UK’s Snooper’s Charter Strikes Again, Apple Backs Down.
24 February 2025

A total of 15 breaches were found and analysed resulting in 2,096,737 leaked accounts containing a total of 29 different data types. The breaches found publicly and freely available included Mexican Citizen Database, Tout, SweClockers, Q-Depot and Autogedal. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.
SPOTLIGHT
Back in 2016, the UK government introduced the Investigatory Powers Act, better known as the Snooper’s Charter, and for good reason. This piece of legislation has been quietly gnawing away at British citizens' privacy for years. But last week, the government took things up a notch by setting its sights on Apple’s Advanced Data Protection (ADP) tool for iCloud.
The Snooper’s Charter gives authorities the power to strong-arm private companies into weakening security, either by slipping in a sneaky backdoor or disabling encryption altogether. Oh, and they’re also banned from telling anyone about it. Fortunately, a whistleblower decided that transparency is still a thing, which is the only reason we even know about this latest overreach.
Authorities always claim that surveillance is only used for “legitimate purposes,” but history tells a different story. Once a government builds a surveillance tool, it’s never just used as originally intended. Remember the Clipper Chip fiasco of the 90s? Or the Dual EC DRBG backdoor that ended up being a catastrophic security nightmare? Weakening encryption is like leaving your front door wide open; it’s only a matter of time before someone walks in.
Apple’s ADP tool gives users full control over their encryption keys, meaning not even Apple can access your data. But UK citizens won’t be able to use it anymore: Apple has pulled the feature in Britain to avoid a legal showdown. Now, government agencies can snoop through your files if they feel like it. Meanwhile, you can bet the National Crime Agency won’t be giving up their own encryption anytime soon.
Britain has been a surveillance state for years, but only now are people starting to wake up to just how bad it is. Those who trade liberty for security deserve neither, and if you don’t want your personal data to be fair game, it’s time to start managing your own encrypted backups.
-----
Houston PD Gets Owned by UnicornLover67 (Or... Someone Pretending to Be Them?)
The Houston Police Department (HPD) just had an incredibly bad week, courtesy of a cybercriminal with a flair for comedy. A hacker known as UnicornLover67 tried to extort them, demanding a ransom. When HPD refused to pay up, the threat actor made a counteroffer: pay in Fortnite's in-game currency, Icespice.
HPD, apparently not in the mood for video game micro-transactions, declined again, which resulted in their sensitive files getting dumped online. To really drive the point home, the hacker edited one of HPD’s training videos, adding dramatic cuts and playing “Kill the Police – Destroy the System” over the footage. (Subtle.)
To make things even weirder, VX Underground, the malware research group, got an anonymous message saying: "UnicornLover67 is not the real UnicornLover67, but someone else using the moniker UnicornLover67."
Which raises the question—was the real UnicornLover67 framed, or did they just make a terrible username choice? Either way, HPD is probably reconsidering their cybersecurity budget right about now.
-----
World’s Largest Crypto Exchange Has a “Security Incident” (aka, $1.6 Billion Disappears).
The world’s largest cryptocurrency exchange just got hit with something massive. Blockchain sleuth ZachXBT noticed that on February 21st, over $1.6 billion mysteriously flowed out of the exchange, which is never a good sign.
ZachXBT later confirmed: “My sources confirm it’s a security incident.”
That’s a pretty big “incident.” No details yet, but we’ll keep you updated as the story unfolds. If history is anything to go by, someone is either hiding a colossal screw-up or getting ready to make a run for it.
VULNERABILITY CHAT
The Qualys Threat Research Unit (TRU) has uncovered two vulnerabilities in OpenSSH, the widely used open-source implementation of the Secure Shell (SSH) protocol, which enables encrypted communications over insecure networks.
A critical SQL injection flaw has been identified in the Exim mail transfer agent, allowing attackers to compromise email systems and manipulate underlying databases. The Exim development team responded swiftly, releasing patched versions within 72 hours.
Microsoft has issued security updates to address two critical vulnerabilities in Bing and Power Pages, one of which has already been actively exploited in the wild. Microsoft credited its own employee, Raj Kumar, for flagging the flaw and has classified it under an "Exploitation Detected" assessment, confirming at least one instance of real-world exploitation.
IBM has patched multiple high-severity vulnerabilities in its OpenPages Governance, Risk, and Compliance (GRC) platform. These flaws could have allowed attackers to hijack user sessions, steal authentication credentials, and manipulate critical enterprise data.
A zero-day vulnerability in Parallels Desktop virtualisation software has been disclosed after seven months of unresolved reporting. This flaw enables attackers to escalate privileges to the root level on macOS systems, posing a significant security risk.
Security researchers have also detailed a command injection vulnerability in F5’s BIG-IP Traffic Management Shell (TMSH) command-line interface. The flaw allows authenticated attackers with low privileges to bypass security restrictions, execute arbitrary commands, and gain root-level access to affected systems.
Cloud Software Group has issued urgent patches for a high-severity vulnerability affecting its NetScaler Console (formerly NetScaler ADM) and NetScaler Agent. While self-managed NetScaler deployments are somewhat shielded due to the NetScaler Agent’s role, unpatched systems remain vulnerable to credential-based attacks.
5 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- Palo Alto Networks; PAN-OS
- SonicWall; SonicOS
- Craft CMS; Craft CMS
- Microsoft; Power Pages
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 591 vulnerabilities last week, bringing the 2025 total to 6,568. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
Google's Threat Intelligence Group has uncovered new techniques developed by Russia-backed hacking groups to compromise encrypted messaging services, including Signal, WhatsApp, and Telegram. These attacks pose a significant risk to journalists, politicians, and activists deemed of interest to Russian intelligence. Dan Black, Principal Analyst at Google Threat Intelligence, stated he would be “absolutely shocked” if these attacks did not expand beyond Ukraine and target other encrypted platforms globally.
A report from the Commission on Seamless and Secure Travel (CSST) highlights the need for modernising U.S. travel infrastructure through increased reliance on biometrics, artificial intelligence, and advanced data analytics. While aimed at improving security and efficiency, civil liberties groups, including the ACLU and the Brennan Center for Justice, warn that expanding biometric tracking at airports could set a dangerous precedent for government surveillance.
Japan's Personal Information Protection Commission is considering removing the requirement for prior consent when obtaining sensitive personal data for AI development. Cabinet Secretary Yoshimasa Hayashi acknowledged the need to balance personal rights with technological advancements, stating that the government is studying the issue carefully.
Apple is facing a lawsuit from France’s Ligue des droits de l’Homme, which accuses the company of misleading users about Siri’s data collection practices. The lawsuit alleges Apple secretly recorded and stored user data without proper disclosure. Apple has denied any wrongdoing and maintains that Siri is designed with privacy protections in place.
Amazon is facing a potential class-action lawsuit in Washington, alleging that its advertising network illegally collected and used consumer health data without consent. The lawsuit claims Amazon’s embedded ad services in mobile apps harvested sensitive data in violation of state privacy laws. An Amazon spokesperson denied the allegations, emphasising that customer privacy remains a priority.
South Korea's data protection watchdog has confirmed that DeepSeek unlawfully transferred user data to ByteDance, TikTok’s parent company, without proper disclosure. The investigation revealed that DeepSeek transmitted personal data to a third party, violating South Korean law, which requires explicit user consent for such transfers.
DATA CATEGORIES DISCOVERED
Contact Data, Technical Data, Financial Data, Transactional Data, Communications Data, Special Category, Socio-Demographic Data, Locational Data, Social Relationships Data, Behavioural Data.