Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

A recent investigation by threat intelligence firm Cyble has spotted a campaign targeting cryptocurrency users through the Google Play Store with more than 20 malicious Android applications.

These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

These apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

****How the Scam Works****

According to Cyble’s report shared with Hackread.com, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

Screenshot showing a developer account that previously published legitimate apps, now used for malicious activity (Credit: Cyble)

In several cases, the apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. The apps load these phishing pages directly inside a WebView, an embedded browser window, that asks users for their mnemonic phrase under the guise of wallet access.

The campaign isn’t only widespread in scale but also coordinated in its infrastructure. One phishing domain found by Cyble was linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Cyble’s researchers also noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

On top of that, several apps are connected to the same servers or websites, showing they’re part of a larger, organized effort. Some of the fake domains linked to these apps include:

*   bullxnisbs
*   hyperliqwsbs
*   raydifloydcz
*   sushijamessbs
*   pancakefentfloydcz

These domains impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. Meanwhile, the partial list of malicious apps, courtesy of Cyble, is available below:

1.  Raydium
2.  SushiSwap
3.  Suiet Wallet
4.  Hyperliquid
5.  BullX Crypto
6.  Pancake Swap
7.  Meteora Exchange
8.  OpenOcean Exchange
9.  Harvest Finance Blog

Despite efforts to remove the apps, the campaign is ongoing. As of this report, a few remain active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked.

This poses a serious risk. Unlike traditional banking, there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further.

This campaign goes on to show how attackers continue to target the already vulnerable crypto space through official channels like app stores. While app platforms are working to catch malicious uploads, users remain on the receiving end of these cybersecurity threats. Therefore, users are urged to watch out and follow these steps to protect themselves:

Watch for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies.

*   Avoid downloading and installing unnecessary apps.

*   Enable Google Play Protect to help identify potentially harmful apps.

*   Use biometric security and two-factor authentication where available.

*   Always watch out while downloading apps from third-party as well as official stores.

*   Never enter your 12-word phrase into any app or website unless you’re certain it’s legitimate.

Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

Popular Chrome extensions exposed user data by sending it over unencrypted HTTP, raising privacy concerns. Symantec urges caution for users.

A recent investigation has revealed that several widely used Google Chrome extensions are transmitting sensitive user data over unencrypted HTTP connections, exposing millions of users to serious privacy and security risks.

The findings, published by cybersecurity researchers and detailed in a blog post by Symantec, reveal how extensions such as:

PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl)

Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh)

MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl)

SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab)

DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc)

There are other extensions as well that are handling user data in ways that open the door to eavesdropping, profiling, and other attacks.

****Extensions That Promise Privacy Are Doing the Opposite****

Although these extensions are legitimate and meant to help users monitor web rankings, manage passwords, or improve their browsing experience, behind the scenes, they are making network requests without encryption, allowing anyone on the same network to see exactly what’s being sent.

In some cases, this includes details like the domains a user visits, operating system information, unique machine IDs, and telemetry data. More troubling, several extensions were also found to have hardcoded API keys, secrets, and tokens inside their source code which is a piece of valuable information that attackers can easily exploit.

****Real Risk on Public Networks****

When extensions transmit data using HTTP rather than HTTPS, the information travels across the network in plaintext. On a public Wi-Fi network, for example, a malicious actor can intercept that data with little effort. Worse still, they can modify it mid-transit.

This opens the door to attacks that go far beyond spying. According to Symantec’s blog post, in the case of Browsec VPN, a popular privacy-focused extension with over six million users, the use of an HTTP endpoint during the uninstall process sends user identifiers and usage stats without encryption. The extension’s configuration allows it to connect to insecure websites, further widening the attack surface.

****Data Leaks Across the Board****

Other extensions are guilty of similar issues. SEMRush Rank and PI Rank, both designed to show website popularity, were found to send full URLs of visited sites over HTTP to third-party servers. This makes it easy for a network observer to build detailed logs of a user’s browsing habits.

MSN New Tab and MSN Homepage, with hundreds of thousands of users, transmit machine IDs and other device details. These identifiers remain stable over time, allowing adversaries to link multiple sessions and build profiles that persist across browsing activity.

