Cyberveille curated by Decio
Update on a Security Incident Involving Third-Party Customer Service https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service
04/10/2025 23:13:39

discord.com

Discord
October 3, 2025

At Discord, protecting the privacy and security of our users is a top priority. That’s why it’s important to us that we’re transparent with them about events that impact their personal information.

Discord recently discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers.
This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams.
This unauthorized party did not gain access to Discord directly.
No messages or activities were accessed beyond what users may have discussed with Customer Support or Trust & Safety agents.
We immediately revoked the customer support provider’s access to our ticketing system and continue to investigate this matter.
We’re working closely with law enforcement to investigate this matter.
We are in the process of emailing the users impacted.

Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.

As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.

We are in the process of contacting impacted users. If you were impacted, you will receive an email from noreply@discord.com. We will not contact you about this incident via phone – official Discord communications channels are limited to emails from noreply@discord.com.

What happened?
An unauthorized party targeted our third-party customer support services to access user data, with a view to extort a financial ransom from Discord.

What data was involved?
The data that may have been impacted was related to our customer service system. This may include:

Name, Discord username, email and other contact details if provided to Discord customer support
Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
IP addresses
Messages with our customer service agents
Limited corporate data (training materials, internal presentations)

The unauthorized party also gained access to a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.

What data was not involved?
Full credit card numbers or CCV codes
Messages or activity on Discord beyond what users may have discussed with customer support
Passwords or authentication data

What are we doing about this?
Discord has and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards. In addition, we have:

Notified relevant data protection authorities.
Proactively engaged with law enforcement to investigate this attack.
Reviewed our threat detection systems and security controls for third-party support providers.

Taking next steps
Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious. We have service agents on hand to answer questions and provide additional support.

We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause.

discord.com EN 2025 Discord data-breach incident
Security update: Incident related to Red Hat Consulting GitLab instance https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance?sc_cid=RHCTG0180000354765
03/10/2025 09:57:11

We are writing to provide an update regarding a security incident related to a specific GitLab environment used by our Red Hat Consulting team. Red Hat takes the security and integrity of our systems and the data entrusted to us extremely seriously, and we are addressing this issue with the highest priority.

What happened
We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.

We have now implemented additional hardening measures designed to help prevent further access and contain the issue.

Scope and impact on customers
We understand you may have questions about whether this incident affects you. Based on our investigation to date, we can share:

Impact on Red Hat products and supply chain: At this time, we have no reason to believe this security issue impacts any of our other Red Hat services or products, including our software supply chain or downloading Red Hat software from official channels.
Consulting customers: If you are a Red Hat Consulting customer, our analysis is ongoing. The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, and internal communications about consulting services. This GitLab instance typically does not house sensitive personal data. While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time. We will notify you directly if we believe you have been impacted.
Other customers: If you are not a Red Hat Consulting customer, there is currently no evidence that you have been affected by this incident.
For clarity, this incident is unrelated to a Red Hat OpenShift AI vulnerability (CVE-2025-10725) that was announced yesterday.

Our next steps
We are engaging directly with any customers who may be impacted.

Thank you for your continued trust in Red Hat. We appreciate your patience as we continue our investigation.

redhat.com EN 2025 GitLab Consulting TheCrimsonCollective incident data-breach
Cyber incident bugnard.ch https://www.bugnard.ch/
02/10/2025 09:31:12

Official message – Bugnard SA bugnard.ch

Dear customers, dear partners,

On 24 September 2025, late in the day, we detected an intrusion into Bugnard SA's IT infrastructure by the Akira ransomware. This attack affected our servers as well as our website.
As a security measure, we immediately cut off access to the platform in order to protect the integrity of your data and of our systems.
Our IT team is mobilised on site and is working with the highest priority to restore the situation. If necessary, we will restore our latest backup in order to bring the site back into service as quickly as possible.
At this stage, we estimate that the site could be back online between Wednesday and Friday of this week.
We are fully aware that 72% of our business goes through our website and are doing everything we can so that you can place your orders again quickly and securely.
In the meantime, our sales team remains available by telephone and e-mail to respond to your urgent needs.
We will keep you informed of developments and thank you for your understanding and your trust.

