Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
The full report, which you can find here, shows that Google’s Threat Analysis Group (TAG) terminated almost 11,000 channels between April and June of 2025 as part of an investigation into “coordinated influence operation campaigns.”
The mass removals included over 7,700 channels with ties to China, and 2,000 linked to Russia, as reported by CNBC.
They say Columbia is just one of five universities they’ve penetrated.
More than $2.17 billion has been stolen from crypto services this year, more than the entirety of 2024, according to a report from blockchain analytics firm Chainalysis. Then again, most of that came from a single hack — a $1.46 billion heist of Bybit linked to North Korean hackers, the largest crypto theft in history — and without that, the numbers would look a little rosier.
[chainalysis.com]
A Department of Homeland Security memo, obtained by Property of the People through a freedom of information request, reveals the group — suspected to have links to China — “extensively compromised a U.S. state’s Army National Guard network” for nine months last year.
Salt Typhoon gained notoriety in 2024 for hacking telecom networks, targeting the Trump and Harris campaigns, though earlier this month a top FBI official said the group is “largely contained.”
Cameron John Wagenius, aka kiberphant0m, had already pleaded guilty on two charges for hacking T-Mobile and Verizon, and could face 20 years in prison after pleading guilty Tuesday to additional conspiracy, extortion, and identity theft charges.
Wagenius reportedly sold data stolen from Snowflake cloud storage accounts, including records for 560 million Ticketmaster customers and information from over 150 other companies, and said he’d posted hacked AT&T call logs for Donald Trump and Kamala Harris. Two other men, John Binns and Connor Moucka, have also been indicted in this case.
Security researchers Ian Carroll and Sam Curry broke into the backend of McDonald’s hiring system by entering the username and password “123456,” as reported by Wired. They were then able to view the data of the more than 64 million applicants who interacted with McDonald’s AI hiring bot, Olivia.
The researchers reported this flaw to McDonald’s and Paradox.ai, the company behind the chatbot, which has since addressed the issue.
A hacker has a list of millions of people by race. So why is the coverage about Zohran Mamdani?
The company built Zero-Knowledge Proof (ZKP) into Google Wallet earlier this year, a technology that allows users to verify their age across different apps and platforms without linking it to their identity.
Google has now put the ZKP codebase on GitHub so developers can use it to build more private apps and tools. Countries in the EU can also use it to build digital wallets, which are set to launch next year.
That’s according to FBI Cyber division head Brett Leatherman, who told Cyberscoop that the China-linked hackers are “largely contained” and “dormant” in telecom networks.
Last year, The Wall Street Journal found that Chinese hackers targeted US officials in a breach of major telecom providers, including AT&T, Verizon, T-Mobile, and Lumen Technologies. Cybersecurity officials later recommended that Americans use encrypted apps to make calls and send texts.
The airline says the Monday attack stole personal data of six million customers via a third-party service platform:
An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers. Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed.
[qantasnewsroom.com.au]
The idea is to make using passkeys a little more seamless. But this isn’t available to everyone just yet: Microsoft is initially rolling it out to Windows Insiders in the Dev Channel and you need to install the 1Password beta.
The original source of the report, Cybernews, says that since the start of the year, its researchers have “discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.”
This isn’t a breach of one company or another’s systems, but compiled records, with some believed to be from “infostealer” malware, as well as previous leaks. As Bleeping Computer points out, what you should be doing hasn’t changed -- using unique passwords with a password manager, enabling two-factor authentication, and adding other forms of security like passkeys and security keys that can replace passwords altogether.
[bleepingcomputer.com]
The tool, which is built into DuckDuckGo’s browser, displays a warning message when you click on potentially dangerous sites. In addition to blocking phishing sites, malware, and common online scams, DuckDuckGo has expanded the tool to protect against fake online stores, phony crypto exchanges, and those obnoxious sites that falsely claim your device has a virus.
A 2023 breach of genetic testing company 23andMe that leaked sensitive data for millions of customers already led to a $30 million settlement and, eventually, bankruptcy for the company once valued at $6 billion. Now the UK is layering on a fine of just over $3 million for failing to protect the genetic data of 155,592 UK residents. It comes just days after co-founder and former CEO Anne Wojcicki said she was buying back the company’s assets for $305 million.
The Wall Street Journal reports that on Sunday, an internal memo from executive editor Matt Murray notified employees about an attack on on its email system, possibly by a foreign government. It also cites unnamed sources saying that the Microsoft accounts targeted included reporters on the national security and economic policy beats including some who write about China.
CNN says the outlet reset all employee logins on Friday, that Murray said they don’t believe it has had any impact on customers.
[Wall Street Journal]
The vulnerability, called “EchoLeak,” lets attackers “automatically exfiltrate sensitive and proprietary information” from Microsoft 365 Copilot without knowledge of the user, according to findings from Aim Labs.
An attacker only needs to send their victim a malicious prompt injection disguised as a normal email, which covertly instructs Copilot to pull sensitive information from a user’s account.
Microsoft has since fixed the critical flaw and given it the identifier CVE-2025-32711. It also hasn’t been exploited in the wild.
[bleepingcomputer.com]
Meta and Yandex were tracking Android users’ browsing data far more closely than they should have been, according to researchers. They bypassed the Android “sandbox” in some browsers, letting them de-anonymize users, track how they browse, and then use that data in native Facebook, Instagram, and Yandex apps.
Google is investigating the issue, saying that the companies used “capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles.” In statements to Ars Technica, Meta and Yandex said they have discontinued the tracking, while denying wrongdoing.
The company behind the Murena 2 smartphone and de-Googled Pixel Tablet has announced a new version of its operating system: /e/OS 3.0. It will make better use of the larger screens on tablets and give parents new tools for limiting screen time and app access.
The update also introduces a way to locate a missing device using SMS text messages without the need for internet access, and a new search engine called Murena Find.
