Hackers exposed government ID photos of 70,000 Discord users

DHS has forced cybersecurity pros to work on immigrant deportation, CA now requires browsers to honor data sharing opt outs, DragonForce, Qilin, and LockBit are in cahoots, FCC data incident reporting rules are destined for oblivion, Telstra denies Scattered Lapsus$ Hunters breach, much more



Discord has identified approximately 70,000 users who may have had their government ID photos exposed as part of a customer service data breach announced last week.

A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have “1.5TB of age verification related photos. 2,185,151 photos.”

Discord spokesperson Nu Wexler issued a statement saying, "Following last week’s announcement about a security incident involving a third-party customer service provider, we want to address inaccurate claims by those responsible that are circulating online. First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord. Of the accounts impacted globally, we have identified approximately 70,000 users who may have had government-ID photos exposed, which our vendor used to review age-related appeals. Third, we will not reward those responsible for their illegal actions."

Wexler also added, "All affected users globally have been contacted, and we continue to work closely with law enforcement, data protection authorities, and external security experts. We’ve secured the affected systems and ended work with the compromised vendor." (Jay Peters / The Verge)

Related: BBC, Security Affairs, 9to5Mac, AppleInsider, Cryptonews, Silicon Republic, BleepingComputer, TheGamer, Engadget, Tech Times, SecurityWeek, Mashable, Crikey, 80 Level, Cyber Security News, Tom's Guide, Destructoid, Protos, Cointelegraph, Tweaktown, WebProNews, The Cyber Express, CyberInsider, Security Week, Digit, Security Affairs, Gamereactor, PC Mag

According to current and former DHS employees, the US Department of Homeland Security has shifted hundreds of national security specialists, including cyber personnel, into jobs that support Donald Trump’s deportation push and said it would dismiss anyone who refuses to go along.

Compulsory reassignments have gone in recent weeks to workers within the Cybersecurity and Infrastructure Security Agency, or CISA, who had focused on issuing alerts about threats against US agencies and critical infrastructure, current and former employees said.

Affected CISA staffers have been shuffled to agencies, including Immigration and Customs Enforcement, which received a $150 billion infusion to carry out Trump’s immigration crackdown, the employees said. CISA workers have been moved to Customs and Border Protection and the Federal Protective Service, a domestic police force working with ICE and CBP on deportations.

Changes have hit particularly hard in CISA’s Capacity Building team, which writes emergency directives and oversees cybersecurity for the government’s highest value assets, the employees said. Reassignments have primarily targeted senior CISA staffers, who are forbidden from joining unions because they work on national security issues, according to one person.

A DHS spokeswoman broadly defended the moves but declined to comment on individual cases. “DHS routinely aligns personnel to meet mission priorities while ensuring continuity across all core mission areas,” Tricia McLaughlin, assistant secretary for public affairs, said in a statement. She said the agency covers relocation costs for moves of more than 50 miles.

Shifting CISA staff to immigration work risks leaving the government less prepared to handle cyberattacks against US interests, including a newly detected campaign against Cisco Systems Inc. routers that are widely used across the government and private sector. While CISA warned of the Cisco attack last month, it has provided little guidance since its initial directive. (Patrick Howell O'Neill and Jeff Stone / Bloomberg)

Related: Washington Post, Wall Street Journal

California Gov. Gavin Newsom signed a bill that requires web browsers to make it easier for Californians to opt out of allowing third parties to sell their data.

The California Consumer Privacy Act, signed in 2018, gave Californians the right to send opt-out signals, but major browsers have not had to make opt-outs simple to use. The latest bill would require them to set up an easy-to-find mechanism that lets Californians opt out with the push of a button, instead of having to do so repeatedly when visiting individual websites.

Other bills signed by Newsom on Wednesday also give Californians important data privacy rights.

