Lumma seized, CISA fumbles, scammy forums implode, and critical vulns keep stacking.
26 May 2025
A total of 22 breach events were found and analysed, resulting in 10,356,354 exposed accounts containing a total of 30 different types of personal data. The breaches found publicly and freely available included ULP Alien TxT File - Episode 14, Amazon (Internal), Dow University of Health Sciences, Romano-American Mossad Political Networks and ULP 0021. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.
Categories of Personal Data Discovered
Technology, Sociodemographic, Academic, Contact, Career, Digital Behaviour, National Identifiers, Commerce, Unstructured, Finance, Geolocation.
Data Breach Analysis
The breach tied to Amazon (Internal) is particularly significant. Internal data leaks from major global platforms carry serious ramifications, not only in terms of user privacy but also for company operations, intellectual property, and market trust. Although details remain sensitive, any exposure of backend infrastructure, internal communications, or employee records could have lasting reputational and operational consequences.
Similarly, the Dow University of Health Sciences breach raises alarms over the security of educational and medical institutions. With a likely mixture of student, faculty, and possibly patient data at risk, the exposure increases vulnerability to identity theft, academic fraud, and misuse of sensitive health-related information.
The inclusion of Romano-American Mossad Political Networks references suggests the breaches may span geopolitical interests or targeted leaks, possibly from whistleblower platforms or coordinated information disclosures.
Across the 22 events, the diversity and breadth of impacted entities, from global tech firms to public institutions, demonstrate a widening attack surface. The exposure of over 10 million user accounts introduces numerous risks: targeted phishing campaigns, credential stuffing attacks, impersonation scams, and broader misinformation efforts.
For organisations, this collection of breaches serves as a reminder that both internal and external vectors must be rigorously secured. Transparency with affected parties, combined with robust remediation strategies, is essential in regaining control and credibility. For individuals, proactive monitoring of accounts, changing reused passwords, and enabling two-factor authentication remain key lines of defence.
Spotlight
It looks like Lumma Stealer, one of the more “premium” malware-as-a-service offerings since 2022, is finally having its curtains drawn. The U.S. Justice Department, working with cybersecurity firm Microcosm, seized its command-and-control infrastructure and blocked 2,300+ malicious domains linked to the project. Not a bad day’s work for the feds.
Lumma operated on a subscription model. Threat actors paid for access to an admin panel and regular malware updates, and in return got their hands on fresh credentials and logs scraped from infected machines. These logs are big business. While stale stealer logs are floating free all over the dark web, most have been squeezed dry. With fresh logs, you’re the first to act, whether it’s breaching emails, bypassing 2FA, or selling on dark markets.
This takedown, however, may only scratch the surface. As with other malware empires, don’t be surprised if we see a “Lumma Reborn” or “Lummaverse V2” pop up in a week, new name, same game.
In a move that caused instant facepalms across the cybersecurity community, CISA (Cybersecurity and Infrastructure Security Agency) announced it was going “social-media-first”, de-prioritising updates to its Known Exploited Vulnerabilities (KEV) catalog on its own website.
Cue chaos. Why?
- Social media accounts are routinely compromised.
- Not everyone gets their zero-day alerts from a feed full of memes and Elon simps.
- Some of us still live in bunkers, off-grid, with RSS feeds and a healthy distrust of centralised platforms.
To CISA’s credit, the backlash worked. Within 24 hours, they backtracked: the KEV updates will continue to be published through proper official channels. For now, the panic button can go back in the drawer.
If you blinked, you might’ve missed the latest corpse on the cybercrime forum battlefield. The new BreachForums clone (the ".fi" version) has officially been abandoned by its creators, who are now selling the site for a mere $1,500. Why? Because the whole thing was likely a fast-cash exit scam.
Here's how it worked:
- Spin up a fake or “revived” version of a once-popular cybercrime forum.
- Offer VIP memberships ($10–$50).
- Watch the gullible sign up.
- Pull the plug and run.
To add insult to injury, another dark web forum has now doxxed the admins of Breachforums.fi, leaking usernames, hashed passwords, and IPs of the forum’s operators, for free. Classic move in the scene: burn your rivals and earn rep points for torching a scam.
Vulnerability Chat
Bitwarden: A serious XSS vulnerability has been discovered in Bitwarden’s file handling system, exploitable via malicious PDF files. Similar XSS issues were previously found in its icon server, including SVG file handling.
Netwrix Password Secure: A critical RCE vulnerability was disclosed by 8com (May 22, 2025). Authenticated attackers can exploit the document-sharing feature to execute malicious payloads on other users’ systems.
Cisco Identity Services Engine (ISE): A high-severity DoS vulnerability allows unauthenticated remote attackers to reload the Cisco ISE system, posing serious risks to enterprise network access control.
Trimble Cityworks: Chinese-speaking group UAT-6382 exploited an RCE vulnerability to deliver Cobalt Strike and VShell using TetraLoader, a Rust-based loader derived from MaLoader.
Versa Concerto Platform: Multiple critical vulnerabilities in Versa’s network security and SD-WAN orchestration platform could lead to full instance takeover. No evidence of exploitation has been found, but patches have been issued.
GitLab AI Assistant (Duo): A prompt injection flaw could allow attackers to steal source code and inject malicious HTML into AI responses, potentially redirecting users to malicious websites.
Linux Kernel (Zero-Day): Researcher Sean Heelan discovered a new zero-day using OpenAI’s o3 model, revealing the model’s growing ability to parse and reason through large codebases, albeit not perfectly.
WSO2 Products: A critical authentication bypass lets attackers reset passwords for any user. The flaw is tied to the self-registration function, enabling full system compromise if unpatched.
The National Institute of Standards and Technology (NIST) has introduced a new metric called Likely Exploited Vulnerabilities (LEV) to help organisations prioritise which software vulnerabilities pose the greatest real-world risk. Traditional metrics like CVSS score focus on theoretical severity, but don’t always reflect real exploitation patterns. LEV aims to highlight vulnerabilities actually being exploited in the wild, which can inform better decision-making.
Seven Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- ZKTeco, BioTime
- Synacor, Zimbra Collaboration Suite (ZCS)
- Srimax, Output Messenger
- MDaemon, Email Server
- Ivanti, Endpoint Manager Mobile (EPMM)
- Samsung, MagicINFO 9 Server
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
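Since the KEV catalog is also published as a machine-readable JSON feed, a weekly check can be scripted rather than read off a social feed. The following is an added example (not CISA's or BreachAware's code) that filters the feed for entries added in the last week and matches them against an assumed in-house vendor watchlist; the records are constructed samples with placeholder CVE ids that follow the real feed's field names, and the vendor names echo the entries listed above.

```python
"""Triage the CISA KEV catalog: list entries added in the last N days that
match an in-house vendor watchlist.  Added example, not CISA's own tooling.
Field names follow CISA's public JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the records below are constructed samples with placeholder CVE ids."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of the KEV feed (placeholder CVE ids).
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2025-05-19", "dueDate": "2025-06-09",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Samsung",
         "product": "MagicINFO 9 Server",
         "dateAdded": "2025-05-22", "dueDate": "2025-06-12",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Old Product",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Vendors assumed to be deployed in-house (hypothetical watchlist).
WATCHLIST = {"ivanti", "samsung"}


def recent_kev(feed_json, today_iso, days=7, watchlist=None):
    """Return KEV entries added within `days` before `today_iso` (ISO date),
    optionally restricted to vendors in `watchlist` (lower-cased names),
    sorted by remediation due date.  Each hit is a
    (cveID, vendorProject, product, dueDate) tuple."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=days)
    hits = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        if added < cutoff or added > today:
            continue  # outside the review window
        if watchlist and v["vendorProject"].lower() not in watchlist:
            continue  # vendor not in our estate
        hits.append((v["cveID"], v["vendorProject"], v["product"], v["dueDate"]))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for cve, vendor, product, due in recent_kev(SAMPLE_KEV, "2025-05-26", 7, WATCHLIST):
        print(f"{cve:14} {vendor:10} {product:32} remediate by {due}")
```

Swap `SAMPLE_KEV` for the downloaded feed and the current date to run it against the live catalog.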
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 904 vulnerabilities during the last week, bringing the 2025 total to 19,585. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
Signal just made a big move to protect its users’ privacy on Windows 11. The messaging app is now blocking Microsoft’s new Recall feature from accessing content in Signal Desktop. The team said they had to enable this protection by default, even though it makes the app slightly less user-friendly, because Microsoft didn’t really leave them another choice. They’re clearly not thrilled about how Recall works, and they're doing what they can to shield conversations from potential snooping.
Over in Europe, Meta has gotten the green light from Ireland’s Data Protection Commission to start using data from European users to train its AI models. That’s despite some ongoing legal challenges. According to the DPC, they reviewed Meta’s plans and suggested changes, many of which Meta has already put in place. So, while the legal process isn’t over, Meta is cleared to begin data collection next week.
Meanwhile, Meta is also working with Thailand’s Ministry of Digital Economy and Society and the country’s data protection agency on a privacy awareness campaign. For the next six weeks, Thai users will see posts, ads, and even GIFs explaining how to manage privacy settings on Meta apps. It’s part of a broader push to improve digital literacy around personal data.
Google’s under fire again, this time for launching a version of its Gemini AI chatbot aimed at kids under 13. The rollout has privacy and children’s rights groups sounding the alarm. The biggest issue? Parents have to opt out of the program rather than opting in. Plus, Google admits the AI might show content kids shouldn’t see and that it can still make mistakes. Critics say it’s a risky move that puts kids' data and safety on the line.
And in a tech meets government story, China’s blockchain-based identity system, called RealDID, is expanding into Hong Kong. Originally built for use on the mainland, RealDID lets Chinese residents access digital services without using traditional ID. Now, a pilot program is testing it in Hong Kong, bringing up new questions about privacy, surveillance, and how digital identity might evolve in the region.