UK ICO fines LastPass $1.6 million over 2022 data breach

Cybercrims impersonate cops to get sensitive data on users, Throwaway phone numbers undercut SMS 2FA, Chinese inverters threaten the power grid, Second Irish HSE attack revealed, Irish Justice Minister apologizes for gaffe over PSNI data breach, Korea seeks punitive fines over breaches, much more


The UK Information Commissioner's Office (ICO) imposed a fine of 1.2 million British pounds (around $1.6 million) against password manager LastPass over a 2022 data breach that exposed the data of millions of its customers.

Unidentified hackers stole backup data from LastPass's Amazon Web Services S3 bucket. Among the exposed data were email and IP addresses of 1.6 million British accounts, as well as names and phone numbers of thousands of LastPass customers.

"LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today," said Information Commissioner John Edwards. (Akshaya Asokan / Bank Info Security)

Related: ICO, ITPro, Infosecurity Magazine, The Cyber Express, TechRadar, Lexology, The Record, The Register, Digit, Forbes

Cybercriminals are impersonating police officers in successful attempts to obtain sensitive information on tech and communications companies' users.

"Exempt" is a member of the group that carried out the ploy. He claims that his group has been successful in extracting similar information from virtually every major US tech company, including Apple and Amazon, as well as more fringe platforms like video-sharing site Rumble, which is popular with far-right influencers.

Exempt shared the information Charter Communications sent to the group with WIRED, and explained that the victim was a “gamer” from New York. When asked if he worried about how the information he obtained was used against the target, Exempt said: “I usually do not care.”

This method of tricking companies into handing over information that can be used to harass, threaten, and intimidate victims has been known about for years. But WIRED has gained unprecedented insight into how one of these doxing groups operates, and why, despite years of warnings, it is still happening so often.

The Charter Communications incident was one of up to 500 successful requests Exempt claims to have made in recent years. To back up his claims, the hacker shared multiple documents and recordings with WIRED, including what he claimed were screenshots of email requests, fake subpoenas, responses from tech companies, and even a video recording of a phone call with one company’s law enforcement response team, which was seeking to verify a request. Exempt also shared evidence suggesting that a current law enforcement officer (Exempt refused to provide the officer’s location or name) was in contact with the group about allegedly working with them to submit requests from his own account in return for a cut of the profits. (David Gilbert / Wired)

Related: r/technology

Researchers at the University of Cambridge determined that the rise of SMS activation services that offer throwaway phone numbers, typically for less than 30 US cents apiece, is knocking down the value of SMS two-factor authentication, which serves as a barrier to online disinformation.

The researchers said they collected a year's worth of data from four providers of on-demand text message verification - SMSActivate, 5Sim, SMShub, and SMSPVA - to come up with figures for the costs associated with creating a fake account on various social media platforms across the globe.

SMS activation does not guarantee an account will not get blocked, but Roozenbeek, who researches propaganda, said he and his colleagues validated their findings by, in some cases, creating accounts using the throwaway numbers. He said that while they were occasionally stymied, with at least one service, "we succeeded every time we tried."

The researchers' findings, available through a freshly launched online dashboard, show that phone number verification associated with many countries - including the United States - can be acquired for between 20 and 30 cents apiece. British, Russian, and Indonesian numbers were among the cheapest, at 10 cents or less, the researchers said.

They found that Japan and Australia, where SIM cards are more expensive and regulations around their purchase are more stringent, were among the most expensive, at around $5 and $3, respectively.

Shopping for throwaway numbers to use for different services yielded different results. Getting a US number for use on WhatsApp costs about $3, according to the researchers' dashboard. Getting one for use on X, the social network formerly known as Twitter, costs 8 cents.

SMS activations for direct-messaging apps like WhatsApp in general commanded higher prices, potentially due to more stringent vetting, while "Twitter or X is quite lax compared to others."

WhatsApp said in a statement that it welcomed the research into an industry it said was "aiming to mislead internet services." It added that, in addition to phone numbers, WhatsApp employed an array of "technical and behavioral signals" to screen users and police fraud. X did not return messages seeking comment. (Raphael Satter / Reuters)

Related: Science, Cotsi.org

Research group Strider Technologies reports that more than 85 percent of the utilities it surveyed confidentially are using inverter devices made by companies with ties to the Chinese government and military, which many cybersecurity experts warn are vulnerable to hacking that can set off cascading outages.

The researchers also found evidence that engineers in China have been studying how vulnerabilities in the US grid could be exploited, which unnerves US officials in the context of China’s broader initiatives to infiltrate infrastructure.

Solar power accounts for roughly 90 percent of the new energy added to America’s electricity system this year. (Evan Halper and Ellen Nakashima / The Washington Post)

Related: Strider, Chosun Biz

There is no evidence that patients’ data was stolen during a second ransomware attack targeting Health Service Executive (HSE) systems earlier this year, the authority has said.

Earlier this week, the HSE began offering compensation to victims of a cyberattack that caused widespread disruption in May 2021, costing the agency an estimated €102 million.

It has now emerged that a second ransomware attack took place last February, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the Midlands.

IT systems were fully recovered following the cyberattack, and there was no evidence that data had been exfiltrated, according to HSE records obtained under the Freedom of Information Act.

A spokeswoman said HSE systems were not “directly” impacted by the February ransomware attack.

“The HSE has invested significantly in cyber remediation since the cyberattack in May 2021. Multiple ongoing programmes of work are focused on addressing all issues highlighted in the wake of the attack,” she added.

The original ransomware attack occurred when an employee clicked on a malicious MS Excel file that was attached to a phishing email on March 18th, 2021. (Darragh McDonagh / Breaking News.ie)

Related: Databreaches.net, RTE

Naomi Long, Northern Ireland’s Justice Minister, is facing calls to apologise to police officers following a “monumental gaffe” over remarks around compensation for a major Police Service of Northern Ireland (PSNI) data breach.

Long said she had “misspoken” when she claimed the previous day that £119 million (€135.7 million or around $159 million) to deal with compensation claims had been agreed by the Stormont Executive.

Liam Kelly, the chairman of the Police Federation for Northern Ireland, said rank-and-file officers were “left speechless and massively disappointed” by her remarks.

Chief Constable Jon Boutcher told the Policing Board he hoped the “mistake” would become a “premonition”.

The PSNI breach occurred in August, 2023, when a spreadsheet released as part of a freedom of information request held hidden data with the initials, surname, rank and role of all PSNI officers and staff.

The information later got into the hands of dissident republicans.

The PSNI accepted liability for the data breach, and a test case over potential compensation has begun in the courts.

The Stormont Executive had made a reserve claim to the Treasury to cover an expected £120 million compensation bill, but this was rejected.

Long told The Nolan Show on BBC that the Executive had agreed to set aside “around £119 million” to compensate officers.

However, she appeared on the show again on Thursday to say she had “misspoken”.

She said: “That was my error in saying the money was agreed by the Executive, rather than agreed by the Department of Finance.”

Mr Kelly said Ms Long now “needs to make a clear apology to officers over the monumental gaffe.” (Jonathan McCambridge / The Irish Times)

Related: BBC News, Belfast News Letter

Science Minister Bae Kyung-hoon said the government will seek to introduce punitive fines on businesses with repeated data breaches amid growing concern over personal information security.

Bae made the remark during the Ministry of Science and ICT's policy briefing to President Lee Jae Myung in the central city of Sejong.

"We aim to establish a stern responsibility-based system by imposing punitive fines on businesses that suffer repeated security breaches," Bae said.

"The government will bolster its data security capability and stand with the people to launch an all-out war against hacking attacks," he added.

The plan came in the wake of data breaches reported by businesses this year, including cases at SK Telecom Co., KT Corp., and e-commerce giant Coupang Inc., affecting most South Koreans.

In detail, the ministry said it will seek to codify the responsibility of chief executive officers under relevant laws and strengthen the authority of chief security officers.

Companies with repeated security breaches will face fines of up to 3 percent of their annual sales, the ministry said, noting that the Personal Information Protection Commission is in the process of raising the ceiling.

Fines for delayed reporting to authorities in the event of a breach will be increased to 50 million won (US$339,000) from the current 30 million won.

"To encourage the market to avoid businesses with poor security controls, the government will adopt a policy to assess companies' security capabilities and disclose the results to the public," the ministry said in a report. (Yonhap News Agency)

Related: Financial Times, Dong-A

Two Chinese tech companies have been sanctioned in the UK after launching “reckless and indiscriminate cyber-attacks” around the world, including against British IT networks.

Announcing the sanctions, the Foreign Office (FO) said that Sichuan Anxun Information Technology Co. Ltd, otherwise known as i-Soon, targeted more than eighty foreign governments and private businesses, and provided support for others planning to carry out malicious cyber activity.

The government said that i-Soon had engaged in “researching, exploiting and sharing vulnerabilities” targeting UK public sector and private industry IT networks, aiming to undermine the success and security of British organizations.

Elsewhere, i-Soon has been accused of targeting American systems, including those of the federal government, leading the US State Department to offer a reward of up to $10 million for information on the location of ten individuals associated with the firm.

Meanwhile, Integrity Technology Group Incorporated (Integrity Tech) is also facing sanctions in the UK, with the Beijing-based firm accused of operating a covert cyber network and providing support for attacks, including against British public sector IT systems. (Tom Quinn / Digit)

Related: GOV.uk, NTD

An anonymous hacker group has reportedly breached the servers of Mikord, a little-known Russian tech firm alleged to be involved in building the country’s unified military registration database.

According to Grigory Sverdlov, head of the Russian anti-war human rights group Idite Lesom (“Get Lost”), the hackers contacted him and handed over a trove of internal Mikord documents, including source code, technical and financial records, and internal correspondence. Sverdlov said the group claimed it had maintained access to Mikord’s systems.

Idite Lesom, which helps Russians evade conscription and mobilization, has been labeled a “foreign agent” by Moscow. Sverdlov himself faces criminal charges for allegedly spreading “fake news” about the Russian military.

Mikord’s website has been offline for days, showing only a maintenance message. Earlier this month, the company’s homepage was defaced by hackers who said they intended to give the stolen materials to journalists and later publish them publicly.

The company, which provides software development and automation services for government agencies and major corporations, has never publicly acknowledged any role in developing Russia’s new military registry. But Latvia-based investigative outlet Important Stories (iStories) said it verified the leaked materials and confirmed Mikord’s participation in the project.

Mikord’s director, Ramil Gabdrakhmanov, admitted to iStories that the firm had been hacked. “It happens to everyone. Lots of people are being attacked these days,” he told the outlet. He declined to comment on whether the company worked on the military database. (Daryna Antoniuk / The Record)

Related: The Moscow Times, iStories

Researchers at SentinelOne report that CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service.

CyberVolk's soldiers can use the platform's built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram.

But the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master key (the same key encrypts all files on a victim's system) into the executable files. This could allow victims to recover encrypted data without paying the extortion fee. (Jessica Lyons / The Register)

Related: SentinelOne

CyberVolk (2025) Ransom note HTML. Source: SentinelOne.

Notepad++ version 8.8.9 was released to fix a security weakness in its WinGUp update tool after researchers and users reported incidents in which the updater retrieved malicious executables instead of legitimate update packages.

The first signs of this issue appeared in a Notepad++ community forum topic, where a user reported that Notepad++'s update tool, GUP.exe (WinGUp), spawned an unknown "%Temp%\AutoUpdater.exe" executable that executed commands to collect device information.

According to the reporter, this malicious executable ran various reconnaissance commands and stored the output into a file called 'a.txt.'

Earlier this month, security expert Kevin Beaumont warned that he heard from three organizations that were impacted by security incidents linked to Notepad++.

"I've heard from 3 orgs now who've had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access," explained Beaumont.

Beaumont says that all of the organizations he spoke to have interests in East Asia and that the activity appeared very targeted, with victims reporting hands-on reconnaissance activity after the incidents. (Lawrence Abrams / Bleeping Computer)

Related: Notepad++ Forum, GBhackers, Security Week, TechSpot

Researchers at Push Security report that a new variation of the ClickFix attack, dubbed ConsentFix, abuses the Azure CLI OAuth app to hijack Microsoft accounts without needing the victim's password and without having to bypass multi-factor authentication (MFA) checks.

According to the researchers, the ConsentFix technique steals OAuth 2.0 authorization codes that can be used to obtain an Azure CLI access token.

Azure CLI is a Microsoft command-line application that uses an OAuth flow to let users authenticate and manage Azure and Microsoft 365 resources from their local machine. In this campaign, attackers trick victims into completing that Azure CLI OAuth flow and then steal the resulting authorization code, which they exchange for full account access without needing the user's password or MFA.

Push says the attack triggers only once per victim IP address, so even if valid targets return to the same phishing page, they will not be shown the fake Cloudflare Turnstile check again.

The researchers suggest that defenders look for unusual Azure CLI login activity, such as logins from new IP addresses, and monitor for legacy Graph scopes, which attackers intentionally leverage to evade detection. (Bill Toulas / Bleeping Computer)
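
One way to act on that detection advice, as an added example that is not Push Security's code: a small Go scan over Entra ID sign-in records (field names follow the Microsoft Graph signIn resource) that flags Azure CLI sign-ins from IP addresses outside a per-user baseline and Azure CLI tokens issued for the legacy Azure AD Graph resource. The display-name constants and the sample records are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SignIn holds the fields of an Entra ID sign-in record this check uses;
// the JSON names follow the Microsoft Graph signIn resource.
type SignIn struct {
	Time     string `json:"createdDateTime"`
	User     string `json:"userPrincipalName"`
	App      string `json:"appDisplayName"`
	IP       string `json:"ipAddress"`
	Resource string `json:"resourceDisplayName"`
}

// Finding is one record a reviewer should look at, and why.
type Finding struct {
	User, IP, Reason string
}

// Display names as they appear in sign-in logs. Assumption: confirm these
// against your own tenant's logs before relying on exact-match filters.
const (
	azureCLIApp = "Microsoft Azure CLI"
	legacyGraph = "Windows Azure Active Directory" // the legacy Azure AD Graph API
)

// parseSignIns decodes a JSON array of sign-in records.
func parseSignIns(data []byte) ([]SignIn, error) {
	var recs []SignIn
	if err := json.Unmarshal(data, &recs); err != nil {
		return nil, err
	}
	return recs, nil
}

// reviewSignIns flags Azure CLI sign-ins whose source IP is not in the user's
// baseline, and Azure CLI tokens requested for the legacy Graph resource.
// baseline maps user -> set of IPs previously seen for Azure CLI (assumed to
// have been built from older, trusted logs).
func reviewSignIns(recs []SignIn, baseline map[string]map[string]bool) []Finding {
	var out []Finding
	for _, r := range recs {
		if r.App != azureCLIApp {
			continue // other apps are out of scope for this specific check
		}
		if !baseline[r.User][r.IP] { // reading a nil inner map is safe in Go
			out = append(out, Finding{r.User, r.IP, "Azure CLI sign-in from IP outside baseline"})
		}
		if r.Resource == legacyGraph {
			out = append(out, Finding{r.User, r.IP, "Azure CLI token for legacy Azure AD Graph"})
		}
	}
	return out
}

// sampleLog is constructed for this example; IPs are documentation ranges.
const sampleLog = `[
 {"createdDateTime":"2025-12-18T09:12:03Z","userPrincipalName":"alice@example.test",
  "appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.7","resourceDisplayName":"Microsoft Graph"},
 {"createdDateTime":"2025-12-18T09:40:51Z","userPrincipalName":"bob@example.test",
  "appDisplayName":"Microsoft Azure CLI","ipAddress":"198.51.100.23","resourceDisplayName":"Windows Azure Active Directory"},
 {"createdDateTime":"2025-12-18T10:02:14Z","userPrincipalName":"carol@example.test",
  "appDisplayName":"Office 365 Exchange Online","ipAddress":"198.51.100.23","resourceDisplayName":"Microsoft Graph"}
]`

func main() {
	recs, err := parseSignIns([]byte(sampleLog))
	if err != nil {
		panic(err)
	}
	// Constructed baseline: alice has used 203.0.113.7 before, bob only 192.0.2.10.
	baseline := map[string]map[string]bool{
		"alice@example.test": {"203.0.113.7": true},
		"bob@example.test":   {"192.0.2.10": true},
	}
	for _, f := range reviewSignIns(recs, baseline) {
		fmt.Printf("%-20s %-15s %s\n", f.User, f.IP, f.Reason)
	}
}
```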

Related: Push Security, CSO Online

Fake Cloudflare Turnstile page requesting a valid email address. Source: Push Security.

Pet wellness company Petco has taken a portion of its Vetco Clinics website offline after a security lapse exposed reams of customers’ personal information to the open web.

After TechCrunch alerted the company to the exposed data relating to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data leak at its veterinary services company, and declined to comment further.

The security lapse allowed anyone on the internet to download customer records from Vetco’s website without needing a user’s login information. At least one customer record was exposed and indexed by Google, allowing anyone to find the data by searching for it.

The customer records, seen by TechCrunch, included visit summaries, medical histories, and prescription and vaccination records, among other files relating to Vetco customers and their pets.

The files also contained customer names; their home address, email address, and phone number; the location of the Vetco clinic where the services were performed; medical assessments, tests, and diagnoses; and the costs of goods, names of veterinarians, consent forms, owner signatures, and dates of service.

We also found animal names, species and breed, their sex, age and date of birth, their microchip number (if registered), their medical vitals, and prescription records in the files. (Zack Whittaker / TechCrunch)

Related: Engadget

Joe Francescon, who was announced in August as the next NSA deputy director, was recently informed he will no longer get the job, multiple sources said.

The administration now plans to name Tim Kosiba, who formerly held top roles at the NSA and FBI, to the role, according to these people, who were granted anonymity to candidly discuss the personnel change.

The switch is the latest turbulence for the world’s most powerful electronic spying agency, which has been without a Senate-confirmed leader for more than eight months, witnessed changes among several senior roles, and undergone massive personnel cuts. The deputy position does not require Senate confirmation.

Despite being named months ago, Francescon, a former NSA analyst who held senior roles on the National Security Council during President Donald Trump’s first term, had yet to begin work. His selection came under almost immediate scrutiny from far-right activist Laura Loomer, who claimed Francescon had donated money to a Democratic congressman.

There was also resistance in the administration to Francescon becoming NSA deputy chief, a position that oversees much of the agency’s day-to-day operations and acts as a filter to provide only the most critical information to its leader. (Martin Matishak / The Record)

Researchers at Palo Alto Networks Unit 42 report that "Wirte," a cyber threat group affiliated with Hamas, has been conducting espionage across the Middle East.

Tracked by Unit 42 as "Ashen Lepus," the group has been spying on regional government bodies and diplomatic entities since 2018. Lately, it's been expanding its interests into countries less directly associated with the Israel-Palestine conflict, like Oman and Morocco. And to match its broadening scope, Wirte has invented a new malware suite with a variety of features useful for evading cybersecurity programs.

The Wirte playbook is in most ways textbook cyber espionage. Victims receive phishing emails with PDFs relating to the Israel-Palestine conflict. When they follow a link in the PDF, they reach a file-sharing service with a RAR archive waiting.

Should they continue, they'll trigger a dynamic link library (DLL) sideloading attack in the background of their machine. They'll then see the document they were after, while Wirte's infection chain quietly commences. Eventually, the hackers will perform hands-on keyboard activity to steal documents of diplomatic and political significance. (Nate Nelson / Dark Reading)

Related: Unit42, GBhackers

CVE-2025-8110, the Gogs RCE vulnerability exploited in these attacks, stems from a path traversal weakness in the PutContents API. The flaw allows threat actors to bypass the protections implemented for a previously patched remote code execution bug (CVE-2024-55947) by using symbolic links to overwrite files outside the repository.

While Gogs versions that addressed the CVE-2024-55947 security bug now validate path names to prevent directory traversal, they still fail to validate the destination of symbolic links. Attackers can abuse this by creating repositories containing symbolic links pointing to sensitive system files, and then using the PutContents API to write data through the symlink, overwriting targets outside the repository.

By overwriting Git configuration files, specifically the sshCommand setting, attackers can force target systems to execute arbitrary commands.

Wiz Research discovered the vulnerability in July while investigating a malware infection affecting a customer's Internet-facing Gogs server. In total, the researchers found over 1,400 Gogs servers exposed online, with more than 700 instances showing signs of compromise.

Gogs users are advised to immediately disable the open registration default setting and limit access to the server using a VPN or an allow list. Those who want to check whether their instance has already been compromised should look for suspicious use of the PutContents API and for repositories with random 8-character names. (Sergiu Gatlan / Bleeping Computer)
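
The flaw described above is a check that inspects only the path string and never asks where a symlink actually leads. The following Go code is an added example, not Gogs or Wiz code, that puts a lexical-only check beside one that resolves symlinks before deciding whether a write stays inside the repository; the temporary repository, the "outside" directory and the ".git/config" symlink are a constructed scenario.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a write would land outside the repository.
var ErrOutsideRepo = errors.New("destination resolves outside repository")

// insideRoot reports whether path is strictly inside root (both already clean).
func insideRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil || rel == "." || rel == ".." {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(os.PathSeparator))
}

// lexicalCheck is the kind of validation that stops "../" traversal: it cleans
// the path and compares strings. It never touches the filesystem, so it cannot
// notice that a component of relPath is a symlink pointing somewhere else.
func lexicalCheck(repoRoot, relPath string) (string, error) {
	root := filepath.Clean(repoRoot)
	dest := filepath.Join(root, relPath) // Join also collapses ".." segments
	if !insideRoot(root, dest) {
		return "", ErrOutsideRepo
	}
	return dest, nil
}

// resolvedCheck keeps the lexical check and then resolves symlinks in the
// deepest existing prefix of the destination (the file itself may not exist
// yet), comparing the real location against the real repository root.
// Pair it with O_NOFOLLOW on the final open to close the check-then-write gap.
func resolvedCheck(repoRoot, relPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	dest, err := lexicalCheck(root, relPath)
	if err != nil {
		return "", err
	}
	// Peel off trailing components that do not exist yet; they cannot be links.
	existing, pending := dest, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		pending = filepath.Join(filepath.Base(existing), pending)
		existing = filepath.Dir(existing)
	}
	real, err := filepath.EvalSymlinks(existing) // follows every link in the prefix
	if err != nil {
		return "", err
	}
	real = filepath.Join(real, pending)
	if !insideRoot(root, real) {
		return "", ErrOutsideRepo
	}
	return real, nil
}

func main() {
	base, err := os.MkdirTemp("", "symlink-check-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	_ = os.MkdirAll(filepath.Join(repo, ".git"), 0o755)
	_ = os.MkdirAll(outside, 0o755)
	_ = os.WriteFile(filepath.Join(outside, "config"), []byte("[core]\n"), 0o644)
	// Constructed scenario: ".git/config" inside the repo is a symlink to a file
	// that lives outside it.
	_ = os.Symlink(filepath.Join(outside, "config"), filepath.Join(repo, ".git", "config"))

	for _, c := range []struct {
		name string
		fn   func(string, string) (string, error)
	}{{"lexical", lexicalCheck}, {"resolved", resolvedCheck}} {
		dest, err := c.fn(repo, ".git/config")
		fmt.Printf("%-8s dest=%q err=%v\n", c.name, dest, err)
	}
}
```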

Related: Wiz, The Register, Security Affairs, Dark Reading, Security Week, SC Media

Gogs servers exposed. Source: Shodan.

Researchers at Huntress report that hackers are exploiting a new, undocumented vulnerability in the cryptographic implementation used by Gladinet's CentreStack and Triofox products for secure remote file access and sharing.

By leveraging the security issue, the attackers can obtain hardcoded cryptographic keys and achieve remote code execution, researchers warn.

Although the new cryptographic vulnerability does not have an official identifier, Gladinet notified customers about it and advised them to update the products to the latest version, which, at the time of the communication, had been released on November 29.

The company also provided customers with a set of indicators of compromise (IoCs), indicating that the issue was being exploited in the wild.

The researchers are aware of at least nine organizations targeted in attacks leveraging the new vulnerability, along with an older one tracked as CVE-2025-30406. This local file inclusion flaw allows a local attacker to access system files without authentication. (Bill Toulas / Bleeping Computer)

Related: Huntress

Brave has introduced a new AI browsing feature that leverages Leo, its privacy-respecting AI assistant, to perform automated tasks for the user.

Intended to assist with tasks such as autonomous web research, product comparison, promo-code discovery, and news summarization, the feature is currently in its testing phase and accessible through the Brave Nightly version.

The new agentic AI browsing mode is disabled by default and represents the first step towards tighter AI-user integration for the privacy-focused browser.

Brave stresses that agentic AI browsing is "inherently dangerous" and shouldn’t be used for critical operations, mainly due to prompt injection attacks and the potential for misinterpreting users' intent.

To mitigate this risk, the new mode runs on a separate, isolated profile that does not have access to the user’s cookies, login information, and other sensitive data.

The mode will also be restricted from accessing the browser’s settings page, non-HTTPS sites, the Chrome Web Store, where it could download extensions, and any sites flagged by Brave’s Safe Browsing system.

All its actions will be visible in tabs, and anything risky will trigger warnings to the user, requesting their explicit approval. (Bill Toulas / Bleeping Computer)

Related: Brave, Thurrott, CyberInsider

User prompted to take over control at checkout step. Source: Brave

CISA ordered US federal agencies to patch a critical GeoServer vulnerability now actively exploited on websites.

In XML External Entity (XXE) attacks, XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems.

The security flaw (tracked as CVE-2025-58360) flagged by CISA on Thursday is an unauthenticated XML External Entity (XXE) vulnerability in GeoServer 2.26.1 and prior versions (an open-source server for sharing geospatial data over the Internet) that can be exploited to retrieve arbitrary files from vulnerable servers.

"An XML External Entity (XXE) vulnerability was identified affecting GeoServer 2.26.1 and prior versions. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap," a GeoServer advisory explains.

"However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request."

The Shadowserver Internet watchdog group now tracks 2,451 IP addresses with GeoServer fingerprints, while Shodan reports over 14,000 instances exposed online.

CISA has now added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the flaw is being actively exploited in attacks and ordering Federal Civilian Executive Branch (FCEB) agencies to patch servers by January 1st, 2026, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021. (Sergiu Gatlan / Bleeping Computer)

Related: OSGeo, Security Affairs

GeoServer instances exposed online. Source: Shadowserver.

Donald Trump said he will withhold federal broadband funding from states whose laws to regulate artificial intelligence are judged by his administration to be holding back American dominance in the technology.

"We want to have one central source of approval," Trump told reporters, flanked by top advisers, including Treasury Secretary Scott Bessent, arguing that 50 different regulatory regimes hamper the growth of the nascent industry.

The order also reflects the Trump administration's broader attack against anti-discrimination efforts, aiming at states such as Colorado that have sought to prevent discriminatory language from being embedded in AI models. Such efforts could result in "ideological bias" and produce false results, it said. (Andrea Shalal, Jody Godoy and Courtney Rozen / Reuters)

Related: The White House, New York Times, Washington Post, BBC, Wired, CNBC, The A.V. Club, Marcus on AI, Deadline, The Markup, The Independent, Wall Street Journal, Barron's Online, The Verge, UPI, NOTUS, Washington Times, CNET, Joe.My.God, FedScoop, The Boston Globe, San Francisco Chronicle, Nextgov/FCW, Washington Examiner, Benzinga, Music Technology Policy, Roll Call, Analytics India Magazine, The Wrap, Decrypt, The Hill, Politico, NBC News, Axios, aller Alert, r/technology, r/ArtistHate, r/politics, r/antiai

Reddit, the San Francisco-based firm that ranks Australia among its biggest markets, said in a High Court filing that the ban should be declared invalid because it interfered with free political communication implied by the country's constitution.

Even if the court upheld the ban, Reddit should be exempt since it did not meet the definition of social media, added the filing, which named the Commonwealth of Australia and Communications Minister Anika Wells as defendants. (Byron Kaye and Renju Jose / Reuters)

Related: BBC, Silicon Republic, RTÉ, ABC, Crikey, WinBuzzer, Benzinga, Sydney Morning Herald, TheJournal.ie, New York Times, The Indian Express, Australian Financial Review, Washington Times, Agence France-Presse, 9News, Capital Brief, Le Monde, Bloomberg, Tech in Asia, NDTV Profit, CNET, Bloomberg Law, Reclaim The Net, SmartCompany, The Guardian, r/RedditSafety, r/redditstock

The Trump administration released guidance for federal agencies to try to ensure that the AI models they procure are not spitting out "woke" responses.

The guidance from the Office of Management and Budget states that agencies looking to buy AI systems must determine whether the models comply with what it calls two "unbiased AI principles" — "truth-seeking" and "ideological neutrality."

This OMB guidance was called for in an executive order President Trump signed in July. AI czar David Sacks previously said that the executive order is mainly aimed at diversity, equity, and inclusion. (Maria Curi / Axios)

Related: White House, White House, FedScoop

Best Thing of the Day: Still Encrypting After All These Years

Let’s Encrypt, the largest certificate authority in the world in terms of certificates issued, is now ten years old and is closing in on protecting one billion websites.

Worst Thing of the Day: We're Not Quite Sure Who the Nazi Is Here

Elon Musk has called for the abolishment of the 27-nation EU bloc and compared it to Nazi Germany after regulators fined X, the social media platform he owns, roughly $140 million for violating digital transparency rules.
