🚨 Detecting External Copilot Prompt Attacks 🚨 Varonis’ latest SearchLeak research shows how attackers can chain P2P injection, HTML injection, and SSRF to coerce enterprise Copilot into leaking sensitive data. varonis.com/blog/searchleak Although Microsoft has patched CVE‑2026‑42824, defenders now face a new reality: knowing the URL format that can trigger Copilot prompts means adversaries can weaponize links in email, Teams, and Office documents to break guardrails and exfiltrate data. To counter this, defenders must monitor for suspicious link activity that could coerce users into executing external Copilot prompts. Below is a KQL detection designed to surface potential external threats where attackers attempt to force Copilot into unsafe prompting behavior. github.com/SlimKQL/Detection… #Cybersecurity #CopilotPrompt #DataExfiltration
In this post, we explore a surprisingly simple concept: using line-of-sight communication and rolling QR codes to move virtually unlimited amounts of data between two parties: covertaccessteam.substack.co… | #CyberSecurity #InfoSec #DataExfiltration #AirGappedSystems #ThreatResearch
This campaign is a reminder that data theft does not always look like a sudden breach. Incremental mailbox exfiltration through trusted services like Dropbox and OneDrive Personal can blend into normal business activity—especially when targeting executives with high-value communications and sensitive information.

What organizations should prioritize now:
- Monitor executive mailboxes for unusual access patterns, mass reads, exports, and forwarding behavior
- Restrict or govern personal cloud storage use from corporate devices and accounts
- Enforce phishing-resistant MFA and conditional access for executives and high-risk users
- Review OAuth apps, mailbox rules, delegated access, and suspicious session activity
- Implement DLP and alerting for sensitive data movement to personal cloud services
- Build response playbooks for executive account compromise, including session revocation, credential rotation, and legal/compliance review

Vistem Elevate powered by VistemSecurePro helps organizations strengthen executive protection, Microsoft 365 security, and data loss prevention with vCISO-led strategy, continuous monitoring, and measurable outcomes.

Contact: sales@vistem.com | vistem.com?utm_source=in_pag…

#Cybersecurity #ExecutiveProtection #Microsoft365 #OutlookSecurity #DataExfiltration #CloudSecurity #IdentitySecurity #DLP #IncidentResponse #CyberResilience #VistemElevate #VistemSecurePro #VistemSolutions #SecurityCompliance security.com/threat-intellig…
🌐 THREAT EXPANSION — "OILBURNERSEC" SELLS ZERO-DAY AND DATA LEAKS
[STATUS: THREAT ACTIVITY - "UNCONFIRMED" - EXPLOITS AND DATA]

An analysis of the "OilBurnerSec" threat actor's communication channels reveals that the vulnerability in WP User Frontend is only part of a large-scale operation aimed at monetizing zero-day exploits and exfiltrated data. However, this has not been verified, and an alert is issued as a precautionary measure regarding technologies that may be exploited in the future.

Caesars Entertainment Group: The actor claims to have exfiltrated 235,000 PII records from hotel and casino users.
Teledisk: The sale of access to a database containing over 6 million users and 40 million files has been announced.

📂 Additional Technical Analysis
The actor also claims to possess exploits of other technologies:
2FA Bypass: Specific to certain WordPress plugins.
Captcha Bypass: Implementations for v2/v3 versions in plugin environments.
Lateral Movement: Use of zero-day strings for unauthenticated exfiltration in Jenkins environments.

⚠️ Security Considerations
Business Risk: The ability to weaponize vulnerabilities on demand for specific clients increases the likelihood of targeted attacks against critical infrastructure using these plugins.
Verification: The actor admits that, although they can fabricate evidence, they prefer to demonstrate the effectiveness of zero-day exploits directly on the buyer's test infrastructure.

VECERT TOOLS
Strategic Monitoring Tools & Intelligence Platform: 🌐 analyzer.vecert.io
Security Verification & Monitoring: 🛡️ monitor.vecert.io

#CyberSecurity 🔐 #OilBurnerSec #ThreatActor #ZeroDay #DataExfiltration #SupplyChainAttack #VECERT 🏢 #UnderInvestigation ⚠️
El lado del mal - OpenAI "Lockdown Mode" to fight against (data exfiltration in) Prompt Injection attacks elladodelmal.com/2026/06/ope… #OpenAI #ChatGPT #AI #IA #PromptInjection #DataExfiltration #InteligenciaArtificial
🚨 CYBER INTELLIGENCE ALERT: ALLEGED INFRASTRUCTURE COMPROMISE — ENLACEVISUAL 🇨🇱
⚠️ "RSA CRAKERS" GROUP (LINKED TO SYSTEM RIPPERS) EXFILTRATES 21.5 GB OF FINANCIAL AND COMMERCIAL DATA
[STATUS: SAMPLES VISIBLE, UNCONFIRMED]

Through monitoring of communication channels operated by cybercriminals, an urgent statement issued by the group calling itself RSA CRAKERS has been detected. This group claims complete control of the server and database of the Chilean company EnlaceVisual. The most critical aspect of this incident is that the attackers are acting in concert or are an offshoot of the System Rippers group (and the OxPayload actor), the same group responsible for the recent breaches against the Chilean Navy and the Municipality of La Serena.

🎯 Affected Entity: EnlaceVisual (Private Sector / Services, Chile).
👤 Threat Actor: RSA CRAKERS
📂 Claimed Volume: 21.5 GB total (20 GB of server files, 1.5 GB of database).
⚙️ Incident Type: Mass Data Exfiltration, Server Compromise (Root/Admin), and Cyber Extortion.

📊 TECHNICAL BREAKDOWN AND IMPACT VECTORS
🗄️ Core Server Exposure (20 GB): The extraction of 20 GB of "operational web files" implies that cybercriminals possess the platform's complete source code, security certificates, backend configurations, and any repositories of attachments or company backups.
💸 Critical Database Leak (1.5 GB): The SQL dump directly exposes EnlaceVisual's financial and operational core. The exfiltrated data includes financial records, sales data, payment information, critical customer data, payroll records, and personnel details. Proof-of-Concept (PoC) tests reveal `INSERT INTO` statements containing actual email addresses (e.g., Gmail accounts), phone numbers, physical addresses, and customer transaction data.

🛡️ MITIGATIONS AND EMERGENCY TECHNICAL RECOMMENDATIONS
🛑 Activation of Incident Containment Protocol (CSIRT): EnlaceVisual must immediately disconnect the affected servers to halt any network persistence or the potential deployment of encrypting ransomware (given that the attackers currently possess full access).
🔒 Legal Notification and Customer Transparency: Following the confirmation of the data leak involving "critical customer information" and "payroll records," the company is legally obligated to proactively notify its client base and employees, advising them to block any suspicious transactions and remain vigilant against targeted phishing attempts.

⚡ MONITORING AND ASSESSMENT
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security at: monitor.vecert.io/

#CyberSecurity #DataBreach #Chile #EnlaceVisual #RSACrakers #SystemRippers #Extortion #DataExfiltration #ThreatIntelligence #CiberAlerta #VECERT #Infosec
🚨 CYBER THREAT ALERT: PROBABLE CRITICAL VULNERABILITY AND DATA EXFILTRATION — CNRTL (FRANCE) 🇫🇷
"LUNARISSEC" GROUP EXPOSES ALLEGED MASSIVE SQL INJECTION AT THE NATIONAL CENTER FOR TEXTUAL RESOURCES
[STATUS: UNDER INVESTIGATION / UNCONFIRMED]

Through monitoring on the social network X (formerly Twitter), a post was detected on May 24, 2026, made by the threat actor identified as m0rphyn (operating alongside pwn2d) under the banner of the #LunarisSec group. They have publicly exposed the exploitation of an SQL Injection (SQLi) vulnerability directly affecting the domain cnrtl.fr (Centre national de ressources textuelles et lexicales)—the official French platform for linguistic resources.

🎯 Affected Entity: CNRTL (cnrtl.fr - France).
👤 Threat Actors: m0rphyn and pwn2d (#LunarisSec Group).
📂 Incident Type: SQL Injection (SQLi) Exploitation and Database Exfiltration.

📊 TECHNICAL BREAKDOWN AND IMPACT VECTORS
Analysis of the published Proof of Concept reveals the depth of the intrusion within the institution's database architecture:
🗄️ Exposure of Main Schema: The automated tool used by the attackers attempts to connect to and extract the complete structure of the main database, named *BaseLexicale*. The console dump confirms unrestricted access to a total of 39 internal tables, thereby revealing the full scale of the compromise.
📋 Compromised Critical Tables: Operational and Lexical Data: A listing of production tables has been observed.