With my best regards,
Christian Degouy
CEO

bugnard.ch FR Suisse incident Akira ransomware intrusion
Security Alert: Malicious 'postmark-mcp' npm Package Impersonating Postmark | Postmark https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package
29/09/2025 23:25:02

Alert: A malicious npm package named 'postmark-mcp' was impersonating Postmark to steal user emails. Postmark is not affiliated with this fraudulent package.

We recently became aware of a malicious npm package called "postmark-mcp" on npm that was impersonating Postmark and stealing user emails. We want to be crystal clear: Postmark had absolutely nothing to do with this package or the malicious activity.

Here's what happened: A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server.

What you should know:

This is not an official Postmark tool. We have not published our Postmark MCP server on npm prior to this incident
We didn't develop, authorize, or have any involvement with the "postmark-mcp" npm package
The legitimate Postmark API and services remain secure and unaffected by this incident
If you've used this fake package:

Remove it immediately from your systems
Check your email logs for any suspicious activity
Consider rotating any credentials that may have been sent via email during the compromise period
This situation highlights why we take our API security and developer trust so seriously. When you integrate with Postmark, you're working directly with our official, documented APIs—not third-party packages that claim to represent us. If you are not sure what official resources are available, you can find them via the links below, which are always available to our customers:

Our official resources:

Official Postmark MCP - Github
API documentation
Official libraries and SDKs
Support channels or email security@activecampaign.com if you have questions

postmarkapp.com EN 2025 incident Supply-Chain-Attack postmark-mcp
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/
29/09/2025 23:03:58

The DFIR Report - thedfirreport.com/2025/09/29 September 29, 2025

Key Takeaways
The intrusion began with a Lunar Spider linked JavaScript file disguised as a tax form that downloaded and executed Brute Ratel via an MSI installer.
Multiple types of malware were deployed across the intrusion, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor.
Credentials were harvested from several sources like LSASS, backup software, and browsers, and also a Windows Answer file used for automated provisioning.
Twenty days into the intrusion, data was exfiltrated using Rclone and FTP.
Threat actor activity persisted for nearly two months with intermittent command and control (C2) connections, discovery, lateral movement, and data exfiltration.
This case was featured in our September 2025 DFIR Labs Forensics Challenge and is available as a lab today here for one-time access or included in our new subscription plan. It was originally published as a Threat Brief to customers in Feb 2025.

Case Summary
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.

The Brute Ratel loader subsequently injected Latrodectus malware into the explorer.exe process, and established command and control communications with multiple CloudFlare-proxied domains. The Latrodectus payload was then observed retrieving a stealer module. Around one hour after initial access, the threat actor began reconnaissance activities using built-in Windows commands for host and domain enumeration, including ipconfig, systeminfo, nltest, and whoami commands.

Approximately six hours after initial access, the threat actor established a BackConnect session, and initiated VNC-based remote access capabilities. This allowed them to browse the file system and upload additional malware to the beachhead host.

On day three, the threat actor discovered and accessed an unattend.xml Windows Answer file containing plaintext domain administrator credentials left over from an automated deployment process. This provided the threat actor with immediate high-privilege access to the domain environment.

On day four, the threat actor expanded their activity by deploying Cobalt Strike beacons. They escalated privileges using Windows’ Secondary Logon service and the runas command to authenticate as the domain admin account found the prior day. The threat actor then conducted extensive Active Directory reconnaissance using AdFind. Around an hour after this discovery activity they began lateral movement. They used PsExec to remotely deploy Cobalt Strike DLL beacons to several remote hosts including a domain controller as well as file and backup servers.

They then paused for around five hours. On their return, they deployed a custom .NET backdoor that created a scheduled task for persistence and set up an additional command and control channel. They also dropped another Cobalt Strike beacon that had a new command and control server. They then used a custom tool that used the Zerologon (CVE-2020-1472) vulnerability to attempt additional lateral movement to a second domain controller. After that they tried to execute Metasploit laterally on that domain controller via a remote service; however, they were unable to establish a command and control channel from this action.

