Some ChatGPT customers' data were exposed by a breach at vendor Mixpanel
Lazarus Group suspected of $30.6m breach of Upbit, Korea's shopping platform Coupang hacked by a former insider to access 30m customers' data, Lazarus Group and Kimsuky are DPRK's most prolific hackers, Korea arrests four for hacking 120K IP cameras, OnSolve CodeRED platform hit by attack, much more

Metacurity is a pure labor of love and is the only daily newsletter that delivers the critical infosec developments you need to know, scanned from thousands of sources and smartly summarized.
OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider, Mixpanel.
Mixpanel offers event analytics that OpenAI uses to track user interactions on the frontend interface for the API product.
According to the AI company, the cyber incident affected “limited analytics data related to some users of the API” and did not impact users of ChatGPT or other products.
“This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” OpenAI says in a press release.
Mixpanel reported that the attack “impacted a limited number of our customers” and resulted from a smishing (SMS phishing) campaign that the company detected on November 8.
OpenAI received details of the affected dataset on November 25 after being informed of Mixpanel’s ongoing investigation.
Some users are reporting that CoinTracker, a cryptocurrency portfolio tracker and tax platform, has also been impacted, with exposed data also including device metadata and a limited transaction count.
OpenAI has started an investigation to determine the full scope of the incident. As a precaution, it has removed Mixpanel from its production services and is notifying organizations, administrators, and individual users directly. (Ionut Ilascu / Bleeping Computer)
Related: Mixpanel, OpenAI, Security Affairs, The Register, PCMag, Windows Central, InfoWorld, The Indian Express, Business Insider, 9to5Mac, Protos, Datamation, CyberInsider, DEV Community, Digit, Livemint, Windows Report, Salesforce Ben, Cyber Security News, Hackread, The Cyber Express, Infosecurity, International Business Times, Arabian Business, KnowTechie, The Decoder, r/cybersecurity, r/OpenAI, Security Week, Decrypt, BankInfoSecurity, Independent, Protos, Security Affairs, WinBuzzer, SiliconANGLE, CSO Online, Techlusive
Sources say North Korean hacking group Lazarus is suspected to be behind a recent breach of around 45 billion won (US$30.6 million) worth of cryptocurrency from South Korea's largest crypto exchange, Upbit.
Sources say authorities plan to carry out an on-site investigation at the crypto exchange with the belief that Lazarus was behind the hacking.
Dunamu, which operates Upbit, said Thursday it confirmed the transfer of 44.5 billion won worth of Solana-affiliated assets to an unauthorized wallet address and plans to cover the full amount with assets the company owns.
The hacking group had been suspected of stealing 58 billion won worth of Ethereum from Upbit in 2019. Authorities said the methods used in the latest incident resembled those of the 2019 theft. (Kang Yoon-seung / Yonhap News)
Related: Unchained, CoinDesk, Tech in Asia, Blockonomi, Business Today, BeInCrypto, Invezz, Bloomberg Technology, Tech-Economic Times, Korea Times News, Blockhead, Decrypt, crypto.news, Cryptonews, The Economic Times, Reuters, THE INVESTOR, Modern Diplomacy, The Crypto Basic, The Block, Crypto Briefing, Bloomberg, DL News, Tom's Hardware, Protos, Bitcoin Insider, CoinGape, Bloomberg, The Japan News, Korea Joongang Daily, Bitcoin.com
A significant vulnerability in the database of popular Korean online shopping platform Coupang allowed an intruder to access the personal information of more than 30 million users without a valid login, according to Vice Prime Minister and Science and ICT Minister Bae Kyung-hoon.
However, according to internal documents released by Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, Coupang failed to revoke the signing keys issued to a former employee, who, after leaving the company, stole personal data by exploiting the vulnerability tied to server-side authentication keys and access tokens.
Bae confirmed that the intruder “abused an authentication loophole in Coupang’s server” and extracted names, emails, phone numbers, and addresses tied to customers’ accounts.
The vice prime minister added that the government “deeply regrets that such incidents have occurred even at a major platform widely used by the public.”
