Google Data Breach
2024-12-26
  • Dec 26, 2024 5:30 AM From Chinese cyberspies breaching US telecoms to ruthless ransomware gangs disrupting health care for millions of people, 2024 saw some of the worst hacks, breaches, and data leaks ever.

Every year has its own mix of digital security debacles, from the absurd to the sinister, but 2024 was particularly marked by hacking sprees in which cybercriminals and state-backed espionage groups repeatedly exploited the same weakness or type of target to fuel their frenzy. For attackers, the approach is ruthlessly efficient, but for compromised institutions—and the individuals they serve—the malicious rampages had very real consequences for people's privacy, safety, and security. As political turmoil and social unrest intensify around the world, 2025 will be a complicated—and potentially explosive—year in cyberspace. But first, here's WIRED's look back on this year's worst breaches, leaks, state-sponsored hacking campaigns, ransomware attacks, and digital extortion cases. Stay alert, and stay safe out there.

[China's Salt Typhoon Telecom Breaches](https://www.wired.com/story/senators-warn-pentagon-salt-typhoon-china-hacking/)
-----------------------------------------------------------------------------------------------------------------------

Espionage operations are a fact of life, and relentless Chinese campaigns have been a constant in cyberspace for years now. But the China-linked espionage group Salt Typhoon carried out a particularly noteworthy operation this year, infiltrating a slew of US telecoms including Verizon and AT&T (plus others around the world) for months.
And US officials told reporters earlier this month that many victim companies are still actively attempting to remove the hackers from their networks. The attackers surveilled a small group of people—fewer than 150 by current count—but they include individuals who were already subject to US wiretap orders as well as State Department officials and members of both the Trump and Harris presidential campaigns. Additionally, texts and calls from other people who interacted with the Salt Typhoon targets were inherently also caught up in the espionage scheme.

[Snowflake Customer Breaches](https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/)
------------------------------------------------------------------------------------------------------------

Throughout the summer, attackers were on a tear, breaching prominent companies and organizations that were all customers of the cloud data storage company Snowflake. The spree barely qualifies as hacking, since cybercriminals were simply using stolen passwords to log in to Snowflake accounts that didn't have two-factor authentication turned on. The end result, though, was an extraordinary amount of data stolen from victims including Ticketmaster, Santander Bank, and Neiman Marcus. Another prominent victim, the telecom giant AT&T, [said in July that “nearly all” records relating to its customers' calls and texts](https://www.wired.com/story/att-phone-records-breach-110-million/) from a seven-month stretch in 2022 were stolen in a Snowflake-related intrusion. The security firm Mandiant, which is owned by Google, [said in June](https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion) that the rampage impacted roughly 165 victims. In July, Snowflake added a feature so account administrators could make two-factor authentication mandatory for all of their users.
In November, suspect Alexander “Connor” Moucka was [arrested by Canadian law enforcement for allegedly leading the hacking spree](https://www.wired.com/story/connor-moucka-snowflake-hack-arrest-extradition/). He was indicted by the US Department of Justice for the Snowflake tear and faces extradition to the US. [John Erin Binns](https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/), who was arrested in Turkey for an indictment related to a 2021 breach of the telecom T-Mobile, was also indicted on charges related to the Snowflake customer breaches.

[Change Healthcare Ransomware Attack](https://www.wired.com/story/blackcat-ransomware-disruptions-comebacks/)
-------------------------------------------------------------------------------------------------------------

At the end of February, the medical billing and insurance processing company Change Healthcare was hit with a ransomware attack that caused disruptions at hospitals, doctors' offices, pharmacies, and other health care facilities around the US. The attack is one of the all-time largest breaches of medical data, impacting more than 100 million people. The company, which is owned by UnitedHealth, is a dominant medical billing processor in the US. It said days after the attack started that it believed ALPHV/BlackCat, a notorious Russian-speaking ransomware gang, was behind the assault. Personal data stolen in the attack included patient phone numbers, addresses, banking and other financial information, and health records including diagnoses, prescriptions, and treatment details. The company [paid a $22 million ransom to ALPHV/BlackCat](https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/) at the beginning of March in an attempt to contain the situation. The payment seemingly [emboldened attackers to hit health care targets](https://www.wired.com/story/change-healthcare-22-million-payment-ransomware-spike/) at an even greater rate than usual.
With ongoing, rolling notifications to more than 100 million victims—with more still being discovered—lawsuits and other blowback have been mounting. This month, for example, the state of [Nebraska sued Change Healthcare](https://techcrunch.com/2024/12/18/nebraska-sues-change-healthcare-over-security-failings-that-led-to-medical-data-breach-of-over-100-million-americans/), alleging that “failures to implement basic security protections” made the attack much worse than it should have been.

[Russia's Midnight Blizzard Hit Microsoft](https://www.wired.com/story/microsoft-hpe-midnight-blizzard-email-breaches/)
-----------------------------------------------------------------------------------------------------------------------

Microsoft [said](https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/) in January that it had been breached by Russia's “Midnight Blizzard” hackers in an incident that compromised company executives' email accounts. The group is tied to the Kremlin's SVR foreign intelligence agency and is specifically linked to SVR's APT 29, also known as Cozy Bear. After an initial intrusion in November 2023, the attackers targeted and compromised historic Microsoft system test accounts that then allowed them to access what the company said were “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there, the group exfiltrated “some emails and attached documents.” Microsoft said that the attackers seemed to be looking for information about what the company knew about them—in other words, Midnight Blizzard doing reconnaissance on Microsoft's research into the group. Hewlett Packard Enterprise (HPE) also said in January that it had suffered a corporate email breach attributed to Midnight Blizzard.
[National Public Data](https://www.wired.com/story/national-public-data-breach-leak/)
-------------------------------------------------------------------------------------

The background check company National Public Data suffered a breach in December 2023, and data from the incident started showing up for sale on cybercriminal forums in April 2024. Different configurations of the data cropped up again and again over the summer, culminating in public confirmation of the breach by the company in August. The stolen data included names, Social Security numbers, phone numbers, addresses, and dates of birth. Since National Public Data didn't confirm the breach until August, speculation about the situation grew for months and included theories that the data included tens or even hundreds of millions of Social Security numbers. Though the breach was significant, the true number of impacted individuals seems to be, mercifully, much lower. The company [reported in a filing](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/25289ca5-a211-4abc-9e29-cbe8d9d5b0e6.html) to officials in Maine that the breach affected 1.3 million people. In October, National Public Data's parent company, Jerico Pictures, [filed for Chapter 11 bankruptcy](https://therecord.media/national-public-data-bankruptcy-cyberattack) reorganization in the Southern District of Florida, citing state and federal investigations into the breach as well as a number of lawsuits that the company is facing over the incident.

Honorable Mention: North Korean Cryptocurrency Theft
----------------------------------------------------

A lot of people [steal a lot of cryptocurrency](https://www.wired.com/story/meet-zachxbt-243-million-crypto-theft/) every year, including North Korean [cybercriminals](https://www.wired.com/story/north-korea-apt43-crypto-mining-laundering/) who have a [mandate to help fund](https://www.wired.com/story/north-korea-cryptocurrency-theft-ethereum/) the hermit kingdom.
A [report](https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/) from the cryptocurrency tracing firm Chainalysis released this month, though, underscores just how aggressive Pyongyang-backed hackers have become. The researchers found that in 2023, hackers affiliated with North Korea stole more than $660 million across 20 attacks. This year, they stole roughly $1.34 billion across 47 incidents. The 2024 figures represent 20 percent of total incidents Chainalysis tracked for the year and a whopping 61 percent of the total funds stolen by all actors. The sheer domination is impressive, but the researchers emphasize the seriousness of the crimes. “US and international officials have assessed that Pyongyang uses the crypto it steals to finance its weapons of mass destruction and ballistic missiles programs, endangering international security,” Chainalysis wrote.
2025-02-01
  • Feb 1, 2025 6:30 AM Plus: WhatsApp discloses nearly 100 targets of spyware, hackers used the AT&T breach to hunt for details on US politicians, and more.

Research has found that hacking groups are using AI chatbots like Google Gemini in attacks on the US.

The rapid rise of [DeepSeek](https://www.wired.com/tag/deepseek/), a Chinese generative AI platform, heightened concerns this week over the United States’ AI dominance as Americans increasingly adopt Chinese-owned digital services. With ongoing criticism over alleged security issues posed by TikTok’s relationship to China, DeepSeek’s own privacy policy confirms that it [stores user data on servers in the country](https://www.wired.com/story/deepseek-ai-china-privacy-data/). Meanwhile, security researchers at Wiz discovered that DeepSeek [left a critical database exposed online](https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts-and-internal-data/), leaking over 1 million records, including user prompts, system logs, and API authentication tokens. As the platform promotes its cheaper R1 reasoning model, security researchers tested 50 well-known jailbreaks against DeepSeek’s chatbot and found [lagging safety protections](https://www.wired.com/story/deepseeks-ai-jailbreak-prompt-injection-attacks/) as compared to Western competitors.

Brandon Russell, the 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization, [is on trial this week](https://www.wired.com/story/brandon-russell-baltimore-trial/) over an alleged plot to knock out Baltimore’s power grid and trigger a race war.
The trial provides a look into federal law enforcement’s investigation into a disturbing propaganda network aiming to inspire mass casualty events in the US and beyond.

An informal group of West African fraudsters calling themselves the Yahoo Boys are [using AI-generated news anchors to extort victims](https://www.wired.com/story/scammers-are-creating-fake-news-videos-to-blackmail-victims/), producing fabricated news reports falsely accusing them of crimes. A WIRED review of Telegram posts reveals that these scammers create highly convincing fake news broadcasts to pressure victims into paying ransoms by threatening public humiliation.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

[Hackers Are Using Google’s Gemini in Attacks on the US](https://www.wsj.com/tech/ai/chinese-and-iranian-hackers-are-using-u-s-ai-products-to-bolster-cyberattacks-ff3c5884?st=SaEfSM&reflink=desktopwebshare_permalink)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

According to a report by The Wall Street Journal, hacking groups with known ties to China, Iran, Russia, and North Korea are leveraging AI chatbots like Google Gemini to assist with tasks such as writing malicious code and researching potential attack targets. While Western officials and security experts have long warned about AI's potential for malicious use, the Journal, citing a Wednesday report from Google, noted that dozens of hacking groups across more than 20 countries are primarily using the platform as a research and productivity tool—focusing on efficiency rather than developing sophisticated and novel hacking techniques.
Iranian groups, for instance, used the chatbot to generate phishing content in English, Hebrew, and Farsi. China-linked groups used Gemini for tactical research into technical concepts like data exfiltration and privilege escalation. In North Korea, hackers used it to draft cover letters for remote technology jobs, reportedly in support of the regime’s effort to place spies in tech roles to fund its nuclear program. This is not the first time foreign hacking groups have been found using chatbots. Last year, OpenAI disclosed that five such groups had used ChatGPT in similar ways.

[WhatsApp Reveals Targets of Paragon Spyware](https://www.theguardian.com/technology/2025/jan/31/whatsapp-israel-spyware)
-------------------------------------------------------------------------------------------------------------------------

On Friday, WhatsApp disclosed that nearly 100 journalists and civil society members were targeted by spyware developed by the Israeli firm Paragon Solutions. The Meta-owned company alerted affected individuals, stating with “high confidence” that at least 90 users had been targeted and “possibly compromised,” according to a statement to The Guardian. WhatsApp did not reveal where the victims were located, including whether any were in the United States. The attack appears to have used a “zero-click” exploit, meaning victims were infected without needing to open a malicious link or attachment. Once a phone is compromised, the spyware—known as Graphite—grants the operator full access, including the ability to read end-to-end encrypted messages sent via apps like WhatsApp and Signal. While it remains unclear who orchestrated the attack, Paragon’s spyware is marketed to government clients, and is similar to that of NSO Group, the controversial Israeli firm behind the Pegasus spyware.
In October, [WIRED reported](https://www.wired.com/story/ice-paragon-solutions-contract/) that US Immigration and Customs Enforcement had signed a $2 million contract with the Israeli firm. After our reporting, ICE later [issued a stop-work order](https://www.wired.com/story/ice-paragon-contract-white-house-review/) to review whether the deal complied with a Biden administration executive order restricting the use of spyware to limited circumstances. That 2023 executive order remains in effect, despite the Trump administration rescinding dozens of Biden-era policies in Trump’s first two weeks in office.

[Hackers Used AT&T Breach Data to Hunt for Info on US Politicians](https://www.404media.co/hackers-mined-at-t-breach-for-data-on-trumps-family-kamala-harris/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------

Hackers behind last year’s massive AT&T data breach sifted through stolen records in search of information linked to high-profile figures, including members of the Trump family, Vice President Kamala Harris, and Jeanette Rubio, the wife of Senator Marco Rubio, according to 404 Media. In April 2024, [hackers breached AT&T’s instance of Snowflake](https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/), a widely used data warehousing tool, gaining access to 50 billion records of calls and text messages. According to 404 Media, the hackers then enriched the dataset using publicly available tools, appending names to phone numbers to make the records more identifiable, as part of a plan to launch a lookup tool that would allow anyone to search the stolen records—for a fee.
Two individuals have been identified as allegedly responsible for the breach: Connor Riley Moucka, a Canadian national who was [arrested in November](https://www.wired.com/story/connor-moucka-snowflake-hack-arrest-extradition/); and John Binns, an American hacker residing in Turkey who was previously arrested for a 2021 breach of T-Mobile. They are linked to a [loosely connected online network of criminals](https://www.wired.com/story/764-com-child-predator-network/) called the Com.

[Mystery Drones Over New Jersey Were ‘Authorized,’ White House Says](https://www.theguardian.com/us-news/2025/jan/28/karoline-leavitt-new-jersey-drones)
--------------------------------------------------------------------------------------------------------------------------------------------------------

At the first press briefing of Donald Trump’s second administration, White House press secretary Karoline Leavitt addressed the [surge of unexplained drones](https://www.wired.com/story/new-jersey-drone-mystery-maybe-not-drones/) spotted over New Jersey and other parts of the East Coast late last year. Leavitt said President Trump personally briefed her on the issue in the Oval Office, stating, “After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons.” Leavitt downplayed [concerns about a foreign threat](https://www.wired.com/story/us-military-mystery-drones-response/), adding, “In time, it got worse due to curiosity. This was not the enemy.” The wave of sightings began just before Thanksgiving, with witnesses reporting unidentified drones flying in formation night after night. Some were spotted hovering over military installations and water reservoirs. Within weeks, the FBI received more than 5,000 reports of drone activity—only about 100 cases warranted further investigation. Despite mounting public pressure, officials offered few definitive answers.
By mid-December, a coalition of federal agencies—including the Department of Homeland Security, the FBI, and the Department of Defense—issued a joint statement concluding that the reported aerial objects were a mix of lawful drones, airplanes, helicopters, and stars.
2025-02-11
  • Posted by msmash on Tuesday February 11, 2025 @03:15PM from the potential-game-changer dept. Google's Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and [then generating and storing a better replacement](https://arstechnica.com/gadgets/2025/02/google-chrome-may-soon-use-ai-to-detect-leaked-passwords-and-replace-them/). From a report: _Google's preliminary copy suggests it's an "AI innovation," though exactly how is unclear. Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, "Automated password Change" (so, early stages -- as to not yet get a copyedit), is described as, "When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in." Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. 
The password is automatically saved in Google's Password Manager and "is encrypted and never seen by anyone," the settings page claims._
2025-03-24
  • The US genetic testing company 23andMe has filed for bankruptcy protection in the US to help sell itself, as its chief executive quit to pursue a bid for the business after several unsuccessful attempts. 23andMe said late on Sunday that it had started voluntary Chapter 11 proceedings in the US Bankruptcy Court for the Eastern District of Missouri to “facilitate a sale process to maximise the value of its business”. The loss-making company, which provides saliva-based test kits to customers to help them track their ancestry, added that it was operating as usual throughout the sale process. “There are no changes to the way the company stores, manages, or protects customer data,” it said. The San Francisco-based company said its chief executive and co-founder Anne Wojcicki was stepping down. She has been pushing for a buyout since April last year but was rebuffed by 23andMe’s board. The company is still reeling from a huge data breach in 2023 that [affected the data of nearly 7 million people](https://www.theguardian.com/technology/2023/dec/05/23andme-hack-data-breach), about half of its customers. Revenues have fallen as many of its 15 million customers [scramble](https://www.npr.org/2024/10/03/g-s1-25795/23andme-data-genetic-dna-privacy) to delete their DNA data from the company’s archives. Over the weekend, the California attorney general, Rob Bonta, urged the company’s users to ask it to “delete your data and destroy any samples of genetic material held by the company”. “After a thorough evaluation of strategic alternatives, we have determined that a court-supervised sale process is the best path forward to maximise the value of the business,” said Mark Jensen, the company’s chair. 
“We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.” Fighting for survival, [23andMe has laid off 200 people](https://www.theguardian.com/technology/2024/nov/12/23andme-layoffs), amounting to 40% of its workforce, and stopped development of all its therapies in November. Wojcicki’s ambition has been to turn the company into a drug developer. Wojcicki will be replaced by its chief financial officer, Joe Selsavage, until a permanent replacement is found but she is staying on the 23andMe board. She co-founded the business in 2006 with Linda Avey and Paul Cusenza. In a [post on X](https://x.com/annewoj23/status/1904036140077969563), she said she was “disappointed” by the bankruptcy filing and that her bid to take the company private was rejected. She explained she had resigned “so I can be in the best position to pursue the company as an independent bidder”. She added: “If I am fortunate enough to secure the company’s assets through the restructuring process, I remain committed to our long-term vision of being a global leader in genetics.”
Wojcicki offered to pay $0.41 (£0.32) a share earlier this month, down by 84% from an offer in February. Her private equity partner walked away after the board’s rejection of that bid. Her latest offer valued 23andMe at $11m, below its current market value of just under $48m, and a long way from its $5.8bn peak in February 2021 after its stock market float on the Nasdaq exchange. Last autumn, 23andMe agreed to pay $30m and give three years of security monitoring to [settle a lawsuit](https://www.theguardian.com/technology/2024/feb/15/23andme-hack-data-genetic-data-selling-response) accusing it of failing to protect the privacy of 6.9 million customers whose personal information was exposed in the data breach. 23andMe said it had received a commitment for debtor-in-possession financing of up to $35m from the Los Angeles-based private equity firm JMB Capital Partners, to support the business in the months ahead.
2025-04-26
  • Slashdot reader [itwbennett](/~itwbennett) writes: _Personal health information on 4.7 million Blue Shield California subscribers was [unintentionally shared](https://news.blueshieldca.com/notice-of-data-breach) between Google Analytics and Google Ads between April 2021 and January 2025 due to a misconfiguration error. Security consultant and SANS Institute instructor Brandon Evans points to two lessons to take from this debacle:_

  * _Read the documentation of any third-party service you sign up for, to understand the security and privacy controls;_
  * _Know what data is being collected from your organization, and what you don't want shared._

"If there is a concern by the organization that Google Ads would use this information, they should really consider whether or not they should be using a platform like Google Analytics in the first place," Evans says in the article. "Because from a technical perspective, there is nothing stopping Google from sharing the information across its platform... Google definitely gives you a great bunch of controls, but technically speaking, that data is within the walls of that organization, and it's impossible to know from the outside how that data is being used."
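Evans' second lesson, knowing what your tags actually send, can be checked mechanically rather than by reading documentation alone. The JavaScript below is an added example, not code from Blue Shield, Google, SANS or the article: an allowlist filter applied to analytics events and to the reported page URL before anything reaches the tag, plus an offline audit of captured GA4 "collect" requests to find what is already leaving the browser. The hostnames, parameter names and sample hits are constructed for illustration; the GA4 query keys it parses (`en` for the event name, `ep.<name>` for event parameters, `up.<name>` for user properties, `dl` for the page URL) are the gtag.js wire format as observed in traffic and are assumed here.

```javascript
// Added example (not Blue Shield's, Google's or the article's code).
// Two controls for "know what you collect":
//   1. sanitizeEvent / scrubPageLocation: an allowlist applied in the browser
//      before an event is handed to the analytics tag.
//   2. auditCollectRequests: an offline audit of captured GA4 collect hits to
//      find what already leaks. Assumed gtag.js wire format: event name in
//      `en`, event params in `ep.<name>`, user properties in `up.<name>`,
//      page URL in `dl`.

// Event parameters the analytics owner has explicitly approved (illustrative
// names). Everything else is dropped before the event is sent.
const ALLOWED_EVENT_PARAMS = new Set(['page_title', 'page_path', 'language', 'plan_tier']);

// Query-string keys on the page URL that may be reported as page_location.
const ALLOWED_URL_PARAMS = new Set(['lang', 'page']);

// Parameter names that carry member data or free text. Free text is treated
// as sensitive because users type identifiers and conditions into it.
const SENSITIVE_KEYS = /^(member_?id|subscriber_?id|group_?id|ssn|dob|date_of_birth|first_?name|last_?name|email|phone|diagnosis|claim_?id|search_?term|query|q)$/i;

// Value shapes that should never appear in an analytics hit, whatever the key.
const SENSITIVE_VALUE_PATTERNS = [
  /\b\d{3}-\d{2}-\d{4}\b/,      // SSN-shaped
  /[\w.+-]+@[\w-]+\.[\w.-]+/,   // email address
  /\b\d{4}-\d{2}-\d{2}\b/,      // ISO date (date of birth, service date)
];

function looksSensitive(key, value) {
  return SENSITIVE_KEYS.test(key) ||
    SENSITIVE_VALUE_PATTERNS.some((re) => re.test(String(value)));
}

// Call this instead of gtag('event', name, params) directly. Returns the event
// to send plus the parameter names that were dropped, so drops can be logged.
function sanitizeEvent(name, params) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params)) {
    if (ALLOWED_EVENT_PARAMS.has(key) && !looksSensitive(key, value)) {
      kept[key] = value;
    } else {
      dropped.push(key);
    }
  }
  return { name, params: kept, dropped };
}

// GA records the full page URL by default, so identifiers in the query string
// leak even when no custom parameter is set. Keep only allowed keys.
function scrubPageLocation(href) {
  const url = new URL(href);
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_URL_PARAMS.has(key)) url.searchParams.delete(key);
  }
  return url.toString();
}

// Audit captured collect requests (e.g. exported from the browser's network
// panel) and report every parameter that looks like member data.
function auditCollectRequests(hits) {
  const findings = [];
  for (const hit of hits) {
    const query = new URL(hit).searchParams;
    const event = query.get('en') || '(unknown)';
    for (const [key, value] of query.entries()) {
      const match = /^(ep|up)\.(.+)$/.exec(key);
      if (match && looksSensitive(match[2], value)) {
        findings.push({ event, key, reason: 'sensitive event/user parameter' });
      }
    }
    const pageUrl = query.get('dl');
    if (pageUrl) {
      for (const [key, value] of new URL(pageUrl).searchParams.entries()) {
        if (looksSensitive(key, value)) {
          findings.push({ event, key: `dl?${key}`, reason: 'sensitive value in reported page URL' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample hits, not real traffic: a page view whose URL carries a
// member ID, and a search event that sends the search text and a birth date.
const SAMPLE_HITS = [
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=page_view' +
    '&dl=' + encodeURIComponent('https://member.example-health.test/claims?member_id=123456789&lang=en') +
    '&ep.page_title=Claims',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=find_a_doctor' +
    '&dl=' + encodeURIComponent('https://www.example-health.test/find-a-doctor') +
    '&ep.search_term=oncologist&up.dob=1980-04-12&ep.plan_tier=gold',
];

// Three findings on the sample: dl?member_id, ep.search_term, up.dob.
console.log(JSON.stringify(auditCollectRequests(SAMPLE_HITS), null, 2));
```

Run it with node to see the audit of the constructed hits. In a deployment, route every gtag('event', name, params) call through sanitizeEvent, set page_location from scrubPageLocation, and re-run the audit on fresh captures after any tag or site change, since a new form field or URL parameter is exactly how this kind of leak starts. Note the caveat Evans raises: this only limits what enters the Analytics property. The Analytics-to-Ads sharing itself is a property-level setting that no client-side filter touches, and a field that should never reach Google at all has to be kept out at the source.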
2025-05-17
  • By [Lily Hay Newman](https://www.wired.com/author/lily-hay-newman/) and [Dhruv Mehrotra](https://www.wired.com/author/dhruv-mehrotra/) May 17, 2025 6:30 AM Plus: 12 more people are indicted over a $263 million crypto heist, and a former FBI director is accused of threatening Donald Trump thanks to an Instagram post of seashells.

As analysts and governments around the world continue to [call attention to North Korean digital fraud](https://www.wired.com/story/north-korea-stole-your-tech-job-ai-interviews/), researchers this week [published 1,000 email addresses they claim are linked to North Korean IT worker scams](https://www.wired.com/story/north-korean-it-worker-scams-exposed/) perpetrated against Western companies, along with photos of people allegedly involved in the fraud. Xinbi Guarantee, a marketplace and platform used by Chinese-speaking crypto scammers for money laundering, [grew into an $8.4 billion hub before a crackdown by Telegram this week](https://www.wired.com/story/xinbi-guarantee-crypto-scam-hub/). And following a WIRED inquiry, messaging app [Telegram banned thousands of accounts used for money laundering in cryptocurrency scams](https://www.wired.com/story/the-internets-biggest-ever-black-market-shuts-down-after-a-telegram-purge/). The takedowns included prominent names like Haowang Guarantee, a black market known for enabling $27 billion in transactions. The acting director of the Consumer Financial Protection Bureau, Russell Vought, quietly [eliminated a plan to more tightly regulate the sale of Americans’ sensitive personal data](https://www.wired.com/story/cfpb-quietly-kills-rule-to-shield-americans-from-data-brokers/).
CFPB had [originally launched the initiative](https://www.wired.com/story/cfpb-fcra-data-broker-oversight/) in response to increasingly far-reaching and reckless behavior from data brokers. And with the rise of widely available generative AI services—and corresponding fraud—people are [increasingly looking for ways to verify and vet their digital interactions online](https://www.wired.com/story/paranoia-social-engineering-real-fake/). Meanwhile, ahead of Google’s Android 16 launch next week, the company announced [expanded capabilities for its Android Scam Detection tool](https://www.wired.com/story/google-io-on-device-ai-scam-texts/) that uses local AI analysis to flag potential scam texts in Google Messages. The company also [launched a new, extra-secure mode for Android 16, Advanced Protection](https://www.wired.com/story/google-advanced-protection-vulnerable-users-lockdown-android-16/), that will allow vulnerable or highly targeted users to lock their devices down and utilize advanced scanning features for catching potentially suspicious activity.

But there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

[Coinbase Discloses Costly Data Breach Impacting Less Than 1 Percent of Monthly Users](https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The cryptocurrency exchange Coinbase said this week that it suffered a data breach in which attackers stole data including customers’ names, physical and email addresses, phone numbers, government IDs like driver’s licenses and passports, last four digits of Social Security numbers, and other financial information. The company said that “criminals targeted our customer support agents overseas.
They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1 percent of Coinbase monthly transacting users.” The company said the attackers’ goal was to collect customer data to then contact those Coinbase users, impersonate Coinbase, and trick them into giving away their cryptocurrency. The attackers also contacted the company and attempted to extort it for $20 million. Coinbase currently has about [9.7 million total users](https://www.sec.gov/ix?doc=/Archives/edgar/data/0001679788/000167978825000089/coin-20250331.htm). The company said in a Securities and Exchange Commission [breach disclosure notification](https://www.sec.gov/Archives/edgar/data/1679788/000167978825000094/coin-20250514.htm?7194ef805fa2d04b0f7e8c9521f97343) that it expects that it will cost between $180 million and $400 million to remediate the breach and reimburse customers for stolen funds.

[12 More Indicted Over Crypto Heist Worth $263 Million](https://www.justice.gov/usao-dc/pr/additional-12-defendants-charged-rico-conspiracy-over-263-million-cryptocurrency-thefts)
-----------------------------------------------------

A four-count superseding indictment charged 12 additional people this week in an [alleged criminal spree including more than $263 million in cryptocurrency theft](https://www.wired.com/story/meet-zachxbt-243-million-crypto-theft/), money laundering, and even physical break-ins. Several suspects were arrested this week in California in connection with the case.
The indictment accuses the defendants of using stolen cryptocurrency for things like $500,000 nights out at clubs, hundreds of thousands of dollars spent on luxury handbags, watches, and clothes, private jet rentals, and “a fleet of at least 28 exotic cars ranging in value from $100,000 to $3.8 million.” The superseding indictment also alleges that some defendants used shell companies to register their “exotic cars” and “shipped bulk cash through US mail to members of the enterprise hidden in squishmallow stuffed animals.”

[James Comey Investigated for Instagram Post of Seashells](https://www.bbc.com/news/articles/c70nqk9rlxpo)
--------------------------------------------------------

On Thursday, former FBI director James Comey posted and then deleted an Instagram photo of seashells arranged to spell out the numbers “8647,” captioned: “Cool shell formation on my beach walk.” Within hours, Republicans fixated on the post, claiming it was a call to violence against Donald Trump, the United States’ 47th president. Now, the Department of Homeland Security and the Secret Service are investigating.

If you’ve ever worked in a restaurant, you’ve probably heard someone in the kitchen shout that an item is “86’d”—a colloquialism meaning the kitchen is out of a particular menu item, like a cheeseburger. While most people don’t interpret that as a threat of violence against the cheeseburger, that’s apparently not how the president and his allies understood Comey’s post. On Thursday, Department of Homeland Security secretary Kristi Noem [wrote on X](https://x.com/Sec_Noem/status/1923141313005785365) that both the DHS and Secret Service were investigating. “Disgraced former FBI Director James Comey just called for the assassination of @POTUS Trump,” she wrote.
Later that night on Fox News, Director of National Intelligence Tulsi Gabbard [accused](https://www.cnn.com/2025/05/16/politics/comey-interviewed-secret-service) Comey of “issuing a hit” on Trump and argued he should be “put behind bars.” “That meant assassination, and it says it loud and clear,” Trump told Fox News in an interview on Friday, referring to the post. Trump survived two assassination attempts last year.

Comey addressed the backlash in a follow-up post on Instagram, writing: “I didn't realize some folks associate those numbers with violence. It never occurred to me, but I oppose violence of any kind, so I took the post down.” Comey served as FBI director from 2013 until he was fired by President Trump in 2017 during an ongoing investigation into Russian interference in the 2016 election.
2025-05-22
  • By [Matt Burgess](https://www.wired.com/author/matt-burgess/) and [Lily Hay Newman](https://www.wired.com/author/lily-hay-newman/), May 22, 2025 6:00 AM

A trove of breached data, which has now been taken down, includes user logins for platforms including Apple, Google, and Meta. Among the exposed accounts are ones linked to dozens of governments.

![Image may contain Sphere Astronomy Outer Space Planet Globe Chandelier and Lamp](https://media.wired.com/photos/682e4263446d9bfdd827e549/1:1/w_2560%2Cc_limit/data-breach-sec-522166226.jpg)

Photo-Illustration: Wired Staff/Getty Images

The possibility that data could be inadvertently exposed in a [misconfigured](https://www.wired.com/story/amazon-s3-data-exposure/) or [otherwise unsecured](https://www.wired.com/story/confidant-health-therapy-records-database-exposure/) [database](https://www.wired.com/story/ntmc-bangladesh-database-leak/) is a longtime privacy nightmare that has been difficult to fully address. But the new discovery of a massive trove of 184 million records—including Apple, Facebook, and Google logins and credentials for accounts connected to multiple governments—underscores the risks of recklessly compiling sensitive information in a repository that could become a single point of failure.

In early May, longtime data-breach hunter and security researcher Jeremiah Fowler discovered an [exposed Elastic database](https://www.websiteplanet.com/news/infostealer-breach-report/) containing 184,162,718 records across more than 47 GB of data. Typically, Fowler says, he is able to gather clues about who controls an exposed database from its contents—details about the organization, data related to its customers or employees, or other indicators that suggest why the data is being collected. This database, however, didn’t include any clues about who owns the data or where it may have been gathered from.
The sheer range and massive scope of the login details, which include accounts connected to a large array of digital services, indicate that the data is some sort of compilation, possibly kept by researchers investigating a data breach or other cybercriminal activity or owned directly by attackers and stolen by [infostealer](https://www.wired.com/story/infostealer-malware-password-theft/) [malware](https://www.wired.com/story/lumma-stealer-takedown-disrupted/).

“This is probably one of the weirdest ones I’ve found in many years,” Fowler says. “As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.”

Each record included an ID tag for the type of account, a URL for each website or service, and then usernames and plaintext passwords. Fowler notes that the password field was called “Senha,” the Portuguese word for password. In a sample of 10,000 records analyzed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 each of Microsoft, Netflix, and PayPal accounts. That sample—just a tiny fraction of the total exposure—also included Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo logins, among many others. A keyword search of the sample by Fowler returned 187 instances of the word “bank” and 57 of “wallet.” Fowler, who did not download the data, says he contacted a sample of the exposed email addresses and heard back from some that they were genuine accounts.

Aside from individuals, the exposed data also presented potential national security risks, Fowler says. In the 10,000 sample records there were 220 email addresses with .gov domains. These were linked to at least 29 countries, including the United States, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the United Kingdom.
While Fowler could not identify who had put the database together or where the login details originally came from, he reported the data exposure to World Host Group, the hosting company it was linked to. Access to the database was quickly shut down, Fowler says, although World Host Group did not respond to the researcher until after it was contacted by WIRED.

Seb de Lemos, CEO of World Host Group, tells WIRED in a statement that the company operates systems for more than 2 million websites. The database Fowler found, though, is “an unmanaged server” hosted on World Host Group’s infrastructure and fully controlled by a customer. “It appears a fraudulent user signed up and uploaded illegal content to their server,” de Lemos wrote in the statement. “The system has since been shut down. Our legal team is reviewing any information we have that might be relevant for law enforcement.” De Lemos says that the company is in touch with Fowler and has made improvements to its reporting system. “Whilst we cannot share customer-specific details with WIRED, we will fully cooperate with the appropriate law enforcement authorities and, where appropriate, share all relevant customer data with them.”

Though the database has now been secured—and ultimately taken down entirely—it is not clear whether anyone other than Fowler accessed the trove while it was still live. As with any exposed database, the concern is that sensitive data could be stolen and abused. And in this case, there is a particularly urgent risk of logins being exploited in fraud, to steal additional information, or even to breach other organizations. Fowler says that while he does not know for certain, he suspects that the data was compiled by attackers using an [infostealer](https://www.wired.com/story/infostealer-malware-password-theft/). “It is highly possible that this was a cybercriminal,” he says.
“It’s the only thing that makes sense, because I can’t think of any other way you would get that many logins and passwords from so many services all around the world.”
2025-06-10
  • Every year, massive [data breaches harm the public](https://www.fastcompany.com/91342102/lexisnexis-data-breach-hack-ss-social-security-numbers-personal-info). The targets are email service providers, retailers and [government agencies](https://www.fastcompany.com/91317303/major-baks-data-sharing-office-of-the-comptroller-of-the-currency) that store information about people. Each breach includes sensitive personal information such as credit and debit card numbers, home addresses, and account usernames and passwords from hundreds of thousands—and sometimes millions—of people.

When [National Public Data](https://support.microsoft.com/en-us/topic/national-public-data-breach-what-you-need-to-know-843686f7-06e2-4e91-8a3f-ae30b7213535#:%7E:text=In%20early%202024%2C%20National%20Public,and%20Canada%20(Bloomberg%20Law).), a company that does online background checks, was breached in 2024, criminals gained the names, addresses, dates of birth, and national identification numbers such as Social Security numbers of 170 million people in the U.S., U.K., and Canada. The same year, hackers [who targeted Ticketmaster](https://www.rollingstone.com/music/music-news/ticketmaster-sued-class-action-massive-data-breach-1235133657/) stole the financial information and personal data of more than 560 million customers.

As a criminologist who [researches cybercrime](https://scholar.google.com/citations?user=j-DECAsAAAAJ&hl=en&oi=ao), I study the ways that hackers and cybercriminals [steal and use](https://www.doi.org/10.1057/978-1-137-58904-0) people’s personal information. Understanding the people involved helps us to better recognize the ways that hacking and data breaches are intertwined. In so-called stolen data markets, hackers sell personal information they illegally obtain to others, who then use the data to engage in fraud and theft for profit.
Every piece of personal data [captured in a data breach](https://www.hipaajournal.com/healthcare-data-breach-statistics/)—a passport number, Social Security number, or login for a shopping service—has inherent value. Offenders can use the information in [different ways](https://doi.org/10.1093/bjc/azu106). They can assume someone else’s identity, make a fraudulent purchase, or [steal services](https://doi.org/10.1007/978-3-319-78440-3_37) such as streaming media or music.

The quantity of information, whether Social Security numbers or credit card details, that can be stolen through data breaches is more than any one group of criminals can efficiently process, validate, or use in a reasonable amount of time. The same is true for the millions of email account usernames and passwords, or access to streaming services that data breaches can expose. This quantity problem has enabled the sale of information, including personal financial data, as part of the larger [cybercrime online economy](https://www.gasa.org/post/alarming-17-3m-trade-in-stolen-personal-data-on-the-dark-web).

The sale of data, [also known as carding](https://www.investopedia.com/terms/c/carding.asp), references the misuse of stolen credit card numbers or identity details. These illicit data markets began in the mid-1990s through the use of [credit card number generators](https://www.lambdatest.com/free-online-tools/credit-card-number-generator) used by hackers. They shared programs that randomly generated credit card numbers and details and then checked to see whether the fake account details matched active cards that could then be used for fraudulent transactions. As more financial services were created and banks allowed customers to access their accounts through the internet, it became easier for hackers and cybercriminals to steal personal information through data breaches and phishing.
Phishing involves sending convincing emails or SMS text messages to people to [trick them into giving up](https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#recognize) sensitive information such as logins and passwords, often by clicking a false link that seems legitimate. One of the [first phishing schemes](https://www.historyofinformation.com/detail.php?entryid=1682) targeted America Online users to get their account information to use their internet service at no charge. The large amount of information criminals were able to steal from such schemes led to more vendors offering stolen data to others through different online platforms.

In the late 1990s and early 2000s, offenders used [Internet Relay Chat](https://www.radware.com/security/ddos-knowledge-center/ddospedia/irc-internet-relay-chat/), or IRC channels, to sell data. IRC was effectively like modern instant messaging systems, letting people communicate in real time through specialized software. Criminals used these channels to [sell data and hacking services](https://www.tuscaloosanews.com/story/news/2003/07/14/irc-seen-as-tool-to-teach-credit-card-theft/27843349007/) in an efficient place.

In the early 2000s, vendors transitioned to web forums where individuals advertised their services to other users. Forums quickly gained popularity and became successful businesses with vendors selling stolen credit cards, malware, and related goods and services to misuse personal information and enable fraud. One of the more prominent forums from this time was [ShadowCrew](https://darknetdiaries.com/episode/128/), which formed in 2002 and operated until being taken down by a joint law enforcement operation in 2004. Their members trafficked [more than 1.7 million credit cards](https://www.justice.gov/archive/opa/pr/2004/October/04_crm_726.htm) in less than three years.
Forums continue to be popular, though vendors transitioned to running their own web-based shops on the open internet and dark web, which is an encrypted portion of the web that can be accessed only through specialized browsers like TOR, starting [in the early 2010s](https://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/). These shops have their own web addresses and [distinct branding](https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/) to attract customers, and they work in the same way as other e-commerce stores. More recently, vendors of stolen data have also begun to operate on messaging platforms such as [Telegram and Signal](https://cybersecuritynews.com/telegram-as-1-messenger-used-by-cybercriminals/) to quickly connect with customers.

Many of the people who supply and operate the markets appear to be cybercriminals from [Eastern Europe and Russia](https://doi.org/10.17863/CAM.112996) who steal data and then sell it to others. Markets have also been [observed in Vietnam](https://doi.org/10.1007/s12117-021-09422-1) and other parts of the world, though they do not get the same visibility in the global cybersecurity landscape. The customers of stolen data markets may [reside anywhere in the world](https://krebsonsecurity.com/?s=carding+forum), and their demands for specific data or services may [drive data breaches](https://krebsonsecurity.com/2019/11/sale-of-4-million-stolen-cards-tied-to-breaches-at-4-restaurant-chains/) and cybercrime to provide the supply.

Stolen data is usually available in [individual lots](https://www.scworld.com/perspective/the-dark-web-where-stolen-data-becomes-currency), such as a person’s credit or debit card and all the information associated with the account. These pieces are individually priced, with costs differing depending on the type of card, the victim’s location and the amount of data available related to the affected account.
Vendors frequently offer [discounts and promotions](https://cybersixgill.com/news/articles/millions-of-stolen-cards-carding-market-celebrates-anniversary-with-massive-giveaway) to buyers to attract customers and keep them loyal. This is often done with credit or debit cards that are about to expire. Some vendors also offer distinct products such as credit reports, Social Security numbers and login details for different paid services.

The price for pieces of information varies. A [recent analysis](https://blog.knowbe4.com/1170-is-how-much-youre-worth-on-the-dark-web#:%7E:text=%22According%20to%20the%20Dark%20Web%20Market%20Price,enough%20of%20your%20relevant%20information%20were%20there.&text=A%20separate%20Experian%20estimate%20from%202017%20has,can%20sell%20for%20as%20little%20as%20$1.) found credit card data sold for $50 on average, while Walmart logins sold for $9. However, the pricing can vary widely across vendors and markets.

Vendors typically accept payment through [cryptocurrencies](https://www.investopedia.com/terms/c/cryptocurrency.asp) such as [Bitcoin](https://doi.org/10.1257/jep.29.2.213) that are difficult for law enforcement to trace. Once payment is received, the vendor releases the data to the customer.

Customers [take on a great deal of the risk](https://www.scworld.com/native/the-scammers-who-scam-scammers-on-cybercrime-forums-part-1) in this market because they cannot go to the police or a market regulator to complain about a fraudulent sale. Vendors may send customers dead accounts that are unable to be used or give no data at all. Such scams are common in a market where buyers can depend only on [signals of vendor trust](https://doi.org/10.1093/cybsec/tyw007) to increase the odds that the data they purchase will be delivered, and if it is, that it pays off. If the data they buy is functional, they can use it to make fraudulent purchases or financial transactions for profit.
The rate of return [can be exceptional](https://doi.org/10.1080/01639625.2015.1026766). An offender who buys 100 cards for $500 can recoup costs if only 20 of those cards are active and can be used to make an average purchase of $30. The result is that [data breaches are likely to continue](https://threatpost.com/dark-web-markets-stolen-data/164626/) as long as there is demand for illicit, profitable data.

_This article is part of a series on data privacy that explores who collects your data, what and how they collect, who sells and buys your data, what they all do with it, and what you can do about it._

_[Thomas Holt](https://theconversation.com/profiles/thomas-holt-244241) is a professor of criminal justice at [Michigan State University](https://theconversation.com/institutions/michigan-state-university-1349)._

_This article is republished from_ [The Conversation](https://theconversation.com/) _under a Creative Commons license. Read the [original article](https://theconversation.com/how-illicit-markets-fueled-by-data-breaches-sell-your-personal-information-to-criminals-251586)._
2025-06-09
  • Major food wholesaler United Natural Foods (UNFI) [announced Monday](https://ir.unfi.com/news/press-release-details/2025/statement/default.aspx) that it experienced “unauthorized activity” on its IT systems, prompting the company to take some services offline while an investigation is underway.

As a leading food distributor, UNFI is the primary supplier to Whole Foods Market, an Amazon subsidiary. Last year the two companies [extended their partnership](https://ir.unfi.com/news/press-release-details/2024/United-Natural-Foods-Inc.-Extends-Distribution-Partnership-with-Whole-Foods-Market-to-2032/default.aspx) through 2032. A Whole Foods spokesperson says the company is “working to restock our shelves as quickly as possible and apologizes for any inconvenience this may have caused for customers.”

According to a Securities and Exchange Commission report, UNFI became aware of the cyberattack last Thursday and immediately implemented containment measures. “As soon as we discovered the activity, an investigation was initiated with the help of leading forensics experts, and we have notified law enforcement,” a company spokesperson tells _Fast Company._ “We are assessing the unauthorized activity and working to restore our systems to safely bring them back online. As we work through this issue, our customers, suppliers, and associates are our highest priority. We are working closely with them to minimize disruption as much as possible.”

The full scope and impact of the breach remain unclear. However, shares of UNFI, a $1.5 billion company, dropped by at least 8.6% at the time of publishing, and social media users have begun reporting disruptions. “Came in at 5 a.m. today and was told there will be no UNFI truck today due to issues on their end,” a Reddit [user shared](https://www.reddit.com/r/wholefoods/comments/1l5gu0e/unfi_issues_today/?share_id=7zHw6TBRERYirHo4O0dTG&utm_content=1&utm_medium=ios_app&utm_name=ioscss&utm_source=share&utm_term=1) on r/wholefoods.
A user claiming to be a UNFI employee added in the same thread: “We literally cannot do anything network-related. At a complete standstill. This is catastrophic to the business.”

The UNFI breach adds to a growing list of cybersecurity concerns, particularly in the retail sector. U.K. retailers have recently faced a wave of cyberattacks, and the chief analyst for Google’s Threat Intelligence Group [told NBC News](https://www.nbcnews.com/tech/security/cybercrime-spree-hobbled-british-retailers-now-aimed-us-google-says-rcna206862) that U.S. companies were already in the crosshairs. Beyond retail, recent cyber incidents have [also hit the social media platform X](https://abcnews.go.com/Business/multiple-outages-caused-massive-cyberattack-musk/story?id=119641433), the [Office of the Comptroller of the Currency](https://www.fastcompany.com/91317303/major-baks-data-sharing-office-of-the-comptroller-of-the-currency) (which led major banks to halt sensitive data sharing), and the [car rental company Hertz](https://www.fastcompany.com/91317152/hertz-says-hackers-stole-customer-data-in-vendor-breach).

Maria Jose Gutierrez Chavez is the editorial fellow at Inc. and Fast Company.
2025-06-20
  • Photo: SOPA Images (Getty)

Health insurance giant Aflac [revealed](https://newsroom.aflac.com/2025-06-20-Aflac-Incorporated-Discloses-Cybersecurity-Incident) that it had been the victim of a cybersecurity breach on Friday, but that it had been dealt with within hours. It’s the latest in a series of hacks targeting the insurance industry, following cyberattacks earlier this week on [Erie Insurance](https://www.goerie.com/story/news/local/2025/06/17/erie-insurance-online-systems-working-says-not-ransomware/84245918007/), which suffered a weeklong outage, and [Philadelphia Insurance Companies](https://www.theinsurer.com/cyber-risk/news/exclusive-philadelphia-insurance-companies-facing-major-ransomware-attack-2025-06-12/), also downed for days.

Aflac, which bills itself as the “No. 1 provider of supplemental health insurance products” in the U.S., has approximately 50 million customers. The company said that it was too early to tell how many users were affected in the breach.

Earlier this week, the Google Threat Assessment Group warned that “multiple intrusions in the U.S.” bear the marks of [Scattered Spider](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a), a ransomware group that targeted Marks & Spencer and other retailers, and is most famous for [hacking](https://qz.com/mgm-resorts-computers-back-up-after-10-days-as-analysts-1850858296) Las Vegas casinos in September 2023. Chief Google analyst John Hultquist told [The Register](https://www.theregister.com/2025/06/16/scattered_spider_targets_insurance_firms/), an enterprise technology news outlet, that the cybercrime group usually focuses on one sector at a time, and that “the insurance industry should be on high alert, especially for social engineering schemes, which target their help desks and call centers." Social engineering is the practice of manipulating people, for example by posing as a tech-support worker, into handing over security information.
Aflac said social engineering caused their hack, although the breach did not involve ransomware, and they did not name Scattered Spider in their statement, instead referring to “a sophisticated cybercrime group.”

The [largest](https://qz.com/the-massive-health-care-hack-is-now-being-investigated-1851333266) breach in U.S. healthcare history happened in February 2024, to Change Healthcare, which affected more than million users, [according](https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html) to the Department of Health and Human Services. Stolen data in any such incident includes not just medical records, but credit card numbers, Social Security Numbers, driver’s licenses, and more.

Aflac reassured its customers that the problem had been dealt with by cyber-incident response protocols, and that customer service would not be affected.
  • NEW YORK -- Researchers at cybersecurity outlet Cybernews say that billions of login credentials have been leaked and compiled into datasets online, giving cybercriminals “unprecedented access” to accounts consumers use each day.

According to a [report published](https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/) this week, Cybernews researchers have recently discovered 30 exposed datasets that each contain a vast amount of login information — amounting to a total of 16 billion compromised credentials. That includes user passwords for a range of popular platforms including Google, Facebook and Apple.

Sixteen billion is roughly double the [amount of people on Earth](https://apnews.com/article/science-africa-pollution-climate-and-environment-1c70df435acda74301ff2df96a86dd43) today, signaling that impacted consumers may have had credentials for more than one account leaked. Cybernews notes that there are most certainly duplicates in the data and so “it's impossible to tell how many people or accounts were actually exposed.”

It's also important to note that the leaked login information doesn't span from a single source, such as one breach targeting a company. Instead, it appears that the data was stolen through multiple events over time, and then compiled and briefly exposed publicly, which is when Cybernews reports that its researchers discovered it. Various infostealers are most likely the culprit, Cybernews noted. Infostealers are a form of malicious software that breaches a victim's device or systems to take sensitive information.

Many questions remain about these leaked credentials, including whose hands the login credentials are in now.
But, as data breaches become more and more common in today's world, experts continue to stress the importance of [maintaining key “cyber hygiene.”](https://apnews.com/article/tech-tip-data-breach-91461eb71bdfa5f29158740efe5fb692) If you're worried about your account data potentially being exposed in a recent breach, the [first thing you can do](https://apnews.com/article/tech-tip-data-breach-91461eb71bdfa5f29158740efe5fb692) is change your password — and avoid using the same or similar login credentials on multiple sites. If you find it too hard to memorize all your different passwords, consider a [password manager](https://apnews.com/article/how-to-use-password-managers-tech-tip-fbf9d9ed8ccfe97bae6fae5c34697440) or [passkey](https://apnews.com/article/google-apple-passkey-password-cybersecurity-e058dbdd304ff90c9b49499cd121bb88). And also add multifactor authentication, which can serve as a second layer of verification through your phone, email or USB authenticator key.
2025-06-21
  • Internet users have been told to change their passwords and upgrade their digital security after researchers claimed to have revealed the scale of sensitive information – 16bn login records – potentially available to cybercriminals.

Researchers at Cybernews, an [online tech publication](https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/), said they had found 30 datasets stuffed with credentials harvested from malicious software known as “infostealers” and leaks. The researchers said the datasets were exposed “only briefly” but amounted to 16bn login records, with an unspecified number of overlapping records – meaning it is difficult to say definitively how many accounts or people have been exposed.

Cybernews said the credentials could open access to services including Facebook, Apple and Google – although there had been no “centralised data breach” at those companies.

Bob Diachenko, the Ukrainian cybersecurity specialist behind the research, said the datasets had become temporarily available after being poorly stored on remote servers – before being removed again. Diachenko said he was able to download the files and would aim to contact individuals and companies that had been exposed. “It will take some time of course because it is an enormous amount of data,” he said.

However, other cybersecurity experts said the data was likely to have [already been in circulation](https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/) and contain multiple repetitions. One expert, speaking on condition of anonymity, said: “We’re sceptical of the data, particularly how much of it is just repetition of the same information. It’s difficult to verify it without having the data.”

Diachenko said the information he had seen in infostealer logs included login URLs to Apple, Facebook and Google login pages. Apple and Facebook’s parent, Meta, have been contacted for comment. A Google spokesperson said the data reported by Cybernews did not stem from a Google data breach – and recommended people use tools such as Google’s password manager to protect their accounts. Internet users are also able to check if their email has been compromised in a data breach by using the website haveibeenpwned.com.

Cybernews said the information seen in the datasets followed a “clear structure: URL, followed by login details and a password”. Diachenko said the data appeared to be “85% infostealers” and about 15% from historical data breaches such as a leak suffered by LinkedIn.

Experts said the research underlined the need to update passwords regularly and adopt tough security measures such as multifactor authentication – or combining a password with another form of verification such as a code texted from a phone. Other recommended measures include passkeys, a password-free method championed by Google and Facebook’s owner, Meta.

“While you’d be right to be startled at the huge volume of data exposed in this leak, it’s important to note that there is no new threat here: this data will likely already have been in circulation,” said Peter Mackenzie, the director of incident response and readiness at the cybersecurity firm Sophos. Mackenzie said the research underlined the scale of data that can be accessed by online criminals.
“What we are understanding is the depth of information available to cybercriminals.” He added: “It is an important reminder to everyone to take proactive steps to update passwords, use a password manager and employ multifactor authentication to avoid credential issues in the future.” Toby Lewis, the global head of threat analysis at the cybersecurity firm Darktrace, said the data flagged in the research is hard to verify but infostealers – the malware reportedly behind the data theft – are “very much real and in use by bad actors”. He said: “They don’t access a user’s account but instead scrape information from their browser cookies and metadata. If you’re following good practice of using password managers, turning on two-factor authentication and checking suspicious logins, this isn’t something you should be greatly worried about.” Cybernews said none of the datasets have been reported previously barring one revealed in May with 184m records. It described the datasets as a “blueprint for mass exploitation” including “account takeover, identity theft, and highly targeted phishing”. The researchers added: “The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data.” Alan Woodward, a professor of cybersecurity at Surrey University, said the news was a reminder to carry out “password spring cleaning”. He added: “The fact that everything seems to be breached eventually is why there is such a big push for zero trust security measures.”
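The report above gives the record structure the researchers described, “URL, followed by login details and a password”, and notes that overlapping records make the real number of exposed accounts hard to state. The following Python is an added example, not code from the Guardian report or from Cybernews: it parses constructed sample lines in that structure, discards the password field, and collapses repeats into distinct (site, account) identities so that a security team can see which accounts under its own e-mail domain actually appear. The sample records, the helper names and the "@domain" matching are this example's own assumptions.

```python
"""Collapse infostealer-style credential records into unique account identities.

Added example; not code from the Guardian report or from Cybernews. The
constructed sample below follows the record structure the researchers
described ("URL, followed by login details and a password"), and the helper
names are this example's own.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (no real credentials). The repeats, the
# differing login paths and the mixed-case e-mail are deliberate: they are
# the kinds of overlap that make a raw record count overstate exposure.
SAMPLE_RECORDS = """\
https://accounts.google.com/signin/v2/identifier:alice@example.com:Fake-Pass-1
https://accounts.google.com/ServiceLogin:alice@example.com:Fake-Pass-1
https://accounts.google.com/signin/v2/identifier:alice@example.com:Fake-Pass-1
https://www.facebook.com/login.php:Alice@Example.com:Fake-Pass-2
https://appleid.apple.com/:bob@example.org:Fake-Pass-3
https://www.facebook.com/login.php:bob@example.org:Fake-Pass-3
android://dGVzdA==@com.example.app/:carol:Fake-Pass-4
this line is garbage
"""


def parse_record(line):
    """Return (site_host, username) for one "url:login:password" line, or None.

    The URL field itself contains ':' (scheme, optional port), so the line is
    split from the right: the last two fields are login and password and the
    remainder is the URL. A password that itself contains ':' would be split
    wrongly; the format is ambiguous there and this example does not try to
    guess. The password is discarded on purpose: notifying or resetting an
    account needs the identity, never the secret.
    """
    line = line.strip()
    if not line:
        return None
    try:
        url, login, _password = line.rsplit(":", 2)
    except ValueError:  # fewer than three fields
        return None
    host = urlsplit(url).hostname  # None when the URL field is not a URL
    login = login.strip()
    if not host or not login:
        return None
    # Host names are case-insensitive; the login is lower-cased as well so
    # "Alice@Example.com" and "alice@example.com" count as one account.
    return host.lower(), login.lower()


def dedupe(lines):
    """Parse raw lines and return (raw_count, parsed_count, identities).

    identities is a set of (site_host, username) pairs: the number a defender
    actually cares about, as opposed to the headline record count.
    """
    raw = parsed = 0
    identities = set()
    for line in lines:
        if not line.strip():
            continue
        raw += 1
        record = parse_record(line)
        if record is None:
            continue
        parsed += 1
        identities.add(record)
    return raw, parsed, identities


def per_site(identities):
    """Map each site host to the sorted list of distinct usernames seen for it."""
    sites = defaultdict(list)
    for host, user in sorted(identities):
        sites[host].append(user)
    return dict(sites)


def users_for_email_domain(identities, email_domain):
    """Usernames that are e-mail addresses under email_domain, whatever site
    the record was for: the list an organisation would push through a forced
    password reset and an MFA enrolment check."""
    suffix = "@" + email_domain.lower()
    return {user for _host, user in identities if user.endswith(suffix)}


def main():
    raw, parsed, identities = dedupe(SAMPLE_RECORDS.splitlines())
    print(f"raw records: {raw}, parseable: {parsed}, unique accounts: {len(identities)}")
    for host, users in per_site(identities).items():
        print(f"  {host}: {', '.join(users)}")
    print("example.com users to reset:",
          sorted(users_for_email_domain(identities, "example.com")))


if __name__ == "__main__":
    main()
```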
2025-07-03
  • An anonymous reader quotes a report from TechCrunch: _A security vulnerability in a stealthy Android spyware operation called Catwatchful has [exposed thousands of its customers, including its administrator](https://techcrunch.com/2025/07/02/data-breach-reveals-catwatchful-stalkerware-spying-on-thousands-android-phones/). The bug, which was [discovered](https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/) by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. \[...\] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices. Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service [Have I Been Pwned](https://haveibeenpwned.com/). _The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords. 
The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful. While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a [general how-to guide for removing Android spyware](https://techcrunch.com/2022/02/22/remove-android-spyware/) that could be helpful.
2025-07-05
  • All it can take is a phone call. That’s what [Qantas learned this week](https://www.theguardian.com/business/2025/jul/02/qantas-confirms-cyber-attack-exposes-records-of-up-to-6-million-customers) when the personal information of up to 6 million customers was stolen by cybercriminals after attackers targeted an offshore IT call centre, enabling them to access a third-party system. It is the latest in a series of cyber-attacks on large companies in Australia involving the personal information of millions of Australians, after the [attack on Optus](https://www.theguardian.com/business/2022/sep/29/optus-data-breach-everything-we-know-so-far-about-what-happened), [Medibank](https://www.theguardian.com/australia-news/article/2024/jun/17/medibank-hack-data-breach-federal-court-case) and, most recently, [Australia’s $4t superannuation sector](https://www.theguardian.com/australia-news/2025/apr/04/australian-super-funds-compromised-cybersecurity-data-breach-hack). The [Qantas attack](https://www.theguardian.com/australia-news/2025/jul/03/qantas-cyber-attack-data-breach-what-was-taken-what-should-i-do) came just days after US authorities warned the airline sector had been targeted by a group known as [Scattered Spider](https://www.theguardian.com/technology/2025/may/01/how-native-english-scattered-spider-group-linked-to-ms-attack-operate), using social engineering techniques, including impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication.

New technology brings old methods
---------------------------------

While companies may spend millions keeping their systems secure and software up-to-date to plug known vulnerabilities, hackers can turn to this form of attack to target, often, the weakest link – humans. Social engineering is not new. It predates the internet, involving tricking someone into providing compromising information.
The most common way people would see social engineering in practice is through phishing attacks – emails that are designed to look official to lure unsuspecting people into providing their login and passwords. The phone-call version of social engineering, known as [vishing](https://www.theguardian.com/business/2025/jul/04/australias-privacy-watchdog-warns-vishing-on-the-rise-as-qantas-strengthens-security-after-cyber-attack), can be more complicated for the attacker, requiring research into a company and its employees, and tactics to sound convincing over the phone to get the unwitting worker to let them in. The arrival of easy-to-use artificial intelligence products, including voice cloning, will only make this easier for attackers. The Office of the Australian Information Commissioner’s [most recent data breaches report](https://www.theguardian.com/business/2025/jul/04/australias-privacy-watchdog-warns-vishing-on-the-rise-as-qantas-strengthens-security-after-cyber-attack), covering the second half of 2024, noted a significant rise in reports of breaches caused by social engineering attacks, with government agencies reporting the most, followed by finance and health. The [Qantas](https://www.theguardian.com/business/qantas) breach – that compromised information including names, email addresses, phone numbers, dates of birth and frequent flyer numbers – in isolation might not lead to financial loss, but the growing number of data breaches in Australia means hackers are able to collate data collected across the breaches and potentially launch attacks on unsuspecting new targets.
Data breaches causing more data breaches
----------------------------------------

In April, the nation’s superannuation funds became aware of the dangers of hackers collecting compromised login details from other breaches to [gain access to super accounts](https://www.theguardian.com/australia-news/2025/apr/04/australian-super-funds-compromised-cybersecurity-data-breach-hack), in what is termed credential stuffing. The industry was fortunate only a handful of customers suffered losses, together approximately $500,000 – likely a combination of the funds locking down systems, and the high proportion of fund holders who have yet to reach the age where they can access their super. The Albanese government, however, has been warned that the attack was a canary in the coalmine for the financial sector. In [advice to the incoming government in May](https://www.apra.gov.au/sites/default/files/2025-06/Incoming%20Government%20Brief%20%E2%80%93%20May%202025..pdf) – released this week under freedom of information laws – the Australian Prudential Regulation Authority (Apra) warned super assets were at risk. “Cyber-attacks at large superannuation funds, that look likely to increase in scope and frequency, highlight that capability in the management of cyber and operational risks must improve,” Apra said. “While the number of member accounts that had funds fraudulently withdrawn was small, the incident highlighted the need for this sector to uplift its cybersecurity and operational resilience maturity.
“This need will only grow as the sector increases in size, more members enter retirement and the sector takes on greater systemic significance with inter-linkages to the banking sector.” Apra had warned the sector in 2023 of the importance of multi-factor authentication – something some of the funds had failed to implement before the April attack. The regulator said there were also sustained cyber-attacks on banking and insurance businesses, and third-party providers that were “continuing to test resilience and defences as attackers develop new technologies and approaches”.

Who is most at risk?
--------------------

Healthcare, finance, technology and critical infrastructure, such as telecommunications, were most at risk from cyber threats, according to Craig Searle, global leader of cyber advisory at global cybersecurity firm Trustwave. “The technology sector is uniquely exposed due to its central role in digital infrastructure and interconnected supply chains,” he said. “An attack on a single tech provider can cascade to hundreds or thousands of downstream clients, as seen in recent high-profile supply chain breaches.
“Overall, the sectors most at risk are those with high-value data, complex supply chains, and critical service delivery.” Searle said attackers like Scattered Spider deliberately targeted third-party systems and outsourced IT support, as seen in the Qantas breach, representing a risk for large companies. “The interconnected nature of digital supply chains means a vulnerability or misconfiguration in a partner or contractor can trigger a domino effect, exposing sensitive data and operations far beyond the initial breach,” he said. Christiaan Beek, senior director for threat analytics at cybersecurity firm Rapid7, said third-party systems had become an integral part of many organisations’ business operations and, as a result, were increasingly targeted by threat actors. “It’s essential for organisations to apply the right levels of due diligence in assessing the security posture of such third-party systems to reduce the risk of their information being compromised.” Searle said organisations needed to shift from reactive to proactive cybersecurity, apply software patches promptly and enforce strong access control such as multi-factor authentication. Beek agreed organisations needed to be proactive, with executives held accountable for cybersecurity in their organisations, as well as board oversight. “The novel tactics observed by modern-day cybercrime groups escape the typical confines of security management programmes,” he said. “The no-limits approach of these criminals pushes us to rethink the typical boundary of defence, in particular surrounding social engineering and the ways in which we can be taken advantage of.”
2025-07-25
  • An anonymous reader quotes a report from 404 Media: _Users from 4chan claim to have [discovered an exposed database hosted on Google's mobile app development platform](https://www.404media.co/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan/), Firebase, belonging to the newly popular women's dating safety app Tea. Users say they are rifling through people's personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media. In a statement to 404 Media, Tea confirmed the breach also impacted some direct messages but said that the data is from two years ago. Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie._ _"Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket," a post on 4chan providing details of the vulnerability reads. "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" The thread says the issue was an exposed database that allowed anyone to access the material. \[...\] "The images in the bucket are raw and uncensored," the user wrote. Multiple users have created scripts to automate the process of collecting people's personal information from the exposed database, according to other posts in the thread and copies of the scripts. In its [terms of use](https://www.teaforwomen.com/terms?ref=404media.co), Tea says "When you first create a Tea account, we ask that you register by creating a username and including your location, birth date, photo and ID photo."_ _ After publication of this article, Tea confirmed the breach in an email to 404 Media.
The company said on Friday it "identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact." The company says the breach impacted data from more than two years ago, and included 72,000 images (13,000 selfies and photo IDs, and 59,000 images from app posts and direct messages). "This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention," the email continued. "We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, there is no evidence to suggest that current or additional user data was affected. Protecting our users' privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform and prevent further exposure." _
2025-08-02
  • The women-only app Tea now "faces two class action lawsuits filed in California" in response to a recent breach, [reports NPR](https://www.npr.org/2025/08/02/nx-s1-5483886/tea-app-breach-hacked-whisper-networks) — even as the company is now boasting it has more than 6.2 million users. A spokesperson for Tea [told the CBC](https://www.cbc.ca/news/canada/women-dating-app-tea-hacked-1.7598356) it's "working to identify any users whose personal information was involved" in a [breach of 72,000 images](https://yro.slashdot.org/story/25/07/25/1934249/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan?sdsrc=rel) (including 13,000 verification photos and images of government IDs) and a later [breach of 1.1 million private messages](https://yro.slashdot.org/story/25/07/28/210244/a-second-tea-breach-reveals-users-dms-about-abortions-and-cheating). Tea said they will be offering those users "free identity protection services." _The company said it removed the ID requirement in 2023, but data that was stored before February 2024, when Tea migrated to a more secure system, was accessed in the breach... \[Several sites have pointed out Tea's current privacy policy is telling users selfies are "deleted immediately."\]_ _Tea was [reportedly](https://www.instagram.com/p/DMtK2ijSNjC/) intended to launch in Canada on Friday, according to information previously posted on the App Store, but as of this week the launch date is now in February 2026. Tea didn't respond to CBC's questions about the apparent delay. Yet even amid the current turmoil, Tea's waitlist has ballooned to 1.5 million women, all eager to join, the [company posted on Wednesday](https://www.instagram.com/theteapartygirls/p/DMwTCEPx3xF/?img_index=1). A day later, Tea posted in its Instagram stories that it had approved "well over" 800,000 women into the app that day alone._ _ So, why is it so popular, despite the drama and risks?
_ Tea tapped into a perceived weakness of other dating apps, according to an associate health studies professor at Ontario's Western University interviewed by the CBC, who thinks users should avoid Tea, at least until its security is restored. [Tech blogger John Gruber](https://daringfireball.net/linked/2025/07/28/tea-breach-worsens) called the incident "yet another data point for the argument that any 'private messaging' feature that doesn't use E2EE isn't actually private at all." (And later [Gruber notes](https://daringfireball.net/2025/07/tea_number_3_app_store) Tea's apparent absence at the top of the charts in Google's Play Store. "I strongly suspect that, although Google hasn't removed Tea from the Play Store, they've delisted it from discovery other than by searching for it by name or following a direct link to its listing.") Besides anonymous discussions about specific men, Tea also allows its users to perform background and criminal record checks, [according to NPR](https://www.npr.org/2025/08/02/nx-s1-5483886/tea-app-breach-hacked-whisper-networks), as well as reverse image searches. But the recent breach, besides threatening the safety of its users, also "laid bare the anonymous, one-sided accusations against the men in their dating pools." The [CBC points out](https://www.cbc.ca/news/canada/women-dating-app-tea-hacked-1.7598356) there's a men's rights group on Reddit now urging civil lawsuits against Tea as part of a plan to get the app shut down. And "Cleveland lawyer Aaron Minc, who specializes in cases involving online defamation and harassment, [told The Associated Press](https://apnews.com/article/tea-app-data-breach-leak-4chan-c95d5bb2cabe9d1b8ec0ca8903503b29) that his firm has received hundreds of calls from people upset about what's been posted about them on Tea." Yet in response to Tea's latest Instagram post, "The comments were almost entirely from people asking Tea to approve them, so they could join the app."
2025-08-09
  • [Dell Cameron](https://www.wired.com/author/dell-cameron/) [Andrew Couts](https://www.wired.com/author/andrew-couts/) Aug 9, 2025 6:30 AM Plus: Instagram sparks a privacy backlash over its new map feature, hackers steal data from Google's customer support system, and the true scope of the Columbia University hack comes into focus. This is the week of [Black Hat](https://www.wired.com/tag/black-hat/) and [Defcon](https://www.wired.com/tag/defcon/), which means a flood of news coming out of the Las Vegas security conferences. As you might expect, artificial intelligence was one popular topic—specifically, using AI chatbots to cause mischief. One team of researchers, from Tel Aviv University, created a clever attack that allowed them to [take over a target’s smart home devices using a “poisoned” Google Calendar invite](https://www.wired.com/story/google-gemini-calendar-invite-hijack-smart-home/). It’s the first known attack method that used AI to impact physical devices. Another researcher used a poisoned document that included a malicious prompt to [trick ChatGPT into leaking a user’s private information](https://www.wired.com/story/poisoned-document-could-leak-secret-data-chatgpt/) when it’s connected to a Google Drive. In non-AI news, an end-to-end encryption algorithm recommended for radio communications used by police and military around the world [can be easily cracked, according to new research](https://www.wired.com/story/encryption-made-for-police-and-military-radios-may-be-easily-cracked-researchers-find/). The researchers warn that weak implementations of the encryption algorithm could allow eavesdroppers to listen in—or even transmit their own messages.
Speaking of weaknesses, a security researcher found that misconfigured APIs in some streaming platforms used for company meetings and sports livestreams [can allow someone to watch the streams without logging in](https://www.wired.com/story/corporate-livestreams-exposed-search-tool/). And a teen hacker discovered that an internet-connected smoke and vape detector in his high school’s bathroom contained microphones—[and can be exploited for secret spying](https://www.wired.com/story/school-bathroom-vape-detector-audio-bug/). A [leaked trove of data has exposed how teams of suspected North Korean IT scam workers operate](https://www.wired.com/story/leaked-data-reveals-the-workaday-lives-of-north-korean-it-scammers/), from their meticulous record keeping to the after-work activities—and their near-constant surveillance by people running the schemes. Finally, in the last of our Black Hat- and Defcon-related news (so far), a pair of security researchers [discovered a backdoor in an electronic lock used in at least eight brands of safes](https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits/), and created a way to open the locks in seconds. They also found another vulnerability that allows them to figure out a safe’s unlock code. We also took [a deep dive into the US military’s slot machine program](https://www.wired.com/story/us-military-on-base-slot-machines-gambling-addiction/), [spoke with experts who say it’s inevitable that AI will become part of nuclear weapons systems](https://www.wired.com/story/nuclear-experts-say-mixing-ai-and-nuclear-weapons-is-inevitable/), and [revealed a string of break-ins of National Guard armories in Tennessee](https://www.wired.com/story/mysterious-crime-spree-targeted-national-guard-equipment-stashes/) that experts say is part of a disturbing trend. And that’s not all. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. 
And stay safe out there.

[Hack of US Court System Exposed Sealed Records, FBI Says](https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916)
----------------------------------------------------------------------------------------------------------------------------------------------------

A previously unreported cyberattack breached the federal judiciary’s electronic case filing system, potentially exposing the identities of confidential informants and compromising sealed court records across multiple US states, [Politico reports](https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916). The breach was discovered around July 4 and affects the CM/ECF—or “case management/electronic case files”—system used by courts to manage sensitive documents. Sources told Politico the hack may have impacted criminal dockets, arrest warrants, and sealed indictments, raising concerns that cooperating witnesses could be at risk. The actor behind the intrusion has not been exposed. The Administrative Office of the US Courts and FBI declined to provide Politico with a comment. In response to recent cyberattacks, the [federal judiciary said](https://www.uscourts.gov/data-news/judiciary-news/2025/08/07/cybersecurity-measures-strengthened-light-attacks-judiciarys-case-management-system) it's been in the process of implementing new safeguards to address the judiciary’s ongoing exposure to “constant and sophisticated” cyber threats. The incident highlights longstanding warnings that the judiciary’s systems are outdated and vulnerable. A top federal judge told Congress in June that CM/ECF and PACER face “unrelenting security threats” and need urgent replacement.
[Instagram’s New Map Feature Triggers Privacy Backlash](https://www.cnbc.com/2025/08/07/instagrams-map-feature-spurs-user-backlash-over-privacy-concerns.html)
--------------------------------------------------------------------------------------------------------------------------------------------------------------

Instagram’s latest feature—a searchable map showing user-posted content tagged to specific locations—has sparked a wave of privacy concerns, [CNBC reports](https://www.cnbc.com/2025/08/07/instagrams-map-feature-spurs-user-backlash-over-privacy-concerns.html). Rolled out this week, the feature lets users explore photos and videos by browsing a visual map interface. But users quickly raised alarms about the potential for stalking, harassment, and data misuse, especially for influencers and others posting real-time content from identifiable locations. “Instagram randomly updating their app to include a maps feature without actually alerting people is so incredibly dangerous to anyone who has a restraining order and actively making sure their abuser can’t stalk their location online,” one [viral post](https://www.threads.com/@authormichelekhalil/post/DNDJpb0R5_R?hl=en) warned. Instagram said the feature only shows content from public accounts and reiterated that users can turn off location tagging. Still, the backlash echoes broader concerns about how tech platforms rapidly aggregate and expose personal data in ways that outpace users’ expectations and consent.
[Hackers Breached Google’s Salesforce Database, Stole Customer Data](https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hackers stole data from Google’s customer support system in a breach linked to a compromised Salesforce account, [TechCrunch reports](https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/). The intrusion, disclosed Wednesday, affected an undisclosed number of Google customers and involved unauthorized access to data such as contact details and “related notes for small and medium-sized businesses.” The attackers reportedly targeted the data through Salesforce cloud systems. Google’s Threat Intelligence Group pinned the attack [on ShinyHunters](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion?rev=7194ef805fa2d04b0f7e8c9521f97343), a hacking group known for targeting large companies’ cloud-based databases, including Salesforce systems. The breach affecting Google follows similar attacks on Cisco, Qantas, and Pandora, where attackers used voice phishing to trick employees into granting access. Google says the group may be preparing a leak site to extort victims and is linked to other cybercriminal collectives like The Com, which has a history of hacking and extortion.
[Columbia University Hack Exposed Data of 870,000 People](https://www.bloomberg.com/news/articles/2025-08-08/columbia-hack-affected-870-000-people-included-some-health-data)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A cyberattack on Columbia University compromised the personal information of nearly 870,000 individuals, including students, applicants, and possibly staff, [Bloomberg reports](https://www.bloomberg.com/news/articles/2025-08-08/columbia-hack-affected-870-000-people-included-some-health-data). The stolen data includes contact information, academic records, financial aid details, and some health and insurance information, according to draft letters, intended for victims, obtained by the news outlet. The breach, which dates back to mid-May, was only publicly acknowledged after Columbia filed reports with state attorneys general in California and Maine. A university official previously claimed the perpetrator was politically motivated. The school claims it has implemented new safeguards and continues to notify affected individuals. The incident preceded a campus-wide IT outage in June. The school [reportedly](https://www.bloomberg.com/news/articles/2025-06-24/columbia-investigating-possible-cyberattack-after-website-outage) suspected a potential cyberattack at the time.
2025-08-14
  • Aug 14, 2025 6:20 AM The breach of the US Courts records system came to light more than a month after the attack was discovered. Details about what was exposed—and who’s responsible—remain unclear. The second Trump administration has its first federal cybersecurity debacle to deal with. A breach of the United States federal judiciary’s electronic case filing system, discovered around July 4, has pushed some courts onto backup paper-filing plans after the [hack](https://www.wired.com/category/security/cyberattacks-hacks/) compromised sealed court records and possibly exposed the identities of confidential informants and cooperating witnesses across multiple US states. More than a month after the discovery of the breach—and in spite of recent reports from [The New York Times](https://www.nytimes.com/2025/08/12/us/politics/russia-hack-federal-court-system.html) and [Politico](https://www.politico.com/news/2025/08/12/federal-courts-hack-security-flaw-00506392) that Russia was involved in perpetrating the hack—it is still unclear exactly what happened and which data and systems were affected. Politico [first reported](https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916) the breach of the “case management/electronic case files,” or CM/ECF, system, which may have impacted criminal dockets, arrest warrants, and sealed indictments. The CM/ECF system also suffered a breach in 2020 during the first Trump administration, and Politico [reported](https://www.politico.com/news/2025/08/12/federal-courts-hack-security-flaw-00506392) on Tuesday that, in the recent attack, hackers exploited software vulnerabilities that remained unaddressed after being discovered five years ago in response to that first incident.
Security researchers say that gaps in public information about the situation are concerning, particularly when it comes to lack of clarity on what data was affected. “We're more than a month into detecting this intrusion and still don't have a full accounting of what's impacted,” says Jake Williams, a former NSA hacker and current vice president of research and development at Hunter Strategy. “If we don't have sufficient logging to reconstruct attack activity, that would be extremely disappointing, because this system has been repeatedly targeted over the years.”

In response to a request for comment, the United States Courts referred WIRED to [its August 7 statement](https://www.uscourts.gov/data-news/judiciary-news/2025/08/07/cybersecurity-measures-strengthened-light-attacks-judiciarys-case-management-system), which says the federal judiciary “is taking additional steps to strengthen protections for sensitive case documents” and “further enhancing security of the system.” The courts also mention that the “vast majority of documents filed with the Judiciary’s electronic case management system are not confidential and indeed are readily available to the public,” while conceding that “some filings contain confidential or proprietary information that are sealed from public view.” The Department of Justice did not immediately respond to requests for comment about the scope of the breach or who perpetrated it.

Reports this week that Russia was involved in the attack or may be the sole perpetrator have been difficult to interpret, given other indications that espionage actors backed by multiple countries—and possibly organized crime syndicates—may have been involved in or piggybacking on the breach for their own exfiltration. John Hultquist, chief analyst in Google's Threat Intelligence Group, says it is not uncommon to see multiple actors poking at a sensitive, and potentially vulnerable, system.
“Investigations are regularly targeted by cyberespionage actors from several countries,” he says.

News of the breach comes as the Trump administration has continued to slash the federal workforce, including combing intelligence and cybersecurity agencies to [remove officials](https://www.wired.com/story/national-science-foundation-february-2025-firings/) or pressure them to resign. “I think federal investigators probably know who was behind the attack, but given the climate, I would suspect that no one wants to say with certainty,” Hunter Strategy's Williams says.

Multiple administrations have struggled to get a handle on insidious espionage operations, particularly campaigns perpetrated by Chinese and Russian actors. But researchers emphasize that vulnerabilities enabling the attack on CM/ECF should have been addressed after the 2021 breach. “Enforcing policies to require that sealed or highly sensitive documents be handled via air-gapped systems or secure isolated networks rather than through CM/ECF or PACER would have dramatically limited exposure. And this was actually recommended post-2021,” says Tim Peck, senior threat researcher at the cybersecurity firm Securonix. “Instituting consistent, centralized logging—among other things—across all disparate CM/ECF instances could have enabled earlier detection and rapid mitigation before data exfiltration escalated as far as it did.”

In other words, highly targeted systems like those of the US Courts are likely going to suffer breaches. But the best way to reduce the likelihood and severity of these attacks is to make sure you fix the flaws after they're exploited the first time around.
2025-08-24
  • After the Tea dating-advice app leaked information on its users, [the BBC found two online maps](https://www.bbc.com/news/articles/ce87rer52k3o) "purporting to represent the locations of women who had signed up for Tea... showing 33,000 pins spread across the United States." The maps were hosted on Google Maps. (Notified by the BBC, Google deleted the maps, saying they violated their harassment policies.) "Since the breach, more than 10 women have filed class actions against the company which owns Tea," the article points out, noting that leaked content is also spreading around social media:

_Since the breach, the BBC has found websites, apps and even a "game" featuring the leaked data... The "game" puts the selfies submitted by women head-to-head, instructing users to click on the one they prefer, with leaderboards of the "top 50" and "bottom 50"... \[And one researcher calculates more than 12,000 posts on 4Chan referenced the Tea app over the three weeks after the leak.\]_

_It is unsurprising that the leak was exploited. The app had drawn criticism ever since it had grown in popularity. Defamation, with the spread of unproven allegations, and doxxing, when someone's identifying information is published without their consent, were real possibilities. Men's groups had wanted to take the app down — and when they found the data breach, they saw it as a chance for retribution._

They weren't the only ones with a gripe against Tea. Back in 2023 the fiancée of Tea's founder and CEO approached the administrator of a collection of Facebook groups called "Are We Dating the Same Guy?" to see if she'd be the "face" of the Tea app, [reports 404 Media](https://www.404media.co/how-teas-founder-convinced-millions-of-women-to-spill-their-secrets-then-exposed-them-to-the-world/).
But they add that after Tea failed to recruit her, Tea "shifted tactics" to raid her Facebook groups instead:

_Tea paid influencers to undermine Are We Dating the Same Guy and created competing Facebook groups with nearly identical names. 404 Media also identified a number of seemingly hijacked Facebook accounts that spammed the real Are We Dating The Same Guy groups with links to Tea app._

Reviews for the Tea app show several women later thought the app was affiliated with their trusted Facebook groups, the reporter said this week [on a 404 Media podcast](https://www.youtube.com/watch?v=vRFaNoU-cGI). And they add that founder Sean Cook took over the "Tara" persona that his fiancée had used for technical support. "So he's on the app pretending to be a woman, talking to other women who are on the app in order to weed out men who are being deceptive..."

_Thanks to Slashdot reader [samleecole](https://www.slashdot.org/~samleecole) for sharing the article._
2025-08-26
  • Posted by [BeauHD](https://www.linkedin.com/in/beauhd/) on Monday August 25, 2025 @08:20PM from the another-day-another-breach dept.

Farmers Insurance [disclosed a breach affecting 1.1 million customers](https://www.bleepingcomputer.com/news/security/farmers-insurance-data-breach-impacts-11m-people-after-salesforce-attack/) after attackers exploited Salesforce in a widespread campaign involving ShinyHunters and allied groups. According to BleepingComputer, the hackers stole personal data such as names, birth dates, driver's license numbers, and partial Social Security numbers. From the report:

_The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025. "On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the [data breach notification](https://www.farmers.com/content/dam/farmers/marketing/digital/aem/pdfs/disclosures/notice-of-incident.pdf) (PDF) on its website. "The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities." The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach.
Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification \[1, 2\] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted. While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year._

**Further reading:** [Google Suffers Data Breach in Ongoing Salesforce Data Theft Attacks](https://tech.slashdot.org/story/25/08/06/1556252/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks)
2025-09-15
  • Hackers have stolen data from customers of the luxury fashion group Kering, whose brands include Gucci, Balenciaga and [Alexander McQueen](https://www.theguardian.com/fashion/alexander-mcqueen). The data of potentially millions of the group's customers, including names, phone numbers and email addresses, was taken, it has emerged. Paris-based Kering said the breach happened in June and that no financial information – such as bank account numbers, credit card information, or government-issued identification numbers – was taken. The attackers have been identified as a ransom-seeking group, Shiny Hunters.

Kering said on Monday: “In June 2025, we identified that an unauthorised third party gained temporary access to our systems and accessed limited customer data from some of our \[fashion\] houses. Our houses immediately disclosed the breach to the relevant authorities and notified customers according to local regulations.” “The breach was promptly identified, and appropriate actions have been taken to secure the affected systems and prevent such incidents in the future,” the company added, without naming which brands had been affected.

According to one website tracking hacks, [DataBreaches.net](http://databreaches.net/), Shiny Hunters last month posted samples of the data breach on Telegram channels showing names, email addresses and dates of birth of some Gucci customers. The BBC, which first reported Kering’s confirmation of the breach, said samples of the details showed how much some of the customers were spending in stores – in some cases up to $86,000 (£63,000). Shiny Hunters told the BBC it breached the brands in April.
In July, another luxury brand, Louis Vuitton, [said it had been targeted by hackers](https://www.theguardian.com/technology/2025/jul/11/louis-vuitton-uk-customer-data-stolen-cyber-attack) who had taken customer data. The attacks follow [serious breaches](https://www.theguardian.com/technology/cybercrime) of British companies including M&S, the Co-op and Harrods. Production remains halted at Jaguar Land Rover car factories for the third week after [a cyber-attack forced it to shut down its computer systems](https://www.theguardian.com/business/jaguar-land-rover).