Category: Data Theft

Luxury Meets Liability: Dior Client Info Leaked in Major Cyber Breach

Posted on by Srishti Chaubey

Imagine this: You get a message from Dior. It’s exclusive. Personalized. A once-in-a-lifetime offer. You click. Just like that, your personal data is now in a scammer’s hands.

This isn’t fiction. It’s unfolding in real time. This occurs when luxury brands are hacked, and the Dior client information leak is one of the largest data breaches this year. Names, phone numbers, addresses, and purchase history of Dior’s high-end clientele are now compromised.

The House of Dior is dealing with much more than brand reputation damage. Legal examination, customer mistrust, and phishing risks now engulf the legendary brand.

What Occurred: Dior Data Breach Timeline

In one of the biggest data breaches this year, Dior—synonymous with elegance and trust—fell victim to a cyberattack that exposed the personal information of its high-end clientele.

The breach, confirmed on May 7, targeted Dior’s Fashion and Accessories division. The compromised data includes:

  • Names
  • Gender
  • Phone numbers
  • Email and mailing addresses
  • Transaction history

Passwords and payment details were housed in a different database and remained unaffected. Affected regions include South Korea and China.

Dior confirmed that cybersecurity specialists were summoned immediately. But the harm had already been inflicted.

Legal Consequences: Dior in Trouble in South Korea

In China, Dior also confirmed that a data breach compromised its list of high-end customers.

The consequences could severely damage Dior’s reputation with its most loyal and highest-spending customers.

The New Threat: Phishing Scams, False Coupons, and Brand Imitation

The real threat is just beginning.

With personal data now in circulation, cybercriminals are exploiting Dior’s trusted name to launch highly targeted phishing campaigns. Think:

  • Fake coupon codes
  • Phony marketing emails
  • Bogus password reset prompts

Dior’s prestige—its very brand equity—has become the perfect bait. Customers are much more likely to click on exclusive deals. These targeted phishing attacks are not only likely but inevitable.

The Core Problem: Traditional Trust Models Are Broken

Despite Dior’s high-end image and multi-layered security, the breach reveals a critical flaw: reliance on traditional perimeter-based defenses.

  • Once inside, attackers had access to sensitive customer information.
  • Zero Trust protocols were not in place.
  • Internal systems treated all access as legitimate by default—a dangerous assumption.

Dior’s Wake-Up Call

The Dior client info leak happened not just due to malicious actors but also due to outdated security thinking. Dior’s breach isn’t just a PR crisis. Outdated security thinking lies at the root of this strategic failure.

In luxury, trust isn’t just a value—it’s the product. And that trust now demands Zero Trust architecture.

Dior learned the hard way that sleek branding does not guarantee impenetrable systems. Its failure to comply with legal reporting requirements and its slow response endangered both customers and its reputation.

The cost? Legal sanctions, lost customer trust, and front-page headlines. This is not just negative press but a strategic failure.

Zero Trust is the New Luxury

Zero Trust is no longer a buzzword. It is the future of cybersecurity, especially for brands that trade on exclusivity and customer confidence.

PureAuth exemplifies this approach:

  • Never stores Personal Identifiable Information.
  • Verification is continuous, with no backdoors.
  • Attackers cannot exploit urgency or impersonation to bypass controls.

In a world where phishing emails and counterfeit Dior sales can fool even sophisticated customers, Zero Trust is not optional. It is essential.

PureAuth does not secure passwords. PureAuth secures people.

Read Also

The £650M Mistake: M&S Breach Breakdown

Credential Stuffing Attacks Hit Australian Super Funds: A Wake-Up Call for Passwordless Security

Posted on by Srishti Chaubey

In April 2025, several of Australia’s top superannuation funds fell victim to a cyberattack that could have – and should have – been prevented. Attackers drained over $500,000 in retirement savings through credential stuffing attacks, exposing a critical flaw in how we protect sensitive financial accounts.