The breach, which authorities believe began in June, went undetected until Nov. 18, when Coupang launched an internal investigation into suspicious activity within the company’s database. The company first announced that just 4,500 accounts were affected, but revised that number days later to 33.7 million — a figure surpassing the active user base of Korea’s dominant online retailer.
Coupang received anonymous emails threatening to disclose a significant data breach that compromised the personal information of 33.7 million users, police said Monday.
Police confirmed that they have identified two separate email accounts used to send the messages, one to Coupang customers on Nov. 16 and another to the company’s customer service center last Tuesday.
Considering that about 24.7 million people use the platform on a regular basis, officials say the leak likely includes data from former users as well, meaning nearly anyone who has ever shopped on the platform could be affected. (Michael Lee / Korea JoongAng Daily and No Kyung-min / The Investor and No Kyung-min / The Korea Herald)
Related: Chosun, Korean Economic Daily, Yonhap News, Korea Times, Korea Biz Wire, The Chosun Daily, Reuters, Bloomberg, Bloomberg, CXO Digital Pulse, StratNews Global, Reuters, Korea JoongAng Daily, Korea Times, Korea Post, Korea Times, BBC News, Pulse, TechCrunch
According to South Korean cybersecurity firm AhnLab's 2025 Cyber Threat Trends & 2026 Security Outlook report, North Korea's Lazarus Group was the most frequently mentioned APT group, with 31 cases, in an analysis of publicly disclosed APT activities between October of last year and September of this year.
Kimsuky, another North Korean hacking group under the Reconnaissance General Bureau, followed with 27 cases.
During the same period, North Korea led with 86 cases by country, followed by China (27), Russia and India (each 18), and Pakistan (17).
AhnLab noted, “The actual number of attacks may be higher due to the secretive nature of APT groups, and some government agency attacks remain undisclosed.” (Lee Ka-young / The Chosun Daily)
Related: Yonhap News
The Korean National Police Agency National Office of Investigation (NOI) said it arrested four people who hacked about 120,000 IP cameras and sold the videos to an overseas site, and detained three of them.
Suspect A, who was detained, is accused of hacking about 64,000 IP cameras and editing the footage to produce illegal sexual exploitation material. He was found to have made off with 35 million won worth of virtual assets by selling them on an overseas site.
Office worker B is accused of hacking 70,000 IP cameras and producing and selling 648 items of sexual exploitation material. B also pocketed 18 million won worth of virtual assets.
Self-employed C and office worker D are accused of hacking 15,000 and 136 IP cameras, respectively, and storing the stolen footage. They were found not to have distributed or sold the footage.
Police are pursuing the operators of the illegal site in cooperation with foreign investigative agencies. They also asked the Korea Communications Standards Commission to block access to the site in question. (Kwon Oh-eun / Chosun Biz)
Related: KoreaJoongAng Daily, Maeil Business Newspaper
Risk management company Crisis24 has confirmed its OnSolve CodeRED platform suffered a cyberattack that disrupted emergency notification systems used by state and local governments, police departments, and fire agencies across the United States.
The CodeRED platform enables these agencies to send alerts to residents during emergencies.
The cyberattack forced Crisis24 to decommission the legacy CodeRED environment, causing widespread disruption for organizations that use the platform for emergency notifications, weather alerts, and other sensitive warnings.
In statements and an FAQ shared with impacted customers, Crisis24 says its investigation found that the attack was contained to the CodeRED environment and did not affect any of its other systems.
However, they have confirmed that data was stolen from the platform during the attack. This stolen information includes names, addresses, email addresses, phone numbers, and passwords used for CodeRED user profiles.
Because the attack damaged the platform, Crisis24 is rebuilding its service by restoring backups to a newly launched CodeRED by Crisis24 system. However, the available data is from an earlier backup on March 31, 2025, so accounts will likely be missing from the system.
While Crisis24 only attributed the breach to an "organized cybercriminal group," BleepingComputer learned that the INC Ransomware gang has taken responsibility for the attack.
