Category: Data Theft

AI Training Data Leak: A Growing Security Nightmare

Posted on by Srishti Chaubey

A recent study by Truffle Security uncovered a massive security flaw—over 12,000 real secrets, including API keys and passwords, were embedded in AI training datasets. These secrets, sourced from Common Crawl’s publicly available web data, included authentication tokens for top-tier services like AWS, MailChimp, and WalkScore.

How Did This Happen?

Common Crawl, a nonprofit that archives vast amounts of web data, is widely used for training AI models, including OpenAI’s ChatGPT, Google Gemini, and Meta’s Llama. However, an analysis of 400 terabytes of data from 2.67 billion web pages in 2024 revealed alarming findings:

  • Over 200 different types of secrets were exposed, with AWS, MailChimp, and WalkScore being among the most affected.
  • 1,500+ MailChimp API keys were hardcoded into front-end HTML and JavaScript.
  • A single WalkScore API key was used 57,029 times across 1,871 subdomains.

This issue is a symptom of a widespread problem: developers frequently leave credentials in code during development and forget to remove them before deployment.

The Bigger Threat: AI-Powered Credential Harvesting

Cybercriminals have long used web scraping to extract sensitive information, but AI models amplify the risk. Since AI is trained on vast amounts of publicly available data, it can inadvertently learn, store, and reproduce these secrets. Even when training data is screened, current filtering mechanisms are not foolproof.

Security firm Truffle Security highlighted another concern—AI coding tools don’t distinguish between safe and unsafe credentials. This means example credentials can reinforce poor security practices, making AI-assisted development a potential security liability.

Beyond Credential Leaks: AI Training Risks Grow

This issue is part of a broader set of security challenges tied to AI training data:

  1. Wayback Copilot Attack – Even if organizations secure private repositories, older versions of their data remain accessible through AI tools like Microsoft Copilot due to search engine indexing.
  2. Jailbreak Attacks – Hackers are finding ways to bypass AI security safeguards and extract confidential data from models.
  3. AI Misalignment Risks – If AI is trained on insecure code, it may unknowingly generate unsafe or hazardous recommendations.

How Organizations Can Protect Themselves

Following the discovery, affected vendors revoked compromised keys, but organizations must adopt proactive security measures to prevent future leaks:

  • Use Environment Variables – Never hardcode secrets in source code. Instead, use secure vaults or environment variables.
  • Automate Secret Scanning – Implement tools like TruffleHog, GitGuardian, or AWS Secrets Manager to detect and remove exposed credentials.
  • Adopt Zero-Trust AuthenticationMove away from passwords entirely with passwordless and zero-trust authentication solutions like PureID to mitigate credential-related risks.
  • Enhance AI Training Data Security – AI providers must improve data sanitization techniques to prevent sensitive information from being included in training datasets.

Conclusion

This AI training data breach underscores a critical cybersecurity concern—the mass scraping of data for AI training can inadvertently expose sensitive information. While vendors have taken corrective action, the industry must rethink security practices in an AI-driven world.

As AI grows more advanced, so must our approach to safeguarding digital identities and authentication systems. It’s time for organizations to embrace a passwordless future and strengthen their security posture against evolving threats.

Stay secure. Stay informed.

The Cyber Battleground: Major Attacks Shaping 2025

Posted on by Srishti Chaubey

The year is 2025, and the cyber war front is more active than ever. Threat actors are refining their tactics, launching sophisticated attacks across industries. From media and infrastructure to encrypted messaging platforms and AI-driven workplaces. Below is a breakdown of the latest high-impact cyber incidents, what they mean for security, and how organizations can stay ahead.

1. The Newsroom Blackout: Cyberattack on Lee Enterprises

On February 3, 2025, a major cyberattack disrupted Lee Enterprises, a leading American media conglomerate, causing print delays and operational chaos. Newspapers like the Post-Dispatch and Casper Star-Tribune struggled to publish content, with parts of the IT infrastructure forcibly taken offline. While the exact attack vector remains undisclosed, the event underscores the vulnerability of media organizations to digital disruptions.

Key Takeaway: Ransomware and IT disruptions in media outlets can impact information dissemination. Cyber resilience planning is crucial for organizations handling sensitive data and tight production schedules.

2. Microsoft KMS Exploited: Sandworm’s Silent Weapon

The infamous Sandworm APT (APT44/UAC-0145) has weaponized Microsoft Key Management Service (KMS) activators, targeting Windows users in Ukraine. The attack leverages pirated KMS tools and fake Windows updates to inject malware, including DarkCrystal RAT (DcRAT), compromising critical systems.

Key Takeaway: Secure software sourcing is critical. Enterprises must enforce strict software policies and monitor for unauthorized activations.

2025 Cyber Attacks: Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally
Credit: Dark Reading

3. PAN-OS Under Siege: Critical Vulnerability in Palo Alto Networks

Security teams are on high alert as Palo Alto Networks confirmed active exploitation of CVE-2025-0108, an access control flaw rated at 8.8 severity. Attackers with network access can bypass authentication and execute PHP scripts remotely. Combined with CVE-2024-9474, this vulnerability grants root-level access.

Key Takeaway: Immediate patching is essential. Delaying updates could be catastrophic.

4. Phishing Strikes Signal: A New Era of Social Engineering

Russian hacking groups (UNC5792 & UNC4221) are targeting Signal users by exploiting QR codes in phishing campaigns. Victims scanning these malicious codes unknowingly grant attackers access to their encrypted conversations. In response, Signal has rolled out new verification mechanisms to counter unauthorized device linking.

Key Takeaway: Users should verify QR codes before scanning and enable multi-factor authentication (MFA) for sensitive accounts.

5. The Fake IT Support Scam on Microsoft Teams

Russian hacking collectives Fin7 and Storm-1811 have been masquerading as IT support personnel on Microsoft Teams, tricking employees into granting access. Once inside, attackers deploy ransomware, encrypting data and demanding hefty ransoms.

Key Takeaway: Organizations must enforce strict identity verification for remote IT support and educate employees to recognize impersonation attempts.

6. Chinese Hackers Escalate from Espionage to Infrastructure Attacks

Volt Typhoon and Salt Typhoon, the two alleged Chinese state-sponsored groups, have shifted focus from corporate espionage to U.S. critical infrastructure. Their primary targets include utilities, ports, and telecom networks, exploiting outdated telecom equipment to infiltrate systems.

Key Takeaway: The attacks highlight the urgent need for infrastructure modernization and proactive cybersecurity measures.

7. Astaroth Phishing Attack: Bypassing 2FA Like Never Before

A new phishing campaign “Astaroth” targets Gmail and Outlook users, bypassing two-factor authentication (2FA) through real-time credential interception. Attackers trick users into entering login credentials and 2FA codes on counterfeit pages, hijacking accounts instantly.

Key Takeaway: Phishing-resistant authentication, such as PureAUTH, and continuous monitoring are essential for protection.

Final Thoughts: The Road Ahead

As cyber threats evolve, businesses and individuals must adopt a proactive security stance. The key takeaways:

  • Patch vulnerabilities immediately: Delayed updates remain a hacker’s best friend.
  • Implement Zero-Trust security: Don’t trust, always verify.
  • Educate employees on phishing threats: Human error remains a top attack vector.

Cybersecurity in 2025 is a battleground. Staying ahead requires vigilance, smart investments, and a commitment to continuous security improvements. The question isn’t if you’ll be targeted, it’s when. Are you ready?

Read Also:

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Passwords Leaked : Microsoft in Trouble

Hackers Exploit Exposed ASP.NET Keys to Deploy Malware

Posted on by Srishti Chaubey

Exposed ASP.NET Keys: A Growing Cyber Threat

Cybercriminals are actively exploiting publicly exposed ASP.NET machine keys to launch malicious ViewState code injection attacks. By leveraging these static keys, attackers can deploy malware like the Godzilla post-exploitation framework, potentially compromising entire systems. With over 3,000 exposed keys identified by Microsoft, this poses a serious and immediate security risk for developers and organizations. 

How Attackers Exploit ViewState Code Injection

ASP.NET machine keys (validationKey and decryptionKey) ensure the integrity of ViewState data by preventing tampering and unauthorized access. However, some developers mistakenly copy keys from public repositories, unwittingly opening the door for cyberattacks.

