Bidencash Seized, Brutecat’s Google Hack, Wazuh Exploited.
16 June 2025
A total of 17 breach events were found and analysed, resulting in 6,296,420 exposed accounts containing a total of 26 different data types of personal data. The breaches found publicly and freely available included ULP 0025, ULP Alien TxT File - Episode 16, Instituto Nacional de Transporte Terrestre (INTT), Infusion Mobile and Epsilor.
Categories of Personal Data Discovered
Contact, Digital Behaviour, Finance, Sociodemographic, Technology, Geolocation, Health and Environment, National Identifiers, Career, Commerce.
Data Breach Analysis
The breaches labelled ULP 0025 and ULP Alien TxT File - Episode 16 are classic examples of infostealer dumps. This data is widely traded or freely posted, creating risks of mass credential stuffing, identity theft, and corporate account breaches.
The Instituto Nacional de Transporte Terrestre (INTT), Venezuela’s national transport authority, is a government entity responsible for vehicle registrations and driver licensing. A breach here could expose citizens’ personal identification numbers, licence details, and contact information, making individuals vulnerable to fraud or impersonation.
Infusion Mobile operates in the mobile app or tech solutions space. Breaches in such companies often involve user accounts, device IDs, and potentially back-end system credentials, posing risks to both customers and downstream partners if attackers exploit access to mobile ecosystems.
Epsilor, a developer of advanced battery packs and energy storage solutions, works with sectors like defence, aerospace, and industrial power. Exposure of internal credentials or client data could have serious implications, including supply chain attacks or intellectual property theft.
Taken together, this batch illustrates how stolen credentials and diverse personal records feed the underground economy. For individuals and employers alike, this increases the threat of targeted phishing, fraud, and infiltration of business systems unless proactive monitoring and security controls are in place.
Spotlight
The feds just chalked up another victory in the endless war on credit card fraud. Bidencash, a notorious carding bazaar infamous for brazenly dumping millions of stolen card numbers, has been seized in a joint op by the Dutch police and the FBI.
Operating both on the clear net and Tor, Bidencash made headlines back in 2022 when they celebrated their grand opening with a twisted promo: 1 million stolen cards, free for all. For their recent birthday? They did it again, but bigger, dumping 2 million more.
Their pricing scheme made credit card theft disturbingly accessible: from premium cards with “guaranteed cash-outs” to dirt-cheap dumps for as little as 13 pence per card. The feds estimate the marketplace raked in over $17 million before the takedown. In the seizure, they grabbed 145 domains and effectively nuked the site’s footprint, at least for now.
However, while the infrastructure is gone, no arrests have been reported. The site’s user base, estimated at 177,000 strong, is now scattered and watching their backs, until someone inevitably spins up Bidencash 2.0.
A researcher named Brutecat just uncovered a shockingly simple, and devastating, hole in Google’s account recovery flow. The trick?
Google’s recovery page typically uses JavaScript to limit or obfuscate brute forcing attempts. But Brutecat found a non-JavaScript version, which let them automate massive requests with rotating IPs, likely using a proxy chain.
All an attacker needs:
- The victim’s full name
- Their email address
From there, the brute force script cracks the phone number field in 5 seconds to a few minutes, allowing a swap and hijack of the Google account. For exposing this hole, Google handed Brutecat a $5,000 bug bounty, a fraction of what criminals could rake in if this exploit hit the wild. One slip in your personal info, and your entire Google ecosystem is toast.
In another blow to privacy, a well-known crypto on-ramp and off-ramp site has suffered a brutal KYC data breach. A ransomware gang claims credit for leaking the files, which are now freely circulating on dark web forums.
Each leaked folder includes:
- Government IDs
- Selfies holding the ID
- Multiple facial angles
Hundreds of these ID packs are now effectively open season for identity theft, downloadable by anyone shady enough to poke around darknet marketplaces. The exchange hasn’t commented publicly yet, but for the users caught in this breach, the damage is immediate: their verified identities are likely already in the hands of scammers, fraudsters, and shady marketplaces.