The ransomware gang claims to have breached OnSolve's systems on November 1, 2025, and encrypted files on November 10. After allegedly failing to receive a ransom payment, the threat actors say they are now selling the data stolen during the attack. (Lawrence Abrams / Bleeping Computer)
Related: Douglas County Sheriff's Office, Bitdefender, Malwarebytes, KOMO, Security Week, The Register, CyberScoop, Infosecurity Magazine, The Cyber Express

Researchers at Palo Alto Networks Unit42 experimented with two LLMs, WormGPT 4 and KawaiiGPT, that are seeing increased adoption among cybercriminals and discovered they are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement.
The WormGPT model originally emerged in 2023, but the project was reportedly discontinued the same year. WormGPT 4 is a resurgence of the brand that appeared in September. It is available for $50/month or $220 for lifetime access and works as an uncensored ChatGPT variant specifically trained for cybercrime operations.
A free, community-driven alternative is KawaiiGPT, spotted this year in July, which can generate well-crafted phishing messages and automate lateral movement by producing ready-to-run scripts.
Unit 42 researchers tested the malicious LLM's capability to create ransomware code that encrypted all PDF files on a Windows host.
The tool generated a PowerShell script that could be configured to hunt for specific file extensions in certain paths and encrypt data using the AES-256 algorithm. According to the researchers, the generated code even added an option to exfiltrate data via Tor, which taps into realistic operational requirements.
With another prompt, WormGPT 4 produced "a chilling and effective ransom note" that claimed "military-grade encryption" and gave a 72-hour deadline before doubling the payment demand.
Although KawaiiGPT did not demonstrate the generation of an actual encryption routine or a functional ransomware payload like WormGPT 4, the researchers warn that its command execution capability could allow attackers to escalate privileges, steal data, and drop and execute additional payloads.
In both scenarios, inexperienced attackers gain the ability to conduct more advanced attacks at scale, cutting down the time required to research victims or craft tooling. The models also produce polished, natural-sounding phishing lures that lack the telltale grammar mistakes of traditional scams. (Bill Toulas / Bleeping Computer)
Related: Palo Alto Networks, Security Week, CyberScoop, The Register, Dark Reading, Techzine, PC Gamer

Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.
ReliaQuest researchers say they found more than 40 typosquatted and impersonation domains – names like "znedesk.com" or "vpn-zendesk.com" – designed to mirror Zendesk's portals over the past six months. Some hosts fake single sign-on (SSO) pages aimed at harvesting credentials, while others are used to submit fraudulent tickets to helpdesk staff.
All share common registration hallmarks – the same registrar (NiceNic), US or UK contact details, and Cloudflare-masked nameservers – a profile almost identical to that of a previous impersonation campaign targeting Salesforce. That similarity leads security watchers to suspect the same criminal crew is behind both schemes: the "retired" Scattered Lapsus$ Hunters crew. (Carly Page / The Register)
Related: ReliaQuest, Cyber Daily, TechRadar, CSO Online
In a data breach notification filing, Dartmouth College disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school's Oracle E-Business Suite servers on its dark web leak site.
Dartmouth says the attackers exploited an Oracle E-Business Suite (EBS) zero-day vulnerability to steal personal information belonging to 1,494 individuals.
However, the total number of people potentially impacted by this data breach is likely much larger, given that the school is headquartered in Hanover, New Hampshire, and it hasn't yet filed a breach notice with the state's Attorney General.
In the same campaign, the extortion group has also targeted Harvard University, The Washington Post, Logitech, GlobalLogic, and American Airlines subsidiary Envoy Air, with their data also leaked online and now available for download via Torrent.
In recent weeks, other Ivy League schools have also been targeted by voice phishing attacks, with Harvard University, Princeton University, and the University of Pennsylvania disclosing that a hacker breached internal systems used for development and alumni activities to steal the personal information of students, alums, donors, staff, and faculty members. (Sergiu Gatlan / Bleeping Computer)
Related: Maine Attorney General, The Record, Security Week, The Register, Inside Higher Ed
The FBI warned of a massive surge in account takeover (ATO) fraud schemes and said that cybercriminals impersonating financial institutions have stolen over $262 million in ATO attacks since the start of the year.
