The compromised personal information includes names, dates of birth, Social Security numbers, and employment-related data.
The post 42,000 Impacted by Ingram Micro Ransomware Attack appeared first on SecurityWeek.
The incident impacted the personal information of CIRO member firms and their registered employees.
The post 750,000 Impacted by Data Breach at Canadian Investment Watchdog appeared first on SecurityWeek.
Hackers stole patients’ personal, treatment, and health insurance information from the organization’s IT systems.
The post Central Maine Healthcare Data Breach Impacts 145,000 Individuals appeared first on SecurityWeek.
Hackers stole the personal and reservation information of people with a Eurail pass and those who made a seat reservation with the company.
The post Traveler Information Stolen in Eurail Data Breach appeared first on SecurityWeek.
A threat actor breached Betterment’s systems, accessed customer information, and sent scam crypto-related messages.
The post Robo-Advisor Betterment Discloses Data Breach appeared first on SecurityWeek.
The law firm Fried Frank seems to be informing high-profile clients about a recent data security incident.
The post After Goldman, JPMorgan Discloses Law Firm Data Breach appeared first on SecurityWeek.
Hackers stole complete customer information, including contact details, national identity numbers, and payment details.
The post Spanish Energy Company Endesa Hacked appeared first on SecurityWeek.
The social media platform confirmed that the issue allowed third parties to send password reset emails to Instagram users.
The post Instagram Fixes Password Reset Vulnerability Amid User Data Leak appeared first on SecurityWeek.
UH officials refused to provide key information, including which cancer research project had been affected or how much UH paid the hackers to regain access to files.
The post Hackers Accessed University of Hawaii Cancer Center Patient Data; They Weren’t Immediately Notified appeared first on SecurityWeek.
US fiber broadband company Brightspeed is investigating claims by the Crimson Collective extortion group that it stole sensitive data belonging to more than 1 million residential customers, including extensive personally identifiable information (PII), as well as account and billing details.
Brightspeed is one of the largest fiber broadband providers in the US and serves customers across 20 states.
On January 4, the Crimson Collective posted this message on its Telegram channel:
“If anyone has someone working at BrightSpeed, tell them to read their mails fast!
We have in our hands over 1m+ residential user PII’s, which contains the following:
- Customer/account master records containing full PII such as names, emails, phone numbers, billing and service addresses, account status, network type, consent flags, billing system, service instance, network assignment, and site IDs.
- Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags.
- User-level account details keyed by session/user IDs, overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons.
- Payment history per account, featuring payment IDs, dates, amounts, invoice numbers, card types and masked card numbers (last 4 digits), gateways, and status; some entries indicate null or empty histories.
- Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, BINs, holder names and addresses, status flags (Active/Declined), and created/updated timestamps.
- Appointment/order records per billing account, with customer PII such as names, emails, phones, addresses, order numbers, status, appointment windows, dispatch and technician information, and install types.
Sample will be dropped on monday night time, letting them some time first to answer to us. (UTC+9, Japan is quite fun for new years while dumping company data)”
The promised sample was later made available and contains 50 entries from each of the following database tables:
In a separate Telegram message, the group also claimed it had disconnected a large number of Brightspeed customers. However, this allegation appears only in the group’s own messaging and has not been corroborated by any public reporting.
While there are some customer complaints circulating on social media, it remains unclear whether these issues are actually caused by any actions taken by the Crimson Collective.
Brightspeed told BleepingComputer:
“We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats. We are currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed.”
If you think you have been affected by a data breach, here are steps you can take to protect yourself:
We don’t just report on threats—we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.
US fiber broadband company Brightspeed is investigating claims by the Crimson Collective extortion group that it stole sensitive data belonging to more than 1 million residential customers, including extensive personally identifiable information (PII), as well as account and billing details.
Brightspeed is one of the largest fiber broadband providers in the US and serves customers across 20 states.
On January 4, the Crimson Collective posted this message on its Telegram channel:
“If anyone has someone working at BrightSpeed, tell them to read their mails fast!
