LeakBase Admin Arrested, Forums Exposed & Exploits Run Wild.
30 March 2026
BREACHAWARE HQ
A total of 23 breach events were found and analysed, resulting in 13,313,327 exposed accounts containing a total of 42 different types of personal data. The breaches found publicly and freely available included Vietnam Consumer Database, Repediu, Telegram Scrape, Stealer Log 0557 and Apoia.
Categories of Personal Data Discovered
Contact, Technology, Digital Behaviour, Unstructured, Career, Geolocation, Audio and Visual, Sociodemographic, Finance, Commerce, Academic, National Identifiers.
Data Breach Impact
Not the biggest volume we’ve seen, but don’t be fooled. With a chunky 42 types of personal data in circulation, the quality of what’s leaked more than makes up for the quantity. From scraped platforms to stealer logs and regional databases, it’s a mixed bag with real bite. For third-party organisations, it’s another reminder that employee data doesn’t need a direct breach to end up exposed. And for individuals? More data points mean more ways to be profiled, targeted, and ultimately exploited. Smaller numbers, sharper risks.
Cyber Update
Following the recent seizure of LeakBase, we now have confirmation that its admin, known as Chucky, has been arrested in Taganrog, Russia. Russian media wasted no time releasing the highlight reel: law enforcement turning up in force, armed to the teeth, rolling in with unmarked vehicles like it’s a low-budget action film. There’s even a brief cameo of the 33-year-old himself, presumably having a very bad day.
But here’s where it gets interesting. Just three days after the seizure, LeakBase popped back up under a new domain: Leakbase.bz. Because in cybercrime, nothing says resilience like spinning the server back up and pretending nothing happened.
Chucky had been relying on DDoS-Guard, a well-known Russian bulletproof hosting provider, the kind that’s supposed to ignore takedown requests and politely decline to cooperate with anyone flashing a badge.
Except… this time, not so bulletproof.
An investigation by TriTrace reportedly supplied intelligence that led directly to Chucky’s arrest. Whether through compromise, leakage, or a quiet slip-up, something pointed back to him, and that was enough.
He’s expected to face charges under Article 272.1 (Parts 3 & 6) in Russia, with early chatter suggesting a sentence in the region of 6–8 years. Not exactly a lifetime, but certainly enough time to reconsider career choices.
In a separate moment of unintentional comedy, a well-known cybercrime forum, accessible only via Tor, has reportedly been leaking its real IP address. Yes. A hidden service… that isn’t very hidden.
A prominent cybercrime analyst flagged the issue on Telegram, noting that backlash had already been brewing internally before the public call-out. Which suggests someone, somewhere, realised the problem, just a bit too late. For a community built on anonymity, accidentally exposing your infrastructure is the digital equivalent of hosting a masked ball and handing out name tags.
Meanwhile, ShinyHunters have officially had enough of the BreachForums soap opera. After walking away from the platform following its seizure in October 2025, they’ve now made their position crystal clear:
“Maintaining such an ecosystem is a waste of our time.” Translation: forums are out, ransomware blogs are in.
But they didn’t stop there. Across multiple Telegram channels, they issued a warning that reads less like a statement and more like a threat wrapped in inevitability: “All the current forums are fake… If they continue to exist, we’ll leak all the BF backups — private messages, emails, IP addresses, everything.”
They also casually mentioned having exploits for MyBB 1.8, which, if true, makes any forum running that software feel like it’s built on wet cardboard.
And Right on Cue… The Leaks Begin. At least three BreachForums variants are currently limping along across various domains. So far, one has already been hit.
A dataset containing over 339,000 unique email addresses, passwords, and associated data has been dumped onto the dark web, freely available, no paywall, no ceremony.
Which leaves forum admins in a rather awkward position:
• Stay online and risk being exposed by ShinyHunters
• Shut down and admit defeat
Neither option is particularly appealing. Because while law enforcement pressure is one thing (predictable, procedural, slow-moving), ShinyHunters operate on a different playbook entirely.
No rules. No timelines. No polite warnings.
Software Vulnerabilities
CrushFTP, authentication bypass / RCE chain (actively exploited, KEV). File transfer software is once again doing its best impression of an open door. A critical CrushFTP vulnerability chain allowing authentication bypass and remote code execution has been actively exploited, earning its place in KEV. Attackers love file transfer tools because they’re usually internet-facing and full of sensitive data, a two-for-one deal.
What to do: patch immediately, review logs for suspicious admin access, and check for data exfiltration patterns.
Microsoft Exchange, legacy attack surface refuses to die (KEV update). Exchange continues its long goodbye tour. Older vulnerabilities are still being exploited in environments that never quite got the memo (or the patches). This week reinforced that unpatched on-prem Exchange is less “email server” and more “community resource for attackers.”
What to do: patch, restrict exposure, or seriously consider whether it’s time to retire it.
SAP NetWeaver, deserialisation flaw (active exploitation). Enterprise backbone software getting popped is always a bad day at the office. A deserialisation issue in SAP NetWeaver has been flagged with signs of exploitation, giving attackers a route into some of the most business-critical systems around.
What to do: apply SAP security notes urgently and monitor for unusual application activity.
Cisco IOS XE, web UI exploitation resurfaces. Cisco’s IOS XE web interface vulnerabilities made a comeback, with renewed exploitation attempts targeting organisations that didn’t fully remediate earlier issues. The lesson here is simple: “partially fixed” is attacker for “still vulnerable.”
What to do: verify remediation steps were fully completed, not just patched halfway, and check for persistence.
JetBrains TeamCity, supply chain favourite still under pressure. TeamCity vulnerabilities continue to attract attention due to their position in CI/CD pipelines. While not brand new, exploitation activity persists, particularly where instances remain exposed. If attackers get into your build pipeline, they don’t just compromise you, they compromise everything you ship.
What to do: patch, restrict access, and audit build processes for tampering.
Data & Privacy Headlines
Europe edges closer to tighter AI enforcement. Regulators across the EU continued sharpening their stance on AI, particularly around transparency and data usage. The tone has shifted from “guidance” to “we’re watching closely,” which in regulatory language usually means “start fixing things before we start fining things.”
More scrutiny on biometric data collection. Biometric verification systems (face scans, ID checks, voice recognition) are under increasing pressure, with regulators questioning proportionality and storage practices. The general mood: just because you can scan someone’s face doesn’t mean you should build a database of it.
Data breach disclosures getting faster (and messier). Organisations are disclosing breaches more quickly, partly due to regulation, partly because attackers are beating them to it. The result is a growing number of “we’re investigating” statements that feel more like damage control than clarity.
Third-party risk continues to bite. A recurring theme this week: breaches and incidents tied to vendors, partners, and service providers. Supply chain risk is no longer a niche concern, it’s the main event. If your vendor gets compromised, congratulations, so do you.
Privacy fatigue vs reality. There’s a growing sense of fatigue around privacy notices, consent banners, and data policies, but regulators are moving in the opposite direction. The gap between what users tolerate and what regulators demand is widening, and businesses are stuck awkwardly in the middle.
Smarter Protection Starts with Awareness
Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan