Telehealth company Hims & Hers suffered a data breach between February 4-7 when hackers accessed customer support tickets containing names, email addresses, and medical information. The ShinyHunters group claimed responsibility for the attack on the third-party support platform.
This breach is particularly concerning because Hims specializes in sensitive health issues like erectile dysfunction, hair loss, and mental health—conditions that carry significant stigma. The exposed data could potentially enable blackmail attempts against affected customers.
Hims took a month to determine what information was compromised and another month to notify customers. The company is offering free credit monitoring to impacted users.
Source: Dark Reading
Cybercriminals have breached Healthdaq, an Irish recruitment platform used by Northern Ireland health trusts, claiming to have stolen nearly 500,000 sensitive files. The hackers, known as XP95, accessed personal data including names, CVs, passports, driving licenses, criminal background checks, and vaccine records on March 30th.
All Northern Ireland health trusts have been notified and are advising staff to remain vigilant. The breach poses risks of identity theft and fraud given the sensitive nature of healthcare worker data stored on the platform.
Healthdaq, headquartered in Dublin with international operations, says the incident has been contained and security measures implemented. The Information Commissioner's Office is now investigating the breach.
Source: BBC News
A security researcher using the alias "Chaotic Eclipse" publicly released exploit code for an unpatched Windows zero-day vulnerability called "BlueHammer" on April 2, citing frustration with Microsoft's Security Response Center. The flaw combines a race condition and path confusion in Windows Defender's update system, potentially allowing local attackers to access password hashes and gain administrator rights.
The exploit currently works on desktop systems but not Windows Server. Security experts warn that skilled threat actors could quickly weaponize the proof-of-concept code, with ransomware groups typically deploying such exploits within days of release.
This incident highlights ongoing tensions between security researchers and Microsoft's vulnerability disclosure process, which critics have long called frustrating and opaque despite the company's 2023 promises to improve transparency.
Source: Dark Reading
Hackers are exploiting an unpatched vulnerability in Adobe Reader to steal sensitive data from victims' computers. The attack works simply by opening a malicious PDF file - no other user interaction required.
The exploit, detected by EXPMON's threat-hunting system, bypasses Adobe's security protections to read local files and transmit system information to attacker servers at IP address 169.40.2.68. This includes operating system details, language settings, and file paths.
What makes this particularly dangerous is the two-stage attack. After initial data theft, attackers can send back additional malicious code capable of complete system takeover through Remote Code Execution.
Adobe has been notified but no patch exists yet. Until one is available, users should avoid opening PDFs from unknown sources.
Source: Cybersecurity News
The UK's National Cyber Security Centre warned Tuesday that Russian hackers are exploiting common internet routers to steal credentials and access home networks. The attacks, likely carried out by APT28 (Fancy Bear) linked to Russian intelligence, target "edge devices" like routers that users often forget to update.
Once compromised, hackers can redirect users to fake banking sites, access phones and PCs on the network, and harvest intelligence. Professor Alan Woodward from University of Surrey called routers a "weak point" that attackers use to establish network footholds.
The warning follows the US banning foreign-made routers over national security concerns. Experts urge users to keep routers updated, as many devices no longer receive security patches.
Source: The Guardian
Storm-1175, a financially motivated cybercrime group, is conducting "high velocity" Medusa ransomware campaigns that move from initial breach to data theft in as little as 24 hours. Microsoft reports the group exploits vulnerabilities in the critical window between disclosure and widespread patching, recently targeting healthcare, education, and finance organizations across Australia, the UK, and the US.
The attackers have weaponized over a dozen known vulnerabilities, including recent flaws in BeyondTrust and CrushFTP software. They've also exploited zero-day vulnerabilities in SmarterMail and GoAnywhere before public disclosure. Storm-1175 disables Microsoft Defender Antivirus by tampering with Windows registry settings, allowing their ransomware to execute undetected. Microsoft urges immediate patching and enabling tamper protection features.
Source: Dark Reading
Cybercriminals are exploiting a critical React2Shell vulnerability (CVE-2025-55182) in Next.js web applications to launch a massive automated credential theft campaign. Cisco Talos researchers discovered that the operation, attributed to threat group UAT-10608, has compromised at least 766 hosts across multiple industries and regions.
The attackers use an automated tool called "NEXUS Listener" that harvests credentials, SSH keys, cloud tokens, and environment secrets after exploiting the pre-authentication remote code execution flaw. The framework includes a graphical interface with search capabilities, turning stolen data into a searchable intelligence database.
Defenses include patching the vulnerability, rotating exposed credentials, and monitoring for suspicious processes spawned from /tmp/ directories with randomized names.
Source: Dark Reading
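The process-monitoring advice in the React2Shell item above can be turned into a simple host check. The following is an added example, not code from Cisco Talos or from the report: it scans a constructed process inventory (a made-up "pid ppid exe args" format, not real tool output) for binaries running out of scratch directories with random-looking names, and also picks up their direct children. The /var/tmp and /dev/shm entries and the randomness heuristic are assumptions of this example.

```python
import math
import re
from collections import Counter

# Scratch directories to watch. The report names /tmp/; /var/tmp and /dev/shm
# are added here as common equivalents (an assumption, not from the report).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample in the form "pid ppid exe args" (not output of any real tool).
SAMPLE_PROCESSES = """\
1 0 /sbin/init /sbin/init
812 1 /usr/bin/node node server.js
913 812 /tmp/.x7k2q9pz /tmp/.x7k2q9pz -c 10.0.0.5
914 913 /bin/sh sh -c id
1001 1 /tmp/npm-cache-12345/bin/build build
1002 1 /tmp/a8f3kd1zq a8f3kd1zq --listen
"""

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(name):
    """Heuristic for machine-generated basenames such as '.x7k2q9pz'."""
    core = re.sub(r"^\.+|\.[A-Za-z0-9]+$", "", name)  # drop leading dots and extension
    if len(core) < 6:
        return False
    mixed = bool(re.search(r"[A-Za-z]", core)) and bool(re.search(r"\d", core))
    return mixed or shannon_entropy(core) > 3.0

def parse_processes(text):
    """Yield (pid, ppid, exe) from the constructed 'pid ppid exe args' lines."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) >= 3:
            yield int(parts[0]), int(parts[1]), parts[2]

def suspicious_scratch_processes(text):
    """Flag binaries in scratch dirs with random-looking names, plus their children."""
    procs = list(parse_processes(text))
    flagged = {pid for pid, _, exe in procs
               if exe.startswith(SCRATCH_DIRS) and looks_random(exe.rsplit("/", 1)[-1])}
    # One pass picks up direct children (e.g. a shell spawned by the implant).
    flagged |= {pid for pid, ppid, _ in procs if ppid in flagged}
    return [(pid, ppid, exe) for pid, ppid, exe in procs if pid in flagged]
```

On the sample, the implant at /tmp/.x7k2q9pz, the shell it spawned, and /tmp/a8f3kd1zq are flagged, while the build helper under a readable npm cache path is not.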
Cybercriminals launched a targeted supply chain attack against Guardarian, a cryptocurrency payment gateway, using 36 malicious NPM packages in the Strapi ecosystem. Security firm SafeDep discovered the campaign Friday, revealing attackers deployed multiple payloads capable of Redis code execution, Docker container escapes, and credential theft.
The attack specifically targeted Strapi users through fake plugins that could inject crontab entries, deploy webshells, harvest wallet credentials, and establish persistent access to systems. The attackers showed clear progression - starting with aggressive tactics like Redis attacks, then pivoting to reconnaissance and data collection when initial methods failed.
Users who installed these malicious packages should immediately rotate all credentials, including database passwords, API keys, and JWT secrets stored on their systems.
Source: Security Week
CISA added a dangerous TrueConf software vulnerability (CVE-2026-3502) to its Known Exploited Vulnerabilities catalog after detecting active attacks. The flaw lets hackers hijack software updates by replacing legitimate files with malicious code, potentially giving attackers full system control.
The vulnerability affects TrueConf Client's update process, which fails to verify file authenticity. When users update their software, attackers can substitute malware that executes with full privileges.
Federal agencies must patch by April 16, 2026, under mandatory security directives. CISA recommends immediately applying vendor patches or discontinuing TrueConf if fixes aren't available. Private organizations should also patch urgently, as the flaw creates an easy entry point for ransomware and data theft.
Source: Cybersecurity News
Hackers stole over 300GB of data from the European Commission's AWS cloud environment after compromising an API key through the Trivy supply chain attack on March 19. The TeamPCP hacking group exploited a vulnerability in Aqua Security's scanner, which the EC unknowingly received through regular software updates.
The breach affected Europa.eu's hosting service, impacting 71 clients including 42 internal EC departments and 29 other EU entities. Stolen data includes personal information like names, email addresses, and usernames from multiple EU websites.
The notorious ShinyHunters group later published the 340GB dataset on their leak site. The EC has revoked compromised credentials and notified data protection authorities, confirming internal systems weren't affected.
Source: Security Week