One of them requires social media companies to make it easy to cancel accounts and mandates that cancellation lead to the full deletion of consumers’ data. A second bolsters the state’s Data Broker Registration Law by giving consumers more information about what personal data is collected by data brokers and who can obtain it. (Suzanne Smalley / The Record)

Related: Governor Gavin Newsom, EPIC, Consumers Union, Bloomberg Law, BDC, Hacker News (ycombinator), Tech Times

According to security vendor ReliaQuest's third-quarter 2025 ransomware report, ransomware-as-a-service giants DragonForce, Qilin, and LockBit claim to be collaborating on ransomware attacks.

In early September, around the time when LockBit reemerged with its new LockBit 5.0 ransomware variant, fellow RaaS crew DragonForce proposed a partnership.

"Create equal competition conditions, no conflicts and no public insults…" the criminals said, in a post (translated from Russian) that was later shared on social media by cyber sleuths, including those at malware collector vx-underground.

"This way we can all increase our income and dictate market conditions," it continues. "Call it whatever you like - coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies."

To which LockBit replied: "I completely agree with you. I don't wish you anything bad. As people are to me, so I am to people."

Soon after, DragonForce announced the coalition between the three Russian-speaking groups and told other criminals, "Our doors are open to anyone who cares about the future of our challenging field. If you have a partnership program, feel free to reach out to us, and together we can maximize our overall income!" (Jessica Lyons / The Register)

Related: ReliaQuest, Cyber Press, SC Media, Dark Reading

The US Federal Communications Commission (FCC) will seek to eliminate its data incident reporting rules, to which powerful industry lobbyists, including NCTA, USTelecom, and CTIA, have objected. The agency has also successfully asked the Sixth Circuit Court of Appeals to hold in abeyance the court's August decision to uphold the December 2023 rules.

The industry groups challenging the order asked the court to grant their request for rehearing, thus vacating the panel’s decision upholding the challenged regulation, before ruling on the FCC’s abeyance motion. 

“The Commission now has three sitting members, only one of whom [Commissioner Anna Gomez] voted to approve the order, and is in the process of evaluating the agency’s past actions, including the order challenged here,” wrote FCC General Counsel Adam Sorensen in a petition asking the court to suspend its decision until a rehearing could be held.

On Tuesday, the court ruled to hold the case in abeyance, or suspend it, without ruling on a rehearing. However, it also rejected the FCC’s proposal to file a status report within 90 days from the date of the order (and every 90 days thereafter) until the order is lifted. Instead, the court ruled the FCC must file a report every 60 days, with the first due Dec. 16. (Amy Maclean / Cablefax)

Related: Court Listener

Scattered Lapsus$ Hunters, the same group responsible for a string of high-profile Salesforce-based attacks over recent months, has listed Australian telco Telstra as a victim on its darknet leak site overnight.

Scattered Lapsus$ Hunters shared what it says is a sample of customer data stolen from Telstra in an overnight leak post, claiming to have more than 19 million sets of personally identifiable information.

“We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always,” a Scattered Lapsus$ Hunters spokesperson said in a 9 October leak post.

“We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter.”

The hackers also shared a sample file with several hundred sets of names, mobile numbers, and home addresses. However, Telstra has denied the hackers’ claims.

“We’re aware that a malicious actor has listed what it claims is Telstra data online, and we have investigated,” a Telstra spokesperson told Cyber Daily.

“Based on our assessment, the data has been scraped from publicly available sources and does not originate from Telstra systems. No passwords, banking details or personal identification data such as driver’s licence or Medicare numbers are included.” (David Hollingworth / Cyber Daily)

Related: Financial Review, The Cyber Express, The Sydney Morning Herald

The Ukrainian parliament supported the creation of the Cyber Forces within Ukraine's military in the first reading on Oct. 9, underscoring the growing importance of this domain in the war with Russia.

The bill, backed by 255 lawmakers, aims to establish the Cyber Forces as a military command body responsible for Ukraine's defense and security capabilities in cyberspace.

The Cyber Forces Command will answer directly to Ukraine's commander-in-chief and, on the political level, to the president in matters of national security.