They targeted AustralianSuper, Rest, and HostPlus using stolen login credentials—ones that many users unknowingly reuse across multiple platforms. The attackers didn’t rely on sophisticated malware or cutting-edge hacking tools; instead, they exploited simple password reuse.

This wasn’t a zero-day exploit. It was a failure of basic security hygiene.
And it cost real people their savings.

Credential Stuffing Attack: ASFA Press Release
Credit: Bleeping Computer

What is Credential Stuffing and Why Does It Still Work?

Credential stuffing is a brute-force attack where hackers use usernames and passwords stolen in previous data breaches to access other accounts. The attack can be surprisingly effective since many people reuse the same credentials across platforms.

Here’s what happened:

  • AustralianSuper: 600 accounts compromised; over $500,000 stolen
  • Rest: 8,000 accounts targeted; personal data compromised
  • HostPlus: Incident under investigation; no financial loss reported yet

The common denominator? Weak authentication systems and a reliance on passwords that should’ve been retired years ago.

Where Super Funds Failed: Outdated Security Models

Despite years of warnings from cybersecurity experts, many superannuation funds had not implemented multi-factor authentication (MFA), real-time fraud detection, or Zero Trust security models.

In some cases, login systems didn’t even flag multiple failed access attempts: an open invitation for credential stuffing bots to test thousands of stolen credentials at scale.

This wasn’t a sophisticated breach. It was a consequence of ignoring the password problem.

The Solution: Passwordless, Zero Trust Authentication

The fastest way to stop credential stuffing is to eliminate passwords entirely. PureAuth is built specifically for that.

PureAuth is a modern Identity and Access Management (IAM) platform that stops identity-based attacks by removing the root cause: passwords.

Why PureAuth is different:

  • Passwordless by default: There’s nothing for hackers to steal
  • Phishing-resistant authentication: Credentials can’t be faked if they don’t exist
  • Behavioral and risk-based access: Each login is contextually validated
  • Privileged Access Management (PAM) included: Access is controlled from the start

If these super funds had implemented PureAuth, they would have prevented the breach.

Why This Matters: Billions at Risk

Super funds manage trillions in assets on behalf of everyday Australians. Yet many are still using outdated security infrastructures that rely on fragile credential systems and minimal threat detection.

This is no longer acceptable.

  • Credential stuffing is increasing year-on-year
  • Phishing scams are more sophisticated than ever
  • User trust is at an all-time low after each breach

Modern problems require modern solutions, and that starts with ditching passwords.

Final Thought: The Most Secure Password is No Password

The 2025 super fund breach proves one thing: waiting is no longer an option. Organizations that continue to depend on passwords are not just vulnerable: they’re guaranteeing future breaches. The path forward is clear: implement passwordless, Zero Trust security now or risk being the next headline.

PureAuth stops credential stuffing before it starts. No passwords, No phishing, No compromise

Don’t wait for the next breach. Go passwordless. Secure your super with PureAuth. #GoPasswordless

Oracle Cloud Data Breach: What Went Wrong?

Posted on by Srishti Chaubey

When Silence Isn’t Security: The Oracle Breach Timeline

Picture this: one of the world’s most prominent tech companies finds itself at the center of a data breach controversy, twice, in just a few weeks. First, they deny any issue. Then, private confirmations emerge. Clients start getting notified. Security researchers weigh in. And suddenly, what was once “no breach” becomes a confirmed Oracle Cloud data breach involving millions of records.

This unfolding cybersecurity drama isn’t just about one company, it’s a case study in how legacy infrastructure, communication strategy, and modern cyber threats collide.

Part I: The March Leak & The Initial Denial

🔍 The Claim

In March 2025, a hacker using the alias rose87168 posted on BreachForums, claiming they had accessed Oracle Cloud servers and stolen 6 million user records, including:

  • Encrypted SSO passwords
  • Hashed LDAP credentials
  • Java Keystore (JKS) files
  • Enterprise Manager security keys

They even shared sample files, archive URLs, and claimed access to the login.region-name.oraclecloud.com endpoint.