🛡️ MITIGATIONS AND TECHNICAL RECOMMENDATIONS
🛑 Deployment of Mitigation Shields (WAF): Urgently implement a Web Application Firewall (WAF) configured with strict rules against SQL Injection attacks to intercept and discard anomalous queries originating from external sources.
🔒 Input Sanitization and Refactoring: The CNRTL IT team must audit the web portal's source code and replace any dynamic variable concatenation within SQL queries with Parameterized Queries (Prepared Statements).

⚡ MONITORING AND EVALUATION
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security with: monitor.vecert.io/

#CyberSecurity #LunarisSec #SQLInjection #DataExfiltration #CNRTL #ThreatActors #ThreatIntelligence #CiberAlerta #VECERT #Infosec #France

#LunarisSec uncovered a devastating SQL Injection vulnerability affecting cnrtl.fr (Centre national de ressources textuelles et lexicales). The flaw allowed database exfiltration with access to 30 tables, revealing the scale of the compromise. By m0rphyn & pwn2d
🚨 CYBERINTEL ALERT: POTENTIAL MASSIVE BREACH AT MOBILITY PLATFORM — PARKINGPAY (SWITZERLAND) 🇨🇭
⚠️ THREAT UNDER INVESTIGATION: THREAT ACTOR "GIORGGIOS" IS SELLING 2.8 MILLION USER AND TRANSACTION RECORDS
[STATUS: UNCONFIRMED / ACTIVE SALE ON UNDERGROUND FORUMS / POTENTIAL EXPOSURE OF PII AND FINANCIAL DATA]

Through continuous monitoring of underground platforms linked to cybercrime (Breached), a post was detected today—May 24, 2026—made by a threat actor identified as "giorggios." The attacker has put up for sale a database that they claim contains 2.8 million records belonging to Parkingpay (parkingpay.ch), a platform recognized as the official digital service and the most widely used centralized system in Switzerland for parking payments and management.

🎯 Affected Entity: Parkingpay Switzerland.
👤 Threat Actor: giorggios
⚙️ Incident Type: Alleged Database Exfiltration / Sale of PII and Payment Metadata.

📊 TECHNICAL BREAKDOWN OF ALLEGEDLY EXFILTRATED ASSETS
Forensic analysis of the JSON sample exposed by the attacker reveals a rich and highly structured data schema, which could compromise multiple dimensions of user privacy:
🪪 Personally Identifiable Information (PII): Full names of the account holder. Maiden name: A data point of extreme criticality, frequently used as an answer to bank security questions. Mobile and landline phone numbers, including international dialing codes (+41, +423).
📍 Geolocation and Movement Patterns: Exact physical residential addresses, including city and Canton. Parking zone identifiers (zoneId), enabling the tracking of vehicles' physical locations and citizens' daily mobility habits.
💳 Transactional and Payment Data: Exact timestamps for the start and expiration of parking sessions (timestamp, expiresAt). Account type classification (PRIVATE, BUSINESS, RESIDENT, FAMILY). Linked payment methods in clear text (paidMethod), exposing the use of: APPLE_PAY, CREDIT_CARD_VISA, CREDIT_CARD_MASTER, CREDIT_CARD_CORP, POSTFINANCE_CARD, and MUNICIPAL_INVOICE.

🛡️ MITIGATIONS AND PREVENTIVE RECOMMENDATIONS
🔒 Preventive Notification: Corporate organizations providing BUSINESS-type accounts to their employees on Parkingpay should be proactively alerted to monitor for anomalous charges or social engineering attempts targeting their finance departments.

⚡ MONITORING AND ASSESSMENT
🌐 Intelligence System: analyser.vecert.io
🛡️ Quickly assess your website's security with: monitor.vecert.io/

#CyberSecurity #DataBreach #Switzerland #Parkingpay #UnverifiedLeak #PII_Leak #DataExfiltration #FinancialFraud #ThreatIntelligence #CyberAlert #VECERT #Infosec #OSINT
🚨 CYBERINTEL ALERT: POSSIBLE ACTIVE INTRUSION IN PROGRESS — POSSIBLE COMPROMISE OF THE CHILEAN ARMY 🇨🇱
⚠️ CRITICAL THREAT: THREAT ACTOR "EL ESPEJO DE TU SOMBRA" EXFILTRATING MILITARY RECORDS AND PERSONAL DATA (RUN) IN REAL TIME
[STATUS: ACTIVE MONITORING; AUTOMATED SQL EXPLOITATION TOOLS DETECTED]

