Data Leak Archives - Cyber Security News
https://cybersecuritynews.com/category/data-leak/
Wed, 19 Nov 2025 08:18:25 +0000

WhatsApp Vulnerability Exposes 3.5 Billion Users’ Phone Numbers
https://cybersecuritynews.com/whatsapp-vulnerability-exposes-3-5-billion-users/
Wed, 19 Nov 2025 08:18:16 +0000

A critical security flaw in WhatsApp has allowed researchers to expose the phone numbers of 3.5 billion users, marking one of the most significant data leaks ever documented.

This vulnerability, rooted in the app’s contact discovery feature, persisted despite warnings to Meta dating back to 2017, raising serious concerns about user privacy on the world’s most popular messaging platform.​

The exploit relies on WhatsApp’s built-in mechanism for finding contacts, which reveals whether a user is on the service and public details like profile pictures and status texts when a phone number is entered.

Security researchers from the University of Vienna demonstrated the flaw by systematically querying billions of potential numbers, confirming active accounts at a rate of over 100 million per hour without any restrictions from WhatsApp.

Their study, conducted between December 2024 and April 2025, generated a comprehensive dataset using a tool called libphonegen to create realistic phone numbers across 245 countries.

By leveraging WhatsApp’s XMPP protocol through a modified open-source client, the team accessed not only phone numbers but also encryption keys, timestamps, and public profile information for 56.7% of accounts.​

WhatsApp Vulnerability Exposes 3.5 Billion Users

WhatsApp’s contact discovery tool, designed for convenience, lacks robust rate-limiting, enabling automated scraping on a massive scale. The researchers used just five authenticated accounts on a single university server to probe 63 billion potential numbers, identifying 3.5 billion active ones in under six months.
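A per-account guard for contact-discovery lookups, as an added example (not code from the article, the researchers, or WhatsApp): it caps the distinct numbers an account may query per sliding window and refuses further lookups when the account's hit ratio falls far below what a real address book produces. The class name, thresholds and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values, chosen for the constructed sample below.
WINDOW_SECONDS = 3600   # sliding window length
MAX_DISTINCT = 500      # distinct numbers one account may query per window
MIN_SAMPLE = 200        # do not judge the hit ratio on fewer numbers than this
MIN_HIT_RATIO = 0.20    # address books mostly hit; blind guesses mostly miss


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    registered: Optional[bool] = None   # only set when the lookup was answered


class ContactDiscoveryGuard:
    """Hypothetical server-side check placed in front of the lookup."""

    def __init__(self, directory):
        self._directory = directory   # set of registered numbers (constructed)
        self._seen = {}               # account -> {number: (last_seen, registered)}

    def lookup(self, account, number, now):
        seen = self._seen.setdefault(account, {})
        # Slide the window: forget numbers last queried over WINDOW_SECONDS ago.
        expired = [n for n, (ts, _) in seen.items() if ts <= now - WINDOW_SECONDS]
        for n in expired:
            del seen[n]

        if number not in seen:        # re-checking a known contact is free
            if len(seen) >= MAX_DISTINCT:
                return Verdict(False, "distinct-number budget exhausted")
            if len(seen) >= MIN_SAMPLE:
                hits = sum(1 for _, reg in seen.values() if reg)
                if hits / len(seen) < MIN_HIT_RATIO:
                    return Verdict(False, "hit ratio too low for an address book")

        registered = number in self._directory
        seen[number] = (now, registered)
        return Verdict(True, "ok", registered)


def run(guard, account, numbers, start=0.0, step=0.01):
    """Issue lookups in order; return (answered_count, first_denial_reason)."""
    answered, denial = 0, None
    for i, number in enumerate(numbers):
        verdict = guard.lookup(account, number, start + i * step)
        if verdict.allowed:
            answered += 1
        elif denial is None:
            denial = verdict.reason
    return answered, denial


def demo():
    # Constructed data only: none of these are real subscriber numbers.
    address_book = [f"+43660{i:07d}" for i in range(300)]
    sparse_range = [f"+43670{i:07d}" for i in range(5000)]
    dense_range = [f"+43680{i:07d}" for i in range(5000)]
    directory = {n for i, n in enumerate(address_book) if i % 5 < 3}     # 60% registered
    directory |= {n for i, n in enumerate(sparse_range) if i % 20 == 0}  # 5% registered
    directory |= {n for i, n in enumerate(dense_range) if i % 2 == 0}    # 50% registered
    guard = ContactDiscoveryGuard(directory)
    return {
        "phone_sync": run(guard, "user-a", address_book),   # ordinary contact upload
        "sparse_scan": run(guard, "user-b", sparse_range),  # sequential range, few hits
        "dense_scan": run(guard, "user-c", dense_range),    # sequential range, many hits
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The limits are per account, so a handful of accounts multiplies the budget; a production control would also aggregate by source network or device.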

For 29.3% of users, “about” texts revealed sensitive details such as political views, religious affiliations, or links to other social media profiles.

Alarmingly, the study uncovered 2.9 million cases of public key reuse, including identity and prekeys, which could undermine end-to-end encryption if exploited by malicious actors using unofficial clients.

One extreme example involved 20 U.S. numbers sharing a key of all zeros, suggesting potential fraud or broken implementations.​

This vulnerability echoes earlier warnings; a researcher flagged the issue in 2017, yet Meta delayed fixes for eight years. The exposed data overlaps significantly with prior breaches, like the 2021 Facebook leak of 500 million numbers, where nearly half remained active on WhatsApp, heightening risks for scams and targeted attacks.

Users in countries banning WhatsApp, such as China, Iran, and North Korea, face amplified dangers, including state surveillance or persecution.​

Meta’s Response and Ongoing Risks

Meta acknowledged the findings through its bug bounty program in April 2025 and implemented stricter rate limits in October 2025, claiming the data was already public and messages stayed encrypted.

WhatsApp VP of Engineering Nitin Gupta stated the company was developing anti-scraping measures, and the research helped stress-test them, with no evidence of malicious exploitation found.

The researchers responsibly deleted their dataset and emphasized that private profiles limited exposure, but they criticized Meta because they encountered no defenses during the probe.

Despite the patch, experts warn of lingering threats. Business accounts, comprising 9% of those scraped, often unwittingly expose more data via WhatsApp Business features.

The flaw highlights broader issues in enumeration attacks, where convenience features become privacy pitfalls, potentially fueling phishing, SIM-swapping, or doxxing campaigns. Cybersecurity analysts urge users to set profiles to private, avoid sharing personal details in statuses, and monitor for suspicious activity, especially post-leak.​

This incident underscores the challenges of securing platforms with billions of users, where even “public” data aggregation creates a shadow profile ecosystem.

As WhatsApp dominates messaging in regions like West Africa, where 80% of profiles were public, the risks of identity theft and cyberattacks escalate.

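Rank | Country | # Accounts | Global Share | Android (%) | iOS (%) | Picture (%) | About Text (%) | Business (%) | Companions (%)
1 | India | 749,075,246 | 21.67% | 95 | 5 | 62.2 | 29.5 | 9.8 | 6.2
2 | Indonesia | 235,245,077 | 6.81% | 92 | 8 | 49.1 | 27.5 | 10.7 | 9.3
3 | Brazil | 206,949,224 | 5.99% | 81 | 19 | 61.1 | 41.5 | 10.3 | 15.5
4 | United States | 137,859,284 | 3.99% | 33 | 67 | 44.0 | 32.8 | 2.4 | 6.1
5 | Russia | 132,855,022 | 3.84% | 76 | 24 | 61.7 | 33.5 | 3.6 | 9.4
6 | Mexico | 128,324,166 | 3.71% | 82 | 18 | 46.1 | 23.3 | 4.1 | 11.7
7 | Pakistan | 98,277,665 | 2.84% | 95 | 5 | 58.5 | 20.0 | 21.7 | 5.4
8 | Germany | 74,565,425 | 2.16% | 58 | 42 | 51.0 | 35.4 | 2.2 | 13.4
9 | Türkiye | 72,131,903 | 2.09% | 73 | 27 | 48.0 | 33.4 | 3.0 | 12.0
10 | Egypt | 69,317,806 | 2.01% | 90 | 10 | 53.2 | 25.1 | 11.3 | 6.1
11–245 | Others | 1,552,021,571 | 44.90% | 77 | 23 | 56.9 | 27.9 | 9.3 | 9.0
Global | (245 countries) | 3,456,622,389 | 100.00% | 81 | 19 | 56.7 | 29.3 | 9.0 | 8.8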

Regulators may scrutinize Meta further following GDPR fines for past lapses, pushing for proactive defenses such as advanced CAPTCHA or behavioral analysis.​

Hackers Allegedly Claim Leak of LG Source Code, SMTP, and Hardcoded Credentials
https://cybersecuritynews.com/lg-data-leak-claim/
Mon, 17 Nov 2025 07:48:17 +0000

A threat actor known as “888” has purportedly dumped sensitive data stolen from electronics giant LG Electronics, raising alarms in the cybersecurity community.

The breach, first spotlighted on November 16, 2025, allegedly includes source code repositories, configuration files, SQL databases, and, critically, hardcoded credentials and SMTP server details potentially exposing LG’s internal communications and development pipelines to widespread exploitation.​

The leak surfaced via a post on ThreatMon, a platform that tracks dark web activity, where “888” shared samples to prove authenticity. Described as originating from a contractor access point, the dataset reportedly spans multiple LG systems, hinting at a supply chain vulnerability rather than a direct corporate hack.

LG Data Leak Claim

Cybersecurity analysts note that hardcoded credentials, embedded directly in code for convenience, pose severe risks, as they could enable attackers to impersonate LG personnel or pivot to connected services.

SMTP credentials, which manage email routing, might further allow phishing campaigns or spam operations disguised as legitimate LG correspondence.​

Threat actor “888” is no stranger to high-profile claims. Active since at least 2024, this individual has targeted entities like Microsoft, BMW Hong Kong, Decathlon, and Shell, often extorting ransoms or selling data on breach forums.

Their tactics typically involve initial access brokers and infostealer malware, and they monetize leaks through cryptocurrency payments. In this LG incident, no ransom demand has been publicly confirmed.

Still, samples shared include file structures suggesting the presence of gigabytes of proprietary code, which could undermine LG’s intellectual property in consumer electronics and smart appliances.​

LG Electronics has yet to issue an official statement, but the timing aligns with a turbulent year for the company. Earlier in October 2025, LG’s telecom arm, LG Uplus, confirmed a separate breach affecting customer data, amid a wave of South Korean telecom hacks.

LG Electronics confirmed to Cybersecuritynews “that the personal information of 584 employees from LG Electronics and HiPLAZA (LGE’s official distributor in Korea) — including names, company email addresses, and mobile phone numbers — stored on a website used for collaboration on domestic store design materials in Korea, was exposed externally at approximately 11 p.m. on January 16”.

“The incident occurred after the server of Nine Five, a development partner of HSAd, which had been commissioned by LG Electronics to develop the website, was compromised in a hacking attack. The partner’s server contained an authentication key that allowed access to the website.”

“Upon confirming the incident, LG Electronics immediately initiated the necessary response procedures in accordance with applicable regulations. The company will report the personal information breach to the relevant authorities, including the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission, within the required 72-hour window, and will notify the affected individuals directly.”

“LG Electronics is conducting a thorough investigation into the incident and is taking all appropriate measures to prevent any recurrence.”

Experts speculate these incidents may share common vectors, such as unpatched vulnerabilities in cloud integrations or third-party tools. The exposure of source code could reveal flaws in LG’s IoT devices, amplifying risks for millions of users worldwide.​

As investigations unfold, security firms urge organizations to scan for leaked credentials using tools like Have I Been Pwned and to rotate all suspected keys immediately.

This alleged breach underscores the fragility of global supply chains, where a single contractor’s lapse can cascade into corporate espionage. For LG, swift disclosure and remediation will be key to mitigating fallout amid relentless cyber threats.​

Checkout.com Hacked – ShinyHunters Breached Cloud Storage, Company Refuses Ransom
https://cybersecuritynews.com/checkout-com-hacked/
Fri, 14 Nov 2025 03:55:02 +0000

Payment processor Checkout.com revealed on Thursday that notorious hacking group ShinyHunters had infiltrated a legacy third-party cloud file storage system, exposing internal documents from years past.

The breach, which the company attributes to its own oversight in decommissioning the outdated platform, affects less than 25% of its current merchant base but spares critical payment infrastructure.

The incident surfaced last week when ShinyHunters, a collective known for high-profile data thefts including breaches at Microsoft, AT&T, and Ticketmaster, contacted Checkout.com demanding a ransom.

The group claimed possession of sensitive data tied to the London-based fintech firm, which processes billions in transactions annually for e-commerce giants worldwide.

Upon investigation, Checkout.com confirmed unauthorized access to a cloud system used before 2020 for internal operational documents and merchant onboarding materials. “This was our mistake, and we take full responsibility,” stated Mariano Albera, the company’s Chief Technology Officer, in an official blog post.

What Data Was Affected

The legacy setup, managed by a third-party provider, was not properly retired, creating a vulnerability that threat actors exploited. Crucially, the hackers never reached the live payment processing platform; no merchant funds, card numbers, or real-time transaction data were compromised.

ShinyHunters, active since at least 2020, has built a reputation for selling stolen data on dark web forums, often targeting financial and tech sectors.

Their tactics typically involve exploiting misconfigurations or weak access controls, aligning with the decommissioning lapse here. Security experts cite this as a reminder of “zombie systems”: forgotten infrastructure that lingers as easy prey for cybercriminals.

Checkout.com emphasized transparency in its response, vowing not to yield to extortion. “We will not pay this ransom,” Albera declared. Instead, the company plans to donate an equivalent amount to Carnegie Mellon University and the University of Oxford’s Cyber Security Center, funding research to combat cybercrime.

“Security, transparency, and trust are the foundation of our industry,” he added. “We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.”

The firm is now notifying affected merchants and collaborating with law enforcement and regulators to mitigate fallout. “We are sorry. We regret that this incident has caused worry for our partners,” Albera wrote, offering direct support through account managers.

65% of Leading AI Companies Exposes Verified Secrets Including Keys and Tokens on GitHub
https://cybersecuritynews.com/ai-companies-exposes-keys-and-tokens/
Tue, 11 Nov 2025 11:47:24 +0000

A new security investigation reveals that 65% of prominent AI companies have leaked verified secrets on GitHub, exposing API keys, tokens, and sensitive credentials that could compromise their operations and intellectual property.

The Wiz research, which examined 50 leading AI companies from the Forbes AI 50 list, uncovered widespread security vulnerabilities across the industry.

These leaked secrets were discovered in deleted forks, gists, and developer repositories, representing an attack surface that standard GitHub scanning tools routinely overlook.

What Makes this Different

Unlike commodity secret-scanning tools that rely on surface-level GitHub organization searches, the Wiz researchers employed a three-pronged methodology targeting depth, perimeter, and coverage.

[Figure: Analysis of secrets leak to AI companies]

The “Depth” approach examined complete commit histories, deleted forks, workflow logs, and gists, the submerged portion of the security iceberg.

The “Perimeter” dimension expanded discovery to include secrets accidentally committed by organization members to their personal repositories.

Meanwhile, “Coverage” addressed detection gaps for emerging AI-specific secret types across platforms such as Perplexity, Weights & Biases, Groq, and NVIDIA.

Among the most impactful leaks were Langsmith API keys granting organization-level access and enterprise-tier credentials from ElevenLabs, discovered in plaintext configuration files.

One anonymous AI50 company’s exposure included a Hugging Face token that provided access to approximately 1,000 private models, alongside multiple Weights and Biases keys that compromised proprietary training data.

Troublingly, 65% of exposed companies were valued at over $400 billion collectively. Yet smaller organizations proved equally vulnerable; even those with minimal public repositories demonstrated exposure risks.

Wiz experts emphasize the urgent need for action by AI companies. Implementing mandatory secret scanning for public version-control systems is essential and cannot be overlooked.

Establishing proper disclosure channels from inception protects companies during vulnerability remediation. Additionally, AI service providers must develop custom detection for proprietary secret formats, as many leak their own platform credentials during deployment due to inadequate scanning.
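The “Depth” and custom-detection points above, as an added example (not Wiz's tooling or any vendor's scanner): it scans git log -p style output, including removed lines, for a vendor-specific key format and drops low-entropy placeholders, while the same check on the current file finds nothing. The acme_ key format, the entropy threshold, the commit ids and the key itself are hypothetical, constructed values.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# HYPOTHETICAL vendor key format for this example: "acme_" + 32 alphanumerics.
TOKEN_RE = re.compile(r"\bacme_[A-Za-z0-9]{32}\b")
MIN_ENTROPY_BITS = 3.5   # assumed threshold; filters placeholders like acme_xxxx...

SAMPLE_KEY = "acme_" + "7Qm2ZpL9vXc4TnB8kR1sWd6HfY3uJe0A"   # constructed, not a real key

# Constructed `git log -p` output, newest commit first, with abbreviated ids.
HISTORY = """\
commit 3333333
Author: dev <dev@example.invalid>

    document the key format

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # inference client
+Set ACME_API_KEY, e.g. PLACEHOLDER

commit 2222222
Author: dev <dev@example.invalid>

    read key from environment

diff --git a/config/inference.yaml b/config/inference.yaml
--- a/config/inference.yaml
+++ b/config/inference.yaml
@@ -1,3 +1,3 @@
 endpoint: https://api.example.invalid/v1
-api_key: LEAKED
+api_key: ${ACME_API_KEY}
 timeout: 30

commit 1111111
Author: dev <dev@example.invalid>

    add inference client config

diff --git a/config/inference.yaml b/config/inference.yaml
--- /dev/null
+++ b/config/inference.yaml
@@ -0,0 +1,3 @@
+endpoint: https://api.example.invalid/v1
+api_key: LEAKED
+timeout: 30
""".replace("LEAKED", SAMPLE_KEY).replace("PLACEHOLDER", "acme_" + "x" * 32)

# What a scan of the current checkout sees: the key is gone from the file.
HEAD_CONFIG = "endpoint: https://api.example.invalid/v1\napi_key: ${ACME_API_KEY}\ntimeout: 30\n"


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    change: str   # "+" = line added, "-" = line removed (still stored in history)
    token: str    # redacted so the report does not leak the key again


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_tokens(text):
    """Return redacted matches whose random part looks like real key material."""
    out = []
    for m in TOKEN_RE.finditer(text):
        body = m.group(0)[len("acme_"):]
        if shannon_entropy(body) >= MIN_ENTROPY_BITS:
            out.append(m.group(0)[:9] + "...")
    return out


def scan_history(log_text):
    findings, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path, in_hunk = line.split()[1][:7], None, False
        elif line.startswith("diff --git "):
            path, in_hunk = line.split(" b/", 1)[1], False
        elif line.startswith("@@"):
            in_hunk = True   # file headers (---/+++) come before the first hunk
        elif in_hunk and line[:1] in ("+", "-"):
            for tok in find_tokens(line[1:]):
                findings.append(Finding(commit, path, line[0], tok))
    return findings


if __name__ == "__main__":
    print("current file:", find_tokens(HEAD_CONFIG))
    for f in scan_history(HISTORY):
        print(f)
```

A key that shows up only on a removed line still has to be rotated: the commit that introduced it remains retrievable from history and from any fork made before the cleanup.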

The Wiz research underscores a critical message: organizational members and contributors represent extended attack surfaces requiring security policies during onboarding.

Treating employees’ personal repositories as part of corporate infrastructure becomes essential as AI adoption accelerates. In an industry racing ahead, the message is clear: speed cannot compromise security.

Comprehensive secret detection must evolve alongside emerging AI technologies to raise organizational defense standards.

Fired Intel Engineer Stolen 18,000 Files, Many of which Were Classified as “Top Secret”
https://cybersecuritynews.com/intel-engineer-stolen-confidential-files/
Mon, 10 Nov 2025 12:17:51 +0000

Intel has filed a federal lawsuit against a former employee accused of downloading thousands of classified documents shortly after being terminated, raising serious concerns about corporate data security and insider threats.

Jinfeng Luo, a software developer who has worked at Intel since 2014, was based in Seattle when the company notified him of his pending dismissal on July 7.

His employment officially ended on July 31 as part of Intel’s massive workforce reduction effort that saw over 15,000 employees laid off worldwide during the summer restructuring.

The Alleged Theft

According to Intel’s lawsuit filed in Washington federal court, Luo attempted to download files from his work laptop to an external hard drive on July 23. However, the company’s security controls blocked the transfer.

Luo allegedly connected a different storage device five days later and downloaded about 18,000 files. Many of these files were marked as “Top Secret” by Intel.

The unauthorized file transfer immediately triggered an internal investigation. Intel spent months attempting to contact Luo at his Seattle residence and two other addresses linked to him, including one in Portland, but the engineer could not be reached.

Unable to locate Luo, Intel pursued legal action seeking substantial compensation. The lawsuit demands at least $250,000 in damages, attorney fees, and a court injunction prohibiting Luo from disclosing any of the stolen confidential information to unauthorized parties.

Neither Intel nor Luo has provided public comments about the case. The tech giant declined to discuss details when contacted by media outlets, and Luo’s current whereabouts remain unknown.

Legal observers and OregonLive first reported on Intel’s lawsuit earlier this week through specialized law and employment news platforms.

The incident highlights significant vulnerabilities in protecting sensitive corporate data during layoffs.

As companies implement cost-cutting measures affecting thousands of employees, insider threats pose escalating risks to intellectual property and classified information.

Intel’s case demonstrates how quickly departing employees can access and remove sensitive materials before security measures can be fully implemented.

EY Data Leak – Massive 4TB SQL Server Backup Exposed Publicly on Microsoft Azure
https://cybersecuritynews.com/ey-data-leak/
Wed, 29 Oct 2025 17:46:27 +0000

A massive 4TB SQL Server backup file belonging to global accounting giant Ernst & Young (EY) was discovered publicly accessible on Microsoft Azure.

The exposure, uncovered by cybersecurity firm Neo Security during a routine asset mapping exercise, highlights how even well-resourced organizations can inadvertently leave sensitive data vulnerable to the internet’s automated scanners.

Neo Security’s lead researcher discovered the file while examining passive network traffic with low-level tools. A simple HEAD request designed to retrieve metadata without downloading content revealed a massive size: 4 terabytes of data, which is equivalent to millions of documents or the contents of an entire library.

The file’s naming convention screamed SQL Server backup (.BAK format), which typically contains full database dumps, including schemas, user data, and, crucially, embedded secrets such as API keys, credentials, and authentication tokens.

Discovery and Verification Process

Initial searches on Azure Blob Storage yielded no immediate ownership clues, but deeper probes uncovered merger documents in a European language, translated with tools like DeepL, pointing to a 2020 acquisition.

A pivotal DNS SOA record lookup tied the domain to ey.com, confirming EY’s involvement. To avoid any legal pitfalls, the team downloaded only the file’s first 1,000 bytes, which revealed an unmistakable “magic bytes” signature for an unencrypted SQL Server backup, according to Neo Security.

This was not a theoretical risk. Neo Security relied on real-world incident response experience, recalling a fintech breach that resulted from the brief exposure of a similar .BAK file for just five minutes.

In that case, attackers exploited the brief window to exfiltrate personally identifiable information and credentials, leading to ransomware and the company’s collapse.

With today’s botnets scanning the entire IPv4 address space in minutes, such exposures invite inevitable compromise. Neo Security halted further probing and pursued responsible disclosure over a weekend, eventually connecting with EY’s CSIRT via LinkedIn outreach after 15 attempts.

EY responded swiftly and professionally, triaging and remediating the issue within a week, with no defensiveness, just effective action.

An EY spokesperson told Cyber Security News, “Several months ago, EY became aware of a potential data exposure and immediately remediated the issue. No client information, personal data, or confidential EY data has been impacted. The issue was localized to an entity that was acquired by EY Italy and was unconnected to EY global cloud and technology systems.”

Experts warn that automated adversarial scanning means exposures aren’t “if” but “how many” actors notice.

As cloud complexity grows, continuous mapping and visibility tools become essential to outpace threats, ensuring organizations discover their own leaks first.

Renault UK Suffers Cyberattack – Hackers Stolen Users Customers Personal Data
https://cybersecuritynews.com/renault-uk-suffers-cyberattack/
Fri, 03 Oct 2025 16:04:53 +0000

Renault UK has notified customers of a data breach after a cyberattack on one of its third-party service providers resulted in the theft of personal information.

The company has assured its clients that its own internal systems were not compromised and that no financial data was exposed.

Renault UK began sending emails to affected drivers to inform them of “a cyber-attack on one of our third-party providers, leading to some Renault UK customers’ personal data being taken from one of their systems.”

The company emphasized that the incident was isolated to the vendor and did not impact Renault’s own infrastructure.

A spokesperson for Renault UK confirmed the situation with Express, stating that a data processing provider had notified them of the attack. The provider has since confirmed that the incident has been contained and the vulnerability removed.

Renault is now working closely with the third party to ensure all necessary actions are taken and has notified all relevant authorities about the security failure.

What Data Was Compromised?

While financial details and passwords were not affected, a significant amount of personal and vehicle-related information was stolen.

According to a statement from a Renault UK spokesperson, the compromised data includes some or all of the following for affected customers: full names, addresses, dates of birth, gender, and phone numbers.

Furthermore, vehicle-specific details such as Vehicle Identification Numbers (VIN) and vehicle registration numbers were also part of the exfiltrated data set.

The company reiterated in its communication that it does not hold any financial details for customers, so no bank or payment card information was involved in the cyberattack.

In response to the breach, Renault UK is contacting all affected customers directly to inform them of the situation. The company is urging drivers to be vigilant and cautious of any unsolicited communications, particularly those requesting personal information by phone or email.

Renault has clearly stated that it will never ask customers for their passwords. In its apology to those impacted, the company expressed deep regret over the incident and underscored that data privacy is of the utmost importance.

For customers seeking more information or assistance, Renault has directed them to its official data privacy webpage or to contact its Data Protection Officer directly via email.

Chess.com Data Breach – Hackers Breached External System and Gained Internal Access
https://cybersecuritynews.com/chess-com-data-breach/
Thu, 04 Sep 2025 18:49:15 +0000

Online chess giant Chess.com has disclosed a data breach that compromised the personal information of 4,541 individuals, according to a filing with the Maine Attorney General’s Office.

The cyber incident took place on June 5, 2025 and was discovered nearly two weeks later on June 19, 2025. Chess.com confirmed that the breach was the result of an external hack, where attackers gained unauthorized access to sensitive data.

The company reported that hackers were able to obtain names and personal identifiers, though it did not provide a full breakdown of all the data elements exposed. The breach affected users across multiple regions, including one resident of Maine.

Chess.com Response

Chess.com began notifying impacted individuals on September 3, 2025 through written notices. To help protect its community, the company is offering 12 months of complimentary identity theft protection services.

The notification was formally submitted by Elias Colabelli, Head of the Legal Department and Data Protection Officer at Chess.com, who emphasized that the company is strengthening its systems to prevent similar incidents in the future.

Although the number of affected users may seem low compared to other large-scale data breaches, the incident underscores how even major online platforms remain targets for cybercriminals. With more than 150 million users worldwide, Chess.com holds a vast amount of personal data, making it a lucrative target for hackers.

Cybersecurity experts warn that breaches of this nature can pave the way for identity theft, phishing attempts, and further fraud if stolen data circulates on underground markets.

Chess.com has not yet disclosed whether law enforcement is involved in the investigation. The company says it continues to work on tightening security protocols and monitoring its systems closely.

We have reached out to Chess.com for further details regarding the breach and are awaiting their response. This article will be updated as soon as new information becomes available.

For users, the breach is a reminder to stay vigilant, monitor financial accounts, and be cautious of suspicious emails that could exploit stolen personal details.

Massive 16 Billion Passwords From Apple, Facebook, Google and More Leaked – Reset Passwords Now! https://cybersecuritynews.com/16-billion-passwords-leaked/ Fri, 20 Jun 2025 07:41:01 +0000 https://cybersecuritynews.com/?p=111783 A new report has uncovered a staggering 16 billion login credentials from major platforms, including Apple, Facebook, Google, GitHub, Telegram, and government services.  The massive leak, discovered through 30 separate datasets, represents an unprecedented threat to global cybersecurity and digital privacy. The exposed datasets vary dramatically in size, with the smallest containing over 16 million […]

The post Massive 16 Billion Passwords From Apple, Facebook, Google and More Leaked – Reset Passwords Now! appeared first on Cyber Security News.

]]>
A new report has uncovered a staggering 16 billion login credentials from major platforms, including Apple, Facebook, Google, GitHub, Telegram, and government services. 

The massive leak, discovered through 30 separate datasets, represents an unprecedented threat to global cybersecurity and digital privacy.

The exposed datasets vary dramatically in size, with the smallest containing over 16 million records and the largest housing more than 3.5 billion credentials. 

On average, each dataset contained approximately 550 million records, creating what researchers describe as “a blueprint for mass exploitation.” 

The data structure follows a consistent pattern typical of infostealer malware, consisting of URL, username, and password combinations, often accompanied by authentication tokens, session cookies, and metadata.

Most datasets were temporarily accessible through unsecured Elasticsearch instances and object storage configurations before being secured, Cybernews stated.

Leaked from 320 Million Computers, but Not a New Leak

Regarding this report, Alon Gal, CTO at Hudson Rock, added in a post that an average infected computer has around 50 sets of credentials. Given that there are 16 billion credentials, this would suggest that 320 million computers have been infected by infostealers. However, this claim is simply not true, regardless of how one might interpret the numbers.

“The leak is likely the result of a combination of legacy Infostealer credentials, data from older database leaks, and fabricated entries, similar to the ALIEN TXTBASE leak. For instance, the leaked information could include actual lines with slight variations in passwords or logins that can be used for brute-force attacks,” he added.

Some datasets were named generically as “logins” or “credentials,” while others bore specific geographical or service-related identifiers, including one with over 455 million records linked to Russian Federation origins and another containing 60 million Telegram-related credentials.

The exposed data creates significant opportunities for credential stuffing attacks, account takeover schemes, and business email compromise (BEC) operations. 

It appears that the breaches in question are not recent; the underlying data has been available on the dark web in parts for an extended period. These compilations have since been aggregated and exposed on the internet.

Cybercriminals can leverage these massive datasets to execute phishing campaigns with unprecedented precision, using legitimate login credentials to bypass basic security measures. 

The presence of authentication tokens and session cookies in many records amplifies the threat, potentially enabling immediate access to active user sessions without requiring password verification.

The structured nature of the data makes it particularly valuable for ransomware intrusions and identity theft operations. 

With success rates of less than one percent still potentially affecting millions of users, the scale of this exposure represents a fundamental shift in the cyberthreat landscape. 

Organizations lacking robust multi-factor authentication (MFA) implementations and comprehensive credential hygiene practices face a higher risk of compromise.

It is recommended to implement strong password policies, rotate credentials frequently, and conduct comprehensive system scans for infostealer malware. 

Users should enable multi-factor authentication (MFA) across all accounts and monitor for suspicious activity indicators. Organizations must prioritize endpoint detection and response (EDR) solutions to identify and neutralize infostealer infections before credentials can be harvested.

This breach highlights the crucial importance of proactive cybersecurity measures in an era where credential theft has become increasingly industrialized. 

As new massive datasets continue emerging every few weeks, the cybersecurity community faces an ongoing challenge to protect against increasingly sophisticated and large-scale credential harvesting operations.

How to Protect Yourself

Lock Down Your Devices: Infostealers sneak in through outdated software or weak devices. Use tools like Microsoft Defender or CrowdStrike to spot and stop shady activity, like keylogging or stealing passwords.

Keep all your systems, apps, and firmware updated with the latest patches to plug security holes. Also, set up application whitelisting to block unauthorized programs and turn off Office macros unless you really need them.

Beef Up Logins: Infostealers love stealing passwords to dig deeper into your systems. Make multi-factor authentication (MFA) a must for all accounts, especially important ones like admin or VPN access. Use strong, unique passwords with a password manager and limit who can access sensitive stuff. If a leak happens, reset passwords, kill active sessions, and watch for weird login attempts using tools like Splunk.

Watch Your Network: Infostealers send stolen data over the internet. Use firewalls, intrusion detection, and data loss prevention (DLP) tools like Symantec to catch and block unauthorized transfers. DNS filtering and network segmentation can stop malware from phoning home or spreading.

Stay Ready to Respond: Spot threats fast with SIEM and behavior analytics. If hit, investigate with tools like Volatility, isolate infected devices, and restore from clean backups. Have a NIST-aligned response plan and test it regularly.


The post Massive 16 Billion Passwords From Apple, Facebook, Google and More Leaked – Reset Passwords Now! appeared first on Cyber Security News.

]]>
111783
Victoria’s Secret Website Went Offline Following a Cybersecurity Incident https://cybersecuritynews.com/victorias-secret-website-went-offline/ Thu, 29 May 2025 13:09:25 +0000 https://cybersecuritynews.com/?p=108986 Victoria’s Secret & Co. has taken its website offline and suspended select in-store services following what the company describes as a “security incident” that began over the Memorial Day weekend.  The lingerie retailer’s website displays only a black screen with a message stating the company has “identified and are taking steps to address a security […]

The post Victoria’s Secret Website Went Offline Following a Cybersecurity Incident appeared first on Cyber Security News.

]]>
Victoria’s Secret & Co. has taken its website offline and suspended select in-store services following what the company describes as a “security incident” that began over the Memorial Day weekend. 

The lingerie retailer’s website displays only a black screen with a message stating the company has “identified and are taking steps to address a security incident” and has “taken down our website and some in store services as a precaution”. 

The disruption has persisted for three days, with reports indicating the outage began as early as Monday during a Memorial Day sale promotion.

Security Breach Disrupts Operations and Systems

The cybersecurity incident has significantly impacted Victoria’s Secret’s digital infrastructure, with employees reportedly locked out of their email accounts and passwords failing to work.

The company immediately enacted its incident response protocols and engaged third-party cybersecurity experts to investigate and remediate the breach. 

CEO Hillary Super reportedly informed employees that recovery operations would take considerable time, while customer care operations and some distribution center functions have been halted.

The timing of the attack aligns with known cybercriminal tactics of targeting organizations during public holidays when IT departments are typically short-staffed and less able to mount effective defenses. 

This strategic timing maximizes the potential for successful initial compromise and lateral movement within target networks before detection. 

The company has not disclosed whether the incident involves ransomware deployment, data exfiltration, or other specific attack vectors, though security experts note the operational disruption pattern suggests a sophisticated multi-stage attack.

Victoria’s Secret’s incident occurs amid an unprecedented wave of cyberattacks targeting major retailers globally. 

Recent months have witnessed significant breaches affecting Marks & Spencer, Co-op, and Harrods in the UK, with security researchers attributing many of these attacks to the Scattered Spider cybercriminal collective (also tracked as UNC3944, Octo Tempest, and Muddled Libra). 

Google’s Threat Intelligence Group has warned that this English-speaking hacking group, primarily composed of young adults from the US and UK, has pivoted from targeting UK retailers to focusing on US retail chains.

The attackers have demonstrated proficiency with DragonForce ransomware deployment on VMware ESXi hosts, credential dumping techniques using tools like Mimikatz (T1003.001 – LSASS Memory), and network reconnaissance through port scanning utilities such as SoftPerfect Network Scanner. 

Their attack methodology typically involves initial compromise through social engineering targeting IT helpdesks, followed by credential harvesting, lateral movement across Active Directory environments, and eventual deployment of ransomware payloads that encrypt both Windows and Linux systems.

The security incident has triggered immediate financial consequences for Victoria’s Secret, with shares falling approximately 7% on Wednesday following disclosure of the breach. 

This decline represents significant investor concern given that digital sales accounted for $2 billion in revenue during 2024, representing roughly one-third of the company’s total revenue stream. 

The operational disruption threatens to impact the retailer’s financial performance during a critical sales period.

Victoria’s Secret operates approximately 1,350 retail stores across 70 countries, with its physical locations remaining operational despite the digital infrastructure compromise. 

The company has confirmed that both Victoria’s Secret and PINK store locations continue serving customers, though some in-store digital services remain affected. 

Security analysts note that the extended duration of the outage suggests either extensive system compromise requiring comprehensive rebuilding, or ongoing negotiations in a potential ransomware scenario, though the company has not confirmed payment of any ransom demands.

The incident underscores the critical vulnerability of retail organizations heavily dependent on e-commerce platforms and highlights the evolving sophistication of cybercriminal operations targeting consumer-facing businesses during peak shopping periods.


The post Victoria’s Secret Website Went Offline Following a Cybersecurity Incident appeared first on Cyber Security News.

]]>
108986