Oracle cloud data breach
Credit: Bleeping Computer

🛡️ Oracle’s Response

Oracle responded with a firm denial, stating:

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Oracle

Despite this, third-party analysts and customers began to verify the authenticity of the leaked data.

Part II: April Breach Confirmed

📣 The Private Admissions

By early April, Oracle acknowledged the breach, but only privately to certain clients. The company revealed that older infrastructure, namely its Gen 1 cloud servers (also known as Oracle Cloud Classic), had been compromised. According to Oracle, these environments had been deprecated since 2017.

The threat actor had gained access via a 2020 Java vulnerability, deploying malware and exfiltrating data from Oracle’s Identity Manager (IDM) systems.

📁 What Was Compromised?

  • Email addresses, usernames, and hashed passwords
  • SSO and LDAP credentials
  • IDM database records
  • Legacy authentication data, some from late 2024 and 2025

Oracle insisted its Gen 2 cloud environment remained unaffected, but the distinction raised eyebrows among experts.

Dissecting the Discrepancy: What Is “Oracle Cloud” Anyway?

Cybersecurity researcher Kevin Beaumont highlighted a critical nuance: Oracle’s statements relied heavily on branding distinctions.

“They’re saying Oracle Cloud wasn’t breached by defining ‘Oracle Cloud’ as Gen 2. But Gen 1, now rebranded as Oracle Cloud Classic, was, and it’s still Oracle-managed infrastructure.”

Kevin Beaumont

This Oracle Cloud data breach was real. The question became whether the company was fully transparent about it.

Lessons for the Cloud Era

🧠 What This Breach Teaches Us

  1. Legacy systems remain high-risk
    Older, unpatched environments continue to be major vulnerabilities.
  2. Transparency matters more than spin
    Clear, timely communication builds trust—even during a crisis.
  3. Cyberattacks are evolving
    Threat actors now combine extortion, zero-day trading, and long-term infiltration.
  4. Security is a shared responsibility
    Customers must also enforce strong policies, MFA, and monitoring tools.

Final Takeaway: Don’t Let the “Classic” Fool You

The Oracle Cloud data breach saga reminds us that infrastructure rebranding doesn’t eliminate risk. While Oracle insists its current-gen systems were untouched, this incident proves legacy environments are still part of the attack surface, especially when they house sensitive data. In today’s cloud-first world, it’s not enough to secure what’s new. The past has a way of catching up fast.

Fortinet Authentication Bypass:A Critical Exploit You Can’t Ignore

Posted on by Srishti Chaubey

Imagine waking up to your organization’s security perimeter being compromised because of a critical authentication vulnerability exploited in the wild. That is exactly the threat that organizations face today, with recently found vulnerabilities in Fortinet FortiOS and FortiProxy, now highlighted by CISA as being actively exploited.

The Newest CISA Alert: What’s at Stake?

On March 18, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) included two Fortinet vulnerabilities in its Known Exploited Vulnerabilities Catalog with an urgent action recommendation. The vulnerabilities are a high-risk threat as they enable remote attackers to obtain super-admin privileges and completely bypass authentication controls.

Fortinet FortiOS and FortiProxy Authentication Bypass: CVE-2025-24472

Affected Versions:

FortiOS: 7.0.0 to 7.0.16

FortiProxy: 7.0.0 to 7.0.19, 7.2.0 to 7.2.12

Attack Method: CSF proxy requests with crafted requests

Severity: Critical (CVSS 9.8)

Risk: Permits unauthorized access, which allows complete takeover of impacted systems.

Malicious Code in tj-actions/changed-files GitHub Action: CVE-2025-30066

Problem: Attackers inserted malicious code into a commonly used GitHub Action.

Consequence: Possibility of supply chain attacks on CI/CD pipelines.

These are not theoretical threats; they are being exploited, so remediation is required urgently.

