Mastodawn

UFP Technologies disclosed a cybersecurity incident after detecting suspicious activity in its IT systems earlier this month. The company is investigating potential data access while reporting no material operational impact so far.

1️⃣ Suspicious activity detected on February 14, 2026
2️⃣ External cybersecurity advisors engaged for investigation
3️⃣ Possible unauthorized access and data exfiltration under review
4️⃣ Company reports no material financial or operational impact at this time

UFP Technologies, Inc. designs and manufactures custom-engineered components and packaging for medical devices and other highly regulated industries.
https://www.board-cybersecurity.com/incidents/tracker/20260224-ufp-technologies-inc-cybersecurity-incident/

2026-02-24 UFP TECHNOLOGIES INC Cybersecurity Incident

UFP TECHNOLOGIES INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2026-02-24 16:40:24 EST. Incident Details Filings 8-K filed on 2026-02-24 Company Information Incident Details Material: Unknown Is Breach: Unknown Records Compromised: Unknown Data Types Impacted: No Data Types Tracked (yet) Compromised Date: Unknown Detected Date: Unknown Disclosure Date: Unknown Contained Date: Unknown Recovered Date: Unknown Attack Goal: Unknown Attack Tactics1: No Attack Tactics Tracked (yet) Attack Techniques1: No Attack Techniques Tracked (yet)

Andrew Hoog Feb 8

data in State AG breach notification has some issues. No, this 2021 breach wasn't first reports in the year 9999!

I'm a few weeks away from releasing the new Board Cybersecurity website that's ingesting far more incident data. You can sign up for free alerts on the current side and you'll get notified when the new system with 1000's of breaches is available. https://www.board-cybersecurity.com/

in the meantime, here's the Maine AG filing for this 2021 breach: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/598f0dd5-2f8f-4610-9c63-5f2b7e96cf60.shtml

Andrew Hoog Feb 3

Andrew Hoog Jan 11

when security nerds with dev backgrounds use AI coding assistants:
❯ great. question: what happens after 10 iterations? I want to make sure we fail with an error, not let's a persistent
attacker in if they nest 11 times. just wanted to make sure

⏺ Excellent security question! Let me check what actually happens.

⏺ Bash(node -e "
const { sanitizeInput } = require('./lib/utils/sanitize');…)
⎿ 11-level encoded result: "<script>alert(1)</script>"

⏺ You're absolutely right - that's a vulnerability! After 10 iterations, it returns the partially-decoded string, which then
gets decoded by the final decode() after sanitization, bypassing the XSS protection.

Let me fix this to reject input that doesn't stabilize.

Andrew Hoog Dec 29

Coupang provided a significant update, including a $1.2B in customer compensation program, on its previously disclosed cybersecurity incident.

1️⃣ The perpetrator has been identified, is cooperating with investigators, and surrendered all devices used in the incident
2️⃣ About 33 million accounts were accessed, but data from only ~3,000 accounts was saved and later deleted
3️⃣ No customer data was shared with third parties, based on the investigation to date
4️⃣ Coupang announced a customer compensation program worth approximately $1.2B in vouchers

Coupang, Inc. is a technology and commerce company operating retail e-commerce, restaurant delivery, video streaming, and fintech services.
https://www.board-cybersecurity.com/incidents/tracker/20251216-coupang-inc-cybersecurity-incident/#8-k-filed-on-2025-12-29

2025-12-16 Coupang, Inc. Cybersecurity Incident

Coupang, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2025-12-16 16:13:34 EST. Company Summary Incident Details Filings 8-K filed on 2025-12-16 8-K filed on 2025-12-29 Company Information Company Summary Coupang, Inc. is a technology and commerce company operating retail e-commerce, restaurant delivery, video streaming, and fintech services (brands include Coupang, Coupang Eats, Coupang Play) and, following its acquisition, the Farfetch luxury marketplace. Incident Details Material: Yes

Andrew Hoog Dec 16

Coupang disclosed a cybersecurity incident involving unauthorized access to customer data, impacting up to 33 million accounts.

