Risk
-
Lovesac confirms data breach after ransomware attack; notices indicate data exposure and recovery steps
Lovesac disclosed a data breach after a March 2025 ransomware intrusion, exposing personal data of an undisclosed number of individuals. The company discovered the breach on Feb. 28, 2025, and offered 24-month credit monitoring through Experian while noting no current evidence of misuse. A Vermont AG notice and a GlobeneNewswire release provide context on the…
-
Noisy Bear Linked to Kazakh Energy Sector in Operation BarrelFire, Seqrite Says
Security researchers attribute a new campaign, Operation BarrelFire, to the Noisy Bear group, targeting Kazakhstan’s KazMunayGas with phishing lures and a DLL-based implant designed to deliver a reverse shell, amid broader regional cyberactivity and training-misinterpreted reports.
-
Qantas cuts executive bonuses by 15% after data breach
Qantas cut senior executive short-term bonuses by 15% after a late-June data breach that exposed millions of customers, reducing CEO Vanessa Hudson’s bonus by A$250,000 and five other executives’ bonuses by a combined A$550,000 while noting overall executive pay rose and the airline posted an A$2.4 billion underlying pre-tax profit.
-
Wealthsimple reports data breach affecting under 1% of customers; breach tied to third‑party software in suspected supply‑chain attack
Wealthsimple disclosed a data breach affecting less than 1% of its customers, with attackers accessing personal data but not funds or passwords. The breach is linked to a compromised third-party software package and is being treated as part of a broader Salesloft supply-chain attack. The firm is offering two years of free credit monitoring and…
-
VirusTotal flags 44 undetected SVGs in Colombian phishing campaign; hundreds of SVGs detected in the wild
VirusTotal has flagged a new malware campaign using 44 undetected SVG files to phish as Colombia’s Fiscalía General de la Nación, injecting a Base64-encoded HTML page and triggering a hidden ZIP download. Overall SVG detections in the wild have reached 523, with earliest samples dating to August 14, 2025.
-
Chess.com discloses data breach linked to third-party file-transfer app; around 4,500 users affected
Chess.com says a data breach tied to a third-party file-transfer app affected about 4,500 of its 100 million users, with potential exposure of names and other PII but no financial data, and says law enforcement was notified and monitoring continues.
-
Bridgestone confirms cyberattack affecting North American manufacturing; company says containment achieved
Bridgestone Americas said a limited cyber incident affected some North American manufacturing facilities, but it contained the threat early and did not indicate customer data was breached, as reports spread from South Carolina to Quebec.
-
France fines Google €325 million and Shein €150 million for cookie violations, CNIL says
France’s CNIL fined Google €325 million and Shein €150 million for cookie-consent violations, ordering compliance within six months, as U.S. authorities push parallel privacy actions and other firms face related penalties.
-
Misissued TLS certificates tied to Cloudflare’s 1.1.1.1 DNS service raise internet-security concerns
Security researchers disclosed mis-issued TLS certificates tied to Cloudflare’s 1.1.1.1 DNS service, a flaw that could enable impersonation and traffic interception. With the issuer and responsible parties not fully disclosed, the episode underscores ongoing vulnerabilities in the certificate authority system and the role of Certificate Transparency in detecting mis-issuances.
-
Threat actors weaponize HexStrike AI to exploit recently disclosed vulnerabilities, Check Point warns
Threat actors are weaponizing HexStrike AI, an AI-driven offensive security tool, to exploit recently disclosed vulnerabilities, prompting Check Point to urge immediate patching and hardening of affected systems.