On day five, the threat actor returned using RDP to access a new server that they then dropped the newest Cobalt Strike beacon on. This was then followed by an RDP logon to a file share server where they also deployed Cobalt Strike. Around 12 hours after that they returned to the beachhead host and replaced the BruteRatel file used for persistence with a new BruteRatel badger DLL. After this there was a large gap before their next actions.

Fifteen days later, the 20th since initial access, the threat actor became active again. They deployed a set of scripts to execute a renamed rclone binary to exfiltrate the data from the file share server. This exfiltration used FTP to send data over a roughly 10 hour period to the threat actor’s remote host. After this concluded there was another pause in threat actor actions.

On the 26th day of the intrusion the threat actor returned to the backup server and used a PowerShell script to dump credentials from the backup server software. Two days later they appeared again on the backup server and dropped a network scanning tool, rustscan, which they used to scan subnets across the environment. After this, hands-on activity ceased again.

The threat actor maintained intermittent command and control access for nearly two months following initial compromise, leveraging BackConnect VNC capabilities and multiple payloads, including Latrodectus, Brute Ratel, and Cobalt Strike, before being evicted from the environment. Despite the extended dwell time and comprehensive access to critical infrastructure, no ransomware deployment was observed during this intrusion.

thedfirreport.com EN 2025 DFIR Lunar Spider bruteratel cobaltstrike latrodectus incident
Attack on SonicWall’s cloud portal exposes customers’ firewall configurations https://cyberscoop.com/sonicwall-cyberattack-customer-firewall-configurations
22/09/2025 18:07:53

cyberscoop.com

By Matt Kapko

September 17, 2025

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files.

The company confirmed to CyberScoop that an unidentified cybercriminal accessed SonicWall’s customer portal through a series of brute-force attacks.

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.

The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”

While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.

This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices.

“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop.

“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added.

SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said.

“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added.

SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm.

Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”

SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.

Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said.

“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.

Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks.

Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.

cyberscoop.com EN 2025 SonicWall MySonicWall incident cloud
MySonicWall Cloud Backup File Incident https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
22/09/2025 18:04:06

https://www.sonicwall.com/support/
Updated
September 22, 2025

Description

SonicWall’s security teams recently detected suspicious activity targeting the cloud backup service for firewalls, which we confirmed as a security incident in the past few days.

Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall.

We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.

TIP: Learn more by watching this helpful video guide here
Affected Products:

SonicWall Firewalls with preference files backed up in MySonicWall.com

Due to the sensitivity of the configuration files, we highly encourage customers to take the following steps immediately:

Log in to your MySonicWall.com account and verify if cloud backups exist for your registered firewalls:
    If fields are blank (Figure 1): You are NOT at risk.
    Figure 1 – Does Not Contain Backup

    If fields contain backup details (Figure 2): Please continue reading.
    Figure 2 – Contains Backups

Verify whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List; the affected serial numbers will be flagged with information such as Friendly Name, Last Download Date and Known Impacted Services.

    If Serial Numbers are shown: the listed firewalls are at risk and should follow the containment and remediation guidelines: Essential Credential Reset
    NOTE: Impacted Services should be used for general guidance only. The services listed were identified as being enabled and should be immediately reviewed. ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT, OR BEFORE, THE TIME OF BACKUP SHOULD BE REVIEWED FOR EACH SERIAL NUMBER LISTED.
    If you have used the Cloud Backup feature but no Serial Numbers are shown, or only some of your registered Serial Numbers are shown:
            SonicWall will provide additional guidance in coming days to determine if your backup files were impacted.
            Please check back on this page for this additional information: MySonicWall Cloud Backup File Incident

Technical Containment and Mitigation Documentation can be found at:

Essential Credential Reset
Remediation Playbook

NOTE: Use the SonicWall Online Tool to identify services that require remediation. Follow the on-screen instructions to proceed. (UPE Mode is not supported.)

