LockBit Gets Hacked (Again), $45M Vanishes from Coinbase, and Bootleg Signal Apps Blow Up.
12 May 2025
A total of 19 breaches were found and analysed, resulting in 34,462,844 leaked accounts containing a total of 28 different data types. The breaches found publicly and freely available included VNG Corporation, Pluto TV, ULP Alien TxT File - Episode 12, NextGenUpdate and CNZZ. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.
SPOTLIGHT
The hunter has become the hunted. LockBit, one of the most prolific ransomware gangs in the world, has been hacked again, this time by an anonymous threat actor who compromised its dark web affiliate panel. Visitors to the site were greeted with a cheeky farewell:
“Don’t do crime. CRIME IS BAD xoxo from Prague.” And a link to a SQL dump.
The leak includes data on over 59,000 Bitcoin wallets, ransomware configuration files, build versions, and direct negotiation messages with victims. Most embarrassingly, 75 passwords were stored in plaintext, not a good look for a gang that's supposed to be operational security royalty. The LockBit admin "lockbitsupp" acknowledged the breach but claimed that no critical data or private keys were lost. Still, with the recent law enforcement takedowns and now this, it's starting to look like the wheels might be coming off.
Crypto sleuth ZachXBT is back with a grim update: over $45 million was siphoned off from Coinbase users in just one week, all through classic social engineering. Victims were tricked into handing over access via SIM swaps, phishing links, and impersonation scams. Zach notes that over the past few months a nine-figure sum has likely been lifted from unsuspecting traders.
Adding insult to injury, Zach revealed that he received interview offers from what appeared to be the New York Post Telegram channel. Turns out, that account had also been compromised. Just another reminder that even "verified" sources can be weaponised.
New details have emerged about the infamous Signal group chat leak involving Trump administration officials. Many were quick to point fingers at Signal itself, but the truth is more chaotic. The officials weren’t using the real Signal app, they were using a bootleg version developed by an Israeli company called TeleMessage, which is used to archive government communications for legal compliance.
This modified version, not available through normal app stores, was marketed as offering “Signal-level security” with backend logging. Unfortunately, that backend wasn’t very secure. A lone hacker claimed they accessed the control panel in 15–20 minutes, uncovering plaintext usernames and passwords, as well as unencrypted debugging logs with names and contact details.
Rather than going to TeleMessage (and getting ghosted or buried), the threat actor dropped the info to 404 Media. The lesson for anyone evaluating a "compliance-archived" messenger: an archiving client has to decrypt messages before it can log them, so the end-to-end guarantee stops at the client and the real security boundary becomes the vendor's backend. Another major dent in the myth of "secure" comms, especially when they're Frankensteined by third-party vendors.
VULNERABILITY CHAT
Forescout Vedere Labs has traced a wave of cyberattacks exploiting a recently disclosed vulnerability in SAP NetWeaver to a threat actor associated with China, operating under the codename Chaya_004. According to threat intelligence firm Onapsis, the attacks have compromised hundreds of SAP systems globally, with victims spread across sectors ranging from energy, manufacturing, and retail, to government and pharmaceuticals, highlighting the widespread impact of this campaign.
Google has rolled out fixes for 47 security vulnerabilities in Android, including one zero-day flaw currently being exploited in the wild. The patches apply to Android versions 13, 14, and 15, and users can confirm protection by checking that the device reports a security patch level of 2025-05-05 or later, which indicates the fixes are present.
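Checking the patch level by hand across a fleet is where mistakes creep in, so here is an added example (not Google's code and not from the bulletin) in Python that reads `ro.build.version.security_patch` over adb, validates the value and compares it with the 2025-05-05 baseline, treating anything unparseable as unpatched. It assumes adb is on the PATH and the device is authorised for USB debugging; `patch_level_ok`, `assess_device` and the sample property values are hypothetical names and constructed data for the example.

```python
"""Confirm an Android device reports the 2025-05-05 security patch level (added example)."""
import subprocess
from datetime import date

REQUIRED_PATCH = "2025-05-05"                   # baseline named in the May 2025 bulletin
PATCH_PROP = "ro.build.version.security_patch"  # real Android system property


def parse_patch_level(value):
    """Turn raw getprop output into a date, or None when empty or malformed.

    adb shell output often arrives with '\\r\\n' line endings, so strip whitespace first.
    """
    cleaned = value.strip()
    try:
        return date.fromisoformat(cleaned)
    except ValueError:
        return None


def patch_level_ok(value, required=REQUIRED_PATCH):
    """True only when the value parses and is on or after the required level.

    An empty, odd or vendor-mangled value is treated as NOT patched: fail closed
    rather than silently marking an unknown device as safe.
    """
    level = parse_patch_level(value)
    return level is not None and level >= date.fromisoformat(required)


def assess_device(props, required=REQUIRED_PATCH):
    """Evaluate a dict of property -> raw value; returns (is_patched, normalised level or None)."""
    raw = props.get(PATCH_PROP, "")
    level = parse_patch_level(raw)
    return patch_level_ok(raw, required), (level.isoformat() if level else None)


def read_prop(name, serial=None):
    """Read one system property over adb (hypothetical helper; not exercised offline)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop", name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    live = {PATCH_PROP: read_prop(PATCH_PROP)}
    ok, level = assess_device(live)
    print("patched" if ok else "NOT patched", level)
```

Run it with a device attached to get a yes/no verdict; in a fleet script, collect the property per serial and feed each one to `assess_device` so that a device returning an empty or garbage value shows up as unpatched rather than disappearing from the report.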
Cisco has issued a critical security update to address a vulnerability in the Switch Integrated Security Features (SISF) of various software platforms, warning that unauthenticated attackers could exploit the flaw to trigger denial-of-service conditions. Additionally, Cisco’s semiannual IOS and IOS XE advisory bundle includes patches for 35 vulnerabilities, 26 of which form part of this major update cycle.
Researchers Andreas Vikerup and Dan Rosenqvist from Shelltrail have disclosed a set of three XML External Entity (XXE) injection vulnerabilities affecting SysAid IT support software. Unauthenticated attackers can exploit the flaws for server-side request forgery and local file disclosure, and the researchers chained them into remote code execution and privilege escalation, making this a full-intrusion risk rather than an information leak.
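XXE of the kind described above only works when the server's XML parser honours a SYSTEM entity declared inside the attacker's document. The following Python is an added example, not SysAid's or Shelltrail's code and not the actual SysAid payload: it builds the classic file-disclosure payload against a constructed secret file, runs it through the standard-library SAX parser with external entities enabled (as a vulnerable parser would behave) and disabled (the stdlib default), and then through a hardened wrapper that refuses any DTD outright. The `<ticket>`/`<name>` element names, the secret contents, the temporary file and the function names are all assumptions made up for the example.

```python
"""XXE: vulnerable parse, default parse and hardened parse of one payload (added example)."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler, xmlreader

SECRET = "db_password=hunter2"  # constructed sample standing in for a config file on the server


class NameCollector(handler.ContentHandler):
    """Collects the character data inside <name>, the field the entity expands into."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self.parts = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._in_name = True

    def endElement(self, tag):
        if tag == "name":
            self._in_name = False

    def characters(self, data):
        if self._in_name:
            self.parts.append(data)


def parse_name(xml_bytes, resolve_external_entities):
    """Parse a <ticket> document and return the text of <name>.

    resolve_external_entities=True mimics a parser that fetches SYSTEM entities;
    False is the xml.sax default and leaves &xxe; empty instead of reading the file.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = NameCollector()
    parser.setContentHandler(collector)
    source = xmlreader.InputSource()
    source.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(source)
    return "".join(collector.parts)


def parse_name_hardened(xml_bytes):
    """Defence in depth: reject any DTD, then parse with external entities off.

    Refusing the DOCTYPE also blocks internal-entity expansion bombs, which the
    external-entity feature flag alone does not address.
    """
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in untrusted XML")
    return parse_name(xml_bytes, resolve_external_entities=False)


def build_xxe_payload(file_uri):
    """Classic XXE: declare an external entity pointing at a local file and reference it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE ticket [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        "<ticket><name>&xxe;</name></ticket>"
    ).encode()


def demo():
    """Run the payload through all three parsers; returns what each one exposed."""
    fd, path = tempfile.mkstemp(suffix=".conf")   # constructed target file
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    try:
        payload = build_xxe_payload(Path(path).as_uri())
        result = {
            "vulnerable": parse_name(payload, resolve_external_entities=True),
            "default": parse_name(payload, resolve_external_entities=False),
        }
        try:
            parse_name_hardened(payload)
            result["hardened"] = "accepted"
        except ValueError:
            result["hardened"] = "rejected"
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    for mode, exposed in demo().items():
        print(f"{mode:10s}: {exposed!r}")
```

The "vulnerable" run returns the contents of the secret file, the "default" run returns an empty string, and the hardened wrapper refuses the document before the parser ever sees the entity. In production code, reach for `defusedxml` rather than hand-rolling the DOCTYPE check, and remember that several other XML stacks resolve external entities unless explicitly told not to, which is why XXE keeps resurfacing in enterprise software.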
IBM has released a security bulletin addressing two high-severity vulnerabilities in its Cognos Analytics platform, warning of risks ranging from unauthorised file uploads to data leakage and potential denial-of-service scenarios if left unpatched.
A once-theoretical vulnerability in Samsung’s digital signage management platform has now become a live threat as attackers exploit the flaw to upload malicious files to vulnerable systems. The vulnerability allows unauthenticated access and paves the way for full system compromise in active exploitation campaigns.
A critical vulnerability in IXON’s popular VPN client has placed Windows, Linux, and macOS systems at risk, as it allows local privilege escalation. Security researchers warn that non-privileged users can exploit the flaw to gain elevated root or SYSTEM-level access, turning this client-side vulnerability into a serious enterprise security concern.
Four Common Vulnerabilities and Exposures (CVE) entries were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- GeoVision; Multiple Devices
- FreeType; FreeType
- Langflow; Langflow
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 703 vulnerabilities during the last week, making the 2025 total 17,542. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
The Bluetooth Special Interest Group (SIG) has introduced Bluetooth Core Specification 6.1, unveiling new features that include enhanced device privacy through randomised updates to Resolvable Private Addresses (RPA). By varying the timing of address changes, the update significantly reduces the ability of third parties to track or link device activity over extended periods, marking a notable improvement in user anonymity.
In a major legal settlement, Google has agreed to pay almost $1.4 billion to the state of Texas over allegations that it violated residents' data privacy rights. Texas Attorney General Ken Paxton stated that the tech giant had been covertly tracking users’ movements, searches, voiceprints, and even facial geometry. “I fought back and won,” he declared. Google, however, emphasised that the settlement does not include any admission of wrongdoing or liability, as clarified by company spokesman Jose Castaneda.
Meanwhile, Portugal has joined a select group of European nations, including Switzerland, Austria, and Luxembourg, in implementing a complete ban on dash cams. The country has taken a particularly hardline stance, as not only is using dash cams prohibited, but merely possessing one can result in legal consequences. This has raised alarms among tourists and summer travellers who may inadvertently run afoul of some of the continent's most stringent privacy regulations.
Breach Exposure Monitoring | Dark Web Monitoring + Surface Web Monitoring
Scan Any Domain for Free https://breachaware.com/scan
Data Categories Discovered
Contact, Geolocation, Digital Behaviour, Sociodemographic, Technology, Career, Communication Logs, National Identifiers, Finance, Unstructured, Commerce.