Report of 16 billion credentials breach debunked
Hegseth is under pressure to find Haugh's replacement, Israeli hackers released Nobitex source code, Czech president says China and Russia are hacking equals, China has repeatedly hacked Russia, Ryuk suspect extradited to US, Korean megachurch hacked to display DPRK flag, much more


Cybersecurity publication Cybernews created a firestorm of press reports and fear that was quickly countered by cybersecurity experts when it published a story suggesting it had discovered the "mother of all breaches" that exposed 16 billion sets of credentials for every online service imaginable.
Despite Cybernews' statement that this breach had never been disclosed, cybersecurity experts are confident it is a compilation of previously leaked credentials that were stolen by infostealers, exposed in data breaches, or collected via credential stuffing attacks.
Experts say it is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
The stolen credentials were likely circulating for some time, if not years. They were then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database exposed on the Internet.
This report is the second time Cybernews has promoted a dodgy collection of data scraped from the dark web as the "Mother of All Breaches," only to receive widespread attention from a crush of follow-up media reports.
On January 29th, 2024, the publication said it discovered an "astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records," in what it called the "Mother of All Breaches."
Closer analysis, however, revealed that the vast majority of the breached data had been compiled from previous data leaks and breaches and did not constitute a breach at all. (Lawrence Abrams / Bleeping Computer and various social media reports)
Related: Cyber Daily

US Defense Secretary Pete Hegseth is under mounting pressure to fill the top dual-hatted post at Cyber Command and the National Security Agency, which has been vacant for months since Donald Trump fired Air Force Gen. Timothy Haugh after a White House meeting with far-right influencer Laura Loomer.
He told the Senate Armed Services committee Wednesday that the Department of Defense and the White House were "in talks" to replace Haugh in the dual-hatted role, which leads defense operations for DOD information networks and a team of nearly 27,000 military and civilian staff in carrying out a wide range of military cyberspace operations.
He dodged questions about Loomer's involvement in Haugh's dismissal—telling one Democratic senator her "time is up" for questioning when she asked if he believed it was appropriate "for any social media personality to influence personnel decisions"—and failed to offer a timeline for nominating a replacement.
The White House and Defense Department have yet to name a nominee. Several of the president's cyber appointments are already stalled by procedural delays, including an apparent FBI security backlog and a Senate hold on the nominee to lead the Cybersecurity and Infrastructure Security Agency. The source said those obstacles could further prolong the vacancy at Cyber Command, and it remains unclear who the administration is considering for the role. (Chris Riotta / Payment Security)
Related: Senate Armed Services Committee, The Independent, 3News, Mediaite
Gonjeshke Darande or Predatory Sparrow, the Israel-linked hackers behind a $100 million exploit of Iranian cryptocurrency exchange Nobitex, released the platform’s complete source code, placing remaining user assets at risk.
Nobitex exchange was hacked for at least $100 million of cryptocurrencies on Wednesday by a pro-Israel group calling itself “Gonjeshke Darande,” which claimed responsibility for the attack.
In the latest development, the group said it had fulfilled its earlier threat to leak the exchange's code and internal files.
“Time’s up - full source code linked below. ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” Gonjeshke Darande wrote in an X post on Thursday.
The X thread detailed the exchange's key security measures, including its privacy settings, blockchain cold scripts, list of servers, and a zip file containing the full source code of the Nobitex exchange.
The source code was leaked a day after the group took responsibility for the exploit, promising to release the exchange’s source code and internal files within 24 hours. (Zoltan Vardai / Cointelegraph)
Related: Telegram, Coinspeaker, crypto.news, The Crypto Times, CoinDesk, Finance Feeds, The Block