Since January 2025, the FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors.
In these schemes, criminals gain unauthorized access to online bank, payroll, or health savings accounts using various social engineering techniques or fraudulent websites, the FBI said.
"Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets; therefore, funds are disbursed quickly and are difficult to trace and recover," the law enforcement agency said. (Sergiu Gatlan / Bleeping Computer)
Related: IC3, Forbes, PennLive, The Street, Payments Journal
Newly released satellite images of the targeted KK Park cyber scam center in Myanmar reveal that only buildings in one limited section of the compound were destroyed during the initial raid, leading experts to conclude that the October reports of destroyed buildings were propaganda.
High-resolution images of the KK Park scam compound, which is located near the Myanmar-Thailand border, show how military forces have razed multiple buildings, leaving piles of rubble in their place. However, the images show the destruction is, so far, confined to the eastern side of the gigantic compound—with hundreds of buildings across the vast compound being left untouched.
The satellite images, taken on November 16, appear to show that some buildings located around courtyards have been almost destroyed, with debris strewn around other buildings. Heintz says that the images, plus extra social media footage, indicate that some “villas” and dormitories where trafficking victims may have been housed appear to have been damaged or destroyed. (Myanmar’s military government has said further destruction started on November 17; third-party reports also suggest more buildings have been destroyed). (Matt Burgess / Wired)
Related: Myanmar Ministry of Information, New York Times, The Nation, WebProNews, Eleven Media Group
“Rey,” the moniker chosen by the technical operator and public face of the Scattered LAPSUS$ Hunters (SLSH) cyber threat group, confirmed his real-life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.
Infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father, Zaid. The message invited the father to respond via email, phone, or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.
Less than two hours later, Brian Krebs received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.
“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,’” said Saif, who told Krebs he turns 16 years old next month. “So I decided to talk to you directly.”
Saif explained that he’d already heard from European law enforcement officials and had been trying to extricate himself from SLSH. When asked why, then, he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group. (Brian Krebs / Krebs on Security)
Related: The Register, Hackread, KELA Cyber Threat Intelligence, ITPro, Infosecurity, Cyber Daily
Multiple London councils were hit by a cyberattack, with the potential for residents' data to have been compromised.
The Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC) - which share several IT systems - informed the Information Commissioner's Office, a step usually taken when data is compromised.
A statement from RBKC added that the councils are working with the "help of specialist cyber incident experts and the National Cyber Security Centre (NCSC), with the focus on protecting systems and data, restoring systems, and maintaining critical services to the public." (Tim Baker / Sky News)
Related: The Register, London Evening Standard, The Independent, The Guardian, Bleeping Computer, BBC News
Peter Gregg, the president and chief executive officer of Nova Scotia Power, says a Russia-based actor is likely behind a cybersecurity breach that targeted the utility's customers in April.
"This incident was an unprecedented, sophisticated and targeted attack," Gregg told a committee of the Nova Scotia legislature in prepared remarks. "Based on expert assessments and intelligence, there is a high degree of confidence that the activity was closely associated with a Russia-based threat actor group."
The cyberattack in April has morphed into a crisis for the utility, prompting a barrage of complaints from customers concerned about who had gained access to their personal information.
The breach has also prompted some complaints from customers who say they were overbilled, after the utility said it could no longer rely on remote meter readings, choosing instead to estimate electricity consumption for billing. (Emily Baron Cadloff / The Canadian Press)
Related: Global News, The Chronicle Herald
The French Football Federation (FFF) disclosed a data breach after attackers used a compromised account to gain access to administrative management software used by football clubs.
After detecting the unauthorized access, FFF's security team disabled the compromised account and reset all user passwords across the system.
However, before they were detected and evicted from the breached systems, the threat actors stole personal and contact information from members of French football clubs.
"Upon detection of this unauthorized access through the use of a compromised account, the FFF services took the necessary steps to secure the software and data, including immediately disabling the account in question and resetting all user account passwords," the FFF said [machine translation].
