Violence-as-a-Service Emerges, ShinyHunters Escalate, and New Mega-Flaws.
29 September 2025 | BREACHAWARE HQ
A total of 9 breach events were found and analysed, resulting in 5,897,816 exposed accounts containing a total of 21 different types of personal data. The breaches found publicly and freely available included Bouygues Telecom, American Income Life, Wagner Technical Services, Coinbase (sample data) [2] and Chinese Adult Forum.
Categories of Personal Data Discovered
Contact, Finance, Commerce, Digital Behaviour, Sociodemographic, Career, National Identifiers.
Data Breach Impact
This cluster of breaches, while smaller in volume compared to some of the larger events, still carries outsized risks due to the nature of the organisations involved. Exposures tied to Bouygues Telecom and Coinbase (sample data) point directly to the telecom and crypto sectors, two industries where compromised data can quickly translate into account takeovers, SIM swaps, and financial theft. The inclusion of American Income Life and Wagner Technical Services highlights the insurance and business services angle, where leaked records may contain policy, employment, or client data that can be leveraged for fraud or targeted spear-phishing. Meanwhile, the appearance of a Chinese Adult Forum introduces reputational and blackmail risks, as sensitive affiliations can be exploited against individuals for coercion or harassment. With 21 types of data exposed, attackers gain enough detail to mount highly targeted campaigns, even if the number of accounts is smaller than in mega-breaches.
For the affected organisations, the implications are significant. Telecom and crypto companies, in particular, operate in highly regulated environments and face immediate scrutiny when customer trust is shaken. Insurers and technical service providers risk reputational damage if clients perceive that their personal or business data has been handled carelessly, while breaches involving adult forums raise unique ethical and social risks that can tarnish a platform’s credibility. Even when labeled as “sample data,” the existence of corporate and sector-specific exposures signals systemic weaknesses in how data is secured, stored, and monitored across industries. For these companies, responding isn’t just about compliance—it’s about proactively demonstrating that they can contain fallout, rebuild customer trust, and close the gaps in peripheral systems that attackers increasingly exploit.
Cyber Spotlight
The COM scene took a very dark turn this week after video surfaced of Ayleis “Earth2Star”, a known member of the Scattered Spider ransomware gang, getting violently attacked in his own home. The attackers showed up dressed as police officers, complete with a fake warrant, tied up his family, and then beat him before allegedly making off with his entire crypto stash, rumoured to be worth over $10 million. To make it even more surreal, the attackers filmed the whole thing on bodycams (yes, like a low-budget Netflix crime doc) and released a short clip of Earth2Star apologising to another threat actor known as Katunse.
Meanwhile, in a separate but suspiciously timed incident, an elderly woman in her 80s near Manchester had her home trashed in a break-in. She was left with bruises while the attackers ransacked the place looking for a young man. Both incidents are suspected to be linked to VAAS: Violence as a Service. Basically, the underground’s newest gig economy: pay someone to beat up your enemies. Forget ransomware as a service, this is Uber with brass knuckles.
As if they weren’t already on every agency’s most wanted list, the ShinyHunters have been escalating their antics. Not content with selling access to Malaysian government gateways, they’ve now crossed a line so bold it almost feels cartoonish:
They’ve offered a $1 million bounty for the murder of a man in China. The post included a full dox, government ID, phone number, exact workplace down to the room. It’s no longer “cybercrime” at this point, it’s a Bond villain job posting. If law enforcement weren’t already breathing down their necks, they definitely are now.
On a lighter (?) note, members of the ODDICA cybercrime crew thought one of their own had been taken out by Italian police after going MIA for several weeks. Turns out… it was just computer problems. (Insert IT Crowd “Have you tried turning it off and on again?” joke here.) ODDICA hasn’t exactly been quiet, though. They’ve been busy breaching targets like Cancer Care & Research Centres in Oman and the St. John Ambulance Service in Canada. Nothing says “we’re back” like kicking off a spree against healthcare providers.
Vulnerability Chat
Researchers at Noma Security have uncovered a critical flaw in Salesforce’s Agentforce platform that could be exploited through indirect prompt injection. Dubbed “ForcedLeak,” the bug allowed the AI agent to spill sensitive CRM data. While Salesforce has patched the issue, Noma warns that the implications stretch far beyond just this one vulnerability.
Meanwhile, Rapid7 has flagged a worrying problem for OnePlus users. Malicious apps running on Oxygen OS versions 12, 14, and 15 can quietly access SMS and MMS data without permission, interaction, or even notification—opening the door to message snooping and the bypassing of SMS-based security checks.
Over in Europe, Italian email security company Libraesva has confirmed its Email Security Gateway was exploited by what it believes to be a state-sponsored actor. The company has pushed out a fix and admitted that at least one confirmed incident of abuse has been tied to the vulnerability.
Firmware isn’t safe either. Binarly researchers have disclosed two flaws in Supermicro’s baseboard management controller (BMC) firmware. Their advice is simple but urgent: verify sources, check firmware integrity, patch quickly, and enable Root of Trust security when the hardware allows.
Apache Airflow users are also at risk. Version 3.0.3 contains a bug that lets anyone with standard READ permissions access sensitive connection details via both the API and the web UI, a clear breach of confidentiality controls.
And Cisco is sounding alarms of its own. The company is urging customers to patch two security flaws affecting the VPN web server in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. Cisco says attackers have already been spotted exploiting the bugs in the wild.
3 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including:
- Cisco; Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense
- Google; Chromium V8
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), has published 618 vulnerabilities during the last week, making the 2025 total 35,166. For more information visit https://nvd.nist.gov/vuln/search/
View the latest critical vulnerabilities, exploited vulnerabilities and EU CSIRT coordinated vulnerabilities from the European Union Agency for Cybersecurity (ENISA) "Vulnerability Database" here: https://euvd.enisa.europa.eu/homepage
Information Privacy Headlines
Canada’s privacy commissioner, Philippe Dufresne, has found TikTok falling short when it comes to protecting kids. The investigation concluded that the company’s safeguards against children using the app, and its handling of their personal data, were inadequate. TikTok has agreed to step up its protections and be clearer about how data may be used. A spokesperson for the company said it welcomed the scrutiny and noted that Canadian officials had signed off on several of its proposals to strengthen the platform.
OpenAI’s CEO, Sam Altman, is still pushing for AI chatbots like ChatGPT to be given the same privacy protections as doctors, lawyers, and therapists, so they can avoid being forced to hand over sensitive user conversations in court. A joint study by OpenAI and Harvard researchers shed light on how people are actually using ChatGPT: around 77% of conversations focus on practical tasks, writing help, and general information, while only 1.9% touch on relationships or emotional topics.
In Singapore, Brave and researchers from the National University have developed a new type of attack, dubbed CAMIA (Context-Aware Membership Inference Attack). Unlike previous attempts, CAMIA is the first to successfully exploit the generative nature of modern AI models, raising new questions about whether your personal data was used to train them.
Ireland’s data protection commission has launched an investigation into data brokers after a bombshell report by public broadcaster RTE. Journalists were able to buy precise phone location data, including that of military staff and political aides, and even trace it back to private residential addresses.
Meanwhile, Dutch regulators are sounding the alarm for LinkedIn users. The privacy watchdog Autoriteit Persoonsgegevens is urging people in the Netherlands to review their account settings and opt out by November 3 if they don’t want their data used to train AI models.
And in the U.S., two major settlements have been reached over reproductive health data. Google will pay $48 million, while menstrual tracking app Flo Health has agreed to $8 million, after both were accused of sharing users’ sensitive health information without consent. Google’s deal covers users who entered reproductive health data between November 2016 and February 2019.