Hackers, Law Enforcement DMs & Phishing at Infrastructure Scale.
04 May 2026
BREACHAWARE HQ
A total of 23 breach events were found and analysed, resulting in 29,575,403 exposed accounts containing a total of 40 different types of personal data. The breaches found publicly and freely available included Pitney Bowes, Cruise Corporation, ADT, Cal AI and Marcus & Millichap, Inc.
Categories of Personal Data Discovered
Sociodemographic, Contact, National Identifiers, Technology, Finance, Commerce, Career, Unstructured, Geolocation, Audio and Visual, Health and Environment, Academic, Digital Behaviour.
Data Breach Impact
With names spanning logistics, security services, and real estate, it’s a mixed bag with wide-reaching impact. For third-party organisations, it’s another reminder that you don’t need to be the one breached to feel the heat: employee data caught up in these leaks can quickly become a gateway for attackers. And for individuals, it’s the familiar story: more exposed data means more opportunities for phishing, fraud, and identity misuse. Not quite chaos at full volume, but still loud enough to cause trouble.
Cyber Update
In what might be the boldest outreach strategy of the week, Europol reportedly slid into ShinyHunters’ messages with a rather direct question: “Are you the founder of the forum BF.(redacted)?” No small talk. Straight to business. ShinyHunters, seemingly unfazed, replied: “Yes — what do you need?” And here’s where it gets interesting.
Europol allegedly asked for identifying information on specific user accounts, citing ongoing investigations into data breaches and coordination with Interpol. They even floated the idea of compensation in exchange for useful intel.
Now, asking a cybercrime group to hand over their own users is… optimistic. These aren’t exactly your neighbourhood community moderators. Unsurprisingly, the response was a firm: “No matter how much you offer, that’s not something we will ever do.” So, what was this really?
- A genuine attempt to gather intelligence?
- A probing tactic to see if anyone might cooperate?
- Or just a long shot worth taking?
Either way, it’s not every day you see law enforcement trying their luck in the DMs like that.
Over in Germany, things got a bit more serious. Officials within the Bundestag, along with military personnel, politicians, and journalists, have been targeted in a highly sophisticated phishing campaign delivered via Signal. Important detail: Signal itself wasn’t compromised. This wasn’t a technical failure, it was a human one. Victims received messages that appeared to come from:
- Signal support,
- Or more worryingly, trusted contacts.
Which suggests careful reconnaissance and targeted impersonation. Reports indicate that hundreds of accounts may have been compromised, making this less of a scattergun campaign and more of a precision strike. Attribution? Officials have hinted at possible Russian involvement, but stopped short of confirming anything, likely due to the usual lack of hard proof. The response has been swift:
- Bundestag members are being urged to move to Wire,
- A Berlin-based, enterprise-focused encrypted platform,
- Approved for VS-NfD (Restricted) communications,
- GDPR compliant and capable of self-hosting within EU infrastructure.
The logic being: harder to impersonate support, tighter controls, fewer weak points. Because at this level, the weakest link isn’t encryption, it’s trust.
And finally, over in Toronto, things got… creative. Police have arrested three individuals linked to the use of an “SMS blaster”, essentially a rogue mobile base station mounted in a car. Think less James Bond, more “boot of a hatchback with a battery and some questionable life choices.”
Here’s how it works:
- A software-defined radio setup mimics a legitimate cell tower.
- Nearby phones automatically connect to it.
- The device blasts out phishing SMS messages.
- Messages impersonate banks, delivery services, etc.
- Victims are redirected to convincing malicious websites.
It’s the same underlying principle as a Stingray (used by law enforcement), just flipped for criminal use. The scale? Reportedly up to 13 million devices disrupted, including potential impact on emergency services. That’s not just nuisance level, that’s infrastructure interference.
The investigation was launched after a cybersecurity partner detected a rogue cell tower operating in downtown Toronto. From there, it didn’t take long for police to track it down. Charges include:
- Mischief.
- Mischief endangering life.
- Personation with intent to gain advantage.
- Use of a computer system to commit an offence.
Safe to say, this wasn’t your average phishing campaign.
Software Vulnerabilities
Critical auth bypass in enterprise VPN appliances.
A newly disclosed vulnerability in widely used enterprise VPN gateways allowed attackers to bypass authentication entirely under specific configurations. Translation: no password, no MFA… just vibes and access. This isn’t theoretical, these boxes sit on the edge of corporate networks. Exploitation = instant foothold.
Trend watch: Edge devices continue to be the soft underbelly of enterprise security.
Cloud misconfig + token abuse combo attacks.
Researchers highlighted a surge in attacks chaining:
- Exposed cloud storage buckets.
- With over-privileged API tokens.
Attackers aren’t hacking in, they’re logging in with what you left lying around. This is the evolution of “misconfiguration risk” into full-blown attack playbooks.
Open-source package poisoning gets sneakier.
A fresh campaign targeted developer ecosystems by uploading malicious packages mimicking legitimate libraries, but with cleaner code, better naming, and fewer obvious red flags. Less “dodgy script”, more “respectable imposter”. Impact = Compromised builds → downstream supply chain exposure → everyone has a bad day.
Zero-day exploitation in the wild (desktop OS).
A previously unknown OS-level vulnerability was observed being exploited in targeted attacks before a patch was available. Details were limited (as they usually are when it’s spicy), but exploitation involved:
- Privilege escalation,
- Stealthy persistence.
Zero-days aren’t just nation-state toys anymore, they’re creeping into broader criminal use.
MFA fatigue attacks evolving (again).
Attackers refined push bombing techniques by:
- Timing requests more strategically.
- Pairing them with social engineering calls.
“Hi, this is IT — just approve that login.” MFA isn’t broken. But humans… remain patchy.
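One way a defender could flag the push-bombing pattern described above, shown as an added example rather than code from the original article. The log format, the one-hour window and the threshold of three are assumptions, and the sample events are constructed; events are expected in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp user result" format.
SAMPLE_LOG = """\
2026-05-01T02:10:00 alice denied
2026-05-01T02:25:00 alice timeout
2026-05-01T02:41:00 alice denied
2026-05-01T02:55:00 alice approved
2026-05-01T09:00:00 bob approved
2026-05-01T09:30:00 carol denied
2026-05-01T13:30:00 carol approved
2026-05-01T14:00:00 dave denied
2026-05-01T14:01:00 dave denied
2026-05-01T14:02:00 dave timeout
"""

WINDOW = timedelta(hours=1)  # assumed look-back, wide enough to catch spaced-out prompts
THRESHOLD = 3                # assumed count of rejected prompts that is abnormal


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: severity}. 'bombing' means many rejected prompts in the
    window; 'approved_after_bombing' means an approval landed inside such a run."""
    rejected = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        recent = rejected[user]
        # Drop rejections that have aged out of the look-back window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) >= threshold:
                alerts.setdefault(user, "bombing")
        elif result == "approved":
            if len(recent) >= threshold:
                # The user gave in after repeated prompts: likely compromise.
                alerts[user] = "approved_after_bombing"
            recent.clear()
    return alerts
```

An `approved_after_bombing` result is the case to escalate first, since it pairs naturally with the "just approve that login" phone call.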
Data & Privacy Headlines
Major healthcare data exposure (millions affected).
A healthcare provider disclosed a breach impacting millions of patient records, including:
- Medical histories,
- Insurance details,
- Personal identifiers.
Why this hits differently: You can change a password. You can’t change your medical history.
Location data quietly harvested via mobile apps.
Investigations revealed multiple apps collecting granular location data and sharing it with third parties, often buried in “legitimate interest” clauses. Your phone knows where you’ve been. Turns out… so do quite a few companies you’ve never heard of.
E-commerce profiling datasets resurface.
Large datasets containing:
- Purchase histories,
- Behavioural profiles,
- Contact details.
…reappeared on underground forums. Not a new breach, a new life cycle. Old data + new tooling (AI, automation) = renewed exploitation potential.
Insider-driven data exposure (corporate).
A fresh case emerged of an employee exporting customer data sets for personal use, not espionage, just poor judgement with serious consequences. Reality check: Not every breach is sophisticated. Some are just… human.
AI training data concerns escalate.
Scrutiny increased around how organisations are sourcing training data for AI models, with concerns that:
- Personal data is being ingested without consent,
- Individuals have no visibility or recourse.
This isn’t a breach in the traditional sense, it’s privacy erosion at scale, by design.
Smarter Protection Starts with Awareness
Third-party exposure is now a first-order risk. You can’t patch what you can’t see.