"This breach is limited to the following data only: name, surname, gender, date and place of birth, nationality, postal address, email address, telephone number and license number."
The FFF said it will directly notify all individuals whose email addresses appear in the compromised database and urged members to be suspicious of messages claiming to originate from the federation, their clubs, or other senders. (Sergiu Gatlan / Bleeping Computer)
Related: FFF, Security Affairs, The Cyber Express, Security Week
A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers during flights and at various airports across Australia.
The man, an Australian national, was charged in July 2024 after Australian authorities had confiscated his equipment in April and confirmed that he was engaging in malicious activities during domestic flights and at airports in Perth, Melbourne, and Adelaide.
Specifically, the man set up an access point with a ‘WiFi Pineapple’ portable wireless access device and used the same name (SSID) for the rogue wireless network as the legitimate ones in airports.
Users connecting to the malicious access point were directed to a phishing webpage that stole their social media account credentials.
The man used these credentials to access women's accounts to monitor their communications and steal private images and videos. (Bill Toulas / Bleeping Computer)
Related: AFP, The National Tribune
Security researcher Luke Marshall of Truffle Security discovered more than 17,000 exposed secrets across over 2,800 unique domains after scanning all 5.6 million public repositories on GitLab Cloud.
He used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens.
The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets.
GitLab is a web-based Git platform used by software developers, maintainers, and DevOps teams to host code, for CI/CD operations, development collaboration, and repository management.
Marshall used a GitLab public API endpoint to enumerate every public GitLab Cloud repository, using a custom Python script to paginate through all results and sort them by project ID.
The researcher reports that many organizations revoked their secrets in response to his notifications. However, an undisclosed number of secrets continue to be exposed on GitLab. (Bill Toulas / Bleeping Computer)
Related: Truffle Security

Making his first public appearance since the incident, Japanese beer giant Asahi Group Holdings' CEO and President Atsushi Katsuki said the group has found 1.52 million potential leaks of customer data, 114,000 leaks of data on those to whom the group has sent congratulatory or condolence telegrams, 107,000 leaks of employee information, and 168,000 leaks of data belonging to families of employees, including those who have retired from the group.
Exposed data may include email addresses, mailing addresses, and phone numbers, but credit card information is not included in this data exposure, according to Asahi.
Chief Financial Officer Kaoru Sakita and Asahi Group Japan CEO Kenji Hamada apologized for the prolonged disruption that has plagued the beer and beverage giant since Sept. 29.
“We sincerely apologize for all of this trouble,” Katsuki said. “I want to thank our customers for their messages and letters of support, as well as special arrangements from our business partners. We are deeply grateful for your support and cooperation.” (Jessica Speed / The Japan Times)
Related: Asahi, The Record, BBC News, The Register, Security Affairs
Hacktivists from the Iran-linked "Handala" group claimed that members of the group broke into the vehicle of an Israeli nuclear scientist, leaving behind a bouquet of flowers.
The group also published a threatening message along with the claim.
"By now, you have surely felt it, the subtle shift in the air around you. The moment when an ordinary day becomes... wrong," the group threatened.
"Funds are moving. People are moving. Shadows are moving. All in directions you never anticipated," the threat continued.
"Yesterday, you received our bouquet. A harmless object, at first glance. But you noticed the weight of it, didn’t you? You felt the presence behind it, the hands that carried it, the footsteps that faded just before you opened the door," the group continued.
The hacktivist group also published a list of names of individuals it claimed were members of the IDF Intelligence Directorate's Signal Intelligence unit, known as Unit 8200. (The Jerusalem Post)
Related: Ynet News, Shafaq, WANA, PressTV, Roya News
Researchers at watchTowr examined the JSONFormatter and CodeBeautify online platforms and found that their Recent Links feature provided access to JSON snippets that users had saved on the services' servers for temporary sharing purposes.
When clicking the 'save' button, the platform generates a unique URL pointing to that page and adds it to the user’s Recent Links page, which has no protection layer, thus leaving the content accessible to anyone.