Even DualSafe Password Manager, which handles sensitive information by nature, was caught sending telemetry data over HTTP. While no passwords were leaked, the fact that any part of the extension uses unencrypted traffic raises concerns about its overall design.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security commented on this, stating, _“_This incident highlights a critical gap in extension security – even popular Chrome extensions can put users at risk if developers cut corners. Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks._“_

He warned of consequences for unsuspecting users and advised that _“_Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behaviour across endpoints._“_

****Privacy and Data Security Threat****

Although none of the extensions were found to leak passwords or financial data directly, the exposure of machine identifiers, browsing habits, and telemetry is far from harmless. Attackers can use this data to track users across websites, deliver targeted phishing campaigns, or impersonate device telemetry for malicious purposes.

While theoretical, NordVPN’s latest findings spotted more than 94 billion browser cookies on the dark web. When combined with the data leaks highlighted by Symantec, the potential for damage is significant.

Developers who include hardcoded API keys or secrets inside their extensions add another layer of risk. If an attacker gets hold of these credentials, they can misuse them to impersonate the extension, send forged data, or even inflate service usage leading to financial costs or account bans for the developers.

****What Users Can Do****

Symantec has contacted the developers involved, and only DualSafe Password Manager has fixed the issue. Yet, users who have installed any of the affected extensions are advised to remove them until the developers fix the issues. Even popular and well-reviewed extensions can make unsafe design choices that go unnoticed for years.

Hackread.com recommends checking the permissions an extension asks for, avoiding unknown publishers, and using a trusted security solution. Above all, any tool that promises privacy or security should be examined carefully for how it handles your data.

Popular Chrome Extensions Found Leaking Data via Unencrypted Connections

iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals…

iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals including political figures, media pros and executives from AI companies.

iVerify, a leading mobile EDR security platform, has revealed the discovery of a previously unknown zero-click vulnerability in Apple’s iMessage service. Dubbed NICKNAME, this flaw can compromise an iPhone without any user interaction, and it appears to be part of a sophisticated mobile spyware campaign, potentially backed by China, targeting important individuals in the US and Europe.

According to iVerify’s report, shared with Hackread.com, they observed unusual activity on iPhones of prominent entities in the US and the European Union in late 2024 and early 2025. This included rare crashes that made up only 0.0001% of crash logs from a sample of 50,000 iPhones, typical of advanced zero-click iMessage attacks.

Through forensic analysis, the NICKNAME vulnerability was detected on devices belonging to high-value individuals of interest to the Chinese Communist Party (CCP). These targets include political figures, media professionals, and executives from artificial intelligence companies. Notably, some affected individuals had previously been targeted by Salt Typhoon, a known cyber operation

The exploit leverages a weakness in the imagent process on iPhones, believed to be triggered by a rapid series of nickname updates sent through iMessage. This action results in a use-after-free memory corruption, creating an opening for attackers to gain control.

iVerify’s highly in-depth technical investigation has identified six devices believed to be targeted, with four showing clear NICKNAME signatures and two indicating successful exploitation. These victims consistently had connections to activities of interest to the CCP, such as prior targeting by Salt Typhoon, business dealings contrary to CCP interests, or activism against the regime.

While Apple released a patch for this vulnerability in iOS 18.3.1, iVerify cautions that NICKNAME may be just one component of a larger, active exploit chain. The company stresses the critical need for organizations, including government bodies, to adapt their mobile security models to counter these advanced modern threats.

The CCP’s direct attribution is not definitively proven, but circumstantial is compelling. Furthermore, as per iVerify, evidence from independent iOS security experts, including Patrick Wardle from the Objective-By-The-Sea foundation, supports mobile compromise as a real threat in the US.

This discovery is important as it could be the first systematic detection of iMessage zero-click exploitation in the United States. Such attacks are particularly dangerous because they bypass even highly secure messaging applications like Signal.

Once a device is compromised, all private conversations and data, regardless of the application used, become accessible to attackers. This is particularly important given events like SignalGate, which show that no communication channel is truly private if compromised.

NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs…

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs at risk, reveals a report from vpnMentor. Cybersecurity expert Jeremiah Fowler uncovered an unsecured database containing a whopping 12.2 terabytes of sensitive data, linked to an app-building platform.

The exposed database, which was neither encrypted nor protected by a password, held 3,637,107 records. These records included names, email addresses, physical addresses, and details about payments for what appeared to be both users and app creators.

According to Fowler’s report, internal files and the database’s name suggested the data belonged to Passion.io, a company based in Texas/Delaware. Passion.io provides a no-code platform, allowing individuals like creators, coaches, and celebrities to build their own mobile apps without needing technical skills. These apps enable users to offer interactive courses and earn money through subscriptions or one-time purchases.