Why This Matters

Authentication bypass vulnerabilities are one of the most critical security vulnerabilities. They disable the first line of defense, enabling attackers to function as privileged users without credentials. The consequences are:

  • Unauthorized Access: Attackers can penetrate networks undetected.
  • Data Breach Risks: Sensitive data can be exfiltrated or tampered with.
  • Ransomware & Lateral Movement: Compromised systems can be used as entry points for further organizational attacks.

How to Protect Your Organization

CISA strongly urges all organizations to take the following action: 

  1. Apply Vendor Patches Immediately
  • Patches for these vulnerabilities have been issued by Fortinet. Organizations need to update their FortiOS and FortiProxy installations as soon as possible.
  1. Implement Zero-Trust Principles
  • Treat each access request as possibly malicious.
  • Enforce robust authentication and access control practices.
  1. Monitor for Indicators of Compromise (IoCs)
  • Audit logs regularly for suspicious activity.
  • Configure automated alerts for suspicious authentication attempts.
  1. Secure Your CI/CD Pipelines
  • If utilizing GitHub Actions, inspect dependencies and limit untrusted third-party code.
  • Enforce strict repository access controls.

The Bigger Picture: Convenience vs. Security

This attack highlights a growing problem – security gaps created by prioritizing convenience over robust authentication. Organizations value ease of use, but frequently at the expense of strong authentication measures. Password-based security, even with MFA, remains susceptible to bypasses. A passwordless, zero-trust solution, such as PureAuth, provides a more resilient option by removing traditional authentication vulnerabilities.

Final Takeaway: Act Now, Stay Secure

This is not another security notice: It’s a wake-up call. Fortinet’s authentication bypass vulnerabilities are being exploited today, and the delay compounds the threat. Organizations have no choice but to patch ASAP, harden their authentication efforts, and revamp how they approach identity security.

In cybersecurity, delay is not an option. Proactive defense is the only way to go. Be ahead of the attackers, because they’re already ahead of you. #gopasswordless

AI Training Data Leak: A Growing Security Nightmare

Posted on by Srishti Chaubey

A recent study by Truffle Security uncovered a massive security flaw—over 12,000 real secrets, including API keys and passwords, were embedded in AI training datasets. These secrets, sourced from Common Crawl’s publicly available web data, included authentication tokens for top-tier services like AWS, MailChimp, and WalkScore.

How Did This Happen?

Common Crawl, a nonprofit that archives vast amounts of web data, is widely used for training AI models, including OpenAI’s ChatGPT, Google Gemini, and Meta’s Llama. However, an analysis of 400 terabytes of data from 2.67 billion web pages in 2024 revealed alarming findings:

  • Over 200 different types of secrets were exposed, with AWS, MailChimp, and WalkScore being among the most affected.
  • 1,500+ MailChimp API keys were hardcoded into front-end HTML and JavaScript.
  • A single WalkScore API key was used 57,029 times across 1,871 subdomains.

This issue is a symptom of a widespread problem: developers frequently leave credentials in code during development and forget to remove them before deployment.

The Bigger Threat: AI-Powered Credential Harvesting

Cybercriminals have long used web scraping to extract sensitive information, but AI models amplify the risk. Since AI is trained on vast amounts of publicly available data, it can inadvertently learn, store, and reproduce these secrets. Even when training data is screened, current filtering mechanisms are not foolproof.

Security firm Truffle Security highlighted another concern—AI coding tools don’t distinguish between safe and unsafe credentials. This means example credentials can reinforce poor security practices, making AI-assisted development a potential security liability.

Beyond Credential Leaks: AI Training Risks Grow

This issue is part of a broader set of security challenges tied to AI training data:

  1. Wayback Copilot Attack – Even if organizations secure private repositories, older versions of their data remain accessible through AI tools like Microsoft Copilot due to search engine indexing.
  2. Jailbreak Attacks – Hackers are finding ways to bypass AI security safeguards and extract confidential data from models.
  3. AI Misalignment Risks – If AI is trained on insecure code, it may unknowingly generate unsafe or hazardous recommendations.