Since Recent Links pages follow a structured, predictable URL format, the URL can be easily retrieved with a simple crawler.
By scraping these public “Recent Links” pages and pulling the raw data using the platforms’ getDataFromID API endpoints, watchTowr collected over 80,000 user pastes corresponding to five years of JSONFormatter data and one year of CodeBeautify data with sensitive details.
In one case, the researchers found "materially sensitive information" from a cybersecurity company that could be easily identified. The content included "encrypted credentials for a very sensitive configuration file," SSL certificate private key passwords, external and internal hostnames and IP addresses, and paths to keys, certificates, and configuration files.
Currently, the Recent Links are still freely accessible on the two code-formatting platforms, allowing threat actors to scrape the resources for sensitive data. (Bill Toulas / Bleeping Computer)
Related: watchTowr, InfoWorld, Help Net Security, Security Affairs, Security Week, TechRadar, The Cyber Express, SC Media

Researchers at security company PromptArmor demonstrated how an attacker can manipulate Gemini to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user’s integrated development environment (IDE).
They illustrated that a poisoned web source (an integration guide) can manipulate Gemini into (a) collecting sensitive credentials and code from the user’s workspace, and (b) exfiltrating that data by using a browser subagent to browse to a malicious site.
The attack itself is hidden in a 1px font on a web page claiming to offer an integration guide for an Oracle ERP API.
If successful, this will steal the user's AWS credentials from their .env file and send them off to the attacker.
Google's Antigravity IDE defaults to refusing access to files that are listed in .gitignore - but Gemini turns out to be smart enough to figure out how to work around that restriction.
Coding agent tools like Antigravity are an incredibly valuable target for attacks like this, especially now that their usage is becoming much more mainstream. (Simon Willison’s Weblog)
Related: PromptArmor, Google Bug Hunters, Embrace The Red, WinBuzzer, Hacker News (ycombinator)

Polish Interior Minister Marcin Kierwiński said that police arrested a man for breaching security systems to gain access to the IT systems of local companies.
A more detailed statement from the Krakow prosecutor’s office said the suspect allegedly hacked into an online retailer’s systems without authorization and manipulated its databases in ways that could have disrupted operations and endangered customers.
The suspect, whose identity has not been disclosed, illegally crossed into Poland in 2022 and obtained refugee status the following year. He has been placed in temporary custody while the investigation continues.
Authorities believe the man may be linked to additional cybercriminal activity targeting companies in Poland and across the EU, and are still assessing the scale of the possible damage. (Daryna Antoniuk / The Record)
Related: Prosecutor's Office, Reuters
Cable and broadband giant Comcast will pay a $1.5 million fine after a vendor breach exposed personal data from 237,000 current and former customers, the Federal Communications Commission said.
In a consent decree, the FCC said a debt collector used by Comcast until 2022, Financial Business and Consumer Solutions, suffered a 2024 data breach that exposed personal information of Comcast internet, TV, and home security customers.
The FCC noted the vendor known as FBCS filed for bankruptcy before the data breach was disclosed in August 2024.
As part of the FCC settlement, Comcast agreed to adopt a compliance plan that includes new vendor oversight practices related to customer privacy and information protection.
Comcast said it "was not responsible for and has not conceded any wrongdoing in connection with this incident." The company added that no Comcast systems were compromised, and FBCS was required to comply with its vendor security requirements. (David Shephardson / Reuters)
Related: FCC, Cord Cutter News, Bleeping Computer, Bitdefender
Hackers are hijacking US radio transmission equipment to broadcast bogus emergency messages and obscene language, the Federal Communications Commission said.
In a public notice, the FCC said a "recent string of cyber intrusions against various radio broadcasters" had occurred, resulting in the issuance of the US Emergency Alert System's "Attention Signal." The signal is an attention-grabbing sound that is meant to precede official announcements related to tornadoes, hurricanes, earthquakes, and other emergencies.