Through active monitoring, the threat actor "El Espejo De Tu Sombra" (previously associated with high-impact incidents, such as the NemorisHacking breach in Guatemala) has been detected announcing and providing a technical demonstration of an active attack targeting government institutions within the Republic of Chile. The actor has published an exfiltration log (dump log) in JSON format, explicitly implying that the target is the Chilean Army, and has warned their audience that the data dumping process will remain active until all recent data has been extracted ("wait for us to finish extracting everything, including recent data").

🎯 Affected Entity: Likely the Chilean Army, or registration platforms linked to Chile's National Defense.
👤 Threat Actor: NemorisHacking
📂 Incident Type: Real-Time Structured Database Exfiltration (SQL Injection / API Scraping).

📊 FORENSIC ANALYSIS OF THE EXFILTRATION LOG (EXPOSED LOGS)
A detailed analysis of the JSON code sample—exfiltrated in real time—confirms the severity of the data leak, as it exposes military training records, identity information, and network telemetry pertaining to the affected individuals:
🪪 National Identity Information (PII): Unique Identifiers: The logs explicitly show the extraction of Chile's *Rol Único Nacional* (National Unique Identifier), logically separating the base number from its verification digit (e.g., "RUN":"", "":"6"). Biographical Data: Full names and surnames correlated with each RUN (e.g., "FIRST_SURNAME":"", "SECOND_SURNAME":"").
🎖️ Military Records and Confirmed Training: The data structure includes a key relational field ("COURSE") containing descriptions that validate the military nature of the target subject. One of the exfiltrated variables explicitly indicates: "COURSE":"" and "COURSE_TYPE":"INSTITUTIONAL", accompanied by an "EFFECTIVE_DATE". This suggests that the attacker is dumping historical records regarding military specialization, ranks, or the historical registry of cadets and permanent staff.
📡 Operational Telemetry (Device Fingerprints): The data dump reveals that the compromised system stored precise user connection data (likely from an intranet portal or management platform), exposing IP addresses (, ), the browser used (), and the terminal's operating system ()—along with unique device identification hashes. Additionally, the attacker highlights record update timestamps within their console, noting that they have already successfully extracted information entered as recently as "2025-04-18".

🛡️ MITIGATIONS AND EMERGENCY TECHNICAL RECOMMENDATIONS
🛑 Immediate Connection Cutoff (Kill-Switch): The Joint Cyber Defense Command and the IT departments of the Chilean Ministry of Defense are urged to temporarily disconnect exposed web interfaces or APIs used for personnel lookup, institutional polytechnic intranet portals, and course evaluation systems—until the specific leakage point enabling this massive JSON-formatted data dump can be identified.

⚡ MONITORING AND EVALUATION
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security with: monitor.vecert.io/

#CyberSecurity #Chile #ChileanArmy #TheMirrorOfYourShadow #DataExfiltration #MilitaryHack #RUN_Leak #NationalDefense #ActiveDumping #ThreatIntelligence #CyberAlert #VECERT #Infosec #StateSecurity
🚨 CYBER INTELLIGENCE ALERT: MASSIVE COLLECTION OF NETWORK ACCESS (FTP)
⚠️ HIGH THREAT: ACTOR SELLS LIST OF 30,000 VALIDATED FTP ACCESS CREDENTIALS
[STATUS: UNDER INVESTIGATION, LIMITED SAMPLE ANALYSIS]

A threat actor operating under the alias LinxProdX has announced on clandestine Telegram channels the availability of a massive batch containing over 30,000 validated FTP access credentials (30K ACCESS FTP AVAILABLE). To verify the legitimacy of the exposed infrastructure, they displayed a plaintext dump (specifically line 30,900 of the file) with the server addresses, ports, usernames, and passwords.

👤 Threat Actor: LinxProdX
🎯 Compromised Assets: File Transfer Protocol (FTP) server credentials (Port 21).
📂 File Size: Over 30,900 unique server records with their respective authentication credentials exposed in plain text.

