Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Fire Scam malware masquerading as a Telegram Premium app.

13 January 2025
BREACHAWARE HQ

A total of 21 breaches were found and analysed, resulting in 3,896,922 leaked accounts containing a total of 29 different data types. The breaches found publicly and freely available included Amai, Gift Flora, Religare Broking, Stealer Log 0503 and PnP. Sign in to view the full BreachAware Breach Index, which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A new and highly sophisticated Android malware, Fire Scam, is making waves by posing as a pirated version of Telegram Premium. Distributed via phishing sites and even the RU Store—an Android app store created by VK in Russia—the malware entices users with the promise of avoiding the subscription fee for Telegram Premium. Once installed, an info stealer deploys on the victim’s device, scanning for sensitive data such as passwords, private keys, and token sessions. This data is then exfiltrated to a Fire Scam server. The malware employs advanced evasion techniques to bypass antivirus detection, including the use of DexGuard—a legitimate tool often used by game developers for anti-cheat mechanisms, which makes applications harder to analyse or tamper with.

Meanwhile, DDoSecrets (Distributed Denial of Secrets) has escalated its operations, making 30 million leaked messages from Andrew Tate’s Real World Hustler University fully searchable on an easy-to-navigate section of its website. This unprecedented move allows employers and others to quickly check whether an individual has made statements in connection with Tate's university and to view the content of their messages.

In another incident, an up-and-coming marketing agency—complete with a glossy website boasting motivational taglines like “Unlocking the next phase of your business growth” and “You’ve got growth goals. We’ll deliver the roadmap”—has suffered a data breach. The breach, attributed to a well-known threat actor, resulted in the agency’s data being dumped for free on various dark web forums as a New Year’s "gift" to the hacking community.

VULNERABILITY CHAT

Hackers have begun targeting deployments of Ivanti Inc. software products using a newly discovered security vulnerability, according to a blog post from Google LLC’s Mandiant cybersecurity unit. First exploited in mid-December, the vulnerability bypasses the authentication mechanism of affected Ivanti products, allowing attackers to gain access without needing login credentials.

The UK internet domain registry, Nominet, has confirmed an “unauthorised intrusion” into their network, reportedly caused by a “zero-day vulnerability” in the Virtual Private Network (VPN) software they use. In a statement to ISPreview, Nominet revealed, “The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely.”

A Google Project Zero researcher has disclosed a major zero-click vulnerability affecting certain Samsung devices. This exploit enables attackers to gain full control over a target device without requiring any interaction from the user, raising significant security concerns.

In another revelation, security researcher @wh1te4ever has released a proof-of-concept exploit for a critical vulnerability in macOS. The flaw allows malicious applications to escape the macOS Sandbox, a security feature designed to confine app operations within strict boundaries.

Threat actors have been luring security researchers with a fake proof-of-concept (PoC) exploit for a critical Microsoft vulnerability, according to Trend Micro. The attackers set up a malicious repository containing the fake PoC. Once executed, the malware exfiltrates sensitive computer and network information, targeting unsuspecting researchers.

IBM has disclosed a vulnerability in its watsonx.ai platform, potentially exposing users to cross-site scripting (XSS) attacks. The flaw allows authenticated users to embed arbitrary JavaScript code in the Web UI when using unauthorised third-party LLM prompts. IBM has since addressed the issue and strongly urges users to upgrade to the latest version of the affected products.

Four Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog last week, including one affecting Mitel MiCollab. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,024 vulnerabilities last week, bringing the 2025 total to 1,425. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

The EU General Court has ruled that the European Commission must compensate a German citizen for violating its own data protection regulations. The case stemmed from the individual using the Sign in with Facebook option on the EU login webpage to register for a conference. This action led to the unauthorised transfer of the user’s IP address to Meta Platforms in the U.S., breaching EU data protection laws.

The Consumer Financial Protection Bureau (CFPB) has announced plans to seek public feedback on enhancing privacy protections in digital payment systems. A recent Government Accountability Office (GAO) report underscored the inadequacy of existing frameworks, citing outdated privacy notices and low consumer opt-out rates that fail to align with modern data-sharing practices.

In Texas, Attorney General Ken Paxton is investigating tech companies’ compliance with the state’s Securing Children Online through Parental Empowerment Act (SCOPE). Companies like Rumble, Quora, and WeChat are among 15 firms being questioned about their data collection and usage practices for individuals under the age of 18.

A new report reveals that advertisers have found ways to circumvent Apple’s App Tracking Transparency (ATT) feature to monetise iPhone user data. Popular apps such as Candy Crush, Tinder, and MyFitnessPal are allegedly being exploited by rogue actors within the advertising industry to collect sensitive location data on a massive scale.

In Thailand, consumers are raising concerns over Fineasy, a pre-installed app on Oppo and Realme devices, accused of accessing personal data without user consent. Oppo and Realme have since issued apologies, confirming the removal of the app’s loan feature and pledging to stop pre-installing similar applications.

A federal judge in California has denied Google’s motion to dismiss a class-action lawsuit alleging it violated the privacy of both Android and non-Android users. In response, Google stated, “Privacy controls have long been built into our service, and the allegations here are a deliberate attempt to mischaracterise the way our products work. We will continue to make our case in court against these patently false claims.”


DATA CATEGORIES DISCOVERED

Socio-Demographic Data, Contact Data, Social Relationships Data, Technical Data, Financial Data, Locational Data, Usage Data, Documentary Data, National Identifiers, Transactional Data.
