The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users' sensitive information and infect their systems with malware.” reads the alert.
There’s a rumor flying around the Internet that OpenAI is training foundation models on your Dropbox documents. Dropbox isn’t sharing all of your documents with OpenAI. We risk letting companies get away with real misconduct because we incorrectly believed in conspiracy theories. Here’s CNBC.
Cybercriminals are abusing Google's infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials. The difference is that anyone with a Google account can create a website on sites.google.com. Instead create an account on the service itself.
Reading the headlines, one would hope that the rapid gains in AI technology have also brought forth a unifying realization of the risks—and the steps we need to take to mitigate them. Some are concerned about far-future risks that sound like science fiction. AI could destroy humanity or pose a risk on par with nukes.
The primary objective of these services is risk reduction. Policy violations by employees: Most organizations focus on external threats; however, policy violations pose a major risk, with 51% of SMB incidents and 43% of enterprise incidents involving IT security policy violations caused by employees.
The Docusign Application Programming Interface (API) allows customers to send emails that come from genuine Docusign accounts, and they can use templates to impersonate reputable companies. We've identified an unauthorized transaction made from your PayPal account to Coinbase: Amount: $755.38 It doesn't even exist. What can I do?
At the end of 2023, malicious hackers learned that many companies had uploaded sensitive customer records to accounts at the cloud data storage service Snowflake that were protected with little more than a username and password (no multi-factor authentication needed). government military which country will not hand me over” -“U.S.
Karol Mazurek of Afine documents a new Threat of TCC Bypasses on macOS: “I decided to disclose a TCC bypass vulnerability in Cursor.app because, despite responsible disclosure, developers stated this issue ‘falls outside their threat model’ and have no plans to fix it.” Specifically, Article 13 states: “3. a description of the design.
Cybercriminals exploit compromised accounts for EDR-as-a-Service (Emergency Data Requests – EDR), targeting major platforms. According to a detailed analysis conducted by Meridian Group, an increasingly complex and structured phenomenon, commonly referred to as EDR-as-a-Service, is taking hold in the cybersecurity landscape.
Unisys, for instance, was found to have framed cyber risks hypothetically even though its systems had already been breached, exfiltrating gigabytes of data. But the SEC’s latest actions underscore that failing to inform stakeholders about material risks and breaches is not an option. Addressing this root cause must be a priority.
A new report from Oasis Security reveals a critical security flaw in Microsoft's OneDrive File Picker, exposing users to significant data privacy and access control risks. This creates a window of risk not just for the file shared, but for everything stored in the user's drive. Older versions of the OneDrive File Picker (6.0
As geopolitical instability, supply chain disruption, and cyber threats continue to escalate, third-party risk management (TPRM) is evolving from a compliance function to a strategic business imperative. According to the EY survey, 87% of organizations have experienced a third-party risk incident in the past three years.
wtf, and PQHosting ; -sites selling aged email, financial, or social media accounts, such as verif[.]work The site Verif dot work, which processes payments through Cryptomus, sells financial accounts, including debit and credit cards. work and kopeechka[.]store store ; -anonymity or “proxy” providers like crazyrdp[.]com
SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign tracked as “Hidden Risk.” SentinelLabs researchers speculate that DPRK-linked actors have been targeting the crypto industry since July 2024 as part of the Hidden Risk campaign.
Since one infected system can leak multiple credentials tied to different accounts and services, the number of victims is likely far smaller than the number of exposed credentials but still alarmingly high. Here are some practical steps to protect yourself: Change your passwords regularly, and don't reuse them across multiple accounts.
A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft. WhatsApp will double-check whether you want to add a device to the account.
The Irish Data Protection Commission (DPC) fined Meta €251 million ($263M) for a 2018 data breach impacting 29 million Facebook accounts. “This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA.” reads the press release published by DPC.
While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report. We’ve identified specific advertiser accounts that make up the bulk of fraudulent ads we have reported to Google this past year. While the organic result looks more trustworthy, it does appear under.
The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S.
There are two basic rules: Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk. Continuous assessment of the risk reduction activities should be elevated within an enterprise risk management framework and process.
In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”
Throughout this period, the risk level of the acquirer is much higher than the acquired company, creating a major cybersecurity gap as they merge their tech stack and security tools together. They can be divided into two categories: Pre-Close Risks. This due diligence process should account for: •Deal information exposure.