The FCC said the hackers appeared to have compromised improperly secured equipment made by the Swiss network audio company Barix and reconfigured it "to receive attacker-controlled audio in lieu of station programming." The agency said affected stations "broadcast to the public an attacker-inserted audio stream that includes an actual or simulated Attention Signal and EAS alert tones, as well as obscene language, and other inappropriate material."
The FCC notice cited reporting from the last few days about radio streams in Texas and Virginia being hijacked to broadcast bigoted or offensive material. The agency urged broadcasters to take basic security precautions, such as changing default passwords and regularly installing updates. (Raphael Satter and A.J. Vicens / Reuters)
Related: FCC, Times of India, TechInformed, Radio Insight, WRIC
Spanish flag carrier Iberia is notifying customers that their personal information was compromised after one of its suppliers was hacked, with the hackers now reportedly demanding $6 million from the airline as a ransom to stop the data being leaked or sold.
The data breach was allegedly perpetrated by a Russian-linked group of hackers known as Everest, who were also responsible for a ransomware attack in September that brought chaos to several major European airports when check-in software was taken offline.
In Spanish-written emails sent on Sunday, a copy of which threat intelligence provider Hackmanac shared on social media, the company said that names, email addresses, and frequent flyer numbers were stolen in the attack.
According to Iberia, no passwords or full credit card data were compromised in the attack, and the incident was addressed immediately after discovery.
The airline said it also improved customer account protections by requiring a verification code to be provided when attempting to change the email address associated with the account.
Iberia said it has notified law enforcement of the incident and that it has been investigating it together with its suppliers.
The company did not say when the data breach occurred and did not name the third-party supplier that was compromised. It is unclear if the incident is linked to recently disclosed hacking campaigns involving Salesforce and Oracle EBS customers. (Ionut Arghire / Security Week and Mateusz Maszczynski / PYOK)
Related: PYOK, Travel Weekly, Security Affairs
The Cybersecurity and Infrastructure Security Agency warned that threat groups are using commercial spyware to target messaging apps and urged users to take protective steps.
“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps),” the agency said in a brief online notice. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”
The warning draws on research this year that calls attention to hackers who are mimicking popular apps to deploy Android spyware, as well as Android spyware targeting Samsung devices by sending image files over WhatsApp. The warning also piggybacks on research about Russian hackers infecting Signal accounts.
“While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East, and Europe,” the CISA warning states. (Tim Starks / CyberScoop)
Related: CISA
The House Homeland Security Committee has asked Anthropic CEO Dario Amodei to testify at a Dec. 17 hearing on how Chinese state actors used Claude Code in a wide-reaching cyber-espionage campaign.
House Homeland Security Chair Andrew Garbarino (R-NY) sent letters to Amodei, Google Cloud CEO Thomas Kurian, and Quantum Xchange CEO Eddy Zervigon requesting they testify at a hearing on the future of AI and cybersecurity next month. (Sam Sabin / Axios)
Related: Washington Examiner, NewsMax.com, Committee on Homeland Security, Gizmodo, CyberScoop, Bloomberg
Several public websites designed to allow courts across the United States and Canada to manage the personal information of potential jurors had a simple security flaw that easily exposed their sensitive data, including names and home addresses.
A security researcher, who asked not to be named for this story, contacted TechCrunch with details of the easy-to-exploit vulnerability and identified at least a dozen juror websites made by government software maker Tyler Technologies that appear to be vulnerable, given that they run on the same platform.
The sites are all over the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.
Tyler told TechCrunch that it is fixing the flaw. (Lorenzo Franceschi-Bicchierai / TechCrunch)
A Nov. 13 message authored by Army deputy chief of staff for intelligence Lt. Gen. Anthony R. Hale was sent to over a million soldiers and civilians in the Army apparatus and noted the threat of foreign intelligence entities trying to gather information remains persistent, the Army said.
The information, which was voluntarily publicized, underscores that foreign rivals are continuing covert online efforts to access national intelligence and defense information from people connected to the US government, including military members. It also comes as the Trump administration has worked to severely shrink the government through layoffs and paid offers for employees to leave federal service early.