We have a dedicated support service team available to help you with any of these changes. If you need any assistance, please login to your MySonicWall account and open a case with our Support team. You can access your account at: https://www.mysonicwall.com/muir/login.
Change Log:

2025-9-17 4:40 AM PDT: Initial publish.
2025-9-17 2:45 PM PDT: Minor formatting update.
2025-9-17 8:45 PM PDT: Revised incident disclosure text to clarify scope (<5% of firewalls), encrypted credentials, no known leaks, and brute-force (not ransomware) attack.
2025-9-18  5:38 AM PDT: Changed formatting and provided detailed steps with screenshots.
2025-9-18  9:19 AM PDT: Updated guidance steps, navigation screenshots, and note clarifying review of impacted services.
2025-9-18 4:30 PM PDT: Updated KB text and image to clarify affected products, provide step-by-step backup verification instructions, and replace figures showing when backups are or are not present.
2025-9-19 1:15 PM PDT: No updates at this time.
2025-9-20 9:15 AM PDT: Added a Tip with a video guide and a Note linking to the SonicWall online tool for firewall configuration analysis and remediation guidance.
2025-9-22 8:20 AM PDT: No updates at this time.
sonicwall.com EN 2025 incident MySonicWall cloud backup
Important Update Regarding Drift Security https://trust.salesloft.com/?uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations
15/09/2025 09:59:55

Salesloft Trust Portal September 13, 2025 at 1:19 AM

Important Update Regarding Drift Security
The following provides additional information to our trust site post on September 6, 2025, regarding our current Drift remediation and fortification efforts and those going forward. We are continuing our efforts on remediation and additional security controls.

We are focused on the ongoing hardening of the Drift Application environment. This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations.

Furthermore, we are implementing new multi-factor authentication processes and further refining limitations to the application environment. These measures are complemented by an ongoing analysis of available logs and configuration settings, as well as the remediation of secrets within the environment and GitHub hardening activities.

As a part of this process, we have systems that will be turned on over the weekend that may send you automated notifications originating from Drift. Please disregard these notifications as they are part of our security testing process. Until we provide you with a definitive update that the Drift application has been restored and re-enabled, it will remain inaccessible to customers and third party integrations.

All of this is focused on continuing to harden the Drift environment prior to and after re-enabling the Drift application — which we expect to be soon.

September 11, 2025 at 12:30 AM
Drift Status Update
Most Recent: We want to provide you with an update regarding the status of the Drift application while it is temporarily offline.

On Sept 6, we posted a trust site update detailing the initial results of our investigation and remediation efforts to date. While Drift is offline, Salesloft is working to confirm the root cause of the security incident and implement additional security measures to avoid similar incidents in the future and to restore the application as soon as possible. We hope to be able to provide an ETA soon for getting Drift back online.

At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.

The security of your data and operations remains our highest priority, and we are committed to providing a safe and secure platform for all users. Thank you for your patience during this time.

For ongoing updates, please subscribe to trust.salesloft.com.

September 07, 2025 at 9:20 PM
Salesforce/Salesloft Integration Is Restored
We are pleased to report that the integration between the Salesloft platform and Salesforce is now restored.

Salesforce users can once again leverage the full capabilities and integrations of the Salesloft platform with confidence. For more information, read our most recent trust site update.

While the connection between systems was disabled, both Salesloft and Salesforce continued to run independently. The Salesloft Customer Success team will be reaching out to you directly to help you with data reconciliation before we can re-enable your Salesforce sync. Once we connect with you, the restoration should be relatively quick.

The step-by-step process for re-syncing your data and activities between Salesloft and Salesforce can be found in this help article.

The security of your data and operations remains our highest priority, and we remain committed to providing a safe and secure platform for all users. Thank you for your patience during this time and for your continued partnership.

For assistance, please contact Customer Support at help.salesloft.com.
For ongoing updates, please subscribe to our trust site (trust.salesloft.com)

September 07, 2025 at 2:00 AM
Update on Mandiant Drift and Salesloft Application Investigations
On August 28, 2025, Salesloft retained Mandiant to investigate the compromise of the Drift platform and its technology integrations. The objectives of the investigation are to determine the root cause, scope of the incident, and assist Salesloft with containment and remediation. Mandiant was subsequently engaged to examine the Salesloft environment to determine if it was compromised and verify the segmentation between the Drift and Salesloft environments.