The exposed information, including personally identifiable information (PII) like names addresses, and even images, carries significant risks. Fowler warns that such data can be used by criminals for “phishing or social engineering attacks,” which are a common starting point for cybercrimes. Leaked email addresses and purchase histories can be used to trick individuals into revealing more personal or financial details by impersonating a trusted company.

Furthermore, the exposure of user profile images, some of which included children, raises serious privacy concerns. These images could potentially be misused for impersonation, creating fake accounts, or other online scams.

Source: vpnMentor

The researcher noted that even seemingly harmless images could be “potentially weaponized or used for unethical purposes.” Beyond personal data, the database also contained video files and PDF documents that appeared to be premium content sold by app creators, along with internal financial records, which could undermine creators’ revenue and give competitors insight into the company’s operations.

**Kudos to Passion.io’s Transparency**

Upon discovering the leak, Fowler promptly informed Passion.io. The company acted swiftly, restricting public access to the database on the same day. Passion.io acknowledged the finding, stating their “Privacy Officer and technical team are working on fixing the issue, making sure this can’t happen again.”

Nevertheless, if your company processes data, here are 5 key steps to follow to avoid database misconfigurations and prevent data leaks like the one affecting Passion.io. It is worth noting that these following steps won’t guarantee perfection, but they lower the chance of leaving a database exposed and leaking user data:

****1\. Enforce Authentication and Access Controls****

*   Implement multi-factor authentication for administrative access.

*   Use role-based access to limit who can view or modify sensitive data.

*   Never leave a database exposed without a password or access control.

****2\. Encrypt Data at Rest and In Transit****

*   Use strong encryption protocols and manage keys securely.

*   Ensure all sensitive data is encrypted both on disk and during transfer.

****3\. Automate Misconfiguration Detection****

*   Set up alerts for public exposure or unusual access patterns.

*   Use cloud security tools or configuration scanners (e.g., AWS Config, GCP Security Command Center) to detect misconfigurations in real-time.

****4\. Conduct Regular Security Audits and Pen Tests****

*   Test not just your app but also your storage and database layers.

*   Perform routine vulnerability assessments and penetration tests on your infrastructure.

****5\. Train DevOps and Technical Teams on Security Best Practices****

*   Keep documentation updated and enforce policies during development.

*   Make sure all team members handling infrastructure know how to secure cloud databases, manage permissions, and spot risky configurations.

Unsecured Database Exposes Data of 3.6 Million Passion.io Creators

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies…

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies circulating on the dark web.

A new report from NordVPN highlights the severe privacy risks associated with web cookies, which are small files websites store on your device to remember your browsing activity. The research, conducted in partnership with threat exposure management platform, NordStellar, uncovered approximately 93.7 billion stolen cookies available for sale in underground online marketplaces.

Researchers analyzed data from Telegram channels between April 23 and April 30, 2025, resulting in a dataset of around 94 billion cookies. The researchers analyzed the cookies’ active or inactive status, malware used, country of origin, data content, the company, the user’s OS, and keyword categories assigned to users. NordVPN did not buy stolen cookies or access their contents, but only examined the data within them.

****What’s Inside the Digital Cookie Jar?****

The analysis of these stolen cookies revealed a treasure trove of personal data. When analyzing these stolen cookies, ‘ID’ (Assigned ID was associated with 18 billion cookies) and ‘session’ (associated with 1.2 billion cookies) were identified as the most common keywords, indicating the type of data they held.

These are crucial for maintaining active user sessions on websites, meaning a stolen session ID could grant an attacker direct access to an account without needing a password. Alarmingly, out of the total 93.7 billion stolen cookies analysed, 15.6 billion were still active, posing an immediate threat to users.

This vast collection of compromised data poses a significant threat to personal security, potentially allowing malicious actors to access sensitive information and online accounts. Beyond session data, the report reveals that compromised cookies frequently contained personal details such as names, email addresses, countries, cities, and even passwords.

This information can be exploited for targeted phishing attacks or, in more severe cases, identity theft. Here’s a breakdown of the data attackers can steal via cookies.

Source: NordVPN

****Where Did These Cookies Come From?****

The majority of these stolen cookies were traced back to several major online platforms and originated from a diverse set of countries. Google services alone accounted for over 4.5 billion cookies, with YouTube and Microsoft each contributing more than 1 billion. This indicates that widely used platforms are prime targets for cybercriminals due to the sheer volume of user data they handle.