Many online services allow users to reset their passwords by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over one thanks to a divorce, job termination or financial crisis can be devastating.
It’s a chance to take a high-level look at how well your organization is managing information security risks, meeting objectives, and staying aligned with regulatory and business needs. Whether it’s a gap in controls, a missed objective, or an emerging risk, this is your chance to catch it early and take action.
Westend Dental agreed to settle several violations of the Health Insurance Portability and Accountability Act (HIPAA) in a penalty of $350,000. Nothing showed evidence that a HIPAA-compliant risk analysis had ever been conducted (lists of usernames and passwords in plain text on the compromised server).
Phones are also likely personal devices which provide attackers with a direct path to sensitive personal accounts. The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g.
Policy management is the sturdy scaffolding that supports governance, risk, and compliance (GRC) objectives while shaping corporate culture and ensuring adherence to regulatory obligations. It anchors organizational goals, mitigates risks, and guides compliance. Maintain a comprehensive audit trail for accountability.
The growing risks to your data: During the third quarter of 2024, data breaches exposed more than 422 million records worldwide. Millions of customers were put at risk when their social security numbers, phone numbers, and other sensitive personal information were leaked. Document disposal: Shred sensitive documents.
While this operation marks a significant victory against BEC infrastructure, the $3 million in documented losses highlights only a fraction of the financial damage these automated phishing operations can inflict on organizations."
The DAIR Institute's response to the AI Pause letter calls for transparency and accountability, enforced by regulation: but organizations building these systems should also be required to document and disclose the training data and model architectures.
What made this market attractive for cybercriminals was that they could buy data sorted by region and account balance with advanced filtering options. We don’t just report on threats – we help safeguard your entire digital identity Cybersecurity risks should never spread beyond a headline.
DRP Insights: Credential Exposure Makes Up 75% of Alerts. Construction companies are increasingly vulnerable to opportunistic attacks, with credential exposure incidents now accounting for 75% of all GreyMatter Digital Risk Protection (DRP) alerts for the sector.
“The ferocity of cyber criminals to take advantage of COVID-19 uncertainties by preying on small businesses is disturbing,” said Andrew LaMarca, who leads the global high-risk and fraud team at Dun & Bradstreet. Another team member works on revising the business documents and registering them on various sites.
A single compromised account is usually the point of entry for hacking campaigns. Educating employees and colleagues about the risks of phishing emails, cloned websites, and other common vectors for cyberattacks, especially during annual events like March Madness or the Superbowl, can help prevent a data incident.
We're bombarded to the point of desensitisation, which itself is dangerous because it creates the risk of inadvertently dismissing something that really does require your attention. The email went on: The impact of this vulnerability is severe, potentially resulting in: Mass account takeovers by malicious actors.
The flaw was found in the flow that allows users to recover their Google account using a phone number. A cybersecurity researcher called Brutecat was able to figure out the phone number linked to any Google account, information that is usually not public and is considered sensitive.
The more laptops, tablets and smartphones you take with you, the more risk you open yourself up to. Back up files If you haven't backed up the data on your devices, like photos, documents or other files, do so before heading on vacation. Don't access key accounts like email or banking on public Wi-Fi.
Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. A key phrase in the CIA’s report references deficiencies in “compartmentalizing” cybersecurity risk.
In 2021, SITA, a major IT provider for Star Alliance and OneWorld members, was breached, exposing the data of over 2 million frequent-flyer accounts across multiple global carriers. Comprehensive risk assessments across information and operational technology (OT) systems lay the groundwork for targeted defenses.
says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers. It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp.
While documenting each device that needs protection is a necessary first step, a number of recent cyberattacks on water treatment systems have been blamed on a failure to properly secure water treatment employee accounts that can be used for remote access. Image: WaterISAC. A copy of the Water ISAC report is available here (PDF).
In one of their documented cases, an organization reported that 13 million authentication attempts were made in 24 hours against known accounts. We saw demos from MDM products, IGA vendors, and other identity providers that showed how Shared Signals can be used to dynamically change user permissions based on risk.
Krishnan gave me the example of a technology company that was concerned about employees flouting a company ban on the use of personal email accounts to share proprietary documents. “We inventoried everything from tax filings to NDAs to design documents to even things they may not care about, like resumes,” he says.
This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number. A major portion of Kroll’s business comes from helping organizations manage cyber risk.