The Attack Chain:

  • Attackers obtain machine keys from publicly available sources like code repositories.
  • They craft a malicious ViewState with a message authentication code (MAC) using the stolen key.
  • The infected ViewState is sent via a POST request to an IIS web server.
  • The ASP.NET Runtime validates and decrypts the malicious ViewState, executing the attacker’s code.
  • The attacker gains Remote Code Execution (RCE), allowing them to deploy further payloads.
ASP.NET Machine Keys used in Viewstate injection
Credit: Microsoft

Real-World Impact: Godzilla Framework Deployment

In December 2024, Microsoft detected threat actors using this technique to inject the Godzilla post-exploitation framework. Godzilla enables malicious command execution and shellcode injection, posing a severe risk to IIS web servers. Unlike stolen keys sold on dark web forums, these publicly disclosed keys are easily accessible, making them more dangerous.

How to Protect Your Systems

Microsoft and cybersecurity experts recommend the following mitigation steps:

Secure Machine Key Management

  • Never use public or default keys. Always generate unique, secure keys.
  • Encrypt machine keys. Protect sensitive data like the machineKey and connectionStrings elements to prevent plaintext exposure.
  • Regularly rotate keys. Update machine keys periodically to minimize security risks.

System Hardening

  • Upgrade to ASP.NET 4.8. Enable Antimalware Scan Interface (AMSI) to detect suspicious activity.
  • Apply attack surface reduction rules. Block web shell creation to reduce exploitation chances.
  • Audit and monitor configuration files. Track unauthorized changes to web.config and machine.config files.

Incident Response

  • Use Microsoft Defender for Endpoint. Identify publicly disclosed keys with alert systems.
  • Deploy Microsoft Sentinel. Leverage threat intelligence analytics to detect ViewState-based attacks.
  • Investigate compromised servers. If an attack is detected, perform a full forensic analysis and consider system reinstallation.

Final Thoughts

The exploitation of exposed ASP.NET machine keys for ViewState code injection attacks is a critical and escalating cybersecurity threat. With over 3,000 exposed keys identified, the risk to businesses and developers is more significant than ever. These attacks enable remote code execution (RCE), allowing hackers to deploy dangerous malware like the Godzilla post-exploitation framework, potentially compromising entire systems.

Organizations can no longer afford to overlook secure key management and system hardening. Implementing unique, encrypted, and regularly rotated machine keys, upgrading security frameworks, and leveraging real-time threat detection tools are essential steps in mitigating these attacks.

Cyber threats evolve rapidly, and staying ahead requires vigilance, proactive defense strategies, and a commitment to security best practices. By securing your ASP.NET applications today, you can prevent tomorrow’s breaches.

Also Read

Microsoft Entra ID Vulnerabilities: Pass-Through Authentication Risks

DeepSeek’s Database Breach: A Wake-Up Call for AI Security

Posted on by Srishti Chaubey

DeepSeek, a rising Chinese AI startup, has garnered global attention for its innovative AI models, particularly the DeepSeek-R1 reasoning model. Praised for its cost-effectiveness and strong performance, DeepSeek-R1 competes with industry leaders like OpenAI’s o1. However, as its prominence grew, so did scrutiny from security researchers. Their investigations uncovered a critical vulnerability—DeepSeek’s database leaked sensitive information, including plaintext chat histories and API keys.

What Happened?

Security researchers at Wiz discovered two unsecured ClickHouse database instances within DeepSeek’s infrastructure. These databases left exposed via open ports with no authentication, contained:

  • Over one million plaintext chat logs.
  • API keys and backend operational details.
  • Internal metadata and user queries.

This misconfiguration created a significant security risk, potentially allowing unauthorized access to sensitive data, privilege escalation, and data exfiltration.

How It Was Found

Wiz’s routine scanning of DeepSeek’s external infrastructure led to the detection of open ports (8123 and 9000) linked to the ClickHouse database. Simple SQL queries revealed a trove of sensitive data, including user interactions and operational metadata.

While Wiz promptly disclosed the issue and DeepSeek swiftly secured the database, the key concern remains—was this vulnerability exploited before the fix?

The Bigger Picture

This breach highlights the urgent need for AI companies to prioritize security alongside innovation. As AI-powered tools like DeepSeek’s R1 model become integral to businesses, safeguarding user data must be a top priority.

Wiz researchers emphasized a growing industry-wide problem: AI startups often rush to market without implementing proper security frameworks. This oversight exposes sensitive user data and operational secrets, making them prime targets for cyberattacks.