The primary method of theft involved various types of malware, including infostealers, trojans, and keyloggers. Redline emerged as the most prolific, responsible for stealing almost 42 billion cookies. Check out the list of malicious software used to steal these cookies:

Source: NordVPN

****Protecting Your Digital Crumbs****

Given the widespread threat, cybersecurity experts advise users to take proactive steps to safeguard their online presence.

> _“Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”_
> 
> Adrianus Warmenhoven, Cybersecurity Expert – NordVPN

Therefore, to stay safe, always be careful when accepting cookies on websites, opting to reject unnecessary ones, especially third-party trackers. Also, regularly clear cookies from your browser to limit the window of opportunity for attackers.

Furthermore, using security tools like anti-malware software and Virtual Private Networks (VPNs) can significantly enhance protection. It helps block malicious websites, scan downloads for threats, and encrypt internet traffic, making it harder for cybercriminals to snatch your digital cookies.

Nearly 94 Billion Stolen Cookies Found on Dark Web

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these sophisticated attacks trick users into running malware and what to watch out for.

Cybersecurity experts at Cofense Intelligence are warning hotel chains and other businesses in the food and accommodation sector about an email scam that mimics Booking.com. These deceptive emails are part of attack campaigns known as ClickFix, which aims to trick users into running malicious software.

The ClickFix campaign has been steadily gaining traction since November 2024, with a notable acceleration in recent months. According to Cofense’s analysis, a staggering 47% of the total campaign volume was observed in March 2025 alone.

The firm’s active threat reports (ATRs) indicate that 75% of all incidents involving fake CAPTCHAs utilized Booking.com-themed ClickFix templates. While Booking.com impersonations are most common, Cofense also noted less frequent variations, including those spoofing Cloudflare Turnstile and cookie consent banners.

****How the Scam Works****

The scam begins with an email containing a link to a fake CAPTCHA website. A CAPTCHA is usually a test designed to tell humans and computers apart, like typing distorted letters. In this case, however, the fake CAPTCHA is a trick. Instead of a real verification code, clicking on it delivers a harmful script to the user’s computer.

These ClickFix websites then instruct users to press specific keyboard shortcuts, typically Windows key + R, followed by Ctrl + V, and then Enter. This sequence opens the Run command in Windows, pastes the hidden malicious script, and then executes it. The malicious script often includes extra characters that look like a _verification code_ to hide the real harmful commands.

These sites are cleverly designed to look like legitimate pages from well-known brands such as Booking.com and Cloudflare. Interestingly, the scam only targets Windows computers, and if accessed on other devices, the fake CAPTCHA sites will display a message indicating they only work on Windows.

****What Malware is Being Delivered?****

Once the malicious script is run, it can install various types of dangerous software. The most common payload seen in these attacks is XWorm RAT, a type of Remote Access Trojan (RAT). For your information, RATs allow attackers to secretly control a victim’s computer from a distance.

Other frequently observed malware include Pure Logs Stealer and DanaBot, which are information stealers designed to swipe sensitive data. In some instances, both RATs and information stealers have been delivered in a single attack.

Sample Attack Chain (Source: Cofense)

This ClickFix method is a concerning new tactic because it manipulates users into activating the malware themselves, without needing to download any files directly. It highlights the importance of being cautious about suspicious emails, even those that appear to be from trusted sources like Booking.com, and to always double-check the legitimacy of any verification steps or prompts that ask you to run commands on your computer.

For more detailed information on how to spot these ClickFix attacks, refer to Hackread.com’s guide on the techniques used to trick users and how to stay safe.

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware

After three years of peddling stolen data, BidenCash, one of the web's most brazen cybercrime hubs is offline, and authorities say they're just getting started.

BidenCash cybercrime market seized by global authorities; 145 domains linked to stolen credit card sales taken offline in a major crackdown.

In major news from the cybercrime world, BidenCash, one of the internet’s most notorious marketplaces for stolen credit card data, has been seized and taken offline in a coordinated law enforcement operation involving U.S. and Dutch authorities.

The takedown, officially confirmed on June 4, 2025, involved the seizure of 145 domains connected to the market. Visitors to the once-active URLs now land on a seizure banner posted by the US Department of Justice, FBI, U.S. Secret Service, and Dutch National Police, announcing the end of BidenCash’s online presence, at least for now.

