Vector: Handala — an Iranian state-linked hacktivist group operating as a persona for Iran's IRGC (Islamic Revolutionary Guard Corps) — obtained access to FBI Director Kash Patel's personal email account and/or cloud storage through unknown means, likely credential theft, SIM swapping, or exploitation of a third-party service

Vector: A suspected cyberespionage campaign targeted a Libyan oil refinery using commodity malware, maintaining persistent access over multiple months for industrial intelligence collection

Vector: Attackers used phishing — fake websites mimicking the Starbucks Partner Central employee portal — to steal employee login credentials, then used those credentials to access the portal and exfiltrate employee PII

Vector: Insider threat: cybercriminals bribed overseas customer support contractors (via TaskUs vendor) to exfiltrate customer data from internal support tools

Vector: North Korean UNC4736 (Citrine Sleet/Lazarus sub-group) delivered InletDrift malware via malicious PDF on Telegram, posing as a trusted ex-contractor; malware compromised at least 3 developer hardware wallets by replacing Safe Wallet front-end display while submitting malicious transactions for signing

Vector: Lazarus Group (North Korea) compromised WazirX multi-signature wallet by social engineering developers and manipulating Safe Wallet front-end; malware replaced legitimate transaction displays to collect hardware wallet signatures

Vector: TraderTraitor (North Korean) social engineering of an employee at crypto wallet company Ginco; attackers gained access to Ginco communications systems and intercepted a legitimate DMM Bitcoin transaction

Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (credential stuffing using credentials stolen from third-party breaches)

Vector: Tycoon2FA is a phishing-as-a-service (PhaaS) platform that implements adversary-in-the-middle (AiTM) techniques using reverse proxy infrastructure to intercept and steal session cookies from Microsoft 365 and Google Workspace users, bypassing multi-factor authentication in real time

Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (password spray attack against a legacy non-production test tenant account lacking MFA)

Vector: Attacker used compromised user credentials to access MyDeal's CRM system, which contained customer data; the compromised credentials allowed the attacker to extract approximately 2.2 million customer records

Vector: CWE-1390: Weak Authentication (MFA push notification fatigue / bombing combined with social engineering via WhatsApp)

Vector: Targeted social engineering attack against a Revolut employee who was tricked into granting the attacker access to Revolut's internal customer support database; the attacker used the employee's legitimate credentials and access to query and exfiltrate customer records

Vector: Social engineering — a threat actor used targeted phishing/social engineering techniques against a Revolut employee to obtain credentials, gaining unauthorized access to Revolut's internal database systems

Vector: Attacker used social engineering to trick a Marriott employee at a Maryland property into granting remote access to their workstation; once access was established, approximately 20GB of data was exfiltrated over a period prior to detection

Vector: Yanluowang ransomware affiliate gained access to a Cisco employee's personal Google Chrome profile that had Cisco VPN credentials saved; the employee's personal Google account was compromised, exposing the saved credentials; the attacker then conducted extensive MFA push fatigue attacks and vishing calls impersonating Cisco IT support to convince the employee to approve MFA push notifications

Vector: LAPSUS$ (DEV-0537) compromised a single Microsoft employee account and used it to access Microsoft's Azure DevOps source code repositories

Vector: LAPSUS$ gained access to NVIDIA's network (method not fully disclosed, believed to involve compromised employee VPN credentials and an employee whose personal computer was infected with malware connecting to corporate systems)

Vector: Attacker called a Robinhood customer support phone line and social-engineered a support employee into providing access to the customer support system, then used that access to exfiltrate customer records

Vector: Attacker used a compromised password to gain access to GoDaddy's Managed WordPress provisioning system; the password granted access since at least September 6, 2021 — giving the attacker 2+ months of undetected access

Vector: Credential stuffing — attackers used a database of approximately 380 million records (username/password pairs from unrelated third-party breaches) to systematically attempt logins on Spotify accounts; valid credential matches were used for account takeover

Vector: Vishing (voice phishing) calls targeting Twitter employees not in the office due to COVID-19; attackers impersonated Twitter IT staff to trick employees into providing credentials to a fake VPN portal, then used those credentials to access Twitter's internal admin tools

Vector: A phishing attack compromised the Microsoft Office 365 email accounts of multiple MEDNAX employees; the attackers used the compromised email accounts to access MEDNAX's business systems and then exfiltrated patient data from the company's healthcare platforms

Vector: Unauthorized database access by ShinyHunters threat group; exact initial access vector not disclosed by Wattpad; database exfiltrated containing 268M user account records

Vector: Phishing emails compromised the email accounts of 47 Service NSW staff members; from the compromised email accounts, attackers were able to access customer data processed through Service NSW email correspondence and attached documents

Vector: Attackers used credential stuffing — username and password combinations from other data breaches — to log into Nintendo accounts via the legacy Nintendo Network ID (NNID) login system; the NNID system was being deprecated and allowed third-party login to Nintendo accounts

Vector: Credential stuffing — attackers used previously leaked username/password combinations to log into Nintendo Network IDs (NNIDs) via a legacy login portal; successful logins allowed attackers to access linked Nintendo Accounts and make fraudulent purchases via saved payment methods

Vector: CWE-285: Improper Authorisation (malicious actors gained access to T-Mobile employee email accounts, which contained customer information)