Key Takeaways for the Industry

The DeepSeek breach serves as a critical lesson for AI developers and businesses:

  • Security First: Treat AI infrastructure with the same rigor as public cloud environments, enforcing strict access controls and authentication measures.
  • Proactive Defense: Regular security audits and monitoring should be standard practice to detect and prevent vulnerabilities.
  • Collaboration is Key: AI developers and security teams must work together to secure sensitive data and prevent breaches.

Earlier, DeepSeek reported detecting and stopping a “large-scale cyberattack,” underscoring the importance of robust cybersecurity measures. The rapid advancement of AI brings immense opportunities but also exposes critical security gaps. The DeepSeek breach is a stark reminder that failing to implement basic security protocols puts sensitive data—and user trust—at risk.

Also Read

Cisco Data Breach: A Timeline of Events and Broader Implications

LDAP Nightmare: A Critical Flaw Shakes Enterprise Networks

Cisco Data Breach: A Timeline of Events and Broader Implications

Posted on by Srishti Chaubey

A Breach That Keeps Unfolding:

When Cisco was accused of a breach by a hacker named IntelBroker in October 2024, the tech giant initially denied any compromise of its internal systems. However, as the situation unfolded and over 4GB of data was leaked, Cisco acknowledged the authenticity of the exposed files while maintaining that its enterprise environments remained secure.

This incident sheds light on a concerning trend: organizations frequently deny breaches outright, only to later concede limited impact as evidence continues to emerge. In this blog, we examine the timeline of events, the repercussions, and the broader lessons stemming from the Cisco breach.

Cisco Data Breach: IntelBroker's Claim
Credit: Bleeping Computer

Timeline of the Breach

  1. October 14, 2024
    • Hacker IntelBroker announced a “Cisco breach” on BreachForums.
    • Claims included access to source code, credentials, and confidential documents from major companies, including Cisco.
  2. October 21, 2024
    • Cisco confirmed an investigation was underway but denied a breach of its internal systems.
    • The company reported that the data was accessed from a public-facing DevHub environment due to a configuration error.
  3. Mid-December 2024
    • IntelBroker leaked 2.9GB of data, including source code, certificates, and scripts.
    • Cisco acknowledged the leak but reiterated no sensitive personal or financial information was compromised.
  4. December 25, 2024
    • The hacker released an additional 4.45GB of data on BreachForums, claiming it was part of a much larger dataset.
    • Cisco analyzed the leak and confirmed its alignment with files previously identified in October.
  5. December 31, 2024
    • Cisco confirmed the authenticity of the leaked data but maintained that its internal systems remained uncompromised.
Cisco Data Breach: Timeline

Impact Analysis: What’s at Stake?

The breach exposed:

  • Source Code: Critical for Cisco products like WebEx, Catalyst,z and Secure Access Service Edge (SASE).
  • Internal Project Archives: Java binaries, Cryptographic Signatures, Certificates, and Configuration files.
  • Customer-Related Data: Files linked to Cisco CX Professional Services customers.

 What Cisco Claims:

  • No sensitive personal or financial information was exposed.
  • Internal production systems were unaffected.

Risks Highlighted:

  1. Exploitation Potential: Exposed source code could help attackers identify vulnerabilities in Cisco products.
  2. Supply Chain Risks: Customers and partners could be indirectly targeted using leaked data.
  3. Reputation Damage: Prolonged uncertainty damages trust in Cisco’s security practices.

A Broader Trend: Denial, Admission, and Full Disclosure

Cisco’s handling of the breach mirrors a recurring pattern:

  1. Initial Denial: Early claims often assert no compromise.
  2. Partial Admission: As evidence mounts, organizations acknowledge limited impact.
  3. Full Scope Revealed: Final admissions often come after external pressure or further leaks.

The Okta breach followed a similar trajectory, where early denials gave way to admissions of more significant exposure.

Lessons for the Future

Cisco’s breach underscores critical lessons for organizations:

  1. Prioritize Transparency: Honest and timely communication can mitigate reputational damage.
  2. Audit Public-Facing Platforms: Regular checks can prevent inadvertent exposure of sensitive files.
  3. Strengthen Configuration Management: Misconfigurations remain a top cause of data exposure.
  4. Adopt Proactive Monitoring: Real-time alerts can detect unusual activity before damage escalates.