Notice on the now seized BidenCash sites (Image credit: Hackread.com)

**A Market Built on Chaos**

Launched in March 2022, BidenCash quickly made a name for itself in cybercrime circles by doing what most dark web marketplaces avoided: operating in the open. The platform did not require a Tor browser for access and was indexed on the surface web, an intentional strategy to maximize traffic and lure low-skilled cybercriminals.

But what set BidenCash apart was its aggressive self-promotion on multiple occasions in which the site’s administrators leaked millions of stolen credit card numbers for free, as part of marketing campaigns designed to draw in new users.

As reported by Hackread.com in March 2023, BidenCash leaked over two million valid credit cards as part of its birthday anniversary promotion, most of these cards belonged to users in the United States, China, Mexico, India, Canada, and the United Kingdom.

In December 2023, the marketplace administrators leaked 1.6 million credit card details in plaintext. Most recently in April 2025, BidenCash leaked 1 million payment card numbers along with their CVVs, and expiry dates.

One of the leaks from 2023 by BidenCash on the Russian cybercrime forum XSS.IS

Authorities say that over its three-year run, the site had more than 117,000 registered users and facilitated the sale of over 15 million payment card records, generating an estimated $17 million in illicit revenue.

****What Was Seized?****

According to US DoJ’s press release, the operation resulted in the seizure of 145 dark web and clear web domains, cryptocurrency wallets and assets and disruption of “critical infrastructure” supporting the marketplace. Authorities have already begun working on identifying and arresting administrators and affiliates.

Here are the seized dark web and clear net domains used by BidenCash. The dark web domains now redirect users to Bidencash.usssdomainseizure.com with the same takedown notice:

https://bidencash.bid

https://bidencash.asia

http://biden3veilozweo2xubiusixn4kbfbbih23s6xsd35bzsuaz2weiz4yd.onion 

http://biden3veilozweo2xubiusixn4kbfbbih23s6xsd35bzsuaz2weiz4yd.onion

http://bidencjap2u4hmzh3vtqsyqc54uevcariczl56y7jah4lgof4xzxb5qd.onion

http://bidencjap2u4hmzh3vtqsyqc54uevcariczl56y7jah4lgof4xzxb5qd.onion

The global takedown also had private sector support from cybersecurity organizations including Searchlight Cyber and The Shadowserver Foundation, who helped law enforcement map out BidenCash’s infrastructure and activity over time.

****BidenCash Victims Remain Vulnerable****

While the takedown is a win for cybersecurity, the impact won’t be immediate for victims. Many of the cardholders whose data was sold or dumped on BidenCash are likely still vulnerable, especially if they haven’t changed their banking details or been notified of exposure.

It is advised that consumers and businesses monitor their accounts closely, use two-factor authentication, and freeze credit if possible, particularly if they suspect any prior compromise.

**What Comes Next?**

BidenCash may be gone, but its users, and its model, are not. For now, the BidenCash seizure shows that cybercrime isn’t invisible. And for a market that gained attention with public data dumps, its end came just as publicly with victims having the last laugh.

Feds Seize BidenCash Carding Market and Its Crypto Profits

Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.

Hackers have leaked what they claim is AT&T’s database which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this really the Snowflake-linked data? We took a closer look.

As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.

The screenshot shows the data now leaked on two cybercrime forums. While hackers claim it contains 70 million customer records, Hackread.com confirms it actually holds 86 million AT&T customer records. (Image Credit: Hackread.com)

After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:

*   **Full names**

*   **Date of birth**

*   **Phone numbers**

*   **Email addresses**

*   **Physical addresses**

*   **44 Million Social Security Numbers (SSN) (43,989,219 in total)**

****Plain Text and Full Social Security Numbers (SSNs) Leaked****

Here’s the troubling part: the threat actor claims that both date of birth and Social Security numbers (SSNs) were originally encrypted but have since been fully decrypted and are now included in the leaked data as plain text. Put simply, if you’re an AT&T customer, your SSN could be part of this leak.

Screenshot from the leaked data (Credit: Hackread.com)

Not that it changes much; your SSNs were likely already exposed in the August 2024 National Public Data breach, where a now-arrested hacker using the alias USDOD, leaked over 3.2 billion SSNs and other personal details online.

****Background of AT&T Snowflake Data Breach****

AT&T has a long history of large-scale data breaches, so if this feels familiar, you’re not imagining it. Buckle up, this is just the latest in a growing list.

In April 2024, as reported by Hackread.com, AT&T experienced a major data breach when hackers accessed its Snowflake cloud environment, compromising the call and text metadata of nearly 110 million customers.