How Organizations Can Protect Themselves

Following the discovery, affected vendors revoked compromised keys, but organizations must adopt proactive security measures to prevent future leaks:

  • Use Environment Variables – Never hardcode secrets in source code. Instead, use secure vaults or environment variables.
  • Automate Secret Scanning – Implement tools like TruffleHog, GitGuardian, or AWS Secrets Manager to detect and remove exposed credentials.
  • Adopt Zero-Trust AuthenticationMove away from passwords entirely with passwordless and zero-trust authentication solutions like PureID to mitigate credential-related risks.
  • Enhance AI Training Data Security – AI providers must improve data sanitization techniques to prevent sensitive information from being included in training datasets.

Conclusion

This AI training data breach underscores a critical cybersecurity concern—the mass scraping of data for AI training can inadvertently expose sensitive information. While vendors have taken corrective action, the industry must rethink security practices in an AI-driven world.

As AI grows more advanced, so must our approach to safeguarding digital identities and authentication systems. It’s time for organizations to embrace a passwordless future and strengthen their security posture against evolving threats.

Stay secure. Stay informed.

The Cyber Battleground: Major Attacks Shaping 2025

Posted on by Srishti Chaubey

The year is 2025, and the cyber war front is more active than ever. Threat actors are refining their tactics, launching sophisticated attacks across industries. From media and infrastructure to encrypted messaging platforms and AI-driven workplaces. Below is a breakdown of the latest high-impact cyber incidents, what they mean for security, and how organizations can stay ahead.

1. The Newsroom Blackout: Cyberattack on Lee Enterprises

On February 3, 2025, a major cyberattack disrupted Lee Enterprises, a leading American media conglomerate, causing print delays and operational chaos. Newspapers like the Post-Dispatch and Casper Star-Tribune struggled to publish content, with parts of the IT infrastructure forcibly taken offline. While the exact attack vector remains undisclosed, the event underscores the vulnerability of media organizations to digital disruptions.

Key Takeaway: Ransomware and IT disruptions in media outlets can impact information dissemination. Cyber resilience planning is crucial for organizations handling sensitive data and tight production schedules.

2. Microsoft KMS Exploited: Sandworm’s Silent Weapon

The infamous Sandworm APT (APT44/UAC-0145) has weaponized Microsoft Key Management Service (KMS) activators, targeting Windows users in Ukraine. The attack leverages pirated KMS tools and fake Windows updates to inject malware, including DarkCrystal RAT (DcRAT), compromising critical systems.

Key Takeaway: Secure software sourcing is critical. Enterprises must enforce strict software policies and monitor for unauthorized activations.

2025 Cyber Attacks: Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally
Credit: Dark Reading

3. PAN-OS Under Siege: Critical Vulnerability in Palo Alto Networks

Security teams are on high alert as Palo Alto Networks confirmed active exploitation of CVE-2025-0108, an access control flaw rated at 8.8 severity. Attackers with network access can bypass authentication and execute PHP scripts remotely. Combined with CVE-2024-9474, this vulnerability grants root-level access.

Key Takeaway: Immediate patching is essential. Delaying updates could be catastrophic.

4. Phishing Strikes Signal: A New Era of Social Engineering

Russian hacking groups (UNC5792 & UNC4221) are targeting Signal users by exploiting QR codes in phishing campaigns. Victims scanning these malicious codes unknowingly grant attackers access to their encrypted conversations. In response, Signal has rolled out new verification mechanisms to counter unauthorized device linking.

Key Takeaway: Users should verify QR codes before scanning and enable multi-factor authentication (MFA) for sensitive accounts.

5. The Fake IT Support Scam on Microsoft Teams

Russian hacking collectives Fin7 and Storm-1811 have been masquerading as IT support personnel on Microsoft Teams, tricking employees into granting access. Once inside, attackers deploy ransomware, encrypting data and demanding hefty ransoms.

