NEW, by me: A hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East this week, sent as a phishing lure over WhatsApp.

I obtained a copy of the phishing page and analyzed it with the help of experts. The attack aimed to steal passwords, hijack WhatsApp accounts, and grab victims' location data.

But a bug in the code also *exposed* victims' data, allowing us to see dozens of people who had fallen victim.

More: https://techcrunch.com/2026/01/16/how-a-hacking-campaign-targeted-high-profile-gmail-and-whatsapp-users-across-the-middle-east/

This week saw a scramble to save the CVE Program after federal funding was set to expire. The program's long-term future remains unclear. @lhn dives in.

https://www.wired.com/story/cve-program-cisa-funding-chaos/

NEW: U.S. Treasury officials say the department was hacked in early December by Chinese government hackers, which gained remote access to workstations and obtained unclassified documents.

More + Treasury's letter to lawmakers, which we've published: https://techcrunch.com/2024/12/30/us-treasury-says-china-stole-documents-in-major-cyberattack/

Grab some coffee, it's ~ this week in security ~

• Cleo software hit by zero-day hacks
• China spying on calls of senior US politicians
• DOJ has a busy week indicting North Korean IT workers
• SEC's cyber disclosure rules are a hot mess
• Yahoo Paranoids loses 25% of staff this year
• Krispy Kreme hacked; Rhode Island, too.
• Plus: brand new cyber cat, the happy corner and more.

Sign up/RSS: https://this.weekinsecurity.com

Read online: https://mailchi.mp/weekinsecurity/this-week-in-security-december-15-2024-edition

Support/donate: https://ko-fi.com/thisweekinsecurity