The following is an update as of September 6, 2025:

What Happened:

Mandiant’s investigation has determined the threat actor took the following actions:

In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.

The investigation noted reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments.
The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.
The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.

The threat actor used the stolen OAuth tokens to access data via Drift integrations.
Response and Remediation Activities:

As part of a comprehensive response, Salesloft performed containment and eradication activities, validated by Mandiant, in the Drift and Salesloft application environments, including but not limited to:

Drift Application Environment:
    Isolated and contained the Drift infrastructure, application, and code.
    The Drift Application has been taken offline.
    Rotated impacted credentials.
Salesloft Application Environment:
    Rotated credentials in the Salesloft environment.
    Performed proactive threat hunting of the environment and found no additional Indicators of Compromise (“IOCs”).
    Rapidly hardened the Salesloft environment against the known methods used by the threat actor during the attack.
    Threat hunting based on Mandiant Intelligence across Salesloft infrastructure and technologies:
        IOC analysis.
        Analysis of events associated with at-risk credentials based on threat actor activity.
        Analysis of events associated with activity that would permit the threat actor to circumvent Salesloft security controls.
Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments.
Based on the Mandiant investigation, the findings support that the incident has been contained. The focus of Mandiant’s engagement has now transitioned to a forensic quality assurance review.

salesloft.com EN 2025 status incident Salesloft Analysis Mandiant
A Primer on Forensic Investigation of Salesforce Security Incidents https://www.salesforce.com/blog/a-primer-on-forensic-investigation-of-salesforce-security-incidents/
03/09/2025 20:53:10

salesforce.com Eoghan Casey
August 27, 2025

Learn how to detect, investigate, and respond to Salesforce security incidents with logs, permissions, and backups.

A guide to investigating Salesforce security incidents with logs, permissions, and backups to strengthen response and resilience.

I am increasingly asked by customers how to investigate potential security incidents in their Salesforce environments. Common questions are: What did a specific user do during that time? and What data was impacted? Every organization and incident is unique, and the answer to these questions depends on the specific situation, but there is some general guidance I can provide.

Three key sources of information for investigating a security incident in Salesforce environments are activity logs, user permissions, and backup data.

salesforce.com EN 2025 guide Investigation Forensic incident
Insurers May Limit Payments in Cases of Unpatched CVEs https://www.darkreading.com/cyber-risk/cyber-insurers-may-limit-payments-breaches-unpatched-cve
29/08/2025 15:05:42

darkreading.com
Robert Lemos, Contributing Writer
August 22, 2025

Some insurers look to limit payouts to companies that don't remediate serious vulnerabilities in a timely manner. Unsurprisingly, most companies don't like those restrictions.

Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations' defenses.

Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability's half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.

The limits could start showing up in companies' policies, however, if demand for cyber insurance continues to grow, creating a seller's market, says John Coletti, head of cyber underwriting at Coalition.

"While we will not name names, there are specific examples of this occurring within the industry," he says. "A company should be highly skeptical of buying a policy with a CVE exclusion."

Cyber-insurance firms are struggling to find different ways to limit their exposure to large breaches and campaigns that hit a large number of policyholders. Following NotPetya, when companies used business insurance to cover disruptions to operations, efforts to deny payouts based on warlike-act exclusion clauses largely failed but led to enhanced wording in subsequent policies. Increasingly, cyber-insurance firms have used data from policyholders, data gleaned from cybersecurity assessments, or information from their own managed security services offerings to better determine risk.

