups.
Signing up for Tea requires users to take selfies, which the app says are deleted after review, to prove they are women. All users who get accepted are promised anonymity outside of the usernames they choose. Taking screenshots of what’s in the app is also blocked.
The hacker accessed a database from more than two years ago, the Tea spokesperson said, adding that “This data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention.”
The Tea spokesperson said that the company has hired third-party cybersecurity experts and is “working around the clock to secure our systems.”
bleepingcomputer.com - The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information.
Dior is a French luxury fashion house, part of the LVMH (Moët Hennessy Louis Vuitton) group, which is the world's largest luxury conglomerate.
The Dior brand alone generates an annual revenue of over $12 billion, operating hundreds of boutiques worldwide.
The security incident occurred on January 26, 2025, but the company only became aware of it on May 7, 2025, launching internal investigations to determine its scope and impact.
"Our investigation determined that an unauthorized party was able to gain access to a Dior database that contained information about Dior clients on January 26, 2025," reads the notice sent to affected individuals.
"Dior promptly took steps to contain the incident, and we have no evidence of subsequent unauthorized access to Dior systems."
Based on the findings of the investigation, the following information has been exposed:
Full names
Contact details
Physical address
Date of birth
Passport or government ID number (in some cases)
Social Security Number (in some cases)
The company clarifies that no payment details, such as bank account or payment card information, were contained in the compromised database, so this information remains safe.
bankinfosecurity.com - Hacker Claims to Have Exploited Flaw in Oracle WebLogic Server, Sold Stolen Data
A hacker claims to have stolen and sold the personal data of clients of Seychelles Commercial Bank. The bank, which provides personal and corporate services on Seychelles, one of the world's smallest countries, notified customers of a hack, but said only personal information - not money - was stolen.
The archipelago nation in the Indian Ocean, located northeast of Madagascar, sports 98,000 inhabitants, ranks as the richest country in Africa and has a reputation for being a tax haven.
Seychelles Commercial Bank on Friday said it "recently identified and contained a cybersecurity incident, which has resulted in its internet banking services being temporarily suspended," and requested customers "make use of our ATMs or visit one of our branches during normal banking hours."
In its breach notification, the bank told customers: "SCB regrets to inform that this cyber incident resulted in unintentional exposure of personal information of internet banking customers only. The bank reassures all its internet banking customers that no funds have been accessed."
theguardian.com - Conservative government used superinjunction to hide error that put Afghans at risk and led to £2bn mitigation scheme.
Thousands of Afghans relocated to UK under secret scheme after data leak
Dan Sabbagh and Emine Sinmaz
Tue 15 Jul 2025 22.07 CEST
Conservative ministers used an unprecedented superinjunction to suppress a data breach that led the UK government to offer relocation to 15,000 Afghans in a secret scheme with a potential cost of more than £2bn.
The Afghan Response Route (ARR) was created in haste after it emerged that personal information about 18,700 Afghans who had applied to come to the UK had been leaked in error by a British defence official in early 2022.
Panicked ministers and officials at the Ministry of Defence learned of the breach in August 2023 after data was posted to a Facebook group and applied to the high court for an injunction – the first sought by a British government – to prevent any further media disclosure.
It was feared that publicity could put the lives of many thousands of Afghans at risk if the Taliban, who had control of the country after the western withdrawal in August 2021, were to become aware of the existence of the leaked list and to obtain it.
The judge in the initial trial, Mr Justice Knowles, granted the application “contra mundum” – against the world – and ruled that its existence remain secret, resulting in a superinjunction which remained in place until lifted on Tuesday.
The gagging order meant that both the data breach and the expensive mitigation scheme remained hidden despite its size and cost until the near two-year legal battle was brought to a close in the high court.
At noon on Tuesday, the high court judge Mr Justice Chamberlain said it was time to end the superinjunction, which he said had the effect of concealing discussions about spending “the sort of money which makes a material difference to government spending plans and is normally the stuff of political debate”.
A few minutes later, John Healey, the defence secretary, offered a “sincere apology” for the data breach. In a statement to the Commons, he said he had felt “deeply concerned about the lack of transparency” around the data breach and “deeply uncomfortable to be constrained from reporting to this house”.
securityweek.com - Nippon Steel Solutions has disclosed a data breach that resulted from the exploitation of a zero-day in network equipment.
Japan-based Nippon Steel Solutions on Tuesday disclosed a data breach that resulted from the exploitation of a zero-day vulnerability.
Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal.
Nippon Steel Solutions said in a statement posted on its Japanese-language website that it detected suspicious activity on some servers on March 7.
An investigation showed that hackers had exploited a zero-day flaw in unspecified network equipment, and gained access to information on customers, partners and employees.
In the case of customers, the attackers may have stolen information such as name, company name and address, job title, affiliation, business email address, and phone number.
The exposed information in the case of partners includes names and business email addresses, while in the case of employees the attackers may have obtained names, business email addresses, job titles, and affiliation.
Nippon Steel Solutions said the information may have been exfiltrated, but to date it has found no evidence of a data leak on the dark web or elsewhere.
The notorious ransomware group BianLian claimed to have stolen hundreds of gigabytes of data from Nippon Steel USA in mid-February, including files related to finances, employees, and production.
The cybercriminals at the time threatened to leak all of the stolen data, but the group went dark a few weeks later.
Nippon Steel does not appear to have confirmed a data breach in response to BianLian’s claims and it’s unclear if the two incidents are related.
SecurityWeek has reached out to NS Solutions for clarifications and will update this
Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information.
In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23.
Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed.
“On July 18, 2024, the investigation was complete, and we identified your personal information contained within documents related to certain of our customers that the unauthorized individual obtained,” explains Bitcoin Depot in the letter.
“Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation.”
The type of data that has been exposed in this incident varies from individual to individual and may include:
Full name
Phone number
Driver’s license number
Address
Date of birth
Email address
Bitcoin Depot is one of the largest Bitcoin ATM networks in the United States, operating 8,800 machines in the U.S., Canada, and Australia.
techradar.com - 4 July
Almost a year later, the company comes forward with more details
The organization confirmed the news after an extensive investigation that took almost a year, noting in a data breach notification letter sent earlier to affected individuals the attack most likely took place on October 4 2024, when cybercriminals accessed its network and stole sensitive information on current and former employees, current and former support service contractors, and their dependents.
We don’t know exactly how many people were affected by this attack, or what the nature of the data is. IdeaLab just said the attackers took people’s names, in combination with “variable data”.
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023.
Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024.
As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company's Asian offices in February 2023 and subsequent lateral movement through its network.
"Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems," the company says in data breach notification letters filed with California's Attorney General, redacted to conceal what information was stolen in the attack.
"After becoming aware of the incident, we terminated the unauthorized actor's access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023."