Key Takeaway: Organizations must enforce strict identity verification for remote IT support and educate employees to recognize impersonation attempts.

6. Chinese Hackers Escalate from Espionage to Infrastructure Attacks

Volt Typhoon and Salt Typhoon, the two alleged Chinese state-sponsored groups, have shifted focus from corporate espionage to U.S. critical infrastructure. Their primary targets include utilities, ports, and telecom networks, exploiting outdated telecom equipment to infiltrate systems.

Key Takeaway: The attacks highlight the urgent need for infrastructure modernization and proactive cybersecurity measures.

7. Astaroth Phishing Attack: Bypassing 2FA Like Never Before

A new phishing campaign “Astaroth” targets Gmail and Outlook users, bypassing two-factor authentication (2FA) through real-time credential interception. Attackers trick users into entering login credentials and 2FA codes on counterfeit pages, hijacking accounts instantly.

Key Takeaway: Phishing-resistant authentication, such as PureAUTH, and continuous monitoring are essential for protection.

Final Thoughts: The Road Ahead

As cyber threats evolve, businesses and individuals must adopt a proactive security stance. The key takeaways:

  • Patch vulnerabilities immediately: Delayed updates remain a hacker’s best friend.
  • Implement Zero-Trust security: Don’t trust, always verify.
  • Educate employees on phishing threats: Human error remains a top attack vector.

Cybersecurity in 2025 is a battleground. Staying ahead requires vigilance, smart investments, and a commitment to continuous security improvements. The question isn’t if you’ll be targeted, it’s when. Are you ready?

Read Also:

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Passwords Leaked : Microsoft in Trouble

Hackers Exploit Exposed ASP.NET Keys to Deploy Malware

Posted on by Srishti Chaubey

Exposed ASP.NET Keys: A Growing Cyber Threat

Cybercriminals are actively exploiting publicly exposed ASP.NET machine keys to launch malicious ViewState code injection attacks. By leveraging these static keys, attackers can deploy malware like the Godzilla post-exploitation framework, potentially compromising entire systems. With over 3,000 exposed keys identified by Microsoft, this poses a serious and immediate security risk for developers and organizations. 

How Attackers Exploit ViewState Code Injection

ASP.NET machine keys (validationKey and decryptionKey) ensure the integrity of ViewState data by preventing tampering and unauthorized access. However, some developers mistakenly copy keys from public repositories, unwittingly opening the door for cyberattacks.

The Attack Chain:

  • Attackers obtain machine keys from publicly available sources like code repositories.
  • They craft a malicious ViewState with a message authentication code (MAC) using the stolen key.
  • The infected ViewState is sent via a POST request to an IIS web server.
  • The ASP.NET Runtime validates and decrypts the malicious ViewState, executing the attacker’s code.
  • The attacker gains Remote Code Execution (RCE), allowing them to deploy further payloads.
ASP.NET Machine Keys used in Viewstate injection
Credit: Microsoft

Real-World Impact: Godzilla Framework Deployment

In December 2024, Microsoft detected threat actors using this technique to inject the Godzilla post-exploitation framework. Godzilla enables malicious command execution and shellcode injection, posing a severe risk to IIS web servers. Unlike stolen keys sold on dark web forums, these publicly disclosed keys are easily accessible, making them more dangerous.

How to Protect Your Systems

Microsoft and cybersecurity experts recommend the following mitigation steps:

Secure Machine Key Management

  • Never use public or default keys. Always generate unique, secure keys.
  • Encrypt machine keys. Protect sensitive data like the machineKey and connectionStrings elements to prevent plaintext exposure.
  • Regularly rotate keys. Update machine keys periodically to minimize security risks.

System Hardening

  • Upgrade to ASP.NET 4.8. Enable Antimalware Scan Interface (AMSI) to detect suspicious activity.
  • Apply attack surface reduction rules. Block web shell creation to reduce exploitation chances.
  • Audit and monitor configuration files. Track unauthorized changes to web.config and machine.config files.

