Risk
-
PornHub targeted by ShinyHunters after Premium member activity data reportedly stolen
PornHub says it is being extorted by the ShinyHunters gang after activity data for some Premium members was reportedly stolen in a Mixpanel-related incident; Mixpanel says it can find no indication the records were taken in its November 2025 incident.
-
ABA says deepfakes and generative AI are eroding court evidence and procedures
The American Bar Association’s report warns that generative AI and deepfakes are undermining legal procedures and evidence while also offering efficiency gains; the ABA has convened a task force to develop guidance on authenticity, liability and courtroom use.
-
Researchers: Popular Chrome VPN extension collected AI chatbot prompts and responses
Security researchers reported that the Chrome extension Urban VPN Proxy was observed collecting prompts and responses from multiple AI chatbots, sending captured conversation data to external servers; researchers linked the behavior to a July 9, 2025 update and raised concerns about downstream sharing with affiliated data firms.
-
700Credit breach exposes data of 5.8 million dealership customers
700Credit said a breach that originated at an integration partner exposed personal data of more than 5.8 million vehicle dealership customers, including Social Security numbers; the company is notifying affected individuals and offering TransUnion monitoring.
-
CISA orders immediate patching after active exploitation of critical GeoServer XXE flaw
CISA has ordered federal agencies to patch a critical unauthenticated XML External Entity flaw in GeoServer (CVE-2025-58360) that is being actively exploited; researchers warn the bug can disclose files and enable SSRF, and public scans show thousands of exposed instances.
-
France interior ministry confirms cyberattack on e-mail servers
France’s Interior Ministry confirmed a cyberattack on its e-mail servers that allowed access to some files; investigators have not confirmed whether data was stolen and are probing motives including foreign interference, activists and cybercrime.
-
Researchers Flag Four New Phishing Kits That Automate Credential Theft and MFA Bypass
Security firms have identified four phishing kits — BlackForce, GhostFrame, InboxPrime AI and Spiderman — that automate credential theft, bypass multi-factor authentication and mass-produce phishing emails, with researchers warning the tools lower barriers for large-scale attacks.
-
U.S. sues former Accenture manager over alleged false claims on Army cloud security
The U.S. has sued Danielle Hillmer, a former senior manager tied to Accenture, accusing her of misleading auditors about the security of the NIFMS cloud platform and falsely claiming FedRAMP High and DoD Impact Level compliance while work on Army contracts proceeded.
-
CISA sets Dec. 12 deadline to patch React2Shell RSC flaw amid widespread exploitation
CISA has set a December 12 deadline for federal agencies to patch the critical React2Shell RSC vulnerability CVE-2025-55182 after widespread exploitation was observed; security firms report rapid, opportunistic scans and attacks against Next.js and other internet-facing services.
-
Global privacy laws strengthen rights but enforcement and outcomes remain uneven
A 35-year review by researchers at Dakota State University finds that global privacy laws have expanded rights and obligations but enforcement and measurable reductions in harm are uneven; the study highlights uneven fines and compliance rates, growing technology-driven pressures, cross-border uncertainty and the need for metrics to track outcomes.