Conclusion: A Story Still Unfolding

The Cisco breach, though limited in scope compared to initial claims, highlights how vulnerabilities in public-facing platforms can quickly escalate into significant incidents. While Cisco has introduced corrective measures, the full impact of the exposed data remains unclear.

This case illustrates a broader trend where companies initially deny breaches, only to gradually disclose the extent of their impact over time. As we await further updates and mitigation efforts from Cisco, the importance of proactive security strategies and transparent communication has become increasingly evident.

BeyondTrust Breach: A Wake-Up Call for Cybersecurity

Posted on by Srishti Chaubey

Introduction

Imagine this: An organization that promises to protect your passwords and block unauthorized access falls victim to the very attack it aims to prevent. That’s exactly what happened to BeyondTrust, one of the well-known companies in the privileged access management space, when attackers targeted their Remote Support SaaS instances earlier this month. The breach exposed a serious vulnerability CVE-2024-12356 that allows attackers to execute commands remotely. Though BeyondTrust responded with swift patching of the problem, the incident leaves several tough questions regarding the exploitations that can even take place against the best of defenses.

Beyond Trust breach vulnerability
Credit: Bleeping Computer

What Went Wrong in the BeyondTrust Breach?

On December 2, 2024, BeyondTrust noticed something unusual: attackers had seized an API key for their Remote Support SaaS. This gave them the power to reset application passwords and gain unauthorized access.

As they investigated, BeyondTrust uncovered two vulnerabilities:

  • CVE-2024-12356: A critical flaw that scored 9.8 out of 10 in severity and lets attackers inject commands remotely.
  • CVE-2024-12686: A medium-severity bug that allows attackers with admin privileges to upload malicious files.

What’s worse, CVE-2024-12356 wasn’t just a hypothetical risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that attackers were already exploiting it in the wild.

The Irony

It’s hard to ignore the irony. BeyondTrust promised to protect against attacks like remote code execution and password theft, but attackers breached its defenses.

This isn’t the first time BeyondTrust has faced such a challenge. Last year, the company confirmed they were targeted after the Okta breach, underscoring how interconnected cybersecurity threats have become.

This is not BeyondTrust’s story alone but a stark reminder that no company, not even cybersecurity experts, is perfectly immune to attacks.

Why It Matters for Businesses

Thousands of organizations in healthcare, retail, and banking use BeyondTrust’s tools. A breach like this doesn’t just affect the company; it ripples out, impacting businesses that rely on their tools.

Here’s why this should matter to you:

  • Eroded Trust: Clients might start questioning the reliability of their systems.
  • Raising Risk: Exploited vulnerabilities can lead to data theft, operational issues, or worse.
  • Supply Chain Woes: If a key vendor is breached, one asks themselves how secure third-party software really is.

What You Can Do to Protect Your Business

Whether or not you use BeyondTrust’s products, it is a good time to take stock of your security practices. Here’s what you can do right now:

  1. Patch Your Systems: Update to the latest versions of BeyondTrust’s PRA and RS software.
  2. Check for Signs of Trouble: Review logs for unusual activity linked to API keys.
  3. Limit Your Exposure: Disable any unnecessary features and limit your access to the internet.
  4. Be Alerted: Monitor updates from BeyondTrust and cybersecurity agencies such as CISA.

Conclusion

The BeyondTrust breach is a reality check for everyone. Even the most trusted cybersecurity companies can get caught in the crossfire. It’s a reminder that no system is invincible and that vigilance is non-negotiable.

This means that organizations go beyond trust—pun intended—and actively work toward making their defenses stronger. They should update early, monitor their systems, and never assume they are safe. In today’s evolving world of cyber threats, one can only protect what matters most by staying a step ahead.

Termite Exploits Cleo Zero-Day in Widespread Attacks

Posted on by Srishti Chaubey

Introduction

Cleo’s popular file transfer software has fallen victim to a critical zero-day vulnerability, and the Termite ransomware group is wasting no time exploiting it. This flaw impacts Cleo’s Harmony, VLTrader, and LexiCom products—tools trusted by over 4,200 organizations in industries like logistics, manufacturing, and transportation.

Despite an earlier patch in October, the flaw (CVE-2024-50623) remains a serious threat, leaving businesses scrambling to protect their data and operations.

