Vendors
-
Have I Been Pwned reports 17.6 million addresses affected in Prosper data breach
Prosper, a peer-to-peer lending marketplace, disclosed a breach detected on Sept. 2. Data breach service Have I Been Pwned reported 17.6 million unique email addresses were exposed and said the stolen records include Social Security numbers and other personal data. Prosper said it has not found evidence of account or fund access and is investigating…
-
Sotheby’s reports July breach that exposed Social Security numbers and financial data
Sotheby’s said a July 24 cyber intrusion stole an unspecified amount of data, including Social Security numbers and financial account information; a filing with the Maine attorney general confirmed two Maine residents were affected and the company is offering 12 months of TransUnion monitoring.
-
CISA adds Adobe AEM flaw to Known Exploited Vulnerabilities list
CISA added CVE-2025-54253, a critical Adobe Experience Manager Forms misconfiguration that can allow remote code execution, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation; Adobe has released a patch and federal agencies were told to apply fixes by Nov. 5, 2025.
-
Phishing campaign lures LastPass and Bitwarden users to install remote-access tools
A phishing campaign impersonating LastPass and Bitwarden is distributing a binary that installs the Syncro RMM agent and deploys ScreenConnect for remote access, researchers reported; LastPass says it was not breached and users are advised to ignore unsolicited alerts and verify notices on official channels.
-
MANGO notifies customers after marketing vendor data breach
Spanish retailer MANGO said on Oct. 14, 2025 that an external marketing service suffered unauthorized access exposing first name, country, postal code, email and telephone numbers; MANGO said last names, payment data and IDs were not compromised and its IT systems were unaffected.
-
UK regulator fines Capita £14m over 2023 cyberattack that exposed 6.6m people
The UK Information Commissioner’s Office has fined Capita £14 million after a 2023 cyberattack exposed data on about 6.6 million people; the ICO said failures in detection and privileged account controls allowed attackers to exfiltrate roughly 1 TB and deploy ransomware.
-
Researchers disclose two CVSS 10.0 flaws in Red Lion Sixnet RTUs
Security researchers have disclosed two CVSS 10.0 vulnerabilities (CVE-2023-40151 and CVE-2023-42770) in Red Lion Sixnet RTUs that can allow unauthenticated attackers to execute commands as root; vendors and agencies advise patching, enabling authentication and blocking TCP access.
-
Critical ICTBroadcast flaw (CVE-2025-2611) exploited to deploy reverse shells
A critical input-validation flaw in ICTBroadcast (CVE-2025-2611, CVSS 9.3) allows unauthenticated command injection via a session cookie; researchers including VulnCheck say the bug is being exploited to run reverse shells on exposed servers, and no patch information is currently available.
-
AMD issues fixes for ‘RMPocalypse’ flaw that can break SEV‑SNP protections
AMD has released fixes for a vulnerability termed RMPocalypse that researchers say can let a malicious hypervisor corrupt the Reverse Map Paging table during initialization and defeat SEV‑SNP protections; AMD has assigned CVE‑2025‑0033 and lists affected EPYC processors.
-
Researchers describe “Pixnapping” Android side‑channel that can steal 2FA codes
A team of academic researchers disclosed “Pixnapping,” a side‑channel pixel‑stealing technique that can recover on‑screen data including two‑factor codes on Android by exploiting rendering APIs and graphical operations, and Google has issued patches under CVE‑2025‑48561 while some issues remain unpatched.
