A total of 13 breaches were found and analysed resulting in 9,885,988 leaked accounts containing a total of 23 different data types. The breaches found publicly and freely available included Job and Talent [2], XP Game Plus, Prixet Technology, Stealer Log 0502 and Maxxecom. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

The year 2024 set a troubling benchmark for ransomware incidents, with reported cases rising by 9.6% compared to 2023, according to DB Digest. The total number of attacks surged from 4,954 in 2023 to a staggering 5,482 in 2024.

India, a global leader in outsourcing, services, and industry, now finds itself at the epicenter of an escalating ransomware crisis. The country experienced a 50% spike in ransomware attacks from the previous year, raising alarms about the potential disruption to global supply chains.

Emerging as the most prolific ransomware group of the year, RansomHub dominated the landscape. Despite launching operations only in February 2024, this group quickly outpaced LockBit—one of the most established names in cybercrime—to become the most active and devastating threat actor of the year.

One company, despite substantial investments in its operations, faced a domain compromise a mere three weeks after its creation. Meanwhile, the U.S. healthcare sector continues to be a prime target for cybercriminals. Ascension, one of the nation’s largest healthcare systems, confirmed that a ransomware attack earlier in the year compromised the personal data of approximately 5.6 million patients and employees.

Across the Atlantic, Italy also faced cybercriminal activity during the holiday season. Hackers reportedly breached a database containing one million newly registered mobile numbers. Fresh mobile phone data, being unflagged and untested, offers cybercriminals greater opportunities for exploitation, higher success rates, and significantly more lucrative payouts compared to older or already flagged data.

VULNERABILITY CHAT

Amazon Web Services (AWS) has come under scrutiny for repeatedly introducing the same remote code execution (RCE) vulnerability in its Neuron SDK—three times over the past four years. This highlights critical lapses in securing the Python package installation processes. Despite multiple warnings and previous fixes, Giraffe Security’s latest investigation in December 2024 revealed that AWS had once again reintroduced this vulnerability.

In another development, Wiz’s engineering team uncovered a critical vulnerability in Nuclei, a widely used open-source security tool developed by ProjectDiscovery. Guy Goldenberg, a senior software engineer at Wiz, explained that this vulnerability arises when organisations run untrusted or community-contributed templates without proper validation or isolation, creating a dangerous attack vector.

At the Chaos Computer Club (CCC), Thomas Lambertz demonstrated a way to exploit an old, supposedly resolved vulnerability in Microsoft's BitLocker encryption technology. Dubbed "bitpixie," this BitLocker Security Feature Bypass Vulnerability allows attackers to sidestep many security protections, compromising even fully updated Windows 11 systems.

Meanwhile, Cariad, a Volkswagen Group subsidiary responsible for software, reportedly exposed location data for 800,000 electric vehicles due to a security oversight. A whistleblower revealed the vulnerability to German news magazine Der Spiegel and the European hacking association Chaos Computer Club (CCC), raising significant privacy concerns.

1 Common Vulnerability and Exposure (CVEs) were added to the CyberSecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week including Palo Alto Networks (PAN-OS). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 541 vulnerabilities last week, making the 2024 grand total 40,011 and the 2025 total 401. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Privacy experts have raised concerns over Apple’s new Enhanced Visual Search feature, which was reportedly introduced without proper user notification or consent. Matthew Green, a privacy expert and cryptography professor at Johns Hopkins University, expressed frustration: “It’s very frustrating when you learn about a service two days before New Year and find that it’s already been enabled on your phone.”

Apple has also agreed to a $95 million settlement (pending judicial approval) to resolve claims that its voice-activated assistant, Siri, inadvertently recorded users' private conversations without consent for over a decade. The controversy stems from a 2019 whistleblower revelation that Siri was frequently triggered accidentally, resulting in the unintended recording of private interactions.

In Amsterdam, plans to implement smart traffic lights have been abandoned over privacy and data protection concerns. These intelligent systems, intended to alleviate congestion by connecting with mobile phones and GPS apps to manage traffic flow, have been deemed too risky in terms of privacy and security.

India’s new draft rules under the Digital Personal Data Protection Act, 2023, are poised to challenge businesses with stringent requirements for data breach reporting timelines and data transfers. The proposed rules cover critical areas such as personal data breaches, protecting children's data, a consent manager framework, and the establishment of a data protection board, increasing the compliance burden on Indian companies.

The Nigeria Data Protection Commission (NDPC) has issued a stern warning to institutions mishandling citizens' data, pledging strict penalties starting in 2025. The NDPC specifically calls for heightened security in key sectors: Financial Institutions, Healthcare Providers, Telecom Companies and Educational Institutions.

In Vietnam, the Law on Data is set to take effect in the second half of 2025. Comprising five chapters and 46 articles, the law governs all aspects of digital data, including its development, protection, processing, administration, and use.

Breach Exposure Monitoring | Dark Web Monitoring + Surface Web Monitoring
Scan Any Domain for Free https://breachaware.com/scan