Hackers Doxed, $82M Bitcoin Heist, and BreachForums’ Final Death.
25 August 2025 | BREACHAWARE HQ
A total of 21 breach events were found and analysed, resulting in 363,354,424 exposed accounts containing a total of 22 different data types of personal data. The breaches found publicly and freely available included !.1KKK USA, Moscow IT Department, Huntio, O2 - UK and Singapore Eye & Vision.
Categories of Personal Data Discovered
Technology, Contact, Digital Behaviour, Finance, Commerce, Sociodemographic, National Identifiers, Geolocation, Relationships, Academic.
Data Breach Impact
The sheer size of this exposure is staggering: over 363 million accounts were compromised, putting it among the most consequential breach clusters we’ve seen. The presence of large-scale combo files like !.1KKK USA suggests mass credential aggregation, where previously stolen records are repackaged and redistributed, compounding risks for individuals through credential stuffing and long-tail account compromise. The involvement of public institutions such as the Moscow IT Department and healthcare-related platforms like Singapore Eye & Vision raises the stakes: we’re no longer looking at just consumer data, but also potentially sensitive health and civic information. Combined with corporate exposures like O2 UK and threat intelligence platforms such as Huntio, the picture is one of systemic, cross-sector data leakage that can fuel everything from fraud to espionage.
For the organisations implicated, the implications extend far beyond regulatory fines. Telecom providers like O2 face not only reputational damage but also the real possibility of downstream attacks against their customer base, eroding trust in critical infrastructure. Healthcare exposures carry heightened compliance and ethical scrutiny, while government-linked leaks risk geopolitical fallout and exploitation by hostile actors. The recurrence of freely available combo files demonstrates how once-sensitive data quickly becomes commoditised, leaving organisations with little control once it escapes their perimeter. To recover, these entities will need to do more than issue breach notices; they’ll need to show stakeholders that they can meaningfully contain systemic weaknesses, enforce data minimisation, and rebuild trust in environments where massive breach events are increasingly the norm.
Cyber Spotlight
The hacker underground has once again proved it’s less “Ocean’s Eleven” and more “schoolyard brawl.” A fairly well-known threat actor has just been doxed after falling out with another hacker. And by “falling out,” we mean someone gleefully posted his full name, IP address, and mobile number in a Telegram channel. If law enforcement were watching, their job just got easier. Instead of chasing shadows across onion domains, they can now just scroll through Telegram like the rest of us. Oh, dear indeed.
Meanwhile, one unlucky Trezor hardware wallet user has learned the hard way that the weakest part of crypto security is always the human. Threat actors pulled off a brutal social engineering attack, posing as both a crypto exchange and the hardware wallet manufacturer. The result? A devastating haul of 782 Bitcoin, about £65 million ($82m), gone in a puff of digital smoke. Not a trip, not a fall, just a financial black hole. Somewhere out there, a scammer is sipping cocktails while the victim is trying to remember how breathing works.
After endless drama, resurrections, and fakes, BreachForums is officially dead. Cue the sad violin for cybercriminals, and a sigh of relief for law enforcement. The admin, ShinyHunters, made a final post that reads like the season finale of a hacker soap opera. In it, they claimed the latest revival of BreachForums was actually a law enforcement honeytrap, with the “Founder” account secretly operated by federal agents. Meaning: every PM, plaintext password, IP address, and email logged since the reboot? All in the hands of the feds. Ouch.
ShinyHunters also dropped some spicy intel: “To clear out long-standing confusion… Anastasia and Hollow administrator accounts were always controlled by me.” That’s awkward, because law enforcement previously announced the arrest of Hollow and Anastasia. So either ShinyHunters is flexing, or the feds were putting on a Broadway-level performance to spook the underground.
The message wrapped with a warning: BreachForums will not be returning under legitimate operation. Any reappearance should be assumed to be a law enforcement trap. Translation: if you see BreachForums “back” again, it’s probably the FBI cosplaying as a cybercriminal.
Vulnerability Chat
Apple has rushed out security updates for iPhones, iPads, and Macs to patch a zero-day flaw that’s already being exploited in targeted attacks. The bug, an out-of-bounds write vulnerability, allows attackers to tamper with memory they shouldn’t have access to. Apple says even something as simple as a maliciously crafted image could trigger the exploit, leading to memory corruption.
