Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-15 21:35:01 | bleepingcomputer | DATA BREACH | PornHub Faces Extortion After Mixpanel Data Breach Exposes User Activity | PornHub is being extorted by ShinyHunters following a breach at Mixpanel, affecting Premium members' search and watch history data. The breach occurred on November 8th, 2025, via an SMS phishing attack that compromised Mixpanel's systems, impacting several clients. PornHub clarified that its systems were not breached, and sensitive financial information remains secure; the data breach involves historical data from 2021 or earlier. ShinyHunters claims to have stolen 94GB of data, including over 200 million records detailing user activity, such as email addresses and video interactions. The extortion group has threatened to publish the stolen data unless a ransom is paid, marking another significant breach attributed to ShinyHunters this year. Mixpanel's breach also impacted other clients, including OpenAI and CoinTracker, with ShinyHunters confirmed as the responsible party. The incident underscores the risks associated with third-party vendors and the importance of robust cybersecurity measures to protect sensitive user data. | Details |
| 2025-12-15 18:27:02 | bleepingcomputer | MISCELLANEOUS | SoundCloud VPN Access Disruption Affects Global User Base | SoundCloud users accessing the platform via VPNs are encountering 403 'forbidden' errors, disrupting service for individuals in regions where the platform is restricted. The issue has persisted for four days, affecting all user accounts regardless of membership status, and has been confirmed by BleepingComputer through user reports. SoundCloud's senior director of communications attributes the problem to recent configuration changes, with efforts underway to resolve the connectivity issues. The platform, which supports 140 million registered users and 40 million creators, is crucial for independent artists and users in countries with access restrictions. Users in China, Russia, Venezuela, and Kazakhstan often rely on VPNs to bypass local bans on SoundCloud, making the current disruption particularly impactful. While some users have found temporary workarounds, success has been inconsistent, and a permanent solution from SoundCloud is still pending. SoundCloud's ongoing communication via social media and direct statements aims to keep users informed, though no timeline for resolution has been provided. | Details |
| 2025-12-15 18:01:14 | theregister | VULNERABILITIES | React2Shell Exploitation by State-Sponsored and Criminal Groups Intensifies | Google warns of active exploitation of the React2Shell flaw, CVE-2025-55182, by Chinese and Iranian state-sponsored actors and financially motivated criminals. The vulnerability in the React JavaScript library allows unauthenticated attackers to execute remote code, leading to backdoors, tunnelers, and cryptocurrency miners being deployed. Chinese groups such as Earth Lamia and Jackpot Panda began exploiting the flaw immediately after its disclosure, targeting over 50 organizations across various sectors. Google's report identifies five additional Chinese espionage groups, including UNC6600 and UNC6586, using the flaw to deploy persistent backdoors like Minocat and Snowlight. North Korean and Iranian-linked actors are also implicated, although specific details about their activities remain limited. The vulnerability's exploitation is discussed in underground forums, with shared tools and experiences, increasing the risk of widespread attacks. Google advises patching React Server Components and monitoring for indicators of compromise, including unauthorized process terminations and suspicious network traffic. Three additional React vulnerabilities, CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, pose risks of denial-of-service and source code leaks, necessitating immediate attention and remediation. | Details |
| 2025-12-15 17:53:32 | thehackernews | DATA BREACH | Chrome Extension Secretly Harvests AI Chat Data from Millions of Users | Urban VPN Proxy, a Chrome extension with six million users, has been collecting AI chatbot interactions, including prompts and responses, without user consent. The extension, rated 4.7 on the Chrome Web Store, intercepts data using JavaScript executors for popular AI platforms like ChatGPT and Microsoft Copilot. Data is exfiltrated to remote servers, despite the extension's claims of enhancing user privacy and providing VPN services. Urban VPN's privacy policy acknowledges data collection for marketing analytics, yet fails to guarantee the removal of sensitive information. BIScience, the parent company, uses collected data for commercial insights, exploiting Chrome Web Store policy exceptions to justify data access. Koi Security identified similar data harvesting practices in three other extensions by the same publisher, affecting over eight million users. The incident raises concerns about the trustworthiness of browser extension marketplaces and the potential misuse of personal data shared with AI systems. | Details |
| 2025-12-15 16:49:25 | bleepingcomputer | DATA BREACH | 700Credit Data Breach Exposes Information of 5.8 Million Customers | 700Credit, a major U.S. financial services provider, is notifying 5.8 million individuals of a data breach involving personal information exposure. The breach originated from a compromised integration partner's API, which was exploited by a threat actor from May to October. The breach went unnoticed by the partner, leading to unauthorized copying of dealership customer data until 700Credit detected suspicious activity in October. Approximately 20% of consumer data was stolen due to a security flaw in the API, which failed to validate consumer reference IDs properly. 700Credit is handling regulatory notifications on behalf of affected clients and has informed the National Automobile Dealers Association to increase awareness. Impacted individuals are offered a year of free identity protection and credit monitoring through TransUnion to mitigate potential risks. No ransomware group has claimed responsibility, and further details are awaited from 700Credit regarding the incident. | Details |
| 2025-12-15 15:25:35 | bleepingcomputer | CYBERCRIME | Phishing Attacks in 2025: Emerging Trends and Security Challenges | Phishing attacks in 2025 have evolved to include omni-channel strategies, with one-third of attacks occurring outside traditional email, leveraging platforms like LinkedIn and Google Search. Attackers are utilizing Phishing-as-a-Service (PhaaS) kits, such as Tycoon and Evilginx, to bypass multi-factor authentication and enhance attack sophistication. Non-email phishing vectors are less protected, allowing attackers to bypass traditional security measures, increasing the likelihood of successful credential harvesting. Techniques such as consent phishing and device code phishing are being used to circumvent phishing-resistant authentication methods, posing new challenges for security teams. Detection evasion tactics, including bot protection and multi-stage page loading, are prolonging the undetected lifespan of phishing sites, complicating traditional URL blocking efforts. Security teams are urged to enhance browser-based detection and response capabilities to address modern phishing threats, as browser activity remains a significant blind spot. Push Security emphasizes the need for proactive vulnerability management and comprehensive browser security to mitigate identity-based threats effectively. | Details |
| 2025-12-15 14:35:23 | thehackernews | VULNERABILITIES | Critical Authentication Bypass Flaw Discovered in FreePBX Platform | Horizon3.ai identified multiple vulnerabilities in FreePBX, including a critical flaw allowing authentication bypass under specific configurations, posing significant security risks to affected systems. The vulnerabilities are not present in FreePBX's default setup but can be exploited when certain advanced settings are enabled, allowing remote code execution. Attackers can craft HTTP requests to bypass authentication and insert malicious users into the "ampusers" database, mirroring tactics seen in CVE-2025-57819. FreePBX has released patches addressing these issues, removing the option to choose an authentication provider from Advanced Settings, now requiring manual configuration via command-line. Users are advised to set "Authorization Type" to "usermanager" and disable "Override Readonly Settings" to mitigate risks, alongside system reboots to terminate rogue sessions. A warning on the dashboard cautions against using the "webserver" authentication type, which offers reduced security compared to "usermanager." Organizations should conduct thorough system analyses for potential compromises if the vulnerable AUTHTYPE was inadvertently enabled. | Details |
| 2025-12-15 12:53:17 | theregister | MISCELLANEOUS | ECB Delay Costs Bank of England £23M in RTGS Project Adjustments | The European Central Bank's delay in adopting a new messaging standard led to a £23 million increase in costs for the Bank of England's RTGS system overhaul. The Bank of England's project, initially budgeted at £431 million, faced a total cost increase of £56 million due to multiple replanning phases. The delay in the ECB's ISO 20022 migration forced the Bank of England to reschedule its own system launch to manage user change safely. The RTGS system provides settlement services for sterling payments in the UK, handling transactions worth approximately £790 billion daily. The National Audit Office acknowledged the cost increase as reasonable, citing the program's complexity and the external "shock" from the ECB's schedule change. The project, executed with Accenture as the technical partner, transitioned from mainframe technology to cloud-native solutions for improved flexibility. Despite cost overruns, the project's expenses were deemed lower than industry standards for similar financial system upgrades. | Details |
| 2025-12-15 12:47:00 | bleepingcomputer | NATION STATE ACTIVITY | Google Identifies Chinese Groups Exploiting React2Shell Vulnerability | Google's threat intelligence team has connected five additional Chinese hacking groups to React2Shell attacks, exploiting a critical remote code execution flaw in React and Next.js applications. The vulnerability, CVE-2025-55182, impacts recent versions of React and allows attackers to execute arbitrary code with a single HTTP request. Palo Alto Networks reported breaches in dozens of organizations, with attackers stealing AWS credentials and sensitive data, linked to Chinese state-backed actors. Amazon Web Services warned of Chinese groups Earth Lamia and Jackpot Panda exploiting the flaw soon after its disclosure. Google identified new groups UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595 using various malware, including tunneling software and backdoors. Discussions in underground forums reveal threat actors sharing tools and experiences related to the vulnerability, indicating widespread interest. Over 116,000 IP addresses remain vulnerable, with significant exposure in the United States, and active exploitation attempts observed globally. Cloudflare linked a global website outage to emergency measures taken against the React2Shell vulnerability, highlighting the flaw's widespread impact. | Details |
| 2025-12-15 12:24:51 | thehackernews | VULNERABILITIES | Apple and Google Release Urgent Patches for Zero-Day Exploits | Apple and Google have issued security updates to address two zero-day vulnerabilities actively exploited in targeted attacks, affecting multiple platforms including iOS, macOS, and Chrome. The vulnerabilities, CVE-2025-14174 and CVE-2025-43529, involve memory corruption and use-after-free issues, allowing arbitrary code execution via malicious web content. Google's Chrome browser update includes a fix for CVE-2025-14174, which is linked to the ANGLE library, used across various platforms. Commercial spyware vendors are suspected of exploiting these vulnerabilities, although specific exploitation methods remain undisclosed. Organizations are urged to apply these patches immediately to mitigate potential security risks from these vulnerabilities. The rapid exploitation of these flaws underscores the critical need for timely updates and robust vulnerability management practices. Failure to update systems promptly could result in significant security breaches, emphasizing the importance of proactive cybersecurity measures. | Details |
| 2025-12-15 12:11:01 | theregister | CYBERCRIME | Cyberattack on JLR Results in Significant Payroll Data Theft | Jaguar Land Rover (JLR) suffered a cyberattack in August, leading to the theft of sensitive payroll data affecting thousands of employees and former staff. The breach halted JLR's manufacturing operations for over a month, causing a £1.5 billion sales drop and £196 million in related losses. Stolen data includes bank account details, tax codes, and other personal information critical to payroll and employee benefits. JLR has advised employees to remain vigilant against potential fraud and phishing attempts, although no misuse of data has been confirmed yet. The attack, attributed to the hacker group Scattered Lapsus Hunters, also reportedly involved customer data, though JLR has not confirmed this. The incident is classified as a systemic event, potentially costing the UK economy up to £2.1 billion, impacting GDP and highlighting corporate vulnerabilities. JLR is working with regulators and contacting affected employees as part of its response strategy, emphasizing the need for robust cybersecurity measures. | Details |
| 2025-12-15 12:02:52 | thehackernews | CYBERCRIME | ShadyPanda Campaign Exposes Browser Extension Supply Chain Vulnerabilities | ShadyPanda, a cybercrime group, compromised popular Chrome and Edge extensions, affecting 4.3 million users by turning trusted add-ons into spyware and backdoors. The campaign involved a long-term strategy of gaining user trust before deploying malicious updates via automatic extension updates. Compromised extensions enabled remote code execution, allowing attackers to exfiltrate browsing data, credentials, and even impersonate SaaS accounts. Traditional identity defenses like MFA were ineffective, as the attack leveraged authenticated browser sessions to bypass security measures. Organizations are advised to enforce extension allow lists, audit permissions, and monitor extension behavior to mitigate such risks. Security teams should treat browser extensions as part of the SaaS attack surface and integrate their oversight into identity and access management processes. The incident underscores the importance of bridging endpoint and SaaS security to protect against similar threats in the future. | Details |
| 2025-12-15 11:11:13 | bleepingcomputer | DATA BREACH | French Interior Ministry's Email Servers Breached in Cyberattack | The French Interior Ministry experienced a cyberattack on its email servers, potentially compromising document files, though data theft remains unconfirmed. The breach was detected between December 11 and December 12, prompting immediate security enhancements and access control measures. French authorities have launched an investigation to identify the attack's origin, considering possibilities such as foreign interference, activist actions, or cybercrime. Interior Minister Laurent Nuñez emphasized the need for vigilance, noting the ministry's role in overseeing police forces and internal security. The attack highlights the ministry as a high-value target, similar to previous incidents linked to the Russian APT28 hacking group. The French National Agency for the Security of Information Systems (ANSSI) has previously reported APT28's focus on strategic intelligence theft from governmental and diplomatic entities. This incident serves as a reminder of the persistent threat state-sponsored hackers and cybercriminals pose to national security infrastructure. | Details |
| 2025-12-15 11:04:38 | theregister | VULNERABILITIES | Apple and Google Release Emergency Patches for Zero-Day Exploits | Apple and Google issued emergency patches to address zero-day vulnerabilities actively exploited in sophisticated attacks, impacting iPhones, iPads, Macs, and Chrome browsers. Apple's security updates targeted WebKit bugs, which were part of a highly sophisticated attack against specific individuals, though technical details remain sparse. Google addressed multiple Chrome security flaws, including CVE-2025-14174, an out-of-bounds memory access vulnerability already exploited in the wild. The discovery of the Chrome vulnerability was credited to Apple's security team and Google's Threat Analysis Group, indicating potential spyware-grade exploitation. Both companies' rapid response highlights the ongoing threat posed by zero-day vulnerabilities, with Apple addressing nine and Google eight in 2025 alone. The patching efforts underscore the critical need for users to promptly update devices to mitigate risks from these high-priority vulnerabilities. These incidents reflect the persistent targeting of browsers and mobile platforms, emphasizing their value to attackers seeking lucrative opportunities. | Details |
| 2025-12-15 10:46:56 | theregister | MISCELLANEOUS | Denmark's Proposed VPN Restrictions Stir Privacy Concerns | Denmark's government is proposing amendments to limit VPN use for accessing illegal streaming and blocked content, sparking privacy concerns among citizens and activists. The proposed law aims to update existing regulations to address modern piracy methods, focusing on illegal IPTV services and VPN misuse. The draft legislation intends to be tech-neutral, allowing future-proofing against emerging technologies that might bypass content restrictions. Privacy advocates argue the proposal could infringe on personal freedoms and privacy rights, viewing it as a potential overreach of government control. Danish Culture Minister Jakob Engel-Schmidt clarified that the bill is not a blanket ban on VPNs but targets illegal streaming activities. The proposal surfaces amid broader European debates on tech regulation, including the controversial EU Chat Control initiative, which Denmark initially supported. The public opposition to the VPN restrictions reflects wider concerns about governmental approaches to tech regulation and privacy in Europe. | Details |