Data Breaches - Cyber Security News
https://cybersecuritynews.com/category/data-breaches/
Feed date: Mon, 02 Jun 2025 04:55:59 +0000

Exclusive! Entire Conti Ransomware Gang Including Key Leaders With Photo & Infrastructure Exposed
https://cybersecuritynews.com/conti-ransomware-gang-exposed/
Mon, 02 Jun 2025 04:55:56 +0000
In a landmark investigation, the anonymous cybercrime investigator GangExposed has struck a devastating blow against the notorious Conti ransomware group, exposing the real identities, operational strategies, and global movements of its key figures.

Through meticulous analysis of leaked communications, travel records, financial data, and public records, GangExposed has unmasked core leaders including Vladimir Viktorovich Kvitko (“Professor”), the elusive mastermind “Target,” negotiator Arkady Valentinovich Bondarenko, and system administrator Andrey Yuryevich Zhuykov (“Defender”).

This exclusive report delves into the syndicate’s Dubai-based operations, its attacks on hospitals during the COVID-19 pandemic, and the critical infrastructure sustaining its global cybercrime empire, offering law enforcement a rare opportunity to dismantle one of the world’s most dangerous ransomware networks.

The U.S. Department of State’s Rewards for Justice (RFJ) program has announced a reward of up to $10 million for information leading to the identification or location of individuals involved in malicious cyber activities against U.S. critical infrastructure, in violation of the Computer Fraud and Abuse Act (CFAA).

The initiative specifically targets members of the Conti ransomware group, a Russian government-linked ransomware-as-a-service (RaaS) operation known for attacking vital U.S. and Western infrastructure.

Conti Ransomware Group and Key Actors

The RFJ program is seeking information on malicious cyber actors operating under the aliases “Target,” “Reshaev,” “Professor,” “Tramp,” and “Dandis,” believed to be associated with Conti, also known as Wizard Spider.

First detected in 2019, Conti has conducted over 1,000 ransomware operations, targeting critical infrastructure sectors including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.

Of the more than 400 organizations worldwide victimized by Conti, over 290 are located in the United States.

Unmasking “Professor”: Vladimir Viktorovich Kvitko

GangExposed has conclusively identified “Professor,” a core Conti leader, as Vladimir Viktorovich Kvitko (born October 23, 1984), a Russian national who relocated from Moscow to Dubai in autumn 2020.

Kvitko’s role in Conti involves orchestrating real-world carding schemes, leveraging weak banking systems in countries like India, Cuba, and Iran.

His identity was confirmed through synchronized travel patterns and chat inactivity: Russian records show Kvitko in the Altai Republic from June 15–17, 2021, matching periods when “Professor” was silent in Conti’s Jabber chats, resuming communication upon his return to Moscow on June 18.

FSB border data further document his frequent trips to the UAE, Cuba, Iran, Austria, and Turkey, aligning with Conti’s operations. Since August 2022, Kvitko has remained in Dubai, managing visa extensions via trips to the Netherlands and Austria.

His dossier, including passports, phone numbers, emails, social media profiles, and property records tied to income from RM RAIL Management Company and Rosselkhozbank, is part of GangExposed’s digital archive, published via a Mega link.

The Dubai Hub: Conti’s Autumn 2021 Offensive

In autumn 2021, Conti transformed Dubai into a strategic hub for a massive wave of ransomware attacks targeting Western, Middle Eastern, and Chinese companies.

Led by “Target,” a figure with a $10 million FBI bounty, the group operated from physical offices equipped with dedicated attack infrastructure, coordinated by system administrator Andrey Zhuykov and involving negotiator Arkady Bondarenko.

The operation’s timeline reveals meticulous planning:

  • On October 1, 2021, leaked chats reference a “negotiator” described as a “Canadian from a recovery company,” identified as Bondarenko, who flew from Dubai to Moscow that day (flight EK-133), discussing payment issues via the Suex exchange. This coincided with Conti’s attack preparations.
  • By October 2, “Target” coordinated the setup of a Dubai office, ordering equipment and collaborating with deputy Sergey Khitrov.
  • Between October 10–14, key members, including Marat Nurtdinov, Oleg Fakeev, Kvitko, and Elizaveta Suchkova, arrived in Dubai via flights SU-520 and G9-956.
  • From October 17 to November 6, Conti executed peak attacks: 7 on October 17 (e.g., Graff Diamonds, JVCKenwood), 11 on October 23 (e.g., Obeikan Investment Group in the UAE), and 13 on November 6, including ARM China and TRINA SOLAR (UAE).

These attacks exploited the UAE’s lack of extradition agreements and lax cybercrime oversight, targeting not only Western firms but also local and Asian companies, with Bondarenko managing victim negotiations and Zhuykov ensuring the technical infrastructure’s stability.

Target: The $10 Million Predator

“Target,” operating under aliases like “Bloodrush” and “Red,” is Conti’s disciplined and ruthless leader, commanding a near-corporate criminal enterprise with nearly 100 operatives.

Despite a $10 million FBI bounty, he has evaded capture for three years, boasting ties to Russia’s FSB and amassing millions in Bitcoin while paying operatives $200 weekly.

His chilling disregard for human suffering was evident during the COVID-19 pandemic, when he targeted 428 U.S. hospitals in October 2020, gloating in chats: “428 hospitals… I’m satisfied” and “make them die or pay up.”

Target’s offline offices, strict employee oversight, and erasure of digital traces via platforms like Jabber and RocketChat highlight his operational sophistication.

GangExposed recovered deleted messages through metadata and quotes, exposing his schemes, including the Dubai hub’s establishment.

Arkady Bondarenko: The Conti Negotiator

Arkady Valentinovich Bondarenko (born August 2, 1970), a dual Russian-Canadian citizen, is identified as Conti’s key negotiator, managing victim communications and ransom payments.

On October 1, 2021, Conti member “Mango” described him as a “Canadian from a recovery company” in chats, aligning with his departure from Dubai to Moscow (flight EK-133).

His travel frequently overlapped with Kvitko’s, notably on January 17, 2020 (Kvitko on SU-522, Bondarenko on EK-134), May 2022, and February 2019, suggesting in-person coordination while avoiding shared flights.

Bondarenko’s financial profile, with over 107 million RUB from VTB Bank and ownership of luxury Moscow properties, premium vehicles (e.g., Infiniti QX80), and shell companies like LLC “Jewelry House Millennium,” indicates money laundering activities.

His dossier details multiple phones (e.g., +7 926 686-00-00), emails (e.g., arkadiy.bondarenko.70@mail.ru), and bank accounts, confirming his role as a financial intermediary.

Andrey Zhuykov: The Technical Backbone

Andrey Yuryevich Zhuykov (born February 18, 1982), known as “Defender” or “Def,” is Conti’s principal system administrator and DevOps specialist, responsible for the group’s technical infrastructure.

Operating from Russia’s Sverdlovsk Region and Sochi, Zhuykov manages servers, domains, proxies, VPNs, control panels, and backup channels, ensuring the stability and anonymity of Conti’s operations.

His high technical competence and strict management style make him a critical “single point of failure” for the group.

Leaked chats show him coordinating with leadership (e.g., Stern, Buza), suppliers, and coders, handling payments for servers and licenses, and conducting security audits to prevent vulnerabilities.

His dossier includes passports (e.g., 6511090337), phones (e.g., +7 989 165 9356), emails (e.g., megaprof@gmail.com), and social profiles (e.g., Telegram @nohau).

Zhuykov’s financial struggles, with debts exceeding 2 million RUB and enforcement cases for child support, contrast with his critical role in Conti’s multimillion-dollar operations.

Other Key Figures

Additional Conti leaders exposed include:

Vitaly Kovalev (“Stern”), whose leaked Telegram messages (@tguser1) reveal network connections. Despite plastic surgery to alter his appearance, GangExposed exposed his new face and passports.

Mikhail Mikhailovich Tsaryov (“Mango”), born April 20, 1989, a coordinator in the Conti-TrickBot ecosystem who referenced Bondarenko’s negotiator role.

Leaked Data: A Goldmine for Investigators

GangExposed’s unprecedented data release includes Conti Jabber and RocketChat leaks, Black Basta Matrix-Chat leaks, and Telegram messages from Kovalev, available in table and CSV formats.

These datasets detail internal communications, including Bondarenko’s negotiations and Zhuykov’s infrastructure management, enabling investigators to map Conti’s structure, track financial flows, and identify remaining figures. Recovered deleted chats reveal attempts to erase evidence of the Dubai hub, hospital attacks, and financial operations.

When GangExposed leaked Conti’s secrets, the group offered $4 million for a Telegram exploit to retaliate, as reported by Habr. This failed attempt underscores their desperation to silence the investigator, who noted, “I poked the hornet’s nest,” promising further revelations about Target’s identity.

The exposure of Conti’s Dubai hub, coupled with dossiers on Kvitko, Bondarenko, Zhuykov, and others, provides actionable intelligence for UAE authorities to investigate local victims like Obeikan Investment Group and TRINA SOLAR, and for Chinese authorities to probe ARM China’s breach.

Western agencies can leverage the $10 million bounty on Target, while Bondarenko’s dual citizenship and Zhuykov’s financial trails offer avenues for international cooperation to seize illicit funds.

GangExposed’s relentless investigation has shattered Conti’s anonymity, unmasking Kvitko as “Professor,” Bondarenko as the negotiator, Zhuykov as the technical backbone, and detailing Target’s hospital attacks and Dubai operations. With comprehensive dossiers and leaked data, this breakthrough offers law enforcement and victims a historic chance to dismantle a global cybercrime syndicate.

Deloitte Data Breach: Alleged Leak of Source Code & GitHub Credentials
https://cybersecuritynews.com/deloitte-data-breach/
Fri, 30 May 2025 14:14:28 +0000
A threat actor using the alias “303” allegedly claimed to have breached Deloitte’s systems and leaked sensitive internal data on a dark web forum.

The alleged breach reportedly involves GitHub credentials and source code from internal project repositories belonging to Deloitte’s U.S. consulting division.

According to reports emerging from cybersecurity monitoring services, the threat actor posted details of the alleged compromise on a well-known dark web forum, claiming to have accessed and exfiltrated critical development resources.

The leaked data allegedly includes GitHub credentials that could potentially grant unauthorized access to Deloitte’s internal development infrastructure, as well as source code from proprietary projects.

This latest incident adds to Deloitte’s ongoing cybersecurity challenges. The consulting firm has faced multiple breach allegations in recent months, including claims from the Brain Cipher ransomware group in December 2024, which Deloitte denied, stating that any compromised data originated from “a single client’s system which sits outside of the Deloitte network”. The company emphasized that “no Deloitte systems have been impacted” during that incident.

Alleged Deloitte Breach

However, Deloitte’s history with credential leaks dates back several years. In 2017, security researchers discovered that Deloitte’s corporate VPN passwords, usernames, and operational details had been exposed in a public-facing GitHub repository.

The threat actor with the alias “303” has been linked to previous cybersecurity incidents, including an alleged breach of an Indian software company in December 2024 that affected major insurance providers. This pattern suggests the threat actor may be part of a broader campaign targeting large corporations and government entities.

The consulting giant has not provided a prompt response to inquiries seeking clarification or comment on the recent allegations that have come to light. As the investigations progress and further details emerge.

Adidas Data Breach – Customers’ Personal Information Exposed
https://cybersecuritynews.com/adidas-data-breach/
Tue, 20 May 2025 12:02:36 +0000
Adidas Korea has announced a security breach affecting customer data, marking the second major incident in the fashion industry targeting Korean consumers this month.

The sportswear giant revealed that unauthorized access was gained through a third-party customer service provider, compromising the personal information of customers who had contacted its service centers.

On May 16, Adidas disclosed on its website that the breach affected customers who had made inquiries to their customer service center in 2024 or earlier. According to the company, compromised data includes customer names, email addresses, phone numbers, and in some cases, birthdates and physical addresses.

“We have confirmed that there was unauthorized access to some consumer data through a third-party customer service provider,” Adidas stated in its official announcement, reports BusinessKorea.

The company emphasized that sensitive financial information remained secure, noting, “Financial information such as passwords and payment-related details were not included.”

Korean Customer Data Exposed

Adidas has already completed notifications to all affected Korean customers and is working with information security specialists to investigate the incident thoroughly.

“We are taking this matter very seriously and are immediately conducting a comprehensive investigation in cooperation with information security specialists,” an Adidas representative stated.

The company has also reported the incident to relevant Korean authorities and implemented additional security measures to prevent similar breaches in the future.

This breach comes just days after luxury brand Dior faced similar issues with customer data security in Korea. On May 13, Dior announced that unauthorized access to customer information had occurred on January 26, though the company only discovered the breach on May 7.

The Dior incident has drawn particular criticism as the compromised data included sensitive purchase history information along with customer names, mobile phone numbers, and email addresses.

Adding to the controversy, Dior reportedly failed to notify the Korea Internet & Security Agency (KISA) about the breach when it was discovered.

These consecutive data breaches affecting international fashion brands’ Korean customer databases indicate a concerning pattern in the industry. Cybersecurity experts suggest retail customer databases are increasingly becoming targets due to the valuable consumer behavior data they contain.

For affected customers of both companies, security specialists recommend monitoring accounts for unusual activity, being cautious of potential phishing attempts that might leverage the stolen information, and considering changing passwords for other services where similar credentials might have been used.

Hackers Allegedly Breach TikTok, Exposing Over 900,000 Usernames & Passwords
https://cybersecuritynews.com/hackers-allegedly-breach-tiktok/
Fri, 25 Apr 2025 10:30:01 +0000
A hacking collective identifying itself as R00TK1T has claimed responsibility for a massive data breach affecting TikTok, allegedly exposing the credentials of more than 900,000 users. 

According to the group’s statements, they have released a sample of 927,000 TikTok user records into the wild, describing it as “proof of their vulnerabilities”.

R00TK1T stated they had previously warned ByteDance and TikTok about security vulnerabilities but were ignored.

“We warned ByteDance and TikTok, but their silence speaks volumes. Despite our clear message, they’ve ignored the cries of users locked out, suspended, or erased from the platform,” the group declared.

R00TK1T Leak Exposes User Credentials

According to a post on a popular dark web forum, the hackers characterized this data dump as merely “a taste of what’s coming,” threatening that “the next phase will hit harder, exposing their deepest secrets and shattering their systems”. 

Breach Claim

The released information allegedly contains usernames, passwords, and potentially other sensitive account details from the platform’s backend systems.

According to cybersecurity experts, if verified, this breach could represent a significant security incident for the platform. The hackers claim they accessed an insecure cloud server containing user credentials and platform code. 

While the exact attack vector remains unconfirmed, previous TikTok vulnerabilities have included insecure API endpoints and inadequate server-side validation protocols.

This is not R00TK1T’s first high-profile claim. The group has previously alleged successful breaches of multiple organizations, including Maxis’ network in Kulim, Nestle, and Qatar Airways. The group has a pattern of making dramatic claims that sometimes outpace verifiable evidence.

“R00TK1T has a track record of exploiting vulnerabilities across various sectors, leveraging both technical weaknesses and insider knowledge,” notes one analysis of their previous activities.

TikTok’s Response

As of publication time, TikTok has not officially responded to these specific allegations. However, the company has previously denied similar breach claims, stating their security teams found no evidence of security breaches in their systems.

In recent statements about their security posture, TikTok has emphasized that “protected U.S. user data is stored in the Oracle Cloud, with controlled and monitored gateways that only approved personnel have access to”.

Security experts recommend that TikTok users take immediate precautionary measures:

  • Change passwords immediately
  • Enable two-factor authentication
  • Monitor accounts for suspicious activity
  • Be alert for potential phishing attempts leveraging the leaked data

As investigations continue, this incident highlights ongoing concerns about data security on major social platforms and the persistent threat posed by sophisticated threat actors in the digital landscape.

Hertz Data Breach – Customer Personal Information Stolen by Hackers
https://cybersecuritynews.com/hertz-data-breach/
Tue, 15 Apr 2025 09:37:32 +0000
Hertz Corporation has confirmed a significant data breach affecting customers of its Hertz, Dollar, and Thrifty brands, where hackers exploited critical security vulnerabilities to access sensitive customer information. 

The company disclosed that unauthorized third parties acquired customer data after exploiting zero-day vulnerabilities in a vendor’s file transfer platform, potentially exposing the personal details of an undisclosed number of customers.

How Hackers Gained Access

According to a recent notice of data incident, Hertz discovered on February 10, 2025, that customer data had been compromised through its vendor, Cleo Communications US, LLC. 

The hackers exploited zero-day vulnerabilities within Cleo’s file transfer platform during two separate incidents in October and December 2024.

“The unauthorized access was facilitated through critical security flaws that were previously unknown to the software developers,” said cybersecurity expert Marcus Reynolds, who specializes in transportation sector security breaches. 

“Zero-day vulnerabilities are particularly dangerous as they can be exploited before vendors have an opportunity to develop and distribute patches.”

Following a comprehensive data analysis completed on April 2, 2025, Hertz confirmed that the compromised information includes customers’ names, contact information, dates of birth, credit card details, and driver’s license information. The breach also exposed data related to workers’ compensation claims.

A smaller subset of individuals may have had more sensitive information compromised, including Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs associated with workers’ compensation claims, and injury-related information connected to vehicle accident claims.

Hertz’s Data Breach Response

In response to the breach, Hertz has taken several remedial measures. The company has confirmed that Cleo has investigated the incident and addressed the identified vulnerabilities. 

Additionally, Hertz has reported the incident to law enforcement and is working with relevant regulatory authorities. “We take the privacy and security of personal information seriously,” stated a Hertz representative. 

“While we are not aware of any misuse of personal information for fraudulent purposes in connection with this event, we are providing resources to help customers protect themselves.”

As part of its response plan, Hertz has partnered with Kroll, a risk consulting firm, to provide affected U.S. residents with two years of complimentary identity monitoring or dark web monitoring services.

Cybersecurity analysts have noted that this breach follows a growing trend of attacks targeting third-party vendors to gain access to larger corporations’ data. 

Affected customers are advised to remain vigilant by regularly reviewing account statements and monitoring credit reports for unauthorized activity. 

Industry experts recommend that affected individuals consider placing fraud alerts or credit freezes on their credit files as additional precautionary measures to protect against potential identity theft or fraud resulting from the data breach.

HPE Alerts Employees of Data Breach After Russian Cyberattack on Office 365
https://cybersecuritynews.com/hpe-alerts-employees-of-data-breach/
Sat, 08 Feb 2025 02:29:46 +0000
Hewlett Packard Enterprise (HPE) has disclosed a significant data breach involving its Office 365 email environment, attributed to the Russian state-sponsored hacking group known as Midnight Blizzard, also referred to as Cozy Bear or APT29.

The breach, which began in May 2023, was confirmed by HPE in December 2023 and has since been contained.

Details of the Breach

The attack targeted several email accounts within HPE’s cybersecurity, marketing, and business teams. Using a compromised account, the hackers gained unauthorized access to email mailboxes and exfiltrated sensitive data.

Information stolen includes Social Security numbers, driver’s license details, and credit card numbers belonging to employees. Additionally, some files from HPE’s SharePoint server were accessed during the same timeframe.

HPE’s forensic investigation revealed that the breach was part of a larger campaign by Midnight Blizzard, a group linked to Russia’s Foreign Intelligence Service (SVR).

This group has been implicated in other high-profile cyberattacks, including the SolarWinds espionage campaign and a recent breach of Microsoft’s corporate network.

Response and Notifications

HPE began notifying affected individuals on January 29, 2025. Impacted employees were offered complimentary credit monitoring and identity theft protection services.

The company also implemented enhanced security measures, such as rotating passwords and tokens, increasing monitoring capabilities, and strengthening access controls for privileged accounts.

In its communications with regulators and employees, HPE emphasized its commitment to safeguarding personal information and mitigating risks associated with the breach.

The incident highlights ongoing vulnerabilities in cloud-based systems like Microsoft Office 365. Experts have pointed out that such breaches often exploit weak authentication practices or unprotected legacy accounts.

The attack underscores the need for robust cybersecurity measures, including multi-factor authentication (MFA) and tighter endpoint controls.

Midnight Blizzard’s activities appear to be part of a broader espionage effort targeting governments, corporations, and IT service providers worldwide. The group is known for leveraging sophisticated techniques such as password spraying and abusing OAuth applications to maintain persistent access.

This is not the first time HPE has faced cyberattacks. In past years, the company dealt with breaches involving Chinese threat actors and vulnerabilities in its Aruba Central network monitoring platform.

The latest attack adds to growing concerns about state-sponsored cyber espionage targeting critical technology firms. As investigations continue, HPE has assured stakeholders that it will take all necessary steps to address the incident and prevent future breaches. However, this event serves as a stark reminder of the escalating cyber threats faced by enterprises globally.

U.S Community Health Center Hacked – 1 Million Patients Data Stolen
https://cybersecuritynews.com/u-s-community-health-center-hacked/
Mon, 03 Feb 2025 10:18:20 +0000
Community Health Center, Inc. (CHC), a Connecticut-based federally qualified health center, has disclosed a data breach following a criminal cyberattack on its systems.

The breach potentially exposed the sensitive personal and health information of patients and individuals who received COVID-19 tests or vaccines at CHC clinics.

The organization has issued letters to affected individuals and set up a dedicated website to assist those who may not have received direct communication.

In a regulatory filing with the Maine Attorney General’s Office, CHC reported that the data breach impacted 1,060,936 individuals.

Details of the Incident

According to CHC’s report, the breach was detected on January 2, 2025, when unusual activity was identified within its computer systems. Cybersecurity experts were immediately brought in to investigate and secure the network.

It was determined that a skilled hacker had accessed and extracted data but did not delete or lock any information.

CHC stated that the hacker’s access was terminated within hours, and daily operations were not disrupted. The organization believes there is no ongoing threat to its systems.

The type of information involved varies depending on the individual’s relationship with CHC:

  • CHC Patients: Data potentially accessed includes names, dates of birth, addresses, phone numbers, email addresses, diagnoses, treatment details, test results, Social Security Numbers (SSNs), and health insurance information.
  • COVID-19 Test or Vaccine Recipients: For individuals who are not regular CHC patients but received COVID-19 services at a CHC clinic, the compromised data may include names, dates of birth, phone numbers, email addresses, addresses, gender, race, ethnicity, and insurance details (if provided). Additional information such as test dates and results or vaccine details (e.g., type, dose, and administration date) may also have been affected. In rare cases where an SSN was collected for these individuals, it may have been included in the breach.

CHC has taken immediate steps to enhance its cybersecurity by implementing advanced monitoring software and reinforcing system protections. The organization has assured the public that there is no evidence of misuse of the compromised data at this time.

Mark Masselli, President and CEO of Community Health Center, Inc., expressed regret over the incident: “We sincerely regret any inconvenience resulting from this criminal activity and thank you for your continued support of CHC.”

To support affected individuals, CHC is offering free identity theft protection services through IDX for all patients and COVID-19 service recipients whose SSNs were involved. These services include:

  • 24 months of credit and CyberScan monitoring
  • A $1 million insurance reimbursement policy
  • Identity recovery assistance in case of theft

Individuals whose SSNs were not impacted are encouraged to follow recommended steps for additional protection.

CHC advises those who may be impacted to contact IDX at 1-877-229-9277 for assistance or to enroll in the free identity protection services. IDX representatives are available to address questions and provide guidance on safeguarding personal information.

PowerSchool Starts Notifying Students Following Massive Breach
https://cybersecuritynews.com/powerschool-massive-data-breach/ – Wed, 29 Jan 2025 02:50:28 +0000

PowerSchool, a leading U.S.-based education technology provider, has begun notifying students, teachers, and other affected individuals following a massive data breach that occurred in December 2024.

The breach, which compromised sensitive personal information, is one of the largest cybersecurity incidents to impact the education sector in recent years.

The breach occurred when attackers gained unauthorized access to PowerSchool’s customer support portal using stolen credentials.

This allowed them to extract data from the company’s Student Information System (SIS), which is widely used across North America to manage student records, grades, and attendance.

Data Exposed in Breach

The compromised data includes names, addresses, Social Security numbers (SSNs), medical information, and academic records. While PowerSchool serves over 60 million students globally, it remains unclear how many individuals were directly impacted.

However, hackers claim to have stolen the personal data of approximately 62.4 million students and 9.5 million educators.

PowerSchool has started notifying affected individuals and regulatory authorities in compliance with legal requirements. In Maine alone, over 33,000 residents were confirmed to have been affected by the breach.

The company is offering two years of complimentary credit monitoring and identity protection services to all impacted individuals, regardless of whether their SSNs were involved. This measure aims to mitigate potential risks such as identity theft and fraud.

PowerSchool’s official statement emphasized its commitment to transparency and support for affected communities. “We care deeply about the students, teachers, and families we serve and are wholeheartedly committed to supporting them,” said a company spokesperson.

The organization has also engaged third-party cybersecurity experts to investigate the incident and strengthen its security measures.

FTC Warns GoDaddy Over Inadequate Security Practices in Website Hosting Services
https://cybersecuritynews.com/ftc-slams-godaddy-security-practices/ – Thu, 16 Jan 2025 10:10:05 +0000

The Federal Trade Commission (FTC) has taken significant action against GoDaddy, one of the world’s largest web hosting companies, for failing to implement adequate security measures to protect its customers’ data.

The FTC alleges that GoDaddy’s “unreasonable security practices” led to several major breaches between 2019 and 2022, exposing sensitive customer information and putting millions of businesses and consumers at risk.

According to the FTC, GoDaddy failed to adopt basic cybersecurity practices necessary to safeguard its hosting services. The company allegedly neglected critical measures such as:

  1. Conducting regular software updates and patch management.
  2. Implementing multi-factor authentication (MFA) for administrative access.
  3. Logging and monitoring security-related events.
  4. Segmenting its network to prevent lateral movement by attackers.
  5. Securing connections to sensitive systems, such as APIs.

The FTC also accused GoDaddy of misleading customers through marketing claims that it provided robust security.

Despite assurances of “24/7 network security” and adherence to international privacy frameworks like the EU-U.S. Privacy Shield, the FTC found these claims to be false or misleading.

Impact Of Security Failures

GoDaddy’s lapses in cybersecurity resulted in multiple breaches that compromised customer websites and data. Notable incidents include:

1. 2019-2020 Breach: Attackers exploited vulnerabilities in GoDaddy’s hosting environment, gaining unauthorized access for over six months. They replaced application files with malicious versions, compromising login credentials for approximately 28,000 customers and 199 employees.

2. 2021 WordPress Breach: Hackers accessed an insecure API, exposing sensitive data from 1.2 million customers, including email addresses, private encryption keys, and database credentials.

3. 2022 Recurrence: A threat actor exploited leftover vulnerabilities from earlier breaches, redirecting visitors of customer websites to malicious sites.

These incidents not only harmed businesses relying on GoDaddy’s services but also endangered consumers visiting affected websites. Victims faced risks such as identity theft, financial fraud, and exposure to malware.

FTC’s Actions And Settlement

In response to these failures, the FTC has mandated that GoDaddy overhaul its cybersecurity practices under a proposed settlement agreement. Key requirements include:

  1. Establishing a comprehensive information-security program.
  2. Implementing MFA across all administrative accounts.
  3. Conducting regular third-party assessments of its security measures.
  4. Ensuring secure connections for all API communications.

The settlement prohibits GoDaddy from making false claims about its security practices in the future. While the company did not admit wrongdoing or face monetary penalties, non-compliance with the order could result in fines of up to $51,744 per violation.

GoDaddy stated that it has already implemented many of the FTC’s recommended measures and remains committed to improving its cybersecurity defenses.

“We are focused on protecting our customers’ data and websites,” a company spokesperson said. “We continue to invest in technologies, tools, and expertise to enhance system and information security.”

The company emphasized that it expects minimal financial impact from complying with the settlement terms.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, highlighted the importance of this case: “Millions of small businesses rely on hosting providers like GoDaddy to secure their websites. The FTC is acting to ensure companies strengthen their security frameworks to protect consumers worldwide.”

This action underscores the FTC’s commitment to holding companies accountable for cybersecurity failures that put consumers at risk.

Similar enforcement actions have been taken against other major firms like Marriott International for comparable lapses in data protection.

Gravy Analytics Hacked – Attackers Claim 17TB of Data Stolen
https://cybersecuritynews.com/hackers-allegedly-stolen-17tb-of-data/ – Wed, 08 Jan 2025 14:47:06 +0000

Hackers have claimed to have breached Gravy Analytics, a prominent location intelligence company, and its subsidiary Venntel.

The attackers allege they have exfiltrated 17 terabytes of data, including sensitive customer information, industry insights, and smartphone location data that could reveal individuals’ precise movements.

This breach has sparked alarm over the potential misuse of such data and its implications for privacy. The hackers announced their claim on the XSS cybercrime forum, sharing samples of the stolen data totaling 1.4GB.

The leaked samples reportedly include historical smartphone location data with precise latitude and longitude coordinates, timestamps, and other sensitive details.

(Image: data leaked on hacker forum)

Screenshots posted by the attackers also suggest they gained root access to Gravy Analytics’ servers and control over its domains and Amazon S3 buckets, which are often used for large-scale data storage.

The hackers warned Gravy Analytics that they would begin publishing the stolen data if the company did not respond within 24 hours.

As of January 8, 2025, Gravy Analytics’ website remains offline, adding to speculation about the company’s response to the breach.

(Image: Gravy Analytics website down)

Gravy Analytics specializes in collecting and analyzing anonymized location signals from mobile devices to provide insights for businesses.

Its subsidiary Venntel has been known to sell location data to U.S. government agencies, including the Department of Homeland Security (DHS), Internal Revenue Service (IRS), and Federal Bureau of Investigation (FBI).

These agencies have used such data for various purposes, including immigration enforcement. However, Gravy Analytics has faced criticism for its data practices.

In December 2024, the Federal Trade Commission (FTC) accused Gravy Analytics and Venntel of violating consumer privacy laws by collecting and selling sensitive location data without obtaining proper user consent.

The FTC alleged that the companies continued using consumer data even after discovering that consent had not been granted.

They were also accused of selling information related to visits to sensitive locations such as healthcare facilities, religious sites, and political gatherings.

Data Leaked

The potential fallout from this breach is immense. Experts warn that if the stolen bulk location data is sold on underground markets or made public, it could lead to severe privacy violations.

Researcher Baptiste Robert noted that the attackers “shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.”

He highlighted risks such as deanonymization of individuals and tracking high-risk targets like activists or journalists.

The leaked data could also expose sensitive personal details about individuals’ health decisions, political activities, or religious affiliations—information that could be exploited for discrimination or surveillance.
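The deanonymization risk described above, as an added example that is not code from the article, from Gravy Analytics or from the quoted researcher: a Python script that takes “anonymized” pings of the shape the leaked samples are said to have (a hashed device ID, latitude, longitude, timestamp) and recovers a home location from night-time pings and a visit to a sensitive site from a geofence. The device IDs, coordinates, timestamps and the clinic location are all constructed for the example; the 0.001° grid, the three-night-ping threshold and the 75 m geofence are assumptions, not values taken from the leak.

```python
"""Re-identification check on "anonymized" smartphone location pings.

Added example, not code from the article, from Gravy Analytics or from the
researcher quoted above. Each record is (device_id, lat, lon, unix timestamp),
the shape the leaked samples are described as having; device_id stands for a
hashed advertising identifier, so no name appears in the data. Two inferences
are shown: a home location (the grid cell a device sleeps in) and a visit to a
sensitive site whose coordinates the analyst already knows. All pings, site
coordinates and device IDs below are constructed for the example.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import NamedTuple


class Ping(NamedTuple):
    device_id: str
    lat: float
    lon: float
    ts: int  # seconds since the Unix epoch, UTC


GRID_DEG = 0.001      # ~111 m cells; fine enough to single out one building (assumed)
MIN_NIGHT_PINGS = 3   # do not call a cell "home" on fewer night-time pings (assumed)


def cell(lat: float, lon: float) -> tuple[int, int]:
    """Snap a coordinate to a fixed grid so repeated visits can be counted."""
    return (math.floor(lat / GRID_DEG), math.floor(lon / GRID_DEG))


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def is_night(ts: int) -> bool:
    # The sample treats UTC as local time; real data needs a time zone per ping.
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
    return hour >= 22 or hour < 6


def infer_homes(pings: list[Ping]) -> dict[str, tuple[float, float]]:
    """Map device_id -> centre of the cell holding most of its night-time pings."""
    night_cells: dict[str, Counter] = defaultdict(Counter)
    for p in pings:
        if is_night(p.ts):
            night_cells[p.device_id][cell(p.lat, p.lon)] += 1
    homes = {}
    for dev, counts in night_cells.items():
        (cy, cx), n = counts.most_common(1)[0]
        if n >= MIN_NIGHT_PINGS:
            homes[dev] = ((cy + 0.5) * GRID_DEG, (cx + 0.5) * GRID_DEG)
    return homes


def sensitive_visits(pings, sites, radius_m: float = 75.0):
    """Sorted (device_id, site_name) pairs for pings inside a site's geofence."""
    hits = set()
    for p in pings:
        for name, (slat, slon) in sites.items():
            if haversine_m(p.lat, p.lon, slat, slon) <= radius_m:
                hits.add((p.device_id, name))
    return sorted(hits)


def singled_out(homes):
    """Devices alone in their home cell: one address lookup re-identifies them."""
    per_cell = Counter(cell(lat, lon) for lat, lon in homes.values())
    return sorted(dev for dev, (lat, lon) in homes.items() if per_cell[cell(lat, lon)] == 1)


def _t(day: int, hour: int) -> int:
    return int(datetime(2025, 1, day, hour, 0, tzinfo=timezone.utc).timestamp())


# Hypothetical sensitive site; the coordinates are made up, not a real facility.
SENSITIVE_SITES = {"clinic": (40.7300, -73.9900)}

# Constructed sample pings (not from the leak).
SAMPLE_PINGS = [
    # a1b2: sleeps in one cell over two nights, works elsewhere by day, one clinic visit
    Ping("a1b2", 40.7482, -73.9855, _t(5, 23)),
    Ping("a1b2", 40.7484, -73.9853, _t(6, 1)),
    Ping("a1b2", 40.7581, -73.9855, _t(6, 12)),
    Ping("a1b2", 40.73004, -73.99003, _t(6, 14)),
    Ping("a1b2", 40.7483, -73.9857, _t(6, 23)),
    Ping("a1b2", 40.7481, -73.9856, _t(7, 2)),
    # c3d4: daytime pings plus a single night ping, too few to locate a home
    Ping("c3d4", 40.7600, -73.9700, _t(6, 10)),
    Ping("c3d4", 40.7610, -73.9690, _t(6, 15)),
    Ping("c3d4", 40.7700, -73.9600, _t(6, 23)),
]

if __name__ == "__main__":
    homes = infer_homes(SAMPLE_PINGS)
    print("inferred homes:", homes)
    print("singled-out devices:", singled_out(homes))
    print("sensitive visits:", sensitive_visits(SAMPLE_PINGS, SENSITIVE_SITES))
```

Running it yields one inferred home cell for device a1b2, reports that a1b2 is the only device sleeping in that cell (so a single address lookup re-identifies it) and lists its clinic visit; device c3d4 gets no home because it has too few night-time pings. This is the inference chain privacy engineers run to test whether a “no names, just signals” dataset is actually anonymous before it is sold or released, and it is the same chain an attacker runs on a leak.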

Furthermore, the breach underscores vulnerabilities in the location data industry, where companies collect vast amounts of personal information with limited oversight.

As investigations unfold, this incident may prompt renewed calls for stronger privacy protections and accountability in the data brokerage industry.

Meanwhile, individuals whose information may have been compromised face heightened risks of surveillance and exploitation in an increasingly interconnected digital world.