Cleo Zero Day Vulnerability
Credit: Huntress

What’s Happening with the Cleo Zero-Day?

The vulnerability allows attackers to upload malicious files, execute commands remotely, and potentially steal sensitive data. First detected on December 3, the attacks have escalated rapidly, targeting industries like consumer goods and trucking.

The Technical Lowdown:

  • Affected Products: Harmony, VLTrader, and LexiCom (versions before 5.8.0.21).
  • What’s the Risk?: Attackers can run unauthorized commands, leading to data breaches and operational disruptions.
  • The Culprit: Termite ransomware, which has already hit major organizations like Blue Yonder and Starbucks, is suspected.

How to Stay Safe: Immediate Steps to Take

While Cleo develops a new patch, here’s how you can mitigate the risk:

  1. Unplug from the Internet: Temporarily disconnect Cleo systems from public access.
  2. Turn Off Autorun:
    • Open Cleo’s settings.
    • Go to Configure > Options > Other Pane and disable the autorun directory.
    • Save the changes.
  3. Check for Signs of Trouble:
    • Look for suspicious files like healthchecktemplate.txt or .jar files in Cleo directories.
    • Use Cleo-provided scripts to scan for malicious activity.
  4. Stay Updated: Monitor Cleo’s security bulletins for patch updates.

Who’s Behind This?

All signs point to Termite, a growing ransomware group that mirrors the infamous Clop gang in its operations. Termite has gained a reputation for targeting file transfer software vulnerabilities, and some experts speculate they could be filling the gap left by Clop’s declining activity.

Their tactics include deploying malicious web shells to maintain access, running reconnaissance tools to identify assets, and using stolen data as leverage in ransom demands.

Conclusion

The Cleo zero-day vulnerability serves as another reminder of how quickly ransomware groups exploit weaknesses in trusted software. Organizations relying on Cleo products need to act now to protect their systems and data.

Third-Party Breaches: A Growing Concern

The ripple effects of a breach like this extend far beyond the immediate victims. High-profile organizations like Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame, which rely on Cleo software, now face the risk of third-party breaches. Attackers targeting Cleo’s vulnerabilities could exploit access to these businesses’ supply chains, putting customer data and operations at risk.

Third-party breaches are a significant pain point for businesses today, exposing them to reputational damage, financial loss, and regulatory scrutiny. Companies must assess their supply chain security and demand transparency and accountability from vendors like Cleo.

Deloitte UK Allegedly Breached: Ransomware Gang Claims Responsibility

Posted on by Srishti Chaubey

Introduction

Deloitte UK, one of the “Big Four” professional services firms, is facing allegations of a significant cybersecurity breach. The ransomware group Brain Cipher has claimed responsibility, stating it has exfiltrated over 1TB of compressed data. While Deloitte has not confirmed the incident, the attack, if verified, raises serious concerns about cybersecurity practices at one of the most trusted global firms.

Deloitte UK Data Breach
Credit: Cybernews

Brain Cipher’s Allegations: Details of the Attack

Brain Cipher, a ransomware group that surfaced in June 2024, has rapidly gained notoriety for targeting critical sectors such as healthcare, government, and education. Known for employing LockBit 3.0-based ransomware, the group typically gains access through phishing and spear-phishing campaigns before deploying its payload.

In their statement, the group alleged:

  • Data Volume: More than 1TB of compressed sensitive data stolen.
  • Security Lapses: Criticized Deloitte’s failure to observe “elementary points” of cybersecurity.
  • Monitoring Failures: Claimed to demonstrate inadequacies in Deloitte’s monitoring systems.
  • Potential Impact: Hinted at contractual violations and compromised client confidentiality.

Brain Cipher has given Deloitte until December 15, 2024, to respond before releasing data samples and further information on the breach via its dark web leak site.

Deloitte UK Data Breach
Credit: Cybersecurity News

Potential Implications of the Breach

If the claims are confirmed, the consequences of this alleged breach could be far-reaching:

  • Client Confidentiality Risks: Exposure of corporate client data, financial records, and sensitive agreements.
  • Professional Reputation: Damage to Deloitte’s credibility and trustworthiness.
  • Operational Disruption: Impacts on Deloitte’s clients in critical industries.

Cybersecurity experts have noted that such attacks often involve multi-layered extortion tactics, such as data publication threats and ransom demands.