The FBI, meanwhile, has issued an advisory on malicious activity linked to Russia’s Federal Security Service, specifically its Center 16 unit. The warning highlights how the group is targeting outdated devices running an unpatched vulnerability in Cisco’s Smart Install software. According to the FBI, the threat actors have been caught collecting configuration files from thousands of networking devices tied to U.S. critical infrastructure.
Over in the browser wars, Brave’s Artem Chaikin and Shivan Kaul Sahib uncovered a serious flaw in Perplexity’s AI-powered web browser, Comet. The vulnerability, now fixed, made it possible for attackers to hijack a user’s account by exfiltrating their email address and one-time password during authentication. The researchers said the attack emphasises just how easily AI assistants can be manipulated into bypassing long-standing web security safeguards, and why new protections are needed for agentic browsers.
Microsoft has also had to address a worrying oversight in Copilot for M365. A newly discovered vulnerability allowed insiders, including potentially malicious ones, to access and interact with sensitive files without leaving a trace in the audit logs. While the flaw has since been patched, Microsoft opted not to issue a CVE or formally notify customers.
And finally, security researchers Paras Jain and Yakov Shafranovich at Amazon have disclosed a vulnerability in Apache Tika’s PDF parser module. The bug, present in versions 1.13 through 3.2.1, could let attackers extract sensitive data or send malicious requests to internal systems by embedding specially crafted XML Forms Architecture files inside PDFs.
Two Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- Trend Micro; Apex One
- Apple; iOS, iPadOS, and macOS
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 862 vulnerabilities during the last week, making the 2025 total 30,271. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
The U.S. Treasury is weighing a controversial idea: baking identity checks directly into DeFi smart contracts. Supporters argue it could curb anonymous criminal activity, while critics say it would tear apart the very foundation of permissionless finance. Fraser Mitchell, Chief Product Officer at SmartSearch, told Cointelegraph such measures could “unmask the anonymous transactions that make these networks so attractive to criminals.” But not everyone is convinced. Mamadou Kwidjim Toure, CEO of Ubuntu Tribe, likened the proposal to “putting cameras in every living room.”
Meta, meanwhile, is facing new accusations from a former insider. Samujjal Purkayastha, once a product manager at the company, claims Meta artificially inflated a key advertising metric by nearly 20 percent and deliberately sidestepped Apple’s privacy rules to squeeze more revenue from iPhone users. He also alleges Meta secretly tied user data to off-platform browsing activity without consent. In response, the company said it had no “interest in retaliating” against Purkayastha’s unfair dismissal claim, which he has lodged with the Central London Employment Tribunal.
Google has agreed to pay $30 million to settle a lawsuit accusing it of illegally collecting children’s personal data on YouTube and using it for targeted advertising. Parents of 34 children alleged Google violated dozens of state laws by letting content creators lure kids with cartoons, nursery rhymes, and other child-friendly videos as a pretext to harvest personal information, despite a 2019 settlement meant to curb such practices. While agreeing to pay, Google denied any wrongdoing.
Johnson & Johnson’s former consumer division is also moving to put a legal fight behind it, agreeing to settle a class action lawsuit over the Neutrogena Skin360 app. The suit alleged the skincare app secretly stored facial scans used in its AI-powered analysis tool, which recommended products based on users’ skin profiles.
In Australia, Victoria’s deputy information commissioner has ruled that the University of Melbourne breached privacy laws when it used its campus wifi network to track students and staff during a pro-Palestine protest in May. Investigators found the university combined wifi location data, student ID photos, and CCTV footage to identify 22 students who refused to leave the Arts West building during the demonstration.
And in one of the stranger privacy stories of late, an anonymous sleuth claims they’ve been quietly scraping Spotify accounts belonging to celebrities, politicians, and journalists since mid-2024. The result is Panama Playlists, a website that lays bare the listening habits of high-profile figures. Among them: Sam Altman’s playlist featuring tracks by David Guetta, OneRepublic, Dixon Dallas, and Nicki Minaj; U.S. Vice President JD Vance; Anduril CEO Palmer Luckey; White House press secretary Karoline Leavitt; and U.S. Attorney General Pam Bondi.