Incident Response

  • Use Microsoft Defender for Endpoint. Identify publicly disclosed keys with alert systems.
  • Deploy Microsoft Sentinel. Leverage threat intelligence analytics to detect ViewState-based attacks.
  • Investigate compromised servers. If an attack is detected, perform a full forensic analysis and consider system reinstallation.

Final Thoughts

The exploitation of exposed ASP.NET machine keys for ViewState code injection attacks is a critical and escalating cybersecurity threat. With over 3,000 exposed keys identified, the risk to businesses and developers is more significant than ever. These attacks enable remote code execution (RCE), allowing hackers to deploy dangerous malware like the Godzilla post-exploitation framework, potentially compromising entire systems.

Organizations can no longer afford to overlook secure key management and system hardening. Implementing unique, encrypted, and regularly rotated machine keys, upgrading security frameworks, and leveraging real-time threat detection tools are essential steps in mitigating these attacks.

Cyber threats evolve rapidly, and staying ahead requires vigilance, proactive defense strategies, and a commitment to security best practices. By securing your ASP.NET applications today, you can prevent tomorrow’s breaches.

Also Read

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

DeepSeek’s Database Breach: A Wake-Up Call for AI Security

Posted on by Srishti Chaubey

DeepSeek, a rising Chinese AI startup, has garnered global attention for its innovative AI models, particularly the DeepSeek-R1 reasoning model. Praised for its cost-effectiveness and strong performance, DeepSeek-R1 competes with industry leaders like OpenAI’s o1. However, as its prominence grew, so did scrutiny from security researchers. Their investigations uncovered a critical vulnerability—DeepSeek’s database leaked sensitive information, including plaintext chat histories and API keys.

What Happened?

Security researchers at Wiz discovered two unsecured ClickHouse database instances within DeepSeek’s infrastructure. These databases left exposed via open ports with no authentication, contained:

  • Over one million plaintext chat logs.
  • API keys and backend operational details.
  • Internal metadata and user queries.

This misconfiguration created a significant security risk, potentially allowing unauthorized access to sensitive data, privilege escalation, and data exfiltration.

How It Was Found

Wiz’s routine scanning of DeepSeek’s external infrastructure led to the detection of open ports (8123 and 9000) linked to the ClickHouse database. Simple SQL queries revealed a trove of sensitive data, including user interactions and operational metadata.

While Wiz promptly disclosed the issue and DeepSeek swiftly secured the database, the key concern remains—was this vulnerability exploited before the fix?

The Bigger Picture

This breach highlights the urgent need for AI companies to prioritize security alongside innovation. As AI-powered tools like DeepSeek’s R1 model become integral to businesses, safeguarding user data must be a top priority.

Wiz researchers emphasized a growing industry-wide problem: AI startups often rush to market without implementing proper security frameworks. This oversight exposes sensitive user data and operational secrets, making them prime targets for cyberattacks.

Key Takeaways for the Industry

The DeepSeek breach serves as a critical lesson for AI developers and businesses:

  • Security First: Treat AI infrastructure with the same rigor as public cloud environments, enforcing strict access controls and authentication measures.
  • Proactive Defense: Regular security audits and monitoring should be standard practice to detect and prevent vulnerabilities.
  • Collaboration is Key: AI developers and security teams must work together to secure sensitive data and prevent breaches.

Earlier, DeepSeek reported detecting and stopping a “large-scale cyberattack,” underscoring the importance of robust cybersecurity measures. The rapid advancement of AI brings immense opportunities but also exposes critical security gaps. The DeepSeek breach is a stark reminder that failing to implement basic security protocols puts sensitive data—and user trust—at risk.