Foreign spy groups are posing online as consulting firms, corporate recruiters, think tanks, and other seemingly legitimate companies, Hale’s message said. It does not name specific nations involved.
“Especially in the context of the recent lapse in appropriations and government shutdown, our adversaries are looking online to identify individuals seeking new employment opportunities, expressing dissatisfaction or describing financial insecurity,” he wrote. The government reopened on Nov. 12, just before the memo was issued. (David DiMolfetta / NextGov/FCW)
Related: US Army, Military Times
The "Strategic Subsea Cables Act of 2025," introduced by Sens. Jeanne Shaheen (D-NH) and Senate Majority Whip John Barrasso (R-WY), would direct the Department of State to expand its engagement with global efforts to protect undersea cables from physical and cyber attacks.
It would allow the Department of the Treasury to cut off from the dollar-settling system any foreign person responsible or complicit in damaging a cable.
The bill also seeks to fortify US defenses against cable disruptions and sabotage attempts, which officials say have become more frequent in the Baltic Sea, the Taiwan Strait, and other global hot spots.
Shaheen said the United States must be ready for malicious activity and the cascading national security and economic effects that can follow attacks on subsea cables. (Chris Riotta / Payment Security.io)
Related: Senate Foreign Relations Committee, Circle ID, Focus Taiwan, Taipei Times
DeFi platform Yearn Finance confirmed that an active exploit affecting its yETH product took place when an attacker minted an effectively unlimited amount of yETH and drained around $3 million in liquidity from Balancer pools.
According to blockchain data, the exploit occurred around 21:11 UTC on November 30, when a malicious wallet executed an infinite-mint attack that created roughly 235 trillion yETH in a single transaction.
Nansen’s alert system later confirmed the attack and identified the event as an infinite-mint vulnerability in the yETH token contract, not in Yearn’s Vault infrastructure.
The attacker used the newly minted yETH to drain real assets—primarily ETH and Liquid Staking Tokens (LSTs)—from Balancer liquidity pools. Early estimates suggest roughly $2.8 million in assets were removed.
Around 1,000 ETH was laundered through Tornado Cash shortly after the attack. Several helper contracts used in the exploit were deployed minutes before the incident and self-destructed afterward to obscure the trail. (Mohammad Shahid / BeInCrypto)
Related: Cryptonews, Tron Weekly, Coinfomania
Opti, the AI-native identity security platform, has secured $20 million in a venture funding seed round.
YL Ventures, Mayfield Fund, and Hetz Ventures led the round with participation from Squared Circle Ventures, LocalGlobe, Maple Capital, and angel investor and cybersecurity trailblazer Shlomo Kramer. (Chris Metinko / Axios)
Related: Security Week, Calcalist, PR Newswire, FinTechGlobal
Clover Security, a Tel Aviv, Israel-based product security company, raised $36 million in funding.
Notable Capital and Team8 led the round with participation from SVCI, Wiz co-founders Assaf Rappaport and Yinon Costica, Shlomo Kramer of Cato Networks, Rene Bonvanie, and executives from Snyk, CrowdStrike, Palo Alto Networks, Atlassian, and Google. (Sam Sabin / Axios)
Related: CTech, Clover Security, SiliconANGLE, FinSMEs, Notable Capital, Tech.eu, FinTech Global
Best Thing of the Day: Sparing Security Pros a Lot of Drama
A group of current and former CISOs and security experts launched a website called Hacklore, a portmanteau of hacking and folklore, to offer drama-free and myth-free advice to security professionals that is proportional to both the likelihood and the potential harm of various threats.
Worst Thing of the Day: It's Not Nice for CISOs to Be Classist or Racist
Campbell Soup Company fired its vice president and chief information security officer, Martin Bally, after a former employee recorded an hour-long rant in which Bally alleged the company produces “highly processed food” for “poor people” and made several derogatory comments about Indian employees, calling them “idiots.”
Bonus Worst Thing of the Day: Literally Physically Painful
A magician in Missouri had the idea to implant a computer chip into his hand and then do some fun magic tricks with it, but unfortunately, he forgot the password.
Closing Thought
