
Malware Makers Arrested, Fake CAPTCHAs Get Thirsty, and Teen Ransomware Falls Apart Instantly.

03 November 2025
BREACHAWARE HQ
Raid

A total of 21 breach events were found and analysed, resulting in 12,901,859 exposed accounts containing 28 different types of personal data. The breaches found publicly and freely available included ULP 0035, MyVidster, TurkNet, César Vallejo University and Wbia. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact, Sociodemographic, Digital Behaviour, Geolocation, Audio and Visual, Career, Finance, Commerce, Technology, Academic.

Data Breach Impact

This breach group reflects a cross-section of risks spanning telecom, education, media-sharing platforms, and data processing environments, showing how personal information is being exposed across everyday digital touchpoints. The inclusion of MyVidster points to the ongoing vulnerability of social and sharing platforms, where leaked email and login details can be used to compromise additional linked accounts. Meanwhile, TurkNet and other telecom-related exposures are especially concerning, as phone numbers, account identifiers, and service details can support SIM swap fraud and highly targeted phishing. The exposure involving César Vallejo University adds an academic dimension, where student and faculty data can be used in identity fraud, employment impersonation, or harassment, while Wbia suggests that organisations focused on data storage or analytics may be contributing to secondary exposure via weak internal governance. With 28 different data types involved, attackers gain just enough personal context to create convincingly tailored attacks without needing deep profiling.

For the affected organisations, the implications are less about a single failure and more about the systemic sprawl of data across platforms and vendors. Educational institutions and telecom providers, in particular, face heightened expectations around data handling, especially where minors, young adults, or identity-critical customer information is involved. The recurring appearance of ULP files across breach sets highlights the continued issue of poorly secured or forgotten data exports being indexed or passed around publicly. For these organisations, restoring trust will require more than notifications and password resets; it means mapping where sensitive data lives, minimising what is stored, and ensuring that internal data sharing, staging environments, and vendor integrations are governed with the same rigour as core infrastructure. These breaches reinforce that modern risk management is not just about firewalls; it’s about knowing your data, where it flows, and why it exists in the first place.

Cyber Spotlight

Ransomware operators over in Moscow had a very unwelcome knock at the door recently. Local police, hand-in-hand with Russia’s Department for Combating Cybercrime (UBK), arrested three people accused of running the Meduza info-stealer operation.

Meduza is your classic Malware-as-a-Service operation, kind of like Netflix, but instead of watching TV you get to steal passwords, browser cookies, crypto wallets, and anything that looks vaguely valuable. Customers simply pay a subscription fee to join the villain club. Very modern. Very scalable. Very “disruptive tech founder energy.”

However, and this is important, there’s an unspoken rule among Russian cybercriminals: You do not hack Russians. It’s their version of the Pirate Code.

Many strains of malware literally check for a Russian keyboard and self-destruct out of patriotism (or maybe fear). But Meduza’s operators apparently missed this day of hacker preschool, because they hit an institution in Astrakhan, southern Russia.

Cue sirens. Cue boots through doors. Cue three individuals now looking at up to 5 years in prison or hard labour. Moral of the story: Crime doesn’t pay. Or rather, it does, until you accidentally rob your next-door neighbour.

There’s a malicious website going around pretending to be a polished tech news site. Nice layout. Legit fonts. Probably even a dark mode. But the moment you visit, a “captcha” pops up, asking you to prove you're human.

So far, normal. Except this captcha then instructs Mac users to open their Terminal and paste in a command. I mean… Even Siri would tell you no.

This is the cybersecurity equivalent of a stranger in a van yelling, “Hey, could you just hand me your house keys and your mother’s maiden name real quick?” If your CAPTCHA requires command-line execution, congratulations, you’re not protecting your site from bots, you are the botnet.
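The lure described above has a recognisable shape: the page silently places text on the clipboard and then tells the visitor to open a terminal (or a Run dialog) and paste. The following is an added example, not code from the article, of a simple defensive heuristic that flags a page only when both halves of that pattern are present; the two HTML snippets are constructed samples, and the clipboard payload in the lure is a placeholder string rather than any real command.

```python
import re

# Constructed sample pages (not taken from the article).
# An ordinary CAPTCHA: no clipboard writes, no "go run something" instructions.
BENIGN_PAGE = """<div class="captcha"><p>Select all images with traffic lights.</p>
<button onclick="verify()">Verify</button></div>"""

# A "prove you are human" lure of the kind described above: it copies text to the
# clipboard and walks the visitor through opening Terminal and pasting it.
LURE_PAGE = """<div class="captcha"><p>Verify you are human</p>
<ol><li>Press Command + Space and type Terminal</li>
<li>Press Command + V, then Enter</li></ol>
<script>
document.getElementById('v').onclick = function () {
  navigator.clipboard.writeText('<constructed placeholder, no real command>');
};
</script></div>"""

# Indicator group 1: the page writes to the clipboard (case-sensitive JS API names).
CLIPBOARD_PATTERNS = [
    r"navigator\.clipboard\.writeText",
    r"execCommand\(\s*['\"]copy['\"]\s*\)",
]

# Indicator group 2: the visible text tells the visitor to leave the browser and
# run something (matched against lower-cased page text).
RUN_INSTRUCTION_PATTERNS = [
    r"\bterminal\b",
    r"\bcommand\s*\+\s*space\b",
    r"\bwin\s*\+\s*r\b",
    r"\brun\s+dialog\b",
    r"\bpowershell\b",
    r"\bpaste\b",
]


def indicators(html: str) -> dict:
    """Return, per indicator group, the patterns that fire on the page."""
    lowered = html.lower()
    return {
        "clipboard_write": [p for p in CLIPBOARD_PATTERNS if re.search(p, html)],
        "run_instruction": [p for p in RUN_INSTRUCTION_PATTERNS if re.search(p, lowered)],
    }


def is_clickfix_lure(html: str) -> bool:
    """Flag only when BOTH groups fire: a clipboard write alone (a 'copy link'
    button) or the word 'terminal' alone (a docs page) is not enough."""
    found = indicators(html)
    return bool(found["clipboard_write"]) and bool(found["run_instruction"])


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("lure", LURE_PAGE)):
        print(name, is_clickfix_lure(page), indicators(page))
```

Requiring both groups keeps the false-positive rate down on ordinary pages; in practice this would run over fetched HTML in a proxy or sandbox, and any hit is a reason to block the page and check whether the user actually pasted anything, not proof on its own.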

In the UK, two 17-year-old boys were arrested after forming a new ransomware group called Radiant. Their first big target? A children’s nursery. Yes. A nursery. Of all the possible targets… they chose snack time and nap time HQ. They demanded £600,000 in Bitcoin. The nursery told them to go kick rocks.

So the teens escalated in the worst possible way: They leaked some of the stolen data, including photos of the children, and even called parents, encouraging them to pressure the nursery to pay.

This did not go well.

The public backlash hit harder than a toddler with a juice box sugar rush. Realising they’d just committed the world’s least sympathetic cybercrime, they issued an apology, took the data down, and probably considered changing their names and moving to the woods.

But the police were already watching. And that’s how Radiant’s career went from “promising young cybercriminal startup” to “well, that was a short pilot episode.”

Vulnerability Chat

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent global warning about a critical Linux kernel vulnerability that’s now being actively exploited. The flaw is a memory corruption bug that allows attackers who already have a foothold on a system to escalate their privileges to root, effectively giving them full control. Threat actors are using this to deploy ransomware in advanced attack campaigns, so organisations running Linux servers are being urged to patch immediately.

Separately, security researchers have uncovered two major vulnerabilities in King Addons for Elementor, a popular commercial WordPress plugin that adds extra widgets and templates for website builders. The weaknesses allow attackers to take complete control of affected websites, putting both site owners and visitor data at risk. Website administrators using the plugin should apply the latest update as soon as possible.

Security agencies are also sounding the alarm over continued exploitation of a critical vulnerability in Cisco IOS XE devices, where attackers are deploying a malicious implant known as BADCANDY. The implant is being used to maintain persistent, covert access to compromised networking equipment. The concern is significant, since IOS XE is widely used in enterprise and government networks, particularly where the web UI is enabled.

Meanwhile, researchers at the Counter Threat Unit (CTU) have observed a sophisticated campaign by the Chinese state-sponsored group BRONZE BUTLER (also known as Tick). The group leveraged a zero-day in Motex LANSCOPE Endpoint Manager to steal confidential data. This isn’t the first time the group has gone after Japanese enterprise management software; they previously used a zero-day in SKYSEA Client View in 2016. The activity follows a long-running trend of targeting corporate IT management systems to quietly harvest sensitive information.

Four Common Vulnerabilities and Exposures (CVE) entries were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- Dassault Systèmes, DELMIA Apriso
- Broadcom, VMware Aria Operations and VMware Tools
- XWiki, Platform

See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
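The catalog is also published as a JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), which is the practical way to answer "what was added last week, and is any of it on our estate?" rather than reading the web page. The code below is an added example, not the newsletter's or CISA's own tooling; it works on a constructed sample that copies the feed's real field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) but whose CVE identifiers and dates are placeholders, not real catalog entries.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed. The vendor/product names
# mirror the entries listed above; the CVE IDs and dates are placeholders.
SAMPLE_FEED = json.dumps({
    "title": "CISA Known Exploited Vulnerabilities Catalog",
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Dassault Systèmes", "product": "DELMIA Apriso",
         "dateAdded": "2025-10-28", "dueDate": "2025-11-18", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Broadcom", "product": "VMware Aria Operations",
         "dateAdded": "2025-10-30", "dueDate": "2025-11-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "Broadcom", "product": "VMware Tools",
         "dateAdded": "2025-10-30", "dueDate": "2025-11-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00004", "vendorProject": "XWiki", "product": "Platform",
         "dateAdded": "2025-10-30", "dueDate": "2025-11-20", "knownRansomwareCampaignUse": "Known"},
        # An older entry, so the "last week" filter has something to exclude.
        {"cveID": "CVE-0000-00005", "vendorProject": "ExampleCorp", "product": "OldProduct",
         "dateAdded": "2025-09-01", "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Known"},
    ],
})


def recent_entries(feed_json: str, as_of: date, days: int = 7) -> list:
    """Entries whose dateAdded falls within the `days` days ending at `as_of`,
    oldest first (ties broken by CVE ID so the order is stable)."""
    feed = json.loads(feed_json)
    cutoff = as_of - timedelta(days=days)
    picked = [v for v in feed["vulnerabilities"]
              if cutoff < date.fromisoformat(v["dateAdded"]) <= as_of]
    return sorted(picked, key=lambda v: (v["dateAdded"], v["cveID"]))


def group_by_vendor(entries: list) -> dict:
    """vendorProject -> list of affected products, in feed order."""
    groups = {}
    for v in entries:
        groups.setdefault(v["vendorProject"], []).append(v["product"])
    return groups


def ransomware_flagged(entries: list) -> list:
    """CVE IDs CISA marks as used in known ransomware campaigns."""
    return [v["cveID"] for v in entries if v["knownRansomwareCampaignUse"] == "Known"]


def overdue(feed_json: str, as_of: date, inventory: set) -> list:
    """CVE IDs for (vendor, product) pairs we run whose remediation dueDate has passed."""
    feed = json.loads(feed_json)
    return [v["cveID"] for v in feed["vulnerabilities"]
            if (v["vendorProject"], v["product"]) in inventory
            and date.fromisoformat(v["dueDate"]) < as_of]


if __name__ == "__main__":
    today = date(2025, 11, 3)  # the newsletter date, used as the reference point
    added = recent_entries(SAMPLE_FEED, today)
    print(f"{len(added)} added in the last 7 days:", group_by_vendor(added))
    print("ransomware-linked:", ransomware_flagged(added))
    estate = {("XWiki", "Platform"), ("ExampleCorp", "OldProduct")}
    print("overdue on our estate:", overdue(SAMPLE_FEED, today, estate))
```

The `inventory` set stands in for whatever asset register you have; matching on the feed's own vendor/product strings is deliberately crude, and in practice you would normalise names or map to CPEs before relying on it.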

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 443 vulnerabilities during the last week, making the 2025 total 39,189. For more information visit https://nvd.nist.gov/vuln/search/

View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage

Information Privacy Headlines

Meta is facing pushback from privacy advocates over a new proposal to use conversations people have with its AI chatbots across Facebook, Instagram, and WhatsApp as training data. The company says these interactions are designed to feel friendly and casual, but critics say turning them into behavioural data for ad targeting crosses a line. The concern is that people may not realise their chats could directly shape the ads they see.

In the UK, ministers are under scrutiny after it emerged that child benefit payments were suspended for thousands of families based on faulty Home Office travel data. Legal experts say this may amount to a privacy violation. In some cases, families who had simply taken a holiday, even years ago, were wrongly flagged as having left the country permanently. Some even had payments cut after leaving and then returning through the same airport.

Meanwhile, the cyber insurance market is shifting. After years of competitive pricing and widening coverage, insurers are now tightening the scope of what they’ll cover, especially around privacy issues. According to Beth Gidicsin of Lockton, the change is being driven by a surge in privacy lawsuits, sparked by new regulations in the U.S. and abroad. Unlike traditional breach-driven claims, many of these new cases don’t require a data breach at all; companies can be sued simply for how they use or mishandle personal data. As a result, insurers are rethinking how cyber and privacy protections should be structured.

Smarter Protection Starts with Awareness
Data Breach Exposure Scan, Check Any Domain for Free https://breachaware.com/scan