Blame the Victim?
Yet requiring all companies to manage major vulnerabilities is a tall order. Currently, the software industry is on track to disclose more than 46,000 vulnerabilities in 2025, up from nearly 40,000 in 2024, according to the National Vulnerability Database (NVD). Of those, likely 30% would be considered of high or critical severity, typically defined as a Common Vulnerability Scoring System (CVSS) score of 8.0 or higher.

darkreading.com EN 2025 Insurance cyber-insurance Unpatched CVE incident
Hackers take aim at Washington Post journalists in an apparent ‘targeted’ cyberattack | CNN Business https://edition.cnn.com/2025/06/15/media/washington-post-cyberback-emails
16/06/2025 13:54:46

Hackers have tried to break into the email accounts of a select number of Washington Post journalists, according to an internal Washington Post memo obtained by CNN.

The Post discovered the “possible targeted” hack of its email system last Thursday, prompting the newspaper to reset login credentials for all its employees on Friday, Washington Post Executive Editor Matt Murray said in a memo Sunday to employees.

“Although our investigation is ongoing, we believe the incident affected a limited number of Post journalists’ accounts, and we have contacted those whose accounts have been impacted,” Murray said.

“We do not believe this unauthorized intrusion impacted any additional Post systems or has had any impact for our customers,” he added.

It was not immediately clear who was responsible for the hack. Journalists are regular targets for both state-backed spies, who are interested in tracking their reporting before it becomes public, and cybercriminals, who are interested in extorting news organizations.

A spokesperson for The Post declined to comment when asked who might be responsible for the hack.

CNN EN 2025 Washington-Post email accounts targeted-hack incident
Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption https://www.sentinelone.com/blog/update-on-may-29-outage/#heading-1
02/06/2025 20:55:09

On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data. We apologize for the disruption caused by this service interruption.

The root cause of the disruption was a software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform. It was not a security-related event. The majority of SentinelOne services experienced full or partial downtime due to this sudden loss of network connectivity to critical components in all regions.

We’d like to assure our commercial customers that their endpoints were protected throughout the duration of the service disruption and that no SentinelOne security data was lost during the event. Protected endpoint systems themselves did not experience downtime due to this incident. A core design principle of the SentinelOne architecture is to ensure protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response – even in the case of service interruptions, of any kind, including events like this one.

sentinelone EN 2025 incident root-cause RCA Global Service Interruption software flaw
Victoria's Secret hit by outages as it battles security incident | TechCrunch https://techcrunch.com/2025/05/28/victorias-secret-hit-by-outages-as-it-battles-security-incident/
01/06/2025 16:58:17

Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption.

Victoria’s Secret posted the brief statement on its website Wednesday. The company’s outages began earlier on Monday, when users reported being unable to access the Victoria’s Secret website.

“We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution,” a spokesperson for Victoria’s Secret said in response to TechCrunch’s inquiries. The spokesperson did not provide their name nor describe the nature of the cybersecurity incident.

“We are working to quickly and securely restore operations,” the spokesperson said. The company said its stores remain open.

Victoria’s Secret stock closed down 7% on the news of the security incident.

techcrunch EN 2025 Victorias-Secret incident
A Letter From Our CEO https://www.cellcom.com/newsroom/letter
24/05/2025 12:16:38

Dear Friends, Neighbors, and Valued Cellcom/Nsight Customers,

Over the past five days, many of you have been impacted by a service disruption — and I want to begin by saying something simple, and deeply meant: I’m here.

While I’ve been closely involved from the very beginning, this is the first time I’m writing to you directly. That wasn’t because I didn’t want to — it was because I truly believed we’d be past this quickly. I stayed focused on the fix, confident that we’d be able to restore service fast.

We’ve always believed in being present, open, and accountable to the people we serve. That’s what this letter is about.

We experienced a cyber incident. While this is unfortunate, it’s not something we were unprepared for. We have protocols and plans in place for exactly this kind of situation. From the start, we’ve followed those plans — including engaging outside cybersecurity experts, notifying the FBI and Wisconsin officials, and working around the clock to bring systems safely back online.

The incident was concentrated on an area of our network separate from where we store sensitive information related to you, our Cellcom/Nsight family. We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event.

Thanks to an incredible amount of hard work and tenacity, we achieved a major milestone last night. We are building on that success and expect to have the rest of service restored this week. Every part of this recovery is being handled with care and precision — we will not rush anything that compromises safety, security or trust.