Czech President Petr Pavel said that China and Russia pose similar cyber threats to Europe, saying he considered the two countries on par regarding state-sponsored hacking and espionage.
Beijing and Moscow are “equal in terms of cyber threat”, he said.
“We’ve seen cyber attacks coming from both directions and almost at the same level.” Last month, Prague said that its foreign ministry had been the target of a “malicious cyber campaign” by APT31, a hacking group connected to the Chinese state security ministry.
The group faced similar accusations from the US and UK last year, with some members subject to American and British sanctions. Beijing has denied the allegations. (Raphael Minder / Financial Times)
Related: Censor.net, Devdiscourse
Taiwan-based cybersecurity research firm TeamT5 reports that since the beginning of the war in Ukraine, groups linked to the Chinese government have repeatedly hacked Russian companies and government agencies in an apparent search for military secrets.
The intrusions started accelerating in May 2022, just months after Moscow’s full-scale invasion. And they have continued steadily, with Chinese groups worming into Russian systems even as President Vladimir V. Putin of Russia and President Xi Jinping of China publicly professed a momentous era of collaboration and friendship.
The hacking campaign shows that China sees Russia as a vulnerable target despite this partnership and years of promises not to hack each other. In 2023, one group, known as Sanyo, impersonated the email addresses of a significant Russian engineering firm in the hunt for information on nuclear submarines.
It is unclear how successful these attempts have been, partly because Russian officials have never publicly acknowledged these intrusions. However, a classified counterintelligence document from Russia’s domestic security agency, the FSB, makes clear that intelligence officials are concerned.
The document says that China is seeking Russian defense expertise and technology and is trying to learn from Russia’s military experience in Ukraine. The document refers to China as an “enemy.” (Megha Rajagopalan / New York Times)
Related: Babel.ua
Ukrainian authorities said an unnamed suspected member of the Ryuk ransomware gang has been extradited to the US, where he faces charges over cyberattacks that extorted more than $100 million from victims worldwide.
Ukraine’s Office of the Prosecutor General said the 33-year-old foreign national was arrested in Kyiv in April at the request of US law enforcement and handed over to American authorities earlier this week.
Ukrainian investigators said the man was “engaged in searching for vulnerabilities in the corporate networks of the victim companies” — or what cybersecurity experts call an “initial access broker.” Police said they seized over $600,000 in crypto assets, nine luxury vehicles, and 24 plots of land.
Authorities said the group launched over 2,400 ransomware attacks in multiple countries, encrypting victims’ data and demanding cryptocurrency payments in exchange for access. It is believed to have used the Ryuk ransomware strain in many attacks, which targeted corporations, critical infrastructure, and industrial enterprises worldwide, typically for financial gain.
Ukrainian authorities said the FBI had previously placed the suspect on an international wanted list. (Daryna Antoniuk / The Record)
Related: GP.gov.ua, NPU.gov.ua, Infosecurity Magazine, Bleeping Computer, Databreaches.net, The New Voice of Ukraine, UNN, Ukrinform
One of South Korea’s largest megachurches, the Onnuri Church, said its YouTube worship service was briefly hacked during a live broadcast to display the North Korean flag.
The incident occurred early Wednesday morning, when the live stream of the church's service abruptly filled with the North Korean flag, accompanied by what appeared to be Pyongyang’s propaganda music.
The flag was displayed for about 20 seconds, a church official told AFP, adding that the incident had been reported to the police. “During the early morning worship service on June 18, an unexpected video was broadcast due to a hacking incident,” the church said in a separate statement.
“We are currently conducting an urgent investigation into the cause of the incident and will take appropriate measures as soon as the situation is clarified.”
South Korea’s state-run Korea Internet & Security Agency told AFP it was “looking into the case.” (AFP)
Related: Punch Newspapers, Chosun Biz, KoreaJoongAng Daily, The Dong A-Ilbo, Maeil Business Newspaper

Australia’s world-first social media ban for under-16s moved closer to implementation after a key trial found that checking a user’s age is technologically possible and can be integrated into existing services.
The conclusions are a blow to Facebook-owner Meta Platforms, TikTok, and Snap, which opposed the controversial legislation. Some platform operators had questioned whether a user’s age could be reliably established using current technology.
The results of the government-backed trial will allow the law to come into force by the end of the year. The findings could also potentially allow other jurisdictions to follow Australia’s lead as countries around the world grapple with ways to protect children from harmful content online.
The trial’s project director, Tony Allen, said there were “no significant technological barriers” to stopping under-16s gaining social media accounts. “These solutions are technically feasible, can be integrated flexibly into existing services, and can support the safety and rights of children online,” he said.
Under the new law, digital platforms including Snapchat, Meta-owned Instagram, and X will be responsible for enforcing the age limit, with penalties of as much as A$50 million ($32 million) for breaches. (Angus Whitley / Bloomberg)
Related: The Register, The Guardian, Reuters, Japan Today, ABC, Information Age, The Senior, Age Assurance Technology Trial, The Conversation, Cryptopolitan, Biometric Update, Slashdot
In a data breach notification filing, US doughnut chain Krispy Kreme confirmed that attackers stole the personal information of over 160,000 individuals in a November 2024 cyberattack.
The filing discloses that stolen documents contained affected individuals' social security numbers, financial account information, and driver's license information.
Krispy Kreme detected unauthorized activity on its IT systems on November 29 and disclosed the incident and disruptions to its online ordering in an SEC filing on December 11.
The Play ransomware gang claimed responsibility for the attack in late December, saying they also stole data from the company's network. (Sergiu Gatlan / Bleeping Computer)
Related: Maine Attorney General, Reddit - Information Security News, The Register - Security, Security Week, The Charlotte Observer