The breach lasted from May 2022 to October 2022 and included some records from January 2023, exposed phone numbers, interaction counts, and call durations, though not the content of communications or personally identifiable information.

The cyberattack was part of a large-scale campaign targeting over 160 Snowflake customers. Hackers exploited stolen credentials lacking multi-factor authentication to infiltrate these environments.

AT&T’s compromised data was stolen by a hacker associated with the ShinyHunters group. Reports indicate that AT&T paid a ransom of approximately $370,000 in Bitcoin to have the stolen data deleted, a transaction facilitated through an intermediary known as Reddington.

It’s worth noting that the ShinyHunters group also took credit for the major Ticketmaster data breach connected to the Snowflake security lapse in which data of 560 million users was put to sale online.

In response to the breach, AT&T initiated an incident response process with third-party cybersecurity experts, closed the unauthorized access point, and notified affected customers. The company stated that it does not believe the data is publicly available.

The breach prompted scrutiny from US lawmakers, with Senators Richard Blumenthal and Josh Hawley demanding explanations from AT&T and Snowflake regarding the security lapses that led to the incident. They expressed concerns about the misuse of the compromised data by malicious actors.

****Is this the AT&T Database from Snowflake Breach? Not So Fast.****

The threat actor behind the latest leak claims the database contains 70 million AT&T customer records stolen in April 2024 by exploiting a major security vulnerability in the Snowflake cloud data warehouse.

“Originally one of the databases from the Snowflake breach, here is my backup I created,” the account behind the data leak stated. But does that claim hold up? Not quite.

Hackread.com’s analysis reveals that the dataset actually includes more than 88 million (88,320,018) records. After removing duplicates, the number drops to more than 86 million (86,017,090) unique entries, far more than the claimed 70 million.

There’s another issue. The database contents don’t fully match what was reported in the Snowflake-related AT&T breach. That breach reportedly exposed nearly 110 million customer records, including call and text metadata; none of which appears in this leak.

So, is this a partial AT&T database from the Snowflake breach? Maybe, maybe not. But unless AT&T officially confirms it, there’s no way to say for certain.

****But, There’s More****

In August 2021, the notorious hacking group ShinyHunters claimed to possess a database containing the personal information of over 70 million AT&T customers. They listed this data for sale on the now-seized Raid Forums marketplace, starting at $200,000.

Hackread.com reviewed sample records provided by the group back in 2021, which included full names, addresses, ZIP codes, dates of birth, email addresses, and encrypted Social Security Numbers (SSNs). AT&T responded by stating that, based on their investigation, the information did not appear to originate from their systems.

However, in April 2024, after nearly two years of denial, AT&T acknowledged the August 2021 data breach when ShinyHunters leaked the full database on BreachForums. “Based on our preliminary analysis, the dataset appears to be from 2019 or earlier, affecting approximately 7.6 million current AT&T account holders and 65.4 million former account holders,” the company admitted.

****Similarities and Differences Between the April 2024 AT&T Leak and the Latest One****

Hackread.com has noticed several similarities and differences between the April 2024 AT&T leak and the latest one. The April 2024 leak was a poorly structured mess. The data appeared in a loosely organized, pipe-delimited format with no field labels, making it difficult to interpret or analyze without a corresponding schema to explain each value.

The latest leak is well-structured, clearly formatted, and straightforwardly divided into three CSV files, making it easy to understand what each field represents. Interestingly, the biggest similarity, and difference, between the two leaks is the handling of Social Security Numbers (SSNs). In the 2024 leak, the SSNs were encrypted. In the latest leak, however, those same SSNs appear to have been decrypted.

Hackread.com conducted a detailed analysis and found that all previously encrypted SSNs from the earlier leak have been carefully decrypted and mapped in the new dataset, making them more accessible for malicious use.

Credit: Hackread.com

We also found matching customer names, email addresses, physical addresses, and phone numbers across both leaks. However, while the 2024 leak contained around 73 million records, the latest dataset includes 86 million.

This makes it unclear whether the new leak is simply the 2024 database with decrypted values, or if it originates from the more recent Snowflake-related breach. That said, the data appears legitimate, especially since AT&T has already acknowledged the earlier breach and data leak.

****Our Conclusion****

At this point, it’s difficult to say with certainty whether the newly leaked database is a decrypted version of the 2024 Snowflake breach, a separate dump, or some combination of both. What’s clear, though, is that a massive amount of highly sensitive AT&T customer data is circulating once again, this time in a more organized and potentially more dangerous form.

