Dark Web Busts, CLOP Hits Ivy League & Global Exploits Erupt.
08 December 2025 | BREACHAWARE HQ
A total of 7 breach events were found and analysed, resulting in 342,933 exposed accounts containing 19 different types of personal data. The breaches, found publicly and freely available, included Queen Mary University of London, France Casse, Artists and Clients, Refer Life and e-Retail. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.
Categories of Personal Data Discovered
Contact, Digital Behaviour, Sociodemographic, Geolocation, Technology, Finance, Commerce, Career.
Data Breach Impact
This group of breaches shows how even modest-sized exposures can still create meaningful risk when they involve institutions and platforms that people inherently trust. The inclusion of Queen Mary University of London is particularly notable, as academic institutions often hold a blend of personal, financial and sometimes research-related information that can be leveraged for targeted scams against students, faculty and alumni. Platforms like Artists and Clients and e-Retail illustrate how creative marketplaces and smaller digital storefronts continue to be vulnerable, often because of lean security budgets and reliance on third-party tools. Meanwhile, France Casse and Refer Life add a commercial and membership-based dimension that could expose contact details, account credentials or transactional histories. Even with just 19 data types in play, the diversity of the affected platforms means individuals may face tailored phishing attempts, account takeover attempts, or scams that exploit their academic, artistic, retail or membership interactions.
For the organisations involved, the implications revolve around maintaining trust in communities that are relationship-driven and reputation-sensitive. Universities, in particular, can face scrutiny from regulators and donors if their handling of student or staff information appears inadequate. Creative and retail platforms must balance operational recovery with reassuring users that they still provide a safe environment in which to transact or collaborate. Many of these entities likely have under-resourced cybersecurity capabilities, which means even small misconfigurations or outdated systems can lead to exposures that ripple far beyond their size. Strengthening data governance, improving identity protections and establishing routine monitoring of leak sites will be essential.
In environments where users are driven by personal passion, whether education, art or entrepreneurship, restoring confidence is not just a compliance responsibility; it is fundamental to keeping these communities active and engaged.
Cyber Spotlight
An investigation that kicked off back in August 2022 has finally wrapped up, and not in the way the suspect was hoping for. Dutch servers led investigators to a 21-year-old British man who was allegedly helping run Bohemia Dark, a marketplace that mainly dealt in drugs but also moonlighted in various criminal services. Not exactly the part-time job you list on your CV.
He was arrested at Schiphol Airport, presumably thinking he was going on holiday rather than straight into custody. Authorities found plenty linking him to the marketplace, including a neat stash of 31 Bitcoin, worth around £2 million or $2.7 million. A bold carry-on item.
Bohemia Dark itself was seized on October 9th, 2024, and to make matters significantly worse for him, investigators say they uncovered CSAM on his personal Telegram account, a very serious, very separate criminal offence. A court in Rotterdam will be deciding his fate, and based on the charges, the judge won’t be offering a loyalty discount.
The CLOP ransomware gang has popped up again, this time after compromising the University of Pennsylvania through an exploited vulnerability in Oracle's E-Business Suite. Over 1,400 individuals' personal data was impacted. For CLOP, this is just another stamp in its academic passport; Ivy League institutions have been hit repeatedly in the past few years, proving that even the best schools occasionally fail their cybersecurity homework.
The university has since patched the vulnerability and notified those affected. CLOP, meanwhile, continues its long-running hobby of making IT departments across the world reconsider their life choices.
A well-known cryptocurrency tumbler has been seized by law enforcement, and judging by the tone of privacy advocates online, it’s been described somewhere between “tragic” and “the end of the internet as we know it.”
CryptoMixer, which held $25 million USD in cryptocurrency at the time of the takedown, had its domain seized following a coordinated operation by German and Swiss authorities with Europol support. Servers in Zurich were raided, resulting in a hefty 12 terabytes of data being taken into evidence. The mixer had been running since 2016, processing roughly €1.3 billion worth of bitcoin over its lifetime.
The seizure page now features a bright green, alien themed background that looks like a 2004 hacking movie screensaver, proudly listing the seven law enforcement agencies behind Operation Olympia. If there’s one thing police love, it’s a dramatic splash page, and honestly, they nailed it.
Vulnerability Chat
Amazon's threat intelligence teams report that within hours of the public disclosure of the React2Shell vulnerability, multiple China-nexus threat groups, including Earth Lamia and Jackpot Panda, began actively attempting to exploit it. Using AWS's MadPot honeypot infrastructure, analysts observed both known adversaries and previously unidentified clusters probing for the flaw, signalling rapid adoption of the exploit across state-linked operations.
The Apache Software Foundation has also disclosed a significant security issue in Apache Tika, a toolkit used to detect and extract metadata and text from over a thousand file formats. Because Tika is embedded in search engines, document management systems and various security platforms, successful exploitation may have wide-ranging impact depending on how it is deployed within downstream applications.
Aikido Security has revealed a new class of vulnerabilities, dubbed PromptPwnd, affecting GitHub Actions and GitLab CI/CD pipelines when they rely on AI agents such as Gemini CLI, Claude Code, OpenAI Codex or GitHub AI Inference. According to the researchers, this marks the first real-world demonstration that AI prompt injection can be weaponised to compromise CI/CD workflows.
Meanwhile, researchers at GreyNoise have detected a large, coordinated campaign targeting Palo Alto Networks and SonicWall VPN environments. The activity, involving sustained login attempts over several months, appears to use consistent tooling across shifting infrastructure, indicating a well-organised brute-force or credential-stuffing operation.
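GreyNoise describes the campaign only at the level above (consistent tooling, shifting infrastructure, months of login attempts), so as an added illustration, not GreyNoise's or any vendor's code, here is a small detector that applies the same signal to gateway authentication logs: cluster events by the client's self-reported tool string, then flag clusters that span many source addresses and several days while producing almost nothing but failures. The log line format, the tool strings, the usernames and the TEST-NET addresses are constructed for this example; adapt the regular expression to your own gateway's log format. The attempts-per-username split between credential stuffing and brute force is a heuristic of this example, not a GreyNoise finding.

```python
"""
Flag a coordinated VPN credential attack from gateway auth logs.

Heuristic: a single client fingerprint (the tool's self-reported version
string) reused across many source IPs, with almost all attempts failing,
sustained over several days. The log format is hypothetical; adapt LINE_RE
to the gateway you actually run.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical line format, constructed for this example (not a vendor format):
# <iso8601> <gateway> auth: user=<u> src=<ip> client="<tool string>" result=OK|FAIL
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) '
    r'client="(?P<client>[^"]*)" result=(?P<result>OK|FAIL)$'
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_campaigns(lines, min_events=20, min_ips=5, min_days=2, min_fail_ratio=0.9):
    """Group events by client string and flag clusters that look coordinated."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_client[ev["client"]].append(ev)

    findings = []
    for client, evs in by_client.items():
        ips = {e["src"] for e in evs}
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if e["result"] == "FAIL")
        span_days = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).days + 1
        fail_ratio = failures / len(evs)
        if (len(evs) >= min_events and len(ips) >= min_ips
                and span_days >= min_days and fail_ratio >= min_fail_ratio):
            # Rough separation of the two tactics: stuffing tries each leaked
            # username about once, brute force hammers a handful of accounts.
            kind = "credential stuffing" if len(evs) / len(users) <= 2 else "brute force"
            findings.append({
                "client": client, "events": len(evs), "failures": failures,
                "source_ips": len(ips), "usernames": len(users),
                "days": span_days, "kind": kind,
            })
    return sorted(findings, key=lambda f: -f["events"])


def constructed_log():
    """Constructed sample input (TEST-NET addresses, invented users and tool strings)."""
    lines = []
    # Cluster 1: 30 different usernames, 10 rotating IPs, one tool string, 3 days, all failing.
    for i in range(30):
        lines.append(
            f"2025-11-0{1 + i % 3}T0{i % 10}:1{i % 6}:00Z vpn-gw1 auth: user=u{i:03d} "
            f'src=203.0.113.{1 + i % 10} client="GlobalProtect/6.2.1" result=FAIL'
        )
    # Cluster 2: two admin accounts hammered from six IPs over two days.
    for i in range(24):
        lines.append(
            f"2025-11-0{2 + i % 2}T1{i % 10}:{i % 60:02d}:00Z vpn-gw2 auth: "
            f"user={'admin' if i % 2 == 0 else 'vpnadmin'} src=203.0.113.{50 + i % 6} "
            f'client="NetExtender/10.2.3" result=FAIL'
        )
    # Normal staff traffic: a few home IPs, mostly successful, one mistyped password.
    for i in range(8):
        lines.append(
            f"2025-11-0{1 + i % 3}T08:0{i}:00Z vpn-gw1 auth: user=staff{i % 4} "
            f'src=198.51.100.{1 + i % 3} client="GlobalProtect/6.1.0" result=OK'
        )
    lines.append('2025-11-02T09:00:00Z vpn-gw1 auth: user=staff1 src=198.51.100.2 '
                 'client="GlobalProtect/6.1.0" result=FAIL')
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for finding in find_campaigns(constructed_log()):
        print(finding)
```

Run against the constructed log it reports two clusters: the 30-username, 10-address cluster as credential stuffing and the two-account, six-address cluster as brute force, while the staff logins (few events, mostly successful) are not flagged. In production the client string is only one of several stable fingerprints worth clustering on; TLS fingerprints or HTTP header ordering serve the same purpose when the tool string is spoofed.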
Finally, WatchGuard Firebox firewall users have been warned of ten newly disclosed vulnerabilities, several of them critical. The most severe allow an authenticated attacker to execute arbitrary code through out-of-bounds write flaws in the management CLI and the certificate daemon, placing exposed devices at significant risk if they are not promptly patched.
At least three Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- Android; Framework
- OpenPLC; ScadaBR
- Meta; React Server Components
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 903 vulnerabilities during the last week, bringing the 2025 total to 43,642. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
India's government has walked back its plan to force smartphone makers to preload a state-run cybersecurity app on all new devices. The order was scrapped after a wave of backlash from politicians, privacy advocates and major tech companies, all of whom raised alarms about the potential for increased surveillance.
OVHcloud found itself in the spotlight this week after GrapheneOS announced it would no longer use the company's servers. The decision came down to concerns about France's broader stance on digital privacy, especially its support for the proposed EU "Chat Control" legislation. Critics warn the law could require providers to build backdoors that let authorities scan user content.
In Switzerland, Privatim, the Conference of Swiss Data Protection Officers, passed a resolution urging government agencies to rethink their reliance on international cloud services for sensitive data. Their message was clear: if agencies plan to use international SaaS platforms, they should be encrypting the data themselves before handing it over.
Meanwhile, an investigation by Futurism has raised serious questions about the free web version of Grok. Reporters entered the names of 33 non-public individuals with only minimal prompting, and in ten cases Grok returned accurate, up-to-date home addresses. It also frequently volunteered additional personal details such as phone numbers, emails, employment information, and even the names and addresses of family members, including children. A follow-up test found that Grok would actively assist in stalking individuals once their details were provided. When the same prompts were tried with ChatGPT, Gemini, Claude and Meta AI, all of those models refused to help.