1️⃣ Incident disclosed in an SEC 8-K filed on December 16, 2025
2️⃣ Former employee allegedly accessed customer names, emails, phone numbers, and addresses
3️⃣ No payment, banking, or login credentials were compromised
4️⃣ Regulatory investigations are ongoing, with potential financial penalties

Coupang, Inc. is a technology and commerce company operating e-commerce, delivery, streaming, and fintech services, including Coupang, Coupang Eats, Coupang Play, and Farfetch.

https://www.board-cybersecurity.com/incidents/tracker/20251216-coupang-inc-cybersecurity-incident/

Andrew Hoog Dec 2

**Data Breach Alert** University of Phoenix just disclosed a data breach impacting SSN, DOB, bank account numbers, and contact info. Attackers exploited an Oracle EBS vulnerability. The company reports no operational impact and no evidence of public dissemination.

1️⃣ Data exfiltration occurred via an Oracle EBS vulnerability
2️⃣ Impacted data includes SSN, DOB, bank account numbers, and contact info
3️⃣ Incident was detected on 2025-11-21 and disclosed on 2025-12-02
4️⃣ Company reports no material impact on operations and ongoing review of affected data

The University of Phoenix is a private for-profit university offering open-enrollment accredited degree programs.

https://www.board-cybersecurity.com/incidents/tracker/20251202-phoenix-education-partners-inc-cybersecurity-incident/

Andrew Hoog Nov 14

Logitech disclosed a cybersecurity incident involving data exfiltration through a zero-day vulnerability in a third-party platform. The company reports no operational impact and no sensitive personal data exposure.

1️⃣ Unauthorized third party accessed internal IT systems
2️⃣ Zero-day vulnerability exploited in third-party software
3️⃣ Limited employee, consumer, customer, and supplier data likely copied
4️⃣ No impact to products, operations, or manufacturing reported

Logitech International S.A. designs and markets software-enabled hardware solutions for work, creation, and gaming.
https://www.board-cybersecurity.com/incidents/tracker/20251114-logitech-international-sa-cybersecurity-incident/

Andrew Hoog Nov 6

Oncology Institute, Inc. reported a cybersecurity incident affecting a third-party software provider, causing a temporary disruption in billing operations. No evidence of patient data exposure has been identified.

1️⃣ Disclosed via SEC 8-K on Nov 6, 2025
2️⃣ Incident detected on Nov 3, 2025
3️⃣ Impact limited to delayed fee-for-service collections
4️⃣ No confirmed breach or data compromise

The Oncology Institute provides oncology care and clinical trial services for adult and senior cancer patients across the U.S.
https://www.board-cybersecurity.com/incidents/tracker/20251106-oncology-institute-inc-cybersecurity-incident/

Andrew Hoog Oct 30

BayFirst Financial Corp. disclosed a cybersecurity incident involving a third-party marketing vendor that exposed personal information of some customers. No misuse has been detected, and the incident is not expected to be material.

1️⃣ Incident tied to a third-party marketing provider
2️⃣ Data exposed: name, DOB, and SSN/tax ID
3️⃣ Law enforcement and cybersecurity experts engaged
4️⃣ No evidence of misuse or material impact so far

BayFirst Financial Corp. operates as the bank holding company for BayFirst National Bank, providing community banking, lending, and treasury services to small and medium-sized businesses and individuals in Florida.
https://www.board-cybersecurity.com/incidents/tracker/20251030-bayfirst-financial-corp-cybersecurity-incident/

Board Cybersecurity	https://www.board-cybersecurity.com
Personal Website	https://www.andrewhoog.com
YouTube Channel	https://www.youtube.com/@SPFExpert
GitHub	https://github.com/ahoog42
LinkedIn	https://www.linkedin.com/in/andrewhoog/