With decrypted Social Security Numbers, full personal details, and a growing pattern of repeated exposure, the stakes for affected users are higher than ever. While AT&T has acknowledged past breaches, the company has yet to confirm whether this latest dataset is part of the same incident or something new altogether.

Until a formal response is issued, unfortunately, unsuspecting customers are left in the dark, relying on our report, and forums to understand the scope of their exposure. Nevertheless, we have reached out to AT&T and this article will be updated accordingly.

Exclusive: Hackers Leak 86 Million AT&T Records with Decrypted SSNs

Today, your internet presence is much more than just a website or social media profile, it’s like your…

Today, your internet presence is much more than just a website or social media profile, it’s like your business card, reputation and main medium of staying connected. However, with this visibility comes genuine danger. Do you know what’s one of the most troublesome threats hiding out there? DDoS attacks! If you have not heard this term before, no need to worry. Let’s simplify it and understand how to protect your online space from it.

****DDoS: What it Means****

DDoS is short for Distributed Denial of Service. It may sound complicated, but basically, it means overwhelming a server or website with excessive fake traffic until it falls apart. Imagine a coffee shop where suddenly many people arrive at the same time, not to buy anything, just to block the space. In this situation, real customers are unable to enter and the business comes to a halt. This is primarily what occurs during a DDoS attack – it’s bots that cause this blockage.

Usually, these kinds of attacks are started by using networks of computers that have been taken over – many times they belong to people who don’t even know. This is what is meant by “distributed”. When it starts, your website could either become very slow or completely unavailable.

****Why You Should Care (Even If You’re a Small Business)****

At this point, it’s normal to think, “I don’t have a major brand, just a small business” or “I just run a personal blog.” DDoS attacks can also be used against much smaller businesses. Smaller sites are targeted quite often because attackers believe their security is not as strong. Truth is, when your website goes down, even briefly, it affects your reputation, and your budget and makes your customers or users unhappy.

In addition, a DDoS attack can stop your service or online store from operating. People can’t order or get answers which causes them to doubt the business. It can be very irritating, but it can also be truly harmful.

****Start with Strong Hosting****

A solid first action is to select a reliable hosting provider. Hosting providers are not all the same and some are better prepared to handle DDoS attacks than others. Find hosting providers that guarantee or promote DDoS protection through their services. This is because they have effective steps to prevent and handle an attack early on.

Don’t hesitate and ask your hosting provider which security measures they have for your website. If their responses are unclear or they treat security lightly, this is a warning sign. You should choose a provider that handles the back-end work and protects your site from malicious users at the same time.

****Get a CDN Working for You****

For even better performance, allow your website to tap into a CDN. A Content Delivery Network uses multiple servers worldwide to distribute the activities involved in content delivery. Therefore, all the requests are not delivered to your main server at the same time. If there is a DDoS attack, the distribution system can save you.

****Firewalls and Rate Limiting****

Firewalls act like filters, they inspect incoming traffic and stop suspicious things before reaching your main systems. Web Application Firewalls (WAFs) are specially designed to block the kind of unwanted traffic that DDoS attacks cause.

Next, we have rate limiting – this is a background function that restricts how frequently someone can interact with your site. If something is making constant requests to your server, it will be flagged or stopped.

****Keep an Eye on What’s Happening****

A lot of damage from DDoS attacks happens because people don’t notice it early enough. So, make sure to monitor your site’s traffic. Sudden increases, constant hits to one page or visits from strange places can all suggest concerns. 

Many tools exist today that make website monitoring easy. Some of these are included in hosting plans, while others can be added by you manually. You don’t need advanced coding skills – just some understanding of this domain is quite helpful.

****Have a Contingency Plan****

Regardless of how strong your security is, things can still go wrong. So it’s smart to have a plan in case you do get hit. Be aware of who you should reach out to when problems occur – this could be your host, a protective service or someone experienced in such matters.

Maintain updated backups and ensure you are familiar with quick restoration. Additionally, inform your users about the ongoing situations. Clear communication can go a long way in keeping trust intact during tough times.

****Call in the Pros if You Need to****

Feeling overwhelmed? Managed security services exist for a reason. These individuals are experts in detecting threats and reacting quickly, so you don’t need to be on guard all the time.

Yes, it costs money. However, if your business relies on your online presence, the expense may be worthwhile simply for the reassurance. Think of it as employing a security guard for the night shift at your virtual store.

****Keep Everything up to Date****

This may seem like the basics of cybersecurity, but it’s important to keep your devices updated. Old plugins, CMS versions or themes can be great opportunities for hackers. Fix those gaps before anyone else discovers them.

Nevertheless, DDoS attacks are very serious, but they’re not impossible to defeat. By using intelligent strategies such as improving hosting services, CDNs, traffic filters and constant monitoring you can significantly reduce your risk.

(Image by Free stock photos from www.rupixen.com from Pixabay)

How to Protect Your Online Presence from Devastating DDoS Attacks

What comes to your mind when you think of Photoshop? A tool for editing and retouching photos –…

What comes to your mind when you think of Photoshop? A tool for editing and retouching photos – that’s what most of us would say. But Adobe Photoshop is more than that. 90% of professional designers, photographers, web developers, and retouchers use Photoshop for its versatile image editing features and seamless integration capabilities with Adobe software. Let’s review the top reasons why professionals globally prefer Adobe Photoshop.

****Why Adobe Photoshop?****

*   **Vast Collection of Templates:** Adobe Photoshop templates cover a wide range of customizable flyers, brochures, banners, logos, social media posts, and more, helping you tap into visual creativity with cutting-edge designs.
*   **Stunning Visuals:** Adobe Photoshop provides unique tools and features for manipulating images, and creating graphics, digital paintings, illustrations, and other art formats.
*   **Flawless Editing:** Professionals use Photoshop to fine-tune images, remove blemishes, retouch images, and adjust colors and lighting to enhance the overall quality. 
*   **Versatility:** Whether you want to create visuals for your social media account or various marketing channels, Photoshop is the go-to solution for professionals’ design needs.

****When to Use Photoshop?****

Let’s say you want to edit your remote work portfolio that you created with AI-generated content samples, adjust the photo composition, and fix the lighting. What do you do? Simple! You Photoshop! Adobe Photoshop is a widely preferred editing application for everything that needs editing and retouching, from correcting the lighting of a photo to cropping, combining, and layering images, and creating collages.

You can do a lot with Photoshop. Unlike vector images, Photoshop images are raster graphics or pixel-based. Their colors and shadings are more detailed and can handle detailed textures and precise editing.

****Key Photoshop Skills You Need to Master****

*   **Brushes:** You can create different textures and strokes and manipulate different brushes for designing.
*   **Brightness and Contrast:** The tools help to manipulate the lightness and darkness of hues and increase the focus on the subject.
*   **Layers**: Layers create a logical hierarchy and organize your work by creating separate parts for shapes, images, and text for improved visibility.
*   **Cropping**: This feature allows you to remove unwanted elements from the background and increase the focus on the design’s main subject.
*   **Selection Tools**: These enable you to work on a specific design section. The marquee tool helps to select areas with straight edges and curves, while the lasso tool allows free-form selections.
*   **Blending Modes**: Nearly 30 blending modes are available for modifying the key aspects of an image, such as brightness or contrast, saturation, and opacity. 
*   **Saturation**: A fundamental tool for adjusting the hues in an image, either in a particular section or throughout. 
*   **Transform Tools**: This tool offers features like scale, distort, skew, perspective, rotate, and warp to alter an image or balance the effects on a design. 
*   **Masking**: With masking, you can isolate sections of an image using the brush or selection tool without disturbing the original image. 
*   **Sharpening and Healing Brush**: Sharpening helps define the edges and lines for improved clarity, whereas the healing brush removes minor details from an image and replicates them in another region.
*   **Pen Tool**: Offers standard, free-form, and curvature formats for creating different shapes and lines
*   **Curves**: An advanced feature used for modifying colors and tones and manipulating the highlights and shadows 
*   **Histogram**: This helps assess the tones, adjust the contrast and brightness levels, and enhance the highlights, exposure, composition, and shadows.

****Improve Your Photoshop Skills With Expert-Recommended Tips** **

1.  Photoshop is a complicated tool with multiple intricate features and functionalities. Practice regularly to improve your efficiency and gain confidence in the tool.
2.  Experiment with each tool in Photoshop to understand its mechanism. Recreate different art pieces using various effects to polish your design and editing skills. 
3.  Follow step-by-step guides by industry specialists to comprehend how different tools, techniques, or effects work in Photoshop. 
4.  Join online groups and participate in professional workshops to stay updated about the latest trends, premium elements, advanced techniques, and hacks. Use these groups to build your network and collaborate on different projects to develop new skills.

(Image by Hitesh Choudhary from Pixabay)

Source

HackRead