The Main Directorate of Radio Electronic and Cyber Warfare of Ukraine's General Staff will be responsible for its establishment.

The new command will organize regular training and recruit and coordinate cyber forces reserves.

Service in these reserves does not require formally becoming a military service member and can be carried out on a temporary or periodic basis to fulfill specific tasks. (Martin Fornusek / Kyiv Independent)

Related: Mezha, EMPR Media

UK Foreign Secretary Yvette Cooper will host the Western Balkans Summit Foreign Ministers' meeting in Hillsborough Castle in Ireland today, during which she will unveil a new £4 million (around $5.3 million) project to reinforce cyber defenses in the region, and share expertise in countering disinformation and other malign activity from hostile actors.

The meeting with European partners will "discuss the importance of building resilience in the western Balkans to combat the constant flood of Russian hybrid threats aimed at destabilising the region." (BBC News)

Related: GOV.UK, Politico, Telegraph

Russia is behind a campaign of cyberattacks, sabotage, and provocation across Europe, according to the president of the European Commission, who warned: “It is time to call it by its name. This is hybrid warfare, and we have to take it very seriously.”

In a speech at the European Parliament in Strasbourg, Ursula Von der Leyen described “a worrying pattern of growing threats” across the bloc, including MiG fighters recently violating Estonian airspace and drones being flown “over critical sites in Belgium, Poland, Romania, Denmark and Germany.”

Over the past year, similar sightings of drones have also been made in the United Kingdom, which deployed a counter-drone unit to Denmark last week following “incidents near civilian and military installations” at the same time as Copenhagen hosted two major European summits. Britain is not part of the EU.

Von der Leyen said a blueprint for a pan-European security plan, coordinated closely with NATO, was presented to EU leaders during one of these Copenhagen summits. The EU needed to “urgently equip itself with a strategic capacity to respond” to Russian hybrid warfare, she warned. (Alexander Martin / The Record)

Related: The Record, RFI, CNBC, United24, Politico EU, Reuters

Apple removed an app called Eyes Up, which preserves TikToks, Instagram reels, news reports, and videos documenting abuses by ICE.

The app differs from other banned apps, such as ICEBlock, which were designed to report sightings of ICE officials in real-time to warn local communities. Eyes Up, meanwhile, was more of an aggregation service pooling together information to preserve evidence in case the material is needed in the future in court.

The news shows that Apple and Google’s crackdown on ICE-spotting apps, which started after pressure from the Department of Justice against Apple, is broader in scope than apps that report sightings of ICE officials. It has also impacted at least one app that was more about creating a historical record of ICE’s activity during its mass deportation effort. (Joseph Cox / 404 Media)

Related: Tech Times

Screenshot of Eyes Up. Source: 404 Media.

Security data pipeline platform startup Realm.Security announced that it has raised $15 million in a Series A venture funding round.

Jump Capital led the round with participation from Glasswing Ventures and Accomplice. (Duncan Riley / Silicon Angle)

Related: Realm Security, FinTech Global, FinSMEs, MSSP Alert, Business Wire, Silicon Angle

Best Thing of the Day: It's Not Nice to Illegally Scrape Facial Images

The UK's Information Commissioner's Office (ICO) has won an appeal against controversial facial recognition technology firm Clearview AI, making a £7.5m ($8.7 million) fine more likely against the company for illegally scraping the images of UK residents from websites and social media pages and uploading them to a global database that could be used for facial recognition.

Worst Thing of the Day: Was He Trolling or Just Lazy?

In August, a relatively unknown security researcher named Agostino “Van1sh” Panico gave a main stage talk at Defcon that turned out to be AI slop.

Bonus Worst Thing of the Day: Hackers Don't Care for Your Stinking Injunctions

Qantas got an injunction against anyone publishing the data that Scattered LAPSUS$ Hunters obtained in the Salesforce breach, which has the unhappy consequence of not allowing services such as HaveIBeenPwned to inform users when their data appears in the Qantas breach.