📊 Affected Institutions and Infrastructures Identified
Detailed analysis of the exposed fragment of the configuration file (FTPs.txt) allows for the direct isolation and identification of the following compromised institutional and corporate servers:

🇨🇱 1. Education Sector and Schools (Chile)
Colegio Siria (colegiosiria.cl): Server exposed colegiosiria.cl:21. Compromising school portals allows attackers to access the records of minors or use the server to host malware.

🇮🇹 2. Government, Educational, and Business Infrastructure (Italy)
The vast majority of the servers visible in the sample belong to organizations and SMEs in Italy:
School / Educational Institution (guastalla.edu.it): Server exposed: ftp.icguastalla.edu.it.
Copesco / Financial Solutions and Services (cogesco.it): FTP Server: ftp1.cogesco.it:21.
Bonomi Arnaldo (bonomiarnaldo.it): Metallurgy Industry and Automotive Manufacturing.
Gruppo Yuma (gruppoyuma.it): Comprehensive Services and Corporate Security Firm.

🇪🇺 3. Other Affected International Domains
Netherlands (happy.nl): Digital Services and Hosting Server: happy.nl:21.
Romania (succes.ro): Exposed Server: succes.ro:21.
Poland (trimor.com.pl): Industrial Services Infrastructure.
Tourism / Travel (journeystoitaly.com): Server: journeystoitaly.com:21.
Technology Providers (dsp.nl): Dedicated Secure Transfer Server.

🔍 STRATEGIC TECHNICAL INTELLIGENCE NOTE [VECERT ANALYSIS]:
The traditional FTP protocol (port 21) lacks encryption by design, meaning that credentials travel across the network in plaintext and are highly vulnerable to interception attacks (Man-in-the-Middle) or automated brute-force attacks. The compilation of a list of 30,000 FTP access credentials by LinxProdX acts as a force multiplier for Ransomware campaigns and intellectual property theft. Buyers of these batches use the access credentials to gain entry to the root directories of corporate web servers, download confidential customer databases, and—critically—inject malicious code to transform legitimate websites into malware distribution or phishing portals, all without the company's knowledge.

🛡️ URGENT MITIGATIONS AND TECHNICAL RECOMMENDATIONS
🛑 Immediate Credential Revocation: Administrators of the identified domains (specifically the technical teams at Colegio Siria in Chile and the Guastalla School in Italy) are urged to immediately deactivate the exposed FTP user accounts and reset passwords at the network perimeter.
🔒 Deactivation of Legacy FTP: Mandatorily migrate from using plain FTP services to secure transfer protocols that implement channel encryption and robust authentication, such as SFTP (SSH File Transfer Protocol) or FTPS (FTP over TLS).
⚠️ IP Restrictions and Connection Blocking: Configure perimeter firewalls to deny any inbound connections to port 21/TCP originating from the public internet, restricting access exclusively to static corporate IP addresses or via an institutional VPN tunnel.
🔍 Recent File Audit: Inspect the storage directories on the listed servers to verify that no malicious scripts, WebShells, or files unrelated to normal site operations have been uploaded within the last 48 hours.

⚡ MONITORING AND ASSESSMENT
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security at: monitor.vecert.io/

#CyberSecurity #LinxProdX #FTPLeaks #CredentialTheft #Chile #Italy #NetworkSecurity #DataExfiltration #ThreatIntelligence #CiberAlerta #VECERT #Infosec #SFTP
OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability dlvr.it/TSHTZM #OpenAI #ChatGPT #Cybersecurity #DataExfiltration #Vulnerability
🇨🇱 Chile - Zyght Chilean EHS Software Provider Zyght Suffers Massive Data Breach Zyght, a prominent Chilean provider of Environmental, Health, and Safety (EHS) management software solutions for industries such as mining, oil & gas, energy, and manufacturing, has allegedly been compromised. An anonymous actor is reportedly selling a massive 6.1 terabytes (TB) of the company's data. Zyght, founded in 2011 and headquartered in Santiago, Chile, offers cloud-based platforms designed to improve regulatory compliance, operational efficiency, and risk detection for its clients. The allegedly compromised data includes: The specific types of data compromised are not detailed at this time, beyond the substantial 6.1 TB volume. #Zyght, #Chile, #DataBreach, #EHSSoftware, #MiningIndustry, #OccupationalSafety, #RiskManagement, #Cyberattack, #DataExfiltration