Spanish fashion retailer MANGO is sending notices of a data breach to its customers, warning that its marketing vendor suffered a compromise exposing personal data. [...]

Dark web activity can hide in plain sight within everyday network traffic. Corelight's NDR platform brings deep visibility, AI-driven detection, and behavioral analytics to uncover hidden threats across your network. [...]

U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. [...]

Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website : Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain …

ICO makes example of outsourcing giant over sluggish cyber response The UK's Information Commissioner's Office (ICO) has issued a £14 million ($18.6 million) penalty to outsourcing giant Capita following a catastrophic 2023 cyberattack that exposed the personal data of 6.6 million people.... [...]

Hackers stole personal information of 6.6m people but outsourcing firm did not shut device targeted for 58 hours The outsourcing company Capita has been fined £14m for data protection failings after hackers stole the personal information of 6.6 million people, including staff details and those of its …

Welcome to the first Cloud CISO Perspectives for October 2025. Today, Kristina Behr, VP, Workspace Product Management, and Jorge Blanco, director, Office of the CISO, explain how a new AI-driven capability in Google Drive can help security and business leaders protect their data and minimize the impact of ransomware …

Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least two vulnerabilities that are already being actively exploited. October’s Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you …

A threat actor called TigerJack is constantly targeting developers with malicious extensions published on Microsoft's Visual Code (VSCode) marketplace and OpenVSX registry to steal cryptocurrency and plant backdoors. [...]

By using Amazon Bedrock AgentCore, developers can build agentic workloads using a comprehensive set of enterprise-grade services that help quickly and securely deploy and operate AI agents at scale using any framework and model, hosted on Amazon Bedrock or elsewhere. AgentCore services are modular and composable, allowing them to …

A new side-channel attack called Pixnapping enables a malicious Android app with no permissions to extract sensitive data by stealing pixels displayed by applications or websites, and reconstructing them to derive the content. [...]

Today is Microsoft's October 2025 Patch Tuesday, which includes security updates for 172 flaws, including six zero-day vulnerabilities. Get patching! [...]

The U.S. Department of Justice has seized $15 billion in bitcoin from the leader of Prince Group, a criminal organization that stole billions of dollars from victims in the United States through cryptocurrency investment scams, also known as romance baiting or pig butchering. [...]

Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. [...]

This is a current list of where and when I am scheduled to speak: I and Nathan E. Sanders will be giving a book talk on Rewiring Democracy at the Harvard Kennedy School’s Ash Center in Cambridge, Massachusetts, USA, on October 22, 2025 at noon ET. I and …

FuzzingLabs has accused the YCombinator-backed startup, Gecko Security, of replicating its vulnerability disclosures. Gecko allegedly filed for 2 CVEs based on FuzzingLabs' reports without crediting them. Gecko denies any wrongdoing, calling the allegations a misunderstanding over disclosure process. [...]

Japan's beer behemoth still mopping up after ransomware spill that disrupted deliveries and delayed results Asahi's cyber hangover just got worse, with the brewer now admitting that personal information may have been tapped in last month's attack.... [...]

AI assistants are no longer just helping — they're acting. Autonomous agents now open tickets, fix incidents, and make decisions faster than humans can monitor. As "Shadow AI" spreads, learn from Token Security why orgs must govern these agents like powerful new identities before oversight disappears. [...]

Lucky few randomly selected to trial the feature, which won't fully roll out for several months Mozilla is working on a built-in VPN for Firefox, with beta tests opening to select users shortly.... [...]

Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections. [...]

Latest in a long line of EBS flaws leta miscreants remotely compromise enterprise systems to pinch sensitive data Oracle is rushing out another emergency patch for its embattled E-Business Suite as the fallout from the Clop-linked attacks continues to spread.... [...]

Chinese state hackers remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell. [...]

This chilling paragraph is in a comprehensive Brookings report about the use of tech to deport people from the US: The administration has also adapted its methods of social media surveillance. Though agencies like the State Department have gathered millions of handles and monitored political discussions online, the Trump …

Warn businesses to act now as high-severity incidents keep climbing Cyberattacks that meet upper severity thresholds set by the UK government's cyber agents have risen 50 percent in the last year, despite almost zero change in the volume of cases handled.... [...]

Malfunctioning equipment and manual processing cause 90-minute waits The European Union's new biometric Exit/Entry System (EES) got off to a chaotic start at Prague's international airport, with travelers facing lengthy queues and malfunctioning equipment forcing border staff to process arrivals manually.... [...]

Android devices are vulnerable to a new attack that can covertly steal 2FA codes, location timelines, and other private data in less than 30 seconds. The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on …

My latest book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship, will be published in just over a week. No reviews yet, but can read chapters 12 and 34 (of 43 chapters total). You can order the book pretty much everywhere, and a copy signed by …

'We will never stop,' say crooks, despite retiring twice in the space of a month The Scattered Lapsus$ Hunters (SLSH) cybercrime collective - compriseed primarily of teenagers and twenty-somethings - announced it will go dark until 2026 following the FBI's seizure of its clearweb site.... [...]

The encryption protecting communications against criminal and nation-state snooping is under threat. As private industry and governments get closer to building useful quantum computers, the algorithms protecting Bitcoin wallets, encrypted web visits, and other sensitive secrets will be useless. No one doubts the day will come, but as the …

At Google, protecting your data is our most important responsibility, and we are committed to keeping your data safe. To further this commitment, we are proud to announce that starting in November 2025, we will start transitioning our approach to media sanitization to fully rely on a robust and …

Redmond argued schools, education authorities are responsible for GDPR An Austrian digital privacy group has claimed victory over Microsoft after the country's data protection regulator ruled the software giant "illegally" tracked students via its 365 Education platform and used their data.... [...]

Beijing insists it's business as usual – Washington might see it differently China's competition regulator has launched an investigation into Qualcomm's purchase of Israeli firm Autotalks, the latest salvo in the escalating tech trade war between Washington and Beijing.... [...]

Regulator warns penalties will pile up until internet toilet does its paperwork Ofcom, the UK's Online Safety Act regulator, has fined online message board 4chan £20,000 ($26,680) for failing to protect children from harmful content.... [...]

Two years ago, Americans anxious about the forthcoming 2024 presidential election were considering the malevolent force of an election influencer: artificial intelligence. Over the past several years, we have seen plenty of warning signs from elections worldwide demonstrating how AI can be used to propagate misinformation and alter the …

Minister invokes powers to stop firm shifting knowledge to China, citing governance shortcomings The Dutch government has placed Nexperia - a Chinese-owned semiconductor company that previously operated Britain's Newport Wafer Fab — under special administrative measures, citing serious governance failures that threaten European tech security.... [...]

Video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]

Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication. [...]

In today's hyper-connected world, cyber threats are more sophisticated and frequent than ever - ransomware, data breaches, and social engineering scams, targeting everyone from individuals to Fortune 500 companies. Right now, you can grab "Cybersecurity For Dummies, 3rd Edition" - a $29.99 value - completely FREE for a limited time. [...]

Microsoft is warning of an active scam that diverts employees' paycheck payments to attacker-controlled accounts after first taking over their profiles on Workday or other cloud-based HR services. Payroll Pirate, as Microsoft says the campaign has been dubbed, gains access to victims’ HR portals by sending them phishing emails …

Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure. [...]

The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is …

Protecting your organization from cyber threats is essential for ensuring smooth operations and meeting compliance requirements. Specialized defense has become more urgent as sensitive data and critical applications have migrated to the cloud. Security is no longer about perimeter firewalls; it’s about securing dynamic cloud networks. Recognizing the …

Understanding malware functionality and analysis processes can be a thorny ball of string. To help IT and information security professionals, corporate investigators, and anyone else get started in pursuing malware analysis as a primary specialty, Mandiant Academy’s new "Basic Static and Dynamic Analysis" course can help enhance your …

Forescout's phony water plant fooled TwoNet into claiming a fake cyber victory – then it quietly shut up shop Security researchers say they duped pro-Russia cybercriminals into targeting a fake critical infrastructure organization, which the crew later claimed - via their Telegram group - to be a real-world attack.... [...]

From lab work to leadership — VMware certification can transform your IT career. Learn from VMware User Group (VMUG) how the VMUG Advantage can help you build real skills, gain confidence, and join a global IT community. [...]

Crooks phish campus staff, slip into HR systems, and quietly reroute paychecks Microsoft's Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.... [...]

AI agents are now hacking computers. They’re getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale. This is going to change everything. Over the summer, hackers …

US and French fuzz pull the plug on Scattered Lapsus$ Hunters' latest leak shop targeting Salesforce US authorities have seized the latest incarnation of BreachForums, the cybercriminal bazaar recently reborn under the stewardship of the so-called Scattered Lapsus$ Hunters, with help from French cyber cops and the Paris prosecutor's …

Prospect apologizes for cyber gaffe affecting up to 160K members UK trade union Prospect is notifying members of a breach that involved data such as sexual orientation and disabilities.... [...]

The FBI has seized last night all domains for the BreachForums hacking forum operated by the ShinyHunters group mostly as a portal for leaking corporate data stolen in attacks from ransomware and extortion gangs. [...]