Also Read

Cisco Data Breach: A Timeline of Events and Broader Implications

LDAP Nightmare: A Critical Flaw Shakes Enterprise Networks

Cisco Data Breach: A Timeline of Events and Broader Implications

Posted on by Srishti Chaubey

A Breach That Keeps Unfolding:

When Cisco was accused of a breach by a hacker named IntelBroker in October 2024, the tech giant initially denied any compromise of its internal systems. However, as the situation unfolded and over 4GB of data was leaked, Cisco acknowledged the authenticity of the exposed files while maintaining that its enterprise environments remained secure.

This incident sheds light on a concerning trend: organizations frequently deny breaches outright, only to later concede limited impact as evidence continues to emerge. In this blog, we examine the timeline of events, the repercussions, and the broader lessons stemming from the Cisco breach.

Cisco Data Breach: IntelBroker's Claim
Credit: Bleeping Computer

Timeline of the Breach

  1. October 14, 2024
    • Hacker IntelBroker announced a “Cisco breach” on BreachForums.
    • Claims included access to source code, credentials, and confidential documents from major companies, including Cisco.
  2. October 21, 2024
    • Cisco confirmed an investigation was underway but denied a breach of its internal systems.
    • The company reported that the data was accessed from a public-facing DevHub environment due to a configuration error.
  3. Mid-December 2024
    • IntelBroker leaked 2.9GB of data, including source code, certificates, and scripts.
    • Cisco acknowledged the leak but reiterated no sensitive personal or financial information was compromised.
  4. December 25, 2024
    • The hacker released an additional 4.45GB of data on BreachForums, claiming it was part of a much larger dataset.
    • Cisco analyzed the leak and confirmed its alignment with files previously identified in October.
  5. December 31, 2024
    • Cisco confirmed the authenticity of the leaked data but maintained that its internal systems remained uncompromised.
Cisco Data Breach: Timeline

Impact Analysis: What’s at Stake?

The breach exposed:

  • Source Code: Critical for Cisco products like WebEx, Catalyst,z and Secure Access Service Edge (SASE).
  • Internal Project Archives: Java binaries, Cryptographic Signatures, Certificates, and Configuration files.
  • Customer-Related Data: Files linked to Cisco CX Professional Services customers.

 What Cisco Claims:

  • No sensitive personal or financial information was exposed.
  • Internal production systems were unaffected.

Risks Highlighted:

  1. Exploitation Potential: Exposed source code could help attackers identify vulnerabilities in Cisco products.
  2. Supply Chain Risks: Customers and partners could be indirectly targeted using leaked data.
  3. Reputation Damage: Prolonged uncertainty damages trust in Cisco’s security practices.

A Broader Trend: Denial, Admission, and Full Disclosure

Cisco’s handling of the breach mirrors a recurring pattern:

  1. Initial Denial: Early claims often assert no compromise.
  2. Partial Admission: As evidence mounts, organizations acknowledge limited impact.
  3. Full Scope Revealed: Final admissions often come after external pressure or further leaks.

The Okta breach followed a similar trajectory, where early denials gave way to admissions of more significant exposure.

Lessons for the Future

Cisco’s breach underscores critical lessons for organizations:

  1. Prioritize Transparency: Honest and timely communication can mitigate reputational damage.
  2. Audit Public-Facing Platforms: Regular checks can prevent inadvertent exposure of sensitive files.
  3. Strengthen Configuration Management: Misconfigurations remain a top cause of data exposure.
  4. Adopt Proactive Monitoring: Real-time alerts can detect unusual activity before damage escalates.

Conclusion: A Story Still Unfolding

The Cisco breach, though limited in scope compared to initial claims, highlights how vulnerabilities in public-facing platforms can quickly escalate into significant incidents. While Cisco has introduced corrective measures, the full impact of the exposed data remains unclear.

This case illustrates a broader trend where companies initially deny breaches, only to gradually disclose the extent of their impact over time. As we await further updates and mitigation efforts from Cisco, the importance of proactive security strategies and transparent communication has become increasingly evident.

© 2026 | PureID. All Rights Reserved

Privacy & Terms | Licenses