A Closer Look at Brain Cipher

Emerging in mid-2024, Brain Cipher has already made headlines for its high-profile cyber attacks, including a breach of Indonesia’s National Data Center. This incident disrupted public services like immigration processing and education systems. The group’s tactics involve:

  • Initial Access: Phishing and spear-phishing to infiltrate targets.
  • Payload: Leveraging ransomware variants based on LockBit 3.0.
  • Extortion Strategy: Public shaming and countdown timers to pressure victims.

Their ability to target prominent organizations highlights the urgent need for robust cybersecurity measures.

Deloitte’s Response and Next Steps

As of now, Deloitte UK has not confirmed or denied the breach. The company is likely conducting internal investigations to assess the extent of the alleged incident. Cybersecurity analysts recommend immediate steps to mitigate potential fallout:

  • Enhance Monitoring: Strengthen system surveillance and detect persistent threats.
  • Engage Forensics Experts: Conduct a thorough review of potential vulnerabilities.
  • Transparent Communication: Keep clients informed to maintain trust.

Conclusion

The allegations of a Deloitte UK data breach by Brain Cipher highlight the persistent cyber threats even the most reputable organizations face. Regardless of whether the claims are verified, the incident underscores the need to prioritize cybersecurity—especially zero-trust mechanisms—as a core business practice.

Deloitte’s past breach revealed the risks of storing credentials and sensitive data unnecessarily. Organizations should limit storing Personally Identifiable Information (PII) to what is essential and ensure it is secured with industry-standard encryption. Protecting customer data is not optional—it’s a responsibility.

Adopting a zero-trust policy with solutions like PureAUTH can help mitigate risks and prevent future data exposures. Organizations must stay vigilant to safeguard their reputation and the trust of their customers.

Zello Faces Another Potential Data Breach, Urges Precautionary Measures

Posted on by Srishti Chaubey

Introduction

Zello, the widely-used push-to-talk app, is once again under scrutiny for its handling of user security. Recently, the company required users to reset their passwords, citing concerns that point to either a credential-stuffing attack or a potential data breach. With 175 million users spanning sectors like emergency response and hospitality, this incident has raised significant questions about the platform’s security measures.

What Happened?

On November 15, 2024, Zello warned users whose account creation date was before November 2nd to change their password. While the exact incident is not known, evidence suggests that:

  • Possible Breach: Customer credentials may have been accessed by unauthorized users.
  • Credential-Stuffing Attack: Threat actors might be using passwords compromised earlier to gain access.

This measure aims to mitigate risks to affected accounts.

Zello Potential Data Theft
Credit: CyberIL

Breaches History at Zello

In 2020, Zello faced a similar challenge:

Data Breach in 2020:

  • Unauthorized activity on a server led to the exposure of email addresses and hashed passwords.
  • Zello required password resets and asked users not to reuse passwords across platforms.

While the company achieved ISO 27001 certification in September 2024—a certification enforcing strict information security procedures—the recurrence of such incidents questions the strength of Zello’s defenses.

The Implications

If confirmed, such a breach or an attack might empower cybercriminals to:

  • Steal Credentials: Access account data for unauthorized use.
  • Expand Attacks: Use cracked passwords for credential-stuffing attacks on other platforms.
  • Expose Sensitive Operations: With Zello used by first responders and other critical sectors, data misuse could disrupt essential services.

What Users Should Do

Zello users should take the following steps to safeguard their accounts immediately:

  • Reset Passwords: Change passwords immediately for accounts created before November 2, 2024.
  • Use Unique Passwords: Avoid reusing passwords across different services.
  • Enable Security Tools: Consider using password managers to generate strong, unique passwords.

With passwordless solutions like PureAuth, organizations can eliminate vulnerabilities altogether, ensuring security by design and default.

Conclusion

The latest security incident at Zello serves as a grim reminder of the changing cyber threats that organizations face. Though breaches may not always be avoidable, proactive measures like enforcing password resets and adopting robust access management solutions can go a long way in mitigating risks.

By going passwordless, facilitated by solutions like PureAuth, businesses can ensure user credentials and data are secure by default and design, protecting against future incidents.

Read Also

Your 1st Step to #GoPasswordless

Making World Password Free

3 ways passwords are Failing the Enterprises

© 2025 | PureID. All Rights Reserved

Privacy & Terms | Licenses