Trust Hijacked: Official JDownloader Website Breached to Distribute Malicious Installers
The post Trust Hijacked: Official JDownloader Website Breached to Distribute Malicious Installers appeared first on Daily CyberSecurity.
AI observability startup Braintrust warned customers to rotate API keys after attackers gained unauthorized access to one of the company’s AWS accounts, potentially exposing secrets used to connect to cloud-based AI models.
The company said it discovered suspicious activity on May 4 and immediately locked down the affected account, restricted access to related systems, and rotated internal credentials. The firm launched an investigation into the security incident.
“We’ve identified a security incident that involved unauthorized access to one of our AWS accounts. We are actively investigating, and we have engaged incident response experts.” reads the security breach notice published by the company. “We have contained the incident by locking down the compromised account, auditing and restricting access across related systems, rotating internal secrets, and engaging incident response experts to support our investigation. As a precaution, we recommend that all customers rotate any org-level AI provider keys used with Braintrust.”
Braintrust notified customers the following day and shared indicators of compromise and remediation guidance.
Although Braintrust says the impact appears limited, experts warn the breach highlights growing AI supply chain risks, as AI platforms increasingly store valuable API credentials targeted by attackers.
The potential exposure could affect organizations relying on Braintrust to manage AI provider keys across services and applications.
Researchers note that once threat actors obtain valid API keys, they can abuse AI services while appearing as legitimate users, often bypassing traditional security controls.
“To date, we’ve confirmed the issue affected one customer. Three additional customers reported suspicious spikes in AI provider usage, and we’re investigating those alongside them.” continues the notice. “We have not identified broader customer exposure based on our investigation to date, but as a precaution we informed all org admins with stored AI provider secrets in Braintrust. The investigation is ongoing.”
The incident also reflects a broader trend of attackers targeting cloud accounts and SaaS providers to gain indirect access to downstream customers and interconnected AI infrastructure.
The company plans to add new safeguards, including timestamps and user attribution for API key changes, while the investigation into the incident remains ongoing.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, AI)

The RansomHouse ransomware group has claimed responsibility for the recent cyberattack on cybersecurity firm Trellix. To support its claims, the gang published screenshots allegedly showing access to internal Trellix services.

In early May, the company revealed a breach that allowed unauthorized access to part of its source code repository. The cybersecurity firm said it quickly launched an investigation with forensic experts and notified law enforcement. While the exact data accessed remains unclear, Trellix stated there is no evidence that its source code has been altered or exploited.
“Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement.” reads the update published by the security firm. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”
The company did not disclose who carried out the attack or how it was done. It is also unclear how long the attackers had access to the repository.
Unauthorized access to part of a source code repository can expose sensitive logic, APIs, or credentials. Attackers may study the code to find vulnerabilities, create exploits, or plan targeted attacks. It can also lead to intellectual property theft, reputational damage, and supply chain risks if tampered code is later distributed to customers or partners.
The cybersecurity firm confirmed that part of its source code repository was breached, but said there is currently no evidence that its code release process or products were compromised.
RansomHouse is a cyber extortion group that emerged in late 2021 and quickly gained attention for targeting large organizations worldwide. Unlike traditional ransomware gangs, it initially focused on stealing data and extorting victims rather than encrypting systems.
The group presents itself as a “professional mediator” exposing poor cybersecurity practices, although researchers classify it as a financially motivated criminal operation. RansomHouse has been linked to attacks on healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators, claiming breaches involving AMD, Shoprite, and European institutions. The gang typically exploits exposed services, weak credentials, phishing, and vulnerable remote access systems.
(SecurityAffairs – hacking, data breach)

