Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Patches, Psyops & Paranoia.

21 April 2025
BREACHAWARE HQ

A total of 14 breaches were found and analysed, resulting in 5,870,230 leaked accounts containing 23 different data types. The breaches found publicly and freely available included Alien TxT File - Episode 10, ULP 0014, Alshaya Group, Stealer Log 0522 and Puppy Finder. Sign in to view the full BreachAware Breach Index, which includes, where available, reference articles relating to each breach.

SPOTLIGHT

4chan, the infamous image board known for internet meme culture, celebrity leaks, weaponised trolling and the occasional psyop, has suffered a major data breach. The platform, running since 2003 and still pulling over 22 million monthly visitors as of 2022, was compromised because its administrators had left the site running on an outdated version of PHP, a classic mistake.

The intrusion was claimed by Soyjak Party, a rival image board community, which gained access via the subdomain team.4chan.org. Once inside, they reportedly reached backend tooling including a shell, phpMyAdmin and internal maintenance panels. The leaked material included a full list of 4chan staff, internal messages, personal email addresses and even the IP addresses of janitors (the site's volunteer moderators). Staff have been doxxed, and Soyjak Party now has bragging rights for one of the more chaotic breaches in recent years.

BreachForums was up and running smoothly last week with its new hands-off escrow system. This week? Total radio silence. On 16 April the site went dark with a “server not found” message.

Immediately, a new site popped up, BreachForumsV4 (cpanel.breachforums.im), charging $250 in Monero just to join. Naturally, this raised more red flags than a North Korean parade. Around the same time, a Telegram account named “BF V4” dropped a cryptic message:
“breachforums.st seized. Intelbroker was arrested. No other info yet. Stay tuned, I'll share some good info.”

For those unfamiliar, Intelbroker is a major player in the threat actor scene. The next day, the same account posted:
“Since I'm already in the spotlight with 40K+ visitors today, let me announce that this domain is for sale.”
A pretty casual way to announce you might be running a honeypot.

Adding fuel to the fire, the hacktivist group Dark Storm claimed responsibility for taking down BreachForums via DDoS, just for laughs. These guys also claimed the takedown of X (formerly Twitter) and operate a DDoS-for-hire service, so if it was them, it wouldn’t be the first time.

Meanwhile, a supposed FBI document surfaced on a Russian hacking forum, claiming BreachForums was seized in mid-March and has been run as a honeypot ever since.

A day after that, things got even sketchier. A Telegram post from someone claiming to be a BreachForums staff member stated:
“Shiny deleted his Telegram without saying anything to any of the Moderators. Hollow was online yesterday but ignored any messages and changed his last seen settings. At this point both Shiny and Hollow should be considered Sus until more information comes out.”

It’s a mess. Either the forum is compromised, its key figures are ghosting, or this is the biggest double bluff in cybercrime history. We’ll be watching this space closely.

VULNERABILITY CHAT

A security flaw has been discovered in PyTorch, the open-source machine learning framework, that lets an attacker execute arbitrary code on any system that loads a malicious model file. The fix is in version 2.6.0, now available via pip; anyone loading models from sources they do not control should update.
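To show the mechanism behind bugs of this class, here is an added example; it is not PyTorch's code and not the fix the project shipped. PyTorch's default checkpoint format is a Python pickle, and unpickling untrusted bytes lets the file name any importable callable to be invoked at load time. The example builds such a "model file" with a harmless stand-in payload, loads it with a plain pickle loader to show the code running, then loads it again through an allow-list unpickler of the kind torch.load's weights_only mode implements. The allow-list contents, the marker environment variable and the toy state dict are constructed for the demo.

```python
import io
import os
import pickle
from collections import OrderedDict

# Constructed marker for the demo: the stand-in payload sets this variable
# instead of spawning a process, so the example is safe to run.
MARKER = "PICKLE_DEMO_PWNED"


class MaliciousCheckpoint:
    """Object whose pickle reduction runs arbitrary code when the file is loaded."""

    def __reduce__(self):
        # The pickle stream will record "call builtins.exec(<code>)"; a real
        # attacker would reference os.system or subprocess.Popen here instead.
        code = f"import os; os.environ['{MARKER}'] = '1'"
        return (exec, (code,))


def build_malicious_checkpoint() -> bytes:
    """Bytes an attacker could distribute as a 'model file'."""
    return pickle.dumps(MaliciousCheckpoint())


def build_benign_checkpoint() -> bytes:
    """A benign state dict; lists of floats stand in for tensors (constructed)."""
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]))


def load_unsafe(data: bytes):
    """What a plain pickle-based loader does: any global named in the stream is
    imported and, if the stream says so, called."""
    return pickle.loads(data)


class UnsafeCheckpoint(pickle.UnpicklingError):
    """Raised when a checkpoint references a class or function outside the allow-list."""


class RestrictedUnpickler(pickle.Unpickler):
    # Hypothetical allow-list for this demo: a real loader would enumerate the
    # tensor and container types it expects and nothing else.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise UnsafeCheckpoint(f"refused to resolve {module}.{name} from checkpoint")


def load_restricted(data: bytes):
    """Load with the allow-list enforced; raises UnsafeCheckpoint on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def payload_executed() -> bool:
    """True if the stand-in payload ran in this process."""
    return os.environ.get(MARKER) == "1"


def reset_marker() -> None:
    os.environ.pop(MARKER, None)


if __name__ == "__main__":
    reset_marker()
    load_unsafe(build_malicious_checkpoint())
    print("unsafe loader, payload executed:", payload_executed())
    reset_marker()
    try:
        load_restricted(build_malicious_checkpoint())
    except UnsafeCheckpoint as exc:
        print("restricted loader:", exc)
    print("restricted loader, benign file:", dict(load_restricted(build_benign_checkpoint())))
```

An allow-list unpickler is defence in depth, not a substitute for the upgrade the page describes, since a bug in the allow-list logic itself is exactly the kind of thing a patched release fixes. For models you did not produce, a non-executable weights format such as safetensors removes the deserialisation step altogether.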

An Advanced Persistent Threat (APT) operation dubbed Larva-24005, attributed to the Kimsuky threat group, has been observed actively exploiting vulnerabilities in both Remote Desktop Protocol (RDP) and Microsoft Office applications. The AhnLab Security Intelligence Center (ASEC), which ties the campaign to coordinated and targeted efforts, has published an in-depth analysis of the tactics used in this ongoing threat.

A critical vulnerability in Windows 11 has been uncovered that allows a low-privileged user to gain full administrator access in just 300 milliseconds. The flaw affects systems with the “Mobile devices” feature enabled, which links a phone to the PC so it can be used as a webcam. Microsoft issued a fix as part of its March 2025 security updates, so patched systems are no longer exposed.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a renewed funding agreement for the Common Vulnerabilities and Exposures (CVE) program, the widely used vulnerability identifier scheme, reinforcing a vital resource for the infosec community.

Four Common Vulnerabilities and Exposures (CVEs) were added to CISA's Known Exploited Vulnerabilities (KEV) Catalog last week, including entries for:
- SonicWall: SMA100 Appliances
- Microsoft: Windows
- Apple: Multiple Products
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
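CISA also publishes the catalog as a JSON feed, and the weekly "what was added" view above is a few lines of filtering over it. The following is an added example, not CISA tooling: it pulls the feed (or, offline, a constructed sample in the same schema) and lists entries whose dateAdded falls in a given week, newest first. The feed URL is CISA's published one; the sample entries use placeholder IDs of the form CVE-0000-NNNN and are not real vulnerabilities, with vendor and product names taken from the additions listed above.

```python
import json
import urllib.request

# JSON feed CISA publishes alongside the HTML catalog page.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def fetch_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> dict:
    """Download the live catalog (requires network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def added_between(feed: dict, start: str, end: str) -> list:
    """Entries whose dateAdded (ISO YYYY-MM-DD) lies in [start, end], newest first.
    ISO dates sort correctly as strings, so no date parsing is needed."""
    hits = [v for v in feed.get("vulnerabilities", []) if start <= v["dateAdded"] <= end]
    return sorted(hits, key=lambda v: (v["dateAdded"], v["cveID"]), reverse=True)


def summarise(entries: list) -> list:
    """One line per entry: ID, vendor/product, date added, remediation due date,
    and whether CISA has seen it used in ransomware campaigns."""
    return [
        f'{v["cveID"]}  {v["vendorProject"]} {v["product"]}  added {v["dateAdded"]}  '
        f'due {v["dueDate"]}  ransomware={v["knownRansomwareCampaignUse"]}'
        for v in entries
    ]


def _entry(cve: str, vendor: str, product: str, added: str, due: str) -> dict:
    """Build one record in the feed's schema (constructed sample data)."""
    return {
        "cveID": cve,  # placeholder ID, not a real CVE
        "vendorProject": vendor,
        "product": product,
        "vulnerabilityName": f"{vendor} {product} vulnerability (placeholder)",
        "dateAdded": added,
        "shortDescription": "placeholder description",
        "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
        "dueDate": due,
        "knownRansomwareCampaignUse": "Unknown",
        "notes": "",
    }


# Constructed sample: four additions in the week of 14-20 April 2025 plus one
# from the week before, to show the filter excluding it.
SAMPLE_FEED = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "count": 5,
    "vulnerabilities": [
        _entry("CVE-0000-0001", "SonicWall", "SMA100 Appliances", "2025-04-16", "2025-05-07"),
        _entry("CVE-0000-0002", "Microsoft", "Windows", "2025-04-17", "2025-05-08"),
        _entry("CVE-0000-0003", "Apple", "Multiple Products", "2025-04-17", "2025-05-08"),
        _entry("CVE-0000-0004", "Apple", "Multiple Products", "2025-04-17", "2025-05-08"),
        _entry("CVE-0000-0005", "ExampleCo", "Widget", "2025-04-09", "2025-04-30"),
    ],
}


if __name__ == "__main__":
    try:
        feed = fetch_kev()
    except Exception as exc:  # offline or blocked: fall back to the sample
        print(f"live fetch failed ({exc}); using constructed sample")
        feed = SAMPLE_FEED
    for line in summarise(added_between(feed, "2025-04-14", "2025-04-20")):
        print(line)
```

Run weekly (or diff two saved copies of the feed) this gives the same list as the bullet points above, with the federal remediation due date attached to each entry, which is the field most teams use to drive patch priority.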

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,180 vulnerabilities during the last week, bringing the 2025 total to 15,176. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Precise TV has officially announced the launch of PACE, the Precise Audience Content Evaluator, a new solution designed for targeting and measuring audiences under 18. What sets PACE apart is that it doesn’t rely on or collect any personally identifiable information, a design choice that Precise TV asserts ensures compliance with major child focused privacy regulations in both the US and Europe.

Apple is doubling down on its privacy-first approach, continuing to rely on synthetic data (constructed data designed to mimic user behaviour) and differential privacy to refine features in its AI models. This includes capabilities such as summarising emails, all without needing access to users' actual emails or messages. The system is now rolling out in beta with iOS 18.5, iPadOS 18.5 and macOS 15.5.

In a notable development, Google’s Play Services update 25.14 introduces an automatic restart for Android devices that have been locked for three consecutive days. The reboot returns the device to the Before First Unlock (BFU) state, in which the keys protecting credential-encrypted storage are not held in memory and biometric unlock (face or fingerprint) is disabled until the passcode is entered. This seemingly simple reboot has serious implications, especially for criminal investigations and intelligence operations: forensic extraction tools depend on the After First Unlock (AFU) window, and missing it could render the device inaccessible as evidence.

The National Institute of Standards and Technology (NIST) has drafted a new version of the NIST Privacy Framework, aiming to better address today’s privacy risk management challenges. The update also maintains alignment with the recently refreshed Cybersecurity Framework (CSF 2.0), and enhances overall usability. “This is a modest but significant update,” said Julie Chua, director of NIST’s Applied Cybersecurity Division. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organisations can use them together to manage the full spectrum of privacy and cybersecurity risks.” NIST is currently accepting public feedback on the draft at privacyframework@nist.gov until June 13, 2025.

Get the draft here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.40.ipd.pdf


Data Categories Discovered

Sociodemographic, Contact, Geolocation, Digital Behaviour, National Identifiers, Finance, Commerce, Technology, Unstructured.
