ShinyHunters’ Fake Retirement, Baphomet Returns, and New Mega-Flaws.
22 September 2025
A total of 35 breach events were found and analysed, resulting in 14,577,201 exposed accounts containing a total of 36 different types of personal data. The breaches found publicly and freely available included ULP Alien TxT File - Episode 24, ULP 0032, Stealer Log 0541, Yellowpages Directory and College Dekho. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.
Categories of Personal Data Discovered
Technology, Contact, Digital Behaviour, Finance, Commerce, National Identifiers, Geolocation, Career, Sociodemographic, Public, Relationships, Unstructured, Communication Logs, Academic.
Data Breach Impact
This breach series illustrates how both structured corporate data and unstructured malware-driven leaks are converging into a single, persistent threat stream. The exposure of Yellowpages Directory and College Dekho points to risks in professional and educational ecosystems, where contact information and career-related data can be leveraged for large-scale phishing, recruitment scams, or reputational harm. The recurring presence of ULP Alien TxT Files and stealer logs like 0541 shows how everyday infections and poorly secured repositories continue to generate massive amounts of leaked personal data, often with no direct “hack” required. With 36 data types in play, adversaries gain multidimensional insight into individuals’ lives, making downstream attacks both easier and more precise.
For organisations implicated, the implications extend beyond the typical compliance narrative. Directories and education platforms, often seen as low-risk environments, are now high-value targets because of the freshness and utility of their data in social engineering. The persistence of ULP and stealer log exposures reflects operational blind spots: systems and endpoints outside of core enterprise protections are leaking continuously, yet still carry highly sensitive customer data. Companies tied to these breaches must recognise that resilience isn’t just about defending their main networks; it’s about mapping and securing every corner of their digital footprint, from endpoint devices to third-party integrations. Otherwise, even relatively small breaches will continue to snowball into public trust issues and long-term brand damage.
Cyber Spotlight
Remember last week when ShinyHunters announced they were retiring? Yeah… turns out “retirement” meant a two-day weekend. They’re already back, causing chaos across Telegram. To their credit, Telegram has been whacking their channels left and right, but this is a game of digital whack-a-mole, and the Hunters are winning. Five new channels popped up in the past couple of days alone.
What’s actually on these channels? Let’s just say a staffer who trawled through them described the content as “not safe for work” and “pretty outrageous.” (Translation: you probably shouldn’t check them out during office hours unless you want HR breathing down your neck.)
One of their latest boasts? They claim to have compromised something linked to John Brennan, yes, the former CIA Director from 2013–2017, judging by the dox and screenshots they’ve posted. If true, that’s a bold move. If not, it’s still the kind of trolling that’ll get three-letter agencies sharpening their pencils.
Elsewhere, a sneaky threat actor has spun up a phishing clone of a well-known Russian hacking forum recently seized by Europol and the French cyber brigade. To sell the scam, they’ve even bought old, high-reputation accounts and are parading them around to lure in would-be victims.
The catch? The real forum is still alive and well. Meaning anyone who falls for the fake has basically admitted they don’t know their way around the COM, and that’s about as embarrassing as it gets in hacker circles.
And finally, a comeback story. Baphomet, yes, that Baphomet, former co-admin of BreachForums, has returned after months of being MIA. Now, in the real world, MIA means someone’s physically disappeared, didn’t show up to work, skipped family dinners, neighbours start asking questions. In the COM world? It just means the guy didn’t log into his forum for a while.
Naturally, many assumed he’d been arrested, especially since his disappearance came right after PomPompurin’s arrest and the BreachForums takedown by the FBI. But no, Baphomet says he just “needed a break” after watching the forum get seized. He’s now back, armed with his original PGP keys to prove his identity. Which either means it really is him… or someone’s running the greatest identity theft trick in COM history.
Vulnerability Chat
Security researcher Dirk-Jan Mollema has uncovered a flaw that’s raising eyebrows across the cybersecurity world. It turns out that with just a single “Actor token” from a test or lab tenant, an attacker could leapfrog their way into full administrative control of every Microsoft Entra ID (formerly Azure AD) customer worldwide. What’s particularly shocking is how simple the exploit chain is: no zero-day, no elaborate phishing campaigns, and no multi-stage backdoors, just access to a test lab account.
Over in the AI space, Radware has pulled the curtain back on a zero-click flaw in ChatGPT’s Deep Research agent, which they’ve dubbed ShadowLeak. This one is especially unnerving: it quietly exfiltrates sensitive data without the user ever clicking, seeing, or even suspecting a thing. “There is no user action required, no visible cue, and no way for victims to know their data has been compromised,” warned Radware CTO David Aviv. Everything happens silently, through autonomous agent actions on OpenAI’s cloud servers.
Telecom giant Nokia is also facing heat after a critical authentication bypass vulnerability was discovered in its CloudBand Infrastructure Software (CBIS) and Container Service (NCS) Manager API. By slipping in specially crafted HTTP headers, attackers could sidestep authentication entirely and gain full access to restricted API endpoints, with no credentials needed.
And finally, firewall maker WatchGuard has issued security updates for a serious remote code execution vulnerability affecting its Firebox firewalls. The bug, an out-of-bounds write issue in the Fireware OS iked process, could let unauthenticated attackers execute arbitrary code remotely. Both mobile user VPN with IKEv2 and branch office VPNs using IKEv2 with dynamic gateway peers are at risk. WatchGuard is urging admins to patch immediately.
0 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week.
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 1,516 vulnerabilities during the last week, bringing the 2025 total to 34,548. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
After three years of digging, privacy commissioner Carly Kind has come down hard on Australian retailer Kmart for its use of facial recognition technology. Her investigation found the practice was disproportionate and that Kmart never obtained proper consent from shoppers. The retailer has now been ordered to stop using the tech and, within 30 days, publish a statement on its website laying out exactly how it used FRT, and why the regulator ruled against it.
In the U.S., law firm Schubert Jonckheer & Kolbe LLP has launched an investigation into a data breach at Prosper Funding, LLC, the California-based peer-to-peer lending platform. Prosper admitted that an unauthorised third party managed to break into its systems and access files containing customers’ sensitive information, raising serious concerns about data security for its users.
Meanwhile, Apple is clashing publicly with EU regulators over the Digital Markets Act. The company’s executives have accused the legislation of stifling innovation, pointing out that requirements for third-party app store access are delaying features like AirPods’ Live Translation. Apple also argues the rules undermine privacy and security, warning that the very safeguards users rely on could be weakened in the name of “openness.”
Smarter Protection Starts with Awareness
Data Breach Exposure Scan: check any domain for free at https://breachaware.com/scan