We have in our hands over 1m+ residential user PII’s, which contains the following:
- Customer/account master records containing full PII such as names, emails, phone numbers, billing and service addresses, account status, network type, consent flags, billing system, service instance, network assignment, and site IDs.
- Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags.
- User-level account details keyed by session/user IDs, overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons.
- Payment history per account, featuring payment IDs, dates, amounts, invoice numbers, card types and masked card numbers (last 4 digits), gateways, and status; some entries indicate null or empty histories.
- Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, BINs, holder names and addresses, status flags (Active/Declined), and created/updated timestamps.
- Appointment/order records per billing account, with customer PII such as names, emails, phones, addresses, order numbers, status, appointment windows, dispatch and technician information, and install types.
Sample will be dropped on monday night time, letting them some time first to answer to us. (UTC+9, Japan is quite fun for new years while dumping company data)”
The promised sample was later made available and contains 50 entries from each of the following database tables:
In a separate Telegram message, the group also claimed it had disconnected a large number of Brightspeed customers. However, this allegation appears only in the group’s own messaging and has not been corroborated by any public reporting.
While there are some customer complaints circulating on social media, it remains unclear whether these issues are actually caused by any actions taken by the Crimson Collective.
Brightspeed told BleepingComputer:
“We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats. We are currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed.”
If you think you have been affected by a data breach, here are steps you can take to protect yourself:
We don’t just report on threats—we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.
This blog is part of a series where we highlight new or fast-evolving threats in the consumer security landscape. This one looks at how the rapid rise of Artificial Intelligence (AI) is putting users at risk.
In 2025 we saw an ever-accelerating race between AI providers to push out new features. We also saw manufacturers bolt AI onto products simply because it sounded exciting. In many cases, it really shouldn’t have.
Agentic or AI browsers that can act autonomously to execute tasks introduced a new set of vulnerabilities—especially to prompt injection attacks. With great AI power comes great responsibility, and risk. If you’re thinking about using an AI browser, it’s worth slowing down and considering the security and privacy implications first. Even experienced AI providers like OpenAI (the makers of ChatGPT) were unable to keep their agentic browser Atlas secure. By pasting a specially crafted link into the Omnibox, attackers were able to trick Atlas into treating a URL input as a trusted command.
The popularity of AI chatbots created the perfect opportunity for scammers to distribute malicious apps. Even if the AI engine itself worked perfectly, attackers have another way in: fake interfaces. According to BleepingComputer, scammers are already creating spoofed AI sidebars that look identical to real ones from browsers like OpenAI’s Atlas and Perplexity’s Comet. These fake sidebars mimic the real interface, making them almost impossible to spot.
And then there’s this special category of using AI in products because it sounds cooler with AI or you can ask for more money from buyers.
We saw a plush teddy bear promising “warmth, fun, and a little extra curiosity” that was taken off the market after researcher found its built-in AI responding with sexual content and advice about weapons. Conversations escalated from innocent to sexual within minutes. The bear didn’t just respond to explicit prompts, which would have been more or less understandable. Researchers said it introduced graphic sexual concepts on its own, including BDSM-related topics, explained “knots for beginners,” and referenced roleplay scenarios involving children and adults.
Sometimes we rely on AI systems too much and forget that they hallucinate. As in the case where a school’s AI system mistook a boy’s empty Doritos bag for a gun and triggered a full-blown police response. Multiple police cars arrived with officers drawing their weapons, all because of a false alarm.
Alongside all this comes a surge in privacy concerns. Some issues stem from the data used to train AI models; others come from mishandled chat logs. Two AI companion apps recently exposed private conversations because users weren’t clearly warned that certain settings would result in their conversations becoming searchable or result in targeted advertising.
We’ve said it before and we’ll probably say it again: We keep pushing the limits of what AI can do faster than we can make it safe. As long as we keep chasing the newest features, companies will keep releasing new integrations, whether they’re safe or not.
As consumers, the best thing we can do is stay informed about new developments and the risks that come with them. Ask yourself: Do I really need this? What am I trusting AI with? What’s the potential downside? Sometimes it’s worth doing things the slower, safer way.
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.
This blog is part of a series where we highlight new or fast-evolving threats in the consumer security landscape. This one looks at how the rapid rise of Artificial Intelligence (AI) is putting users at risk.
In 2025 we saw an ever-accelerating race between AI providers to push out new features. We also saw manufacturers bolt AI onto products simply because it sounded exciting. In many cases, it really shouldn’t have.
Agentic or AI browsers that can act autonomously to execute tasks introduced a new set of vulnerabilities—especially to prompt injection attacks. With great AI power comes great responsibility, and risk. If you’re thinking about using an AI browser, it’s worth slowing down and considering the security and privacy implications first. Even experienced AI providers like OpenAI (the makers of ChatGPT) were unable to keep their agentic browser Atlas secure. By pasting a specially crafted link into the Omnibox, attackers were able to trick Atlas into treating a URL input as a trusted command.
The popularity of AI chatbots created the perfect opportunity for scammers to distribute malicious apps. Even if the AI engine itself worked perfectly, attackers have another way in: fake interfaces. According to BleepingComputer, scammers are already creating spoofed AI sidebars that look identical to real ones from browsers like OpenAI’s Atlas and Perplexity’s Comet. These fake sidebars mimic the real interface, making them almost impossible to spot.
And then there’s this special category of using AI in products because it sounds cooler with AI or you can ask for more money from buyers.
We saw a plush teddy bear promising “warmth, fun, and a little extra curiosity” that was taken off the market after researcher found its built-in AI responding with sexual content and advice about weapons. Conversations escalated from innocent to sexual within minutes. The bear didn’t just respond to explicit prompts, which would have been more or less understandable. Researchers said it introduced graphic sexual concepts on its own, including BDSM-related topics, explained “knots for beginners,” and referenced roleplay scenarios involving children and adults.
Sometimes we rely on AI systems too much and forget that they hallucinate. As in the case where a school’s AI system mistook a boy’s empty Doritos bag for a gun and triggered a full-blown police response. Multiple police cars arrived with officers drawing their weapons, all because of a false alarm.
Alongside all this comes a surge in privacy concerns. Some issues stem from the data used to train AI models; others come from mishandled chat logs. Two AI companion apps recently exposed private conversations because users weren’t clearly warned that certain settings would result in their conversations becoming searchable or result in targeted advertising.
We’ve said it before and we’ll probably say it again: We keep pushing the limits of what AI can do faster than we can make it safe. As long as we keep chasing the newest features, companies will keep releasing new integrations, whether they’re safe or not.
As consumers, the best thing we can do is stay informed about new developments and the risks that come with them. Ask yourself: Do I really need this? What am I trusting AI with? What’s the potential downside? Sometimes it’s worth doing things the slower, safer way.
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.
Flashpoint’s forward-looking threat insights for security and executive teams, provides the strategic foresight needed to prepare for the convergence of AI, identity, and physical security threats in 2026.
Table Of ContentsAs the global threat landscape accelerates its transformation, 2026 marks an inflection point requiring defensive strategies to fundamentally shift. The volatility observed in 2025 has paved the way for an era soon to be defined by AI-weaponized autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the complete convergence of digital and physical risk.
Flashpoint offers a unique window into these complexities, providing organizations with the foresight needed to navigate what lies ahead. Drawing from Flashpoint’s leading intelligence and primary source collections, we highlight five key trends shaping the 2026 threat landscape. These insights aim to help organizations not only understand what’s next but also build the resilience needed to withstand and adapt to emerging challenges.
2026 will see continued evolution of AI threats, with future attacks centering on autonomy and integration. Across the deep and dark web, Flashpoint is observing threat actors move past experimentation and into operational use of illegal AI.
As attackers train custom fraud-tuned LLMs (Large Language Models) and multilingual phishing tools directly on illicit data, these AI models will become more capable. The criminal intent shaping their misuse will also become more sophisticated. Additionally, 2026 will see a greater marketplace for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypass.
These advancements are enabling criminals to move beyond simple tools and engage in scaled, autonomous fraud operations, leading to two major shifts:
“The ubiquity of automation has dramatically increased attack tempo, leaving many security teams behind the curve. While automation can replace repetitive tasks across the enterprise, organizations must not make the critical mistake of substituting human judgement for AI at the intelligence level.
Josh Lefkowitz, CEO at Flashpoint
This is paramount because a critical threat in 2026 is Agentic AI autonomy weaponized against soft targets—API integrations and identity systems. The only winning defense will be human-led and AI-scaled, prioritizing purposeful use to keep organizations ahead of this exponential risk.”
These evolving AI threats will force a fundamental shift in defensive strategies. Defenders will have to shift to deploying systems around AI rather than trust them on their own.
Infostealers will become the entry point, the data broker, the reconnaissance layer, and the fuel for everything that comes after a cyberattack. This shift is already in motion and is accelerating rapidly: in just the first half of 2025, infostealers were responsible for 1.8 billion stolen credentials, an 800% spike from the start of the year. However, 2026 will redefine the malware’s role, making its most valuable output being access, rather than disruption.
Infostealers will become the upstream event that powers the rest of the attack chain. Identity and session data will be increasingly targeted, since it gives attackers immediate access into victim environments. Ransomware, fraud, data theft, and extortion will simply be downstream ways to monetize.
This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain Flashpoint observes now exfiltrates the following:
An organization’s attack surface is no longer just composed of their own networks. It is the entire digital identity of their employees and partners. This new reality requires security teams to take a new approach. Instead of attempting to block attacks, they must proactively detect compromised credentials before they are weaponized. This will be the difference between reacting to a data breach and preventing one.
“The infostealer economy has fully industrialized the attack chain, making initial compromise a low-cost commodity. Multiple security incidents in 2025 tie back to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust—specifically, verifying who can access what resources. For 2026, identity is the perimeter to watch, and security teams must proactively hunt for compromised credentials before they’re weaponized.”
Ian Gray, Vice President of Intelligence at Flashpoint
The temporary funding crisis at CVE in April 2025 and the subsequent CISA stopgap extension through March 2026 exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system hanging in the balance, 2026 will be defined by the urgent need for redundancy and diversification in vulnerability intelligence.
In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE and NVD—including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in a widespread loss of institutional infrastructure.
The next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven. It should be focused on providing insights that can be used to take action such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams will need to leverage a comprehensive source of vulnerability intelligence such as Flashpoint’s VulnDB that provides full coverage for CVE, while also cataloging more than 100,000 vulnerabilities missed by CVE and NVD.
The continued blurring of lines between cyber, physical, and geopolitical threats will elevate the risk to organizational leadership, turning executive protection into a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means the threat to key personnel is no longer purely digital.
In the aftermath of the tragic December 2024 assassination of United Healthcare’s CEO, Flashpoint has seen the continued circulation and glorification of “wanted-style posters” of executives in extremist communities. Additionally, Flashpoint has seen nation-state actors participate, using espionage and influence to target high-value individuals.
Organizations must adopt an integrated approach that connects insights from threat actor chatter and a wealth of other OSINT sources. This fusion of intelligence is essential for applying frameworks to ensure the safety of leadership and key personnel.
2025 was marked by several large-scale extortion campaigns, demonstrating how the threat landscape is rapidly evolving. Ransomware operations have shifted into a straight extortion play. Flashpoint has observed a surge in new entrants to the ransomware market, accompanied by a decline in the quality and decorum of ransomware groups.
Furthermore, vishing campaigns attributed to “Scattered Spider” have highlighted weaknesses in identity, trust, and verification. Campaigns from “Scattered LAPSUS$ Hunters” have also exposed vulnerabilities in third-party integrations. These attacks culminated in extortion, showcasing that modern attacks will target trusted users and trusted applications for initial access, and will forgo ransomware in place of data access.
As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Instead of attempting to spend resources on breaking network perimeters, attackers will instead socially engineer employees to gain access to corporate systems at scale. This change in TTPs will undoubtedly greatly increase supply chain risk, especially for third parties.
These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges demands more than just reactive measures—it requires actionable intelligence, strategic foresight, and cross-sector collaboration. By embracing these principles and investing in proactive security strategies, organizations can not only mitigate risks but also seize opportunities to enhance their resilience.
As the threat landscape continues to rapidly evolve, staying informed and prepared are critical components of risk mitigation. With the right tools, insights, and partnerships, security teams can navigate the complexities ahead and safeguard what matters most.
The post Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape appeared first on Flashpoint.
Recent attacks from Clop emphasize the importance of implementing an organization-wide ransomware and cyber extortion strategy, from preparedness to detection and isolation
Table Of ContentsIt’s been one month since the Clop ransomware group began exploiting the MOVEit vulnerability (CVE-2023-34362 (VulnDB ID: 322555) to claim nearly 100 victims across the globe, many of which have come public. This attack comes on the heels of Clop leveraging the GoAnywhere MFT vulnerability (CVE-2023-0669), which led them to claim they’d illegally obtained information for more than 100 companies.
When a ransomware or cyber extortion event occurs, security teams are racing against the clock:
These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.
First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they seen to exploit:
CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities provide us with two recent high-profile examples of the power and impact of the group’s attacks—as well as the damage they can have on victims.
It also shines a bright light onto the level of information and context that CTI analysts and vulnerability management teams require in order to better prioritize and take action on the vulnerabilities likely to be used in ransomware and other attacks.
Tools such as Flashpoint’s VulnDB can unpack vulnerabilities like MOVEit in order to provide practitioners with access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack.
This includes information about 300,000 vulnerabilities, including thousands not listed in the public source, as well as robust metadata and numerous prioritization and prediction metrics, including:
Furthermore, when equipped with this context, vulnerability practitioners should be able to gain an active understanding of how the software, services, and other third-party assets they use are affected.
Speed is crucial when responding to or setting up defenses for a ransomware or cyber extortion event. In order to stay current on known exploits and better understand potential organization risks, vulnerability managers, analysts, and researchers should be able to set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage.
The combination of threat intelligence and vulnerability intelligence is a powerful weapon against adversaries. For instance, when a ransomware event occurs, vulnerability practitioners should be able to easily raise their awareness levels by using a robust alerting system. From there, they can quickly drill down into supplemental information to identify if exploits are being shared, see which threat actors are discussing the vulnerability across all illicit and open-source communities (forums, chats, ransomware sites, paste sites, blogs, social media, e.g.), and better assess the risk.
Gaining continuous intelligence and context on ransomware attacks is vital throughout an attack, which often extends for weeks in the public sphere (and undoubtedly longer behind closed doors). It is therefore important to ensure that your organization is being provided with an active understanding of the situation as it unfolds in real-time—beyond vulnerability intelligence.
Flashpoint’s Intelligence Team, for example, delivers to customers incident pages and regular updates that communicate the most important details of an extortion event in progress. This includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.
A managed attribution solution allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations. Analysts will often access or download files from a ransomware blog to verify if their organization was impacted in the incident. While doing so, it’s vital to protect and keep your organization safe via a secure research environment that is isolated from analyst browsers, computers and network infrastructure. Flashpoint’s Managed Attribution solution allows security teams to interact with files, conduct online investigations, and browse safely without risk to their organization.
To quickly assess, contain, and mitigate the impact of such incidents, it is crucial for organizations to have robust risk management practices in place. This includes conducting thorough due diligence when selecting third-party vendors, assessing their security practices, actively monitoring their security posture, and implementing contractual obligations and security controls to protect the company’s interests.
Additionally, it’s crucial to have incident response plans in place in order to respond effectively and recover from security breaches.In the event that an organization is impacted by ransomware, having a well-practiced incident response plan can greatly minimize damages. This includes:
Ransomware and cyber extortion events are undoubtedly stressful and challenging, but there are practical and proven ways to lessen that burden to reduce risk across your organization. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, sign up for a free trial, or watch this video to understand the top ways to prevent a ransomware attack at your organization.
Corey Ham // Tl;dr Use a password manager instead of browser storage for passwords, credit card numbers, and other autofill items. Personal security: Do not save anything sensitive in […]
The post Your Browser is Not a Safe Space appeared first on Black Hills Information Security, Inc..
Login