Personal data belonging to nearly 197,000 Zara customers has been compromised following a cyberattack on a former technology provider used by Inditex, the Spanish fashion giant behind some of the world’s most recognized retail brands including Bershka, Pull&Bear, and Massimo Dutti.
The breach came to light last month when Inditex confirmed unauthorized access to databases hosted by a third-party vendor. The company was careful to limit the alarm: the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers.
“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally. Operations and systems haven’t been affected and customers can continue to access and use its services safely,” reads a statement by Inditex.
What was exposed, however, tells a different story about the scale of the incident.
The data breach notification service Have I Been Pwned analyzed the stolen dataset and confirmed that 197,400 unique email addresses were among the compromised records, alongside order IDs, product SKUs, geographic locations, purchase history, and customer support tickets, enough to paint a detailed picture of individual shopping habits and interactions with the brand.
“In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their “pay or leak” campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records.” reads the alert by HIBP. “The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara’s parent company Inditex advised that the incident didn’t affect passwords or payment information.”
The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances by exploiting compromised Anodot authentication tokens, the same technique they have used against dozens of other companies.
“Your Bigquery instances data was compromised thanks to Anodot.com,” the cybercrime group wrote on its Tor data leak site. “The company failed to reach an agreement with us despite our incredible patience, all the chances.”
The Anodot vector is significant. ShinyHunters has told journalists that stolen Anodot tokens gave them access to analytics infrastructure across multiple large organizations simultaneously, a single point of failure that cascaded into dozens of separate breaches. The gang has also run coordinated vishing campaigns targeting employees’ SSO accounts at Microsoft Entra, Okta, and Google to move laterally into connected SaaS environments.
Inditex has not yet named the compromised provider or attributed the attack to a specific threat actor, despite ShinyHunters having publicly claimed it and released data as proof.
Zara is the flagship fashion brand of Inditex, one of the world’s largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms, making it one of the most globally recognized fast-fashion retailers.
Rival retailer Mango disclosed its own data breach last October, after a marketing vendor was hacked and customer data used in promotional campaigns was exposed. In that case, no extortion group has come forward, and the attackers remain unidentified.
(SecurityAffairs – hacking, data breach)

A data breach at GFN.AM, an authorized NVIDIA GeForce NOW cloud gaming service provider operating under “GFN CLOUD INTERNET SERVICES” LLC, has exposed personal information belonging to registered users.
The company disclosed the incident on May 5, 2026, revealing that unauthorized access to its database occurred as far back as March 9, 2026, nearly two months before discovery.
The breach was first detected on May 2, 2026, leaving a roughly 54-day window during which threat actors may have had access to user records.
GFN.AM confirmed that the unauthorized party gained access to its backend database, allowing sensitive user data to be exfiltrated or viewed by third parties.
Critically, only users registered on or before March 9, 2026, are affected. The incident did not impact accounts created after that date.
According to the official disclosure, the following categories of personal data may have been compromised:
The company emphasized that account passwords were not compromised in this incident, reducing the immediate risk of account takeover.
However, the exposed combination of email addresses, phone numbers, and full names poses a significant risk of phishing, SIM swapping, and social engineering targeting affected users.
Following the discovery of the breach, GFN.AM stated it took immediate steps to eliminate the root cause of the unauthorized access. The company has also implemented additional organizational and technical security controls to harden its information systems and reduce the likelihood of a similar incident.
No further technical specifics, such as whether the access involved a compromised credential, an unpatched vulnerability, or a misconfigured database, were disclosed in the public notice.
Security professionals warn that even without password exposure, the leaked data is highly valuable to cybercriminals. Personal identifiers such as full names, phone numbers, and email addresses are routinely used in targeted phishing and credential-stuffing campaigns.
Users who authenticated via Google should review their account activity, as their full names were among the exposed fields.
Users registered on or before March 9, 2026, should take the following precautions:
GFN.AM has not publicly indicated whether affected users will be notified individually or whether regulatory authorities have been informed of the breach.
The post NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users appeared first on Cyber Security News.