For 115 years, as a company that began as a local telephone provider, we've understood that connection is everything. Generations of my family have had the privilege of serving generations of yours. We've grown and changed with the times, but our purpose has always remained the same: helping you stay connected to what matters most. We know this disruption has caused frustration and, for some, real hardship — and for that, I am truly sorry.

In the midst of it all, I’ve witnessed what makes this company special. Across the organization, people put mission ahead of role, put pride aside, and put the community first. We saw teams find creative solutions, take personal initiative, and step outside the bounds of job descriptions to make things right. That spirit — of care, urgency and accountability — has defined our response and will continue to shape our path forward.

To our employees — thank you. Your heart and grit during these trying days make me proud beyond words.

To our customers — thank you. Your patience, understanding and kindness mean the world to us. We’ve felt your support every step of the way, and we don’t take it for granted.

We know that gratitude alone isn’t enough — we’re taking responsibility. We’re covering the time you were without service, and then some.

Please know that we hear you, we appreciate you, and you have the very best team in the world on the case. I know we will be a better and stronger Cellcom/Nsight for this experience.

Warmly,

Brighid Riordan

cellcom EN incident wireless Wisconsin US cyberattack
Harrods is latest retailer to be hit by cyber-attack | Harrods | The Guardian https://www.theguardian.com/business/2025/may/01/harrods-latest-retailer-hit-cyber-attack-website-shops
02/05/2025 14:08:05

Luxury department store is forced to shut some systems but website and shops continue to operate.
Harrods has been hit by a cyber-attack, just days after Marks & Spencer and the Co-op were targeted.

The luxury department store is understood to have been forced to shut down some systems, but said its website and all its stores, including the Knightsbridge flagship, H beauty and airport outlets, continued to operate. It is understood the retailer first realised it was being targeted earlier this week.

Harrods said in a statement: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”

The retailer said it was not asking customers to take any action, indicating that it did not suspect data had been accessed. It added: “We will continue to provide updates as necessary.”

theguardian EN 2025 Harrods cyber-attack luxury incident
Grafana security update: no customer impact from GitHub workflow vulnerability https://grafana.com/blog/2025/04/27/grafana-security-update-no-customer-impact-from-github-workflow-vulnerability/
02/05/2025 11:45:31

On April 26, an unauthorized user exploited a vulnerability with a GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated. At this time, our investigation has found no evidence of code modifications, unauthorized access to production systems, exposure of customer data, or access to personal information.

grafana en 2025 incident investigation vulnerability GitHub workflow unauthorized access tokens
Incident update: Mitigating a DDoS attack on April 21, 2025 https://www.adyen.com/knowledge-hub/mitigating-a-ddos-april-2025
23/04/2025 09:36:12

This update outlines what happened, what we’ve done so far, and the actions we are taking to prevent it from happening in the future.

adyen EN 2025 incident DDoS attack payment Europe
Cyberattack on the UCBA computer network - UCBA https://www.ucba.ch/actualites/detail/news/cyberattaque-sur-le-reseau-informatique-de-lucba
16/04/2025 10:31:02

The UCBA computer network was the target of a cyberattack. The association immediately put the necessary security measures in place and referred the matter to the competent authorities. A thorough analysis of the facts is under way.

ucba FR 2025 cyberattaque association Lausanne incident
Fake Zoom Ends in BlackSuit Ransomware https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/
31/03/2025 20:56:58

Key Takeaways: The threat actor gained initial access via a fake Zoom installer that used d3f@ckloader and IDAT loader to drop SectopRAT. After nine days of dwell time, the SectopRAT malware dropped …

thedfirreport EN 2025 Fake Zoom IDAT loader SectopRAT d3f@ckloader incident analysis
Zapier says someone broke into its code repositories and may have accessed customer data https://www.theverge.com/news/622026/zapier-data-breach-code-repositories
03/03/2025 11:01:54

Zapier is notifying customers about a “security incident,” which involved an unauthorized user gaining access to the company’s code repositories and “certain custom information.”

theverge EN 2025 Zapier incident repositories data-leak