Oxford City Council in the UK is notifying current and former employees that their personal information was likely compromised in a recent cyberattack.
The council says the incident occurred over the weekend of June 7 and 8, when it detected suspicious activity within its network.
“Our automated security systems kicked in, removed the presence and minimized the access the attackers had to our systems and databases,” the council said in an incident notice.
Oxford City Council took down core systems to perform security checks, which resulted in service disruptions over the past week.
It says most of the impacted systems have been restored, and the remaining ones should be back online this week. (Ionut Arghire / Security Week)
Related: Oxford City Council, IT Pro
Feng Chia University in Taiwan said that the emerging NOVA ransomware group had hit it with a ransomware attack and that necessary measures have been taken to prevent the damage from escalating.
The private university, located in the central Taiwan city of Taichung, said in a statement that it received outside intelligence indicating that the NOVA ransomware group targeted it.
Feng Chia University said it immediately responded by launching an investigation and enlisting outside experts to assist with the inquiry. After nearly 24 hours of investigating the cyberattack, the school felt it had confirmed the cause of the incident and its impact.
Other reports state that the ransomware group NOVA recently attacked two Asian universities, Sun Moon University in South Korea and Feng Chia University in Taiwan. (Focus Taiwan)
Related: Taipei Times
The X account of prominent tech venture capitalist Andreessen Horowitz (a16z) was temporarily hacked by bad actors who linked to a suspicious crypto airdrop.
Andreessen Horowitz’s X account, which has 851,000 followers, was used to promote a new, nonexistent Solana (SOL)-based token that the firm was said to have created. (Mehron Rokhy / The Daily Hodl)
Related: crypto.news, CoinStats
Researchers from Cato Networks revealed that a new AI agent protocol released by service desk solution provider Atlassian could allow an attacker to submit a malicious support ticket through Jira Service Management (JSM) with a prompt injection.
This proof-of-concept (PoC) attack conducted by Cato’s team has been dubbed a ‘Living off AI’ attack.
The Model Context Protocol (MCP) is an open standard introduced in November 2024 by Anthropic, the maker of several generative AI models and the AI chatbot Claude.
The Cato researchers performed a PoC attack on Atlassian JSM using Atlassian’s own MCP assets to show how an anonymous external user connected via JSM could perform a range of malicious actions.
While Atlassian was used to demonstrate the ‘Living Off AI’ attack, the Cato researchers believe that any environment where AI executes untrusted input without prompt isolation or context control is exposed to this risk. (Kevin Poireault / Infosecurity Magazine)
Related: Cato Networks, Cyber Security News, GBHackers

Researchers at ReversingLabs discovered a new campaign tied to the group known as Banana Squad, which exploited GitHub to distribute malicious Python code disguised as legitimate hacking tools.
The campaign used 67 repositories hosting trojanized files that mimicked benign open-source projects.
The campaign reflects a shift in open-source software supply chain attacks. While overall volumes of malicious uploads to repositories like PyPI and npm have dropped, attackers now leverage more covert tactics to target platforms like GitHub.
In this instance, threat actors exploited GitHub’s interface to conceal backdoor code using long space strings, making the malicious content invisible in normal view.
Banana Squad, originally identified by Checkmarx in late 2023, had already made headlines with a series of Windows-targeting malware packages uploaded to Python repositories earlier that year. Those packages were downloaded nearly 75,000 times before being taken down.
This newer campaign used repositories that appeared identical to legitimate ones by name. (Alessandro Mascellino / Infosecurity Magazine)
Related: ReversingLabs, Tech Radar, HackRead, GBHackers
In its 2025 Cyber Risk Report, risk mitigation products company Aon reported that cyber events that escalate into reputation-related incidents can cause an average 27% drop in shareholder value.
The findings build upon Aon’s 2023 research, which showed an average 9% shareholder value decline following major cyber incidents. The latest report analyzed over 1,400 global cyber events to identify the types of attacks that are more likely to generate reputational consequences and the degree of financial impact when they do.
Out of the 1,414 events reviewed, 56 were classified as reputation risk events, which are defined as cyber incidents that attracted substantial media attention and were followed by a measurable drop in share price. Companies affected by these events experienced an average decline in shareholder value of 27%. (Josh Recamara / Insurance Business Magazine)
Related: Aon, Insurance Business, Global Reinsurance, Guru Focus, Intelligent Insurer

Open source intelligence analysis company Tadaweb announced it had raised $20 million in a venture funding round.
Arsenal Growth and Forgepoint Capital International led the round. (Chris Metinko / Axios)
Related: Tech.eu, eeNews Europe, FinSMEs, Tech Funding News, EU-Startups
Best Thing of the Day: 100,000 Machines Now Freed from Microsoft
Under the GendBuntu project, which stems from Microsoft's decision to end the development of Windows XP in 2005, France’s Gendarmerie began switching from Microsoft products to open-source software and has now quietly deployed 100,000+ Linux machines.
Bonus Best Thing of the Day: Cloudflare Killing It Again
In mid-May 2025, Cloudflare blocked the largest DDoS attack ever recorded: a staggering 7.3 terabits per second (Tbps).
Worst Thing of the Day: The Double Whammy of Late-Stage Capitalism
TaskUs said it stopped taking Coinbase calls at the Indore, India, call center, where the employees were being bribed, laying off 226 workers whose poverty left them susceptible to malicious hacking groups such as Scattered Spider.