Vulnerability Chat
Security researcher Michael Heinzl has discovered a worrying flaw in the MicroDicom DICOM Viewer, a tool commonly used for viewing medical images. The vulnerability can be exploited remotely with minimal effort and, if successful, allows attackers to run their own code on a victim’s system. The catch? The user still needs to click or interact for the exploit to work.
Meanwhile in Ecuador, independent hardware security researcher Danilo Erazo found that KIA-branded aftermarket keyless entry systems there are stuck using outdated tech. This makes vehicles susceptible to classic replay attacks and signal cloning. Even more troubling, Erazo found that attackers can sneak in backdoor codes on the vehicle’s receiver, effectively programming their own keys to unlock and start someone else’s car.
IBM is in the spotlight too: a security oversight in its Backup, Recovery, and Media Services (BRMS) for IBM i could open the door for privilege escalation attacks in enterprise environments. The issue comes from how the system references certain libraries, without secure paths, meaning anyone with permission to compile or restore programs could redirect calls to malicious code instead.
On the patching front, Tenable has rolled out version 10.8.5 of its Agent software to fix three critical vulnerabilities on Windows hosts. If left unpatched, these flaws could let a regular, non-admin user grab SYSTEM-level privileges, which could spell major trouble for affected machines.
Over in open source, Akamai’s Security Intelligence and Response Team has confirmed that threat actors are actively exploiting a remote code execution flaw in Wazuh, a popular cybersecurity monitoring platform. Akamai’s researchers noted that botnet operators are moving faster than ever, often weaponising new vulnerabilities within days of disclosure.
Finally, GitLab has urged all self-managed users to upgrade ASAP following the discovery of a series of security holes in both its Community Edition (CE) and Enterprise Edition (EE). Left unpatched, these vulnerabilities could let attackers take over entire accounts and potentially compromise whole development pipelines. The good news: GitLab.com has already rolled out the fixes on its hosted service.
4 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- Roundcube; Webmail
- Erlang; Erlang/OTP
- Web Distributed Authoring and Versioning; Web Distributed Authoring and Versioning (WebDAV)
- Wazuh; Wazuh Server
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 931 vulnerabilities during the last week, making the 2025 total 21,818. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
Deutsche Telekom, Alibaba Cloud, STC Bahrain, and Vodafone’s Pairpoint are taking a hands-on approach with Nillion’s blind computation network. They’re not just writing checks or putting out press releases, they’re actually running nodes themselves. That means they’re directly handling encrypted data and testing how blind computation could work in real-world enterprise settings.
Over in the UK, the Competition and Markets Authority (CMA) is asking the public for feedback about whether it should release Google from previous commitments. This follows Google’s announcement in April that it’s dropping its plans to make Chrome users actively choose whether to block third-party cookies, a move that could reshape how online tracking happens in the browser.
Meanwhile, TechCrunch’s Amanda Silberling highlighted a privacy twist with Meta’s AI assistant. If you ask Meta AI something, you can share that interaction with others, but many users don’t seem to realise they’re posting these chats, voice clips, or images publicly. Worse, Meta doesn’t clearly show where this content is going or how public it really is. So if your Instagram account is set to public and you log into Meta AI with it, your AI conversations can be public too.
Meta is also back to flirting with facial recognition, this time for its AI-powered Ray-Ban smart glasses. The idea is that the glasses could help wearers discreetly recognise people in social settings. While some say this could spare folks the embarrassment of forgetting names, privacy advocates are sounding alarms about the ethics of scanning strangers’ faces without asking first.
And in New Zealand, Privacy Commissioner Michael Webster has greenlit a facial recognition trial by supermarket giant Foodstuffs. This is part of a bigger wave: major retailers like Briscoes, Bunnings, Farmers, Mitre 10, Michael Hill, One NZ, Spark, and The Warehouse are all preparing to roll out biometric surveillance in stores. They say it’s about cutting down retail crime, but it’s certain to spark fresh debates about balancing safety and privacy.