Škoda Auto has disclosed a significant IT security incident affecting its official online shop, revealing that unauthorized individuals exploited a vulnerability in the platform’s standard shop software to gain temporary unauthorized access to customer data.
During routine technical security monitoring, Škoda’s IT team identified that attackers had leveraged a flaw in the shop’s underlying software to infiltrate the system.
Upon discovery, Škoda immediately activated containment measures and took the online shop offline as a precautionary step.
The vulnerability has since been fully remediated, and an external IT forensics firm has been commissioned to conduct a thorough technical post-incident analysis.
The breach was also formally reported to the relevant data protection supervisory authority in compliance with regulatory obligations.
The Škoda online shop stores a range of personal customer data, including full names, postal addresses, email addresses, phone numbers, order history, and account login credentials.
Passwords were stored using cryptographic hashing rather than plaintext, which provides a meaningful layer of protection.
Critically, credit card details are not retained in the shop system; payment data is handled exclusively by third-party payment service providers, ruling out direct financial data exposure based on current forensic findings.
Forensic analysis confirmed that access to stored data was theoretically possible during the intrusion window. However, due to limitations in existing server-side logging protocols, investigators cannot definitively confirm whether data was actively exfiltrated or merely accessed.
Škoda states that no concrete evidence of customer data misuse has been identified so far, but is notifying affected customers as a precautionary measure, given that unauthorized access cannot be entirely excluded.
Customers whose data may have been exposed face two primary threat scenarios. First, phishing attacks where threat actors use known order details or personal information to craft convincing fraudulent emails or messages designed to harvest additional credentials or prompt victims to click malicious links.
Second, credential stuffing attacks, in which adversaries attempt to use compromised email-and-password combinations to gain unauthorized access to other online accounts, particularly when users reuse the same password across multiple services.
This incident underscores the persistent risk of e-commerce platform vulnerabilities, particularly when standard third-party shop software is deployed without sufficient hardening and continuous security monitoring.
The post Škoda Security Incident Exposes Customers Data From Online Shop appeared first on Cyber Security News.


GFN Cloud Internet Services, operating as GFN.AM, the regional NVIDIA GeForce NOW cloud gaming partner, has officially confirmed a significant data breach. The security incident exposed personal information of users registered on its streaming platform. While the company has now secured its database, the delayed discovery of the network intrusion highlights ongoing challenges in protecting […]
The post NVIDIA Confirms GeForce Data Breach Exposed Users’ Personal Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

ShinyHunters-linked attackers defaced Canvas portals, disrupting finals week access and exposing SaaS security risks for schools.
The post ShinyHunters Extorts Universities in New Instructure Canvas Hack appeared first on TechRepublic.

