
Big Brands Breached, Governments Hacked, and Zero-Days Doing Laps

09 February 2026
BREACHAWARE HQ
Nigeria

A total of 29 breach events were found and analysed, resulting in 127,604,212 exposed accounts containing a total of 34 different types of personal data. The breaches found publicly and freely available included Under Armour, SoundCloud, Stealer Log - Divine Stallion Part 1, Salesfloor and Panera Bread.

Categories of Personal Data Discovered

Sociodemographic, Contact, Commerce, Digital Behaviour, Technology, Geolocation, Unstructured, Career, Audio and Visual, Finance.

Data Breach Impact

Big names like Under Armour, SoundCloud, and Panera Bread made an appearance, proving once again that no brand is too beefy to be breached. For third-party companies, it’s another red flag: even if your systems are squeaky clean, your employees' credentials could be drifting around the dark web, waiting to be misused. And for the individuals caught in the middle? It's the usual grim prize: account compromise, identity theft, and a flood of spam or scams. The cybercriminal buffet is open, and business is brisk.

Cyber Update

This week kicks off in Nigeria, where the Ministry of Trade, Industry, and Investment found itself on the wrong end of a cybercrime gang’s to-do list. The attackers are demanding a tidy $15,000 ransom, payable in Monero, because nothing says “trust us” like a privacy-first cryptocurrency. Fail to pay, and they’re threatening to dump 64GB of stolen data, reportedly including 265,000 Commerce ID cards.

The compromised site isn’t some dusty corner of government IT either. It’s a central portal supporting Nigeria’s business ecosystem: market traders, artisans, hawkers, and small enterprises that rely on it for registration and commercial legitimacy. Disrupting that isn’t just a breach; it’s a direct hit on the country’s economic plumbing. The gang behind it has also been busy elsewhere, racking up breaches across multiple regions like it’s collecting passport stamps.

Zooming out, an infamous cybercrime crew, now leaning hard into ransomware, has had a very productive week. Confirmed victims include SoundCloud, Panera Bread, and Bumble, because apparently no sector is sacred anymore. But they weren’t done there. Fresh posts on their data-leak site claim breaches at two major US universities. One allegedly involves over one million records containing personal identity data, while the other boasts 1.2 million records, including sensitive donor information. Academia may love transparency, but not like this.

Wrapping up Cyber Watch with a bit of geopolitical spice, the hacking group Cyber 4vengers, believed to be backed by the Iranian government, released a statement claiming they’ve infiltrated an American industrial factory. Their message was blunt: any further provocation will be met with sabotage, promising damage “twice the losses” inflicted on Iran’s Nobitex cryptocurrency exchange earlier this year.

For context, Nobitex was previously breached by a pro-Israeli hacking group, with around $90 million stolen and deliberately sent to so-called dead addresses, permanently destroying the funds. The result was financial chaos and political embarrassment inside Iran, and now, apparently, a vow of digital revenge.

Finally, because no cyber week is complete without a facepalm, the FBI managed to fumble the release of documents related to the Epstein files. In an astonishing oversight, a photo was published containing Jeffrey Epstein’s email address and password, handwritten and partially visible in the corner of the image. Predictably, multiple individuals accessed the account shortly afterwards and shared screenshots online. For an organisation built on evidence handling and operational security, this was… not their finest hour.

Software Vulnerabilities

Atlassian Confluence (CVE-2023-22527): A critical unauthenticated template injection bug enabling remote code execution on Confluence Data Center/Server. Attackers quickly weaponised this OGNL injection flaw with public exploits, even dropping cryptominers on unpatched servers. One compromised Confluence server can turn collaboration into crypto-mining calamity.

Ivanti VPN Zero‑Days (CVE-2024-21887/21888): A suite of vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) VPN, including an authentication bypass and command injection chain. Actively exploited as zero‑days by multiple threat actors to drop webshells and steal credentials. Patches were delayed and attackers found workarounds to initial mitigations. Unpatched Ivanti gateways are basically welcome mats for intruders: bring your own webshell.

Roundcube Webmail (CVE-2023-43770): A medium-severity (CVSS 6.1) persistent XSS vulnerability in Roundcube’s handling of email link references. Requires no more than viewing a malicious email to be exploited, allowing attackers to steal session data and emails. CISA added it to the Known Exploited list after reports of active abuse by threat actors. One poisoned email is all it takes for Roundcube to go round the bend and leak your inbox.

“KeyTrap” DNSSEC DoS (CVE-2023-50387): A 20-year-old design flaw in DNSSEC can let a single malicious DNS response packet exhaust a DNS server’s CPU. Nicknamed KeyTrap, this vulnerability (CVSS 7.5) makes it trivial to knock DNS resolvers offline until patched, potentially disrupting large swaths of the internet’s name resolution. One bad packet to rule them all… and in the darkness bind your DNS server.

Zoom for Windows (CVE-2024-24691): A critical (CVSS 9.6) input validation flaw in Zoom’s Windows client that allows an unauthenticated user with network access to escalate privileges. It affects Zoom’s desktop, VDI, Rooms clients and SDK prior to fixed versions. No in-the-wild exploits reported, but users were urged to patch ASAP. Zoom failed the security meeting; patch now or “You’ve been Zoomed” might take on a whole new meaning.

Data & Privacy Headlines

Amazon Fined by CNIL (France): France’s privacy regulator CNIL slapped Amazon’s French logistics arm with a €32 million fine for an “excessively intrusive” warehouse employee surveillance system. Amazon was tracking workers’ idle time and speed-scanning rates, far beyond what’s necessary, a violation of employee privacy rights. French regulators taught Amazon that Big Brothering your staff can cost big bucks.

Yahoo’s Cookies Crumble in France: CNIL also fined Yahoo €10 million over its cookie consent practices. The watchdog found Yahoo had been ignoring users’ refusal to accept cookies and made it overly hard to opt out, especially in Yahoo Mail. This enforcement highlights Europe’s impatience with manipulative cookie banners. Yahoo got a not-so-sweet reminder that “reject all” means all, mes amis.

Italy vs. ChatGPT’s Data Practices: Italy’s Garante privacy authority concluded its probe into OpenAI’s ChatGPT and found violations in data collection and child safety. The chatbot was accused of lacking a legal basis for using personal data and failing to keep kids under 13 off the platform. The Italians gave OpenAI 30 days to fix it, including implementing age checks and running a public awareness campaign, or face a € possible fine. ChatGPT might be an AI whiz, but Italy just taught it a lesson in “privacy 101” human edition.

UK Telemarketers Fined for Cold Calls: Britain’s ICO fined two home improvement companies, Poxell (£150k) and Skean Homes (£100k), for blasting millions of unsolicited marketing calls to people on the “Do Not Call” list. These firms harassed households (including vulnerable individuals) with aggressive sales calls and tried to evade detection by using multiple phone lines. The UK’s message to spam callers: drop the phone, or we’ll drop the hammer (and a hefty fine).

Smarter Protection Starts with Awareness

Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan
