Privacy professionals
from Ars Technica, 11 hours ago
Internet Yiff Machine: We hacked 93GB of "anonymous" crime tips
P3's tip database was allegedly hacked, exposing 8.3 million tips and raising security concerns.
Based in Tehran, Emennet Pasargad is responsible for a variety of high-profile cyberattacks on Western organizations. Among these are attempted interference with US elections and attacks on the subscribers of French satirical magazine Charlie Hebdo, the Council stated.
A former DOGE software engineer told co-workers at their new job that he "possessed two tightly restricted databases of U.S. citizens' information" and was planning to use the information at his new company, according to the report, which added that the Social Security Administration's inspector general is investigating the whistleblower complaint.
According to BleepingComputer, a recent breach at LexisNexis gave hackers access to nearly 4 million database records, thousands of accounts, password hashes, and cloud records. The company admitted the hackers gained access by exploiting an unpatched React vulnerability in its systems.
In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software. Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025.
The main issue, Khan said, was that all apps that are vibe-coded on Lovable's platform are shipped with their backends powered by Supabase, which handles authentication, file storage, and real-time updates through a PostgreSQL database connection. However, when the developer - in this case AI - or the human project owner fails to explicitly implement crucial security features like Supabase's row-level security and role-based access, code will be generated that looks functional but in reality is flawed.
Trusting cybercriminals is inherently flawed; there is no honour among thieves. There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data. Copies are frequently retained, shared, or sold months down the line.
Choice Hotels International disclosed a breach affecting franchisees and applicants. Its notification letter states that a "skilled person used social engineering" to gain access on January 14, 2026 to an application that contained records regarding franchisees and franchise applicants. The intrusion occurred even though access required multifactor authentication (MFA). The information involved included names and Social Security numbers. There is no indication that any guest data was involved. No gang has publicly claimed responsibility for the attack as yet.
A UK councillor has dubbed her local authority's data breach "crazy" after the personal details of individuals behind a series of complaints were revealed to her. Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area in Cornwall, England, publicized the data protection gaffe via social media following complaints about comments she made during a November council meeting. Cllr Tudor received ten complaints after asking fellow councillor Leigh Knight whether a trans woman was a real woman.
PayPal is warning customers about a data breach that leaked personal data for six months. The leaked data includes Social Security numbers. The software error occurred in the PayPal Working Capital application, an app that allows small businesses to easily take out a business loan. The leak occurred between July 1, 2025, and December 13, 2025. In addition to names and email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth were also compromised.