The modern enterprise is no longer breached in the traditional sense. Firewalls remain intact; endpoints appear compliant, and credentials are often never “stolen” in the usual way. Yet attackers still get in—and stay in. The difference lies in how trust is being weaponized.
Threat actors are executing what looks like a supply chain attack without ever touching the actual supply chain infrastructure. Instead, they exploit the implicit trust organizations place in browsers, third-party services, and user behavior.
This shift represents a quiet but dangerous evolution in supply chain cybersecurity. It’s less about breaking systems and more about bending them, using legitimate access paths to bypass defenses that were designed to stop intrusion, not misuse.
Traditional software supply chain attack scenarios often involve tampering with code libraries, compromising vendors, or injecting malicious updates. Those risks still exist, but attackers are now pursuing a lighter, faster approach: manipulating user-facing workflows that rely on trusted platforms.
In recent campaigns, phishing pages masquerade as routine services—identity verification tools, account recovery portals, or internal workflows. What makes these attacks stand out is not just the deception, but the permissions they request. Instead of asking for passwords, they request access to cameras, microphones, and device-level metadata.
This tactic transforms a simple phishing attempt into a sophisticated supply chain attack example—one where the “chain” is not software distribution, but user trust in familiar digital processes.
Once permissions are granted, the attack doesn’t need to escalate privileges. It already has them.
Modern browsers are powerful. They support APIs for video capture, audio recording, geolocation, and device fingerprinting. These capabilities are designed for legitimate applications—but in the wrong hands, they become surveillance tools.
Attackers embed scripts within phishing pages that activate these features immediately after permission is granted. Within seconds, they can:
This isn’t brute-force hacking. It’s precision harvesting.
The data is then quietly transmitted to attacker-controlled systems, often using simple channels like messaging bots. There’s no need for complex infrastructure, which makes detection even harder.
From a supply chain cybersecurity perspective, this is particularly concerning. The browser—arguably one of the most trusted components in enterprise environments—becomes the weakest link.
Another variation of this evolving threat involves QR codes embedded in seemingly legitimate documents. This technique, often called “quishing,” shifts the attack from desktops to mobile devices.
An employee receives a polished PDF—perhaps an HR document or compliance guide. It looks authentic, reads well, and builds credibility. Then, at the end, it asks the user to scan a QR code for more information.
That scan leads to a phishing site.
Because QR codes obscure the underlying URL, they bypass many traditional email filters. On mobile devices, where users are less likely to scrutinize links, the success rate increases dramatically.
This approach represents another subtle supply chain attack example: attackers are exploiting trusted communication formats—PDFs, QR codes, and mobile workflows—to deliver malicious payloads without triggering alarms.
Credential harvesting has also evolved. Instead of simply collecting usernames and passwords, attackers now position themselves between the user and the legitimate service.
This adversary-in-the-middle (AITM) technique allows them to intercept:
In effect, they don’t just log in—they become the user.
This is particularly damaging in enterprise environments where MFA was once considered a strong defense. It highlights a critical gap in how to prevent supply chain attacks: focusing solely on authentication is no longer enough. Continuous verification and behavioral monitoring are now essential.
What makes these campaigns effective isn’t just technical sophistication—it’s psychological alignment. Every step mimics something users already trust:
Attackers are not introducing new behaviors; they are blending into existing ones.
This is why traditional defenses struggle. Security tools are designed to detect anomalies, but these attacks look normal—because they are built on legitimate features.
Defending against this new class of software supply chain attack requires a shift in mindset. Organizations must move beyond perimeter-based security and adopt a context-driven approach.
Key strategies include:
Understanding how to prevent supply chain attacks now means recognizing that the “supply chain” includes user interactions, browser capabilities, and third-party workflows—not just software dependencies.
As attackers exploit trusted access points, endpoint visibility becomes critical. This is where platforms like Cyble Titan play a strategic role.
Cyble Titan is designed to go beyond traditional endpoint protection. It brings together real-time telemetry, threat intelligence, and automated response into a unified platform. Rather than relying on static rules, it continuously analyzes behavior across endpoints, detecting subtle anomalies that indicate misuse of legitimate tools.
Key strengths include:
In the context of supply chain cybersecurity, this level of visibility is essential. When attacks don’t “break in” but instead operate within trusted boundaries, detection depends on understanding what shouldn’t be happening, even if it looks normal on the surface.
The definition of a breach is changing. It’s no longer about unauthorized access—it’s about unauthorized use of authorized access.
These emerging supply chain attack examples demonstrate that attackers are adapting faster than traditional defenses. They are leveraging trust, not bypassing it. And that makes them harder to detect, harder to prevent, and potentially more damaging.
Organizations that want to stay ahead must rethink how to prevent supply chain attacks. That means focusing on context, behavior, and continuous verification—not just barriers.
Ready to see how modern endpoint security can close these gaps? Explore Cyble Titan and experience a more intelligent approach to defending against today’s most deceptive threats.
Request a demo and evaluate how real-time visibility and AI-driven detection can strengthen your security posture from the inside out.
The post Third-Party Breaches Without Breaches: How Attackers Use Trusted Access to Bypass US Enterprise Defenses appeared first on Cyble.


Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.
Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.
Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.
In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”
The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.
The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.

Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.
RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.
The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.
The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.
Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.
The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.
The post Trellix Breach – RansomHouse Claims Access to Parts of Source Code appeared first on Cyber Security News.



Leading cybersecurity firm Trellix is actively investigating a potential security incident following claims made by the RansomHouse extortion group. The threat actors recently listed Trellix on their dark web leak site, alleging a successful cyberattack against the prominent security vendor.
The RansomHouse Breach Claims
Threat intelligence platform VenariX first highlighted the development, noting on X […]
The post Trellix Investigates RansomHouse Breach Claims Involving Source Code Repository appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.



Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 users in April 2026. According to Have I Been Pwned, the attackers accessed user data through a compromise at Anodot, a third‑party analytics vendor.
“In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their “pay or leak” campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata,” reported Have I Been Pwned. “The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include “Vimeo video content, valid user login credentials, or payment card information”.”
Vimeo confirmed that the security incident is linked to a breach at Anodot. An unauthorized actor accessed some Vimeo user and customer data, mainly technical information, video titles, metadata, and in some cases email addresses.
“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies. The Google Threat Intelligence report associated with the unauthorized actor claiming responsibility for the Anodot incident can be found at this link.” reads the notice on the security incident published by the company.
“We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”
The company said no video content, login credentials, or payment data were exposed, and services were not disrupted. In response, Vimeo disabled Anodot access, removed the integration, engaged external security experts, and notified law enforcement.
The investigation is still ongoing, and updates will be shared as more details emerge.
After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its Tor data leak site.

ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.
ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365.
(SecurityAffairs – hacking, Vimeo)

In a significant supply chain security incident, the popular video hosting platform Vimeo has confirmed a data breach that exposed user information.
Discovered in April 2026, the breach exposed 119,000 unique email addresses and other metadata.
The incident highlights the growing risks associated with third-party service providers, as the compromise did not occur directly on Vimeo’s infrastructure but rather through an analytics vendor.
The notorious extortion group known as ShinyHunters claimed responsibility for the attack.

They added Vimeo to their public extortion portal as part of an aggressive “pay or leak” campaign.
Following the initial threat, the threat actors published hundreds of gigabytes of stolen data online.
Google Threat Intelligence has also released a report detailing the expansion of ShinyHunters’ software-as-a-service data theft operations, directly associating the threat group with this specific vendor compromise.
While the sheer volume of leaked data is massive, the contents primarily consist of technical records rather than highly sensitive financial information.
The exposed databases contained video titles, system metadata, and technical logs.
However, the most concerning aspect for users is the exposure of 119,000 unique email addresses, which were sometimes accompanied by user names.
Data breach notification service Have I Been Pwned analyzed and added 119,200 accounts to its database, noting 56% were already exposed in prior breaches.
Cybercriminals frequently use this type of personal information to launch targeted phishing campaigns or credential stuffing attacks across other platforms.
Vimeo has stepped forward to reassure its user base regarding the limitations of the breach.
According to their official security advisory, the unauthorized access did not compromise actual Vimeo video content.
Furthermore, the company confirmed that valid user login credentials, passwords, and payment card information remain entirely secure.
The incident also did not disrupt Vimeo’s core systems or daily hosting services, meaning platform operations continue to function normally without interruption.
The root cause of the data exposure stems from Anodot, a third-party analytics vendor used by Vimeo and several other organizations.
The threat actors breached Anodot’s systems, gaining unauthorized access to specific Vimeo customer data stored in the analytics environment.
This indirect compromise underscores the critical importance of monitoring vendor security and managing data access permissions within integrated enterprise supply chains.
Upon discovering the unauthorized access, Vimeo’s security team immediately initiated its incident response protocols.
The company promptly revoked all Anodot credentials and completely removed the vendor’s integration from Vimeo’s internal systems to prevent further data exfiltration.
Additionally, Vimeo engaged external third-party cybersecurity experts to assist with a comprehensive forensic investigation.
The company has also notified relevant law enforcement agencies and stated that it will continue to monitor the situation and update users as the ongoing investigation progresses.
Security experts strongly recommend that affected Vimeo users implement precautionary measures.
Even though passwords were not exposed, individuals should remain highly vigilant against incoming communications.
Threat actors often leverage exposed names and email addresses to craft highly convincing phishing messages designed to steal passwords or deploy malware.
Users are encouraged to use a reputable password manager to generate and store strong, unique passwords for all their online accounts, ensuring that a breach on one platform does not compromise another.
The post Vimeo Data Breach Exposes 119,000 Users Unique Email Addresses appeared first on Cyber Security News.