Vector: An attacker used the login credentials of two Marriott employees at a franchise property to access a Marriott application used to provide services to guests; the attacker accessed guest data through the legitimate employee login for approximately two months before detection

Vector: Unauthorized access to T-Mobile systems containing prepaid customer data; specific access vector not disclosed publicly; distinct from the 2021 John Binns breach affecting 54M records

Vector: Unauthorized database access by threat actor GnosticPlayers; attacker claimed to have exploited a vulnerability in Canva's systems (exact vector not publicly confirmed by Canva); affected database contained user account records including bcrypt-hashed passwords

Vector: Credential stuffing / account takeover — unauthorized parties used lists of phone number and PIN combinations (likely from prior breaches) to access Boost Mobile customer accounts through the customer portal

Vector: Cybercriminals used credential stuffing — testing large volumes of username/password combinations stolen from other data breaches — against Dunkin' Donuts's DD Perks rewards program; the attack targeted the mobile app login and successfully authenticated using previously compromised credentials from unrelated breaches

Vector: An attacker used a compromised cloud environment credential (lacking multi-factor authentication) to access Timehop's production cloud environment; from there, the attacker accessed Timehop's production database and social network access tokens

Vector: Business email compromise (BEC) phishing — a sophisticated email fraud campaign impersonating a UnityPoint Health executive directed employees to click a link and enter credentials, compromising multiple employee email accounts; the attacker used compromised email accounts to access patient data and attempt additional payroll and wire fraud

Vector: Compilation of data from 2,000+ previously breached databases, aggregated into a single 87GB credential collection and posted on MEGA cloud storage and hacking forums, designed for use in credential stuffing attacks at scale

Vector: Sustained brute-force attack against UK Parliament's internet-facing Outlook Web Access (OWA) email portal; attackers targeted accounts where MPs and staff used weak passwords without multi-factor authentication enforced on remote access

Vector: FIN7 cybercrime syndicate (affiliated with Joker's Stash carding marketplace) deployed POS malware across all Lord & Taylor stores and 83 Saks Fifth Avenue locations in North America; malware captured payment card Track data from magnetic stripe readers at physical retail locations

Vector: POS malware exploiting disabled or non-functioning point-to-point encryption (P2PE) on Forever 21 payment terminals; malware captured plaintext card data at terminals where encryption was not active, and also accessed completed transaction logs stored on POS devices

Vector: POS malware installed on payment devices at the majority of Chipotle Mexican Grill restaurant locations; malware searched for and captured Track 1 and Track 2 magnetic stripe data as it was routed through POS processing systems

Vector: POS malware deployed across Sonic Drive-In restaurant locations; malware copied payment card data at each swipe from magnetic stripe readers and exfiltrated it to attacker infrastructure

Vector: POS malware deployed on corporate-owned Arby's restaurant systems (not franchise locations); malware captured Track 1 and Track 2 magnetic stripe data as it transited infected POS devices

Vector: Attacker compromised an administrator-level account in Sabre's SynXis central reservations system; the admin password was stored in plaintext within the system; the attacker used the admin account to access payment processing pages and exfiltrate card data daily over approximately 7 months

Vector: POS malware deployed on restaurant and bar point-of-sale systems at IHG franchise hotel locations; malware searched for and captured Track 1 and Track 2 payment card data as it transited affected POS servers

Vector: Russian GRU Unit 26165 (Fancy Bear / APT28) sent spear-phishing emails to Democratic National Committee (DNC) staff and John Podesta (Clinton campaign chairman) that harvested their Google account credentials via a fake Google security alert page; access to Podesta's Gmail was obtained after a staffer incorrectly characterised the phishing email as 'legitimate'

Vector: An attacker impersonated Snapchat's CEO Evan Spiegel in a phishing email sent to a Snapchat payroll employee, requesting payroll information; the employee complied and sent payroll data for a number of current and former employees to the attacker — a classic CEO fraud / business email compromise (BEC) attack

Vector: Attackers compromised remote access credentials belonging to a third-party service provider with access to Wendy's franchisee POS systems, then installed POS malware across multiple franchise locations; a second distinct malware strain was also discovered affecting additional locations

Vector: POS malware installed on payment processing computers at Hyatt-managed hotels, primarily targeting restaurant and food/beverage outlet POS terminals; malware harvested cardholder names, card numbers, expiration dates, and internal verification codes as data was processed

Vector: Sophisticated crime ring (attributed to Russian-speaking criminal syndicate) used previously stolen personal data (Social Security numbers, dates of birth, addresses, filing status) obtained from external sources to pass the IRS Get Transcript application's authentication questions and access prior-year tax returns for use in fraudulent refund claims

Vector: Point-of-sale (POS) malware installed on Kmart store payment terminals; the malware was undetected by Kmart's and Sears Holdings' antivirus systems for approximately one month before discovery; the precise initial intrusion vector (how malware was installed on the POS systems) was not disclosed

Vector: FIN6 cybercrime group deployed POS malware on P.F. Chang's restaurant payment systems; malware captured Track 1 and Track 2 magnetic stripe data from in-store transactions over approximately 9 months

Vector: POS malware — attackers compromised P.F. Chang's corporate network and installed RAM-scraping malware on point-of-sale systems at restaurant locations; the specific initial network intrusion vector was not fully disclosed

Vector: POS malware deployed on payment systems at Michaels arts and crafts stores and Aaron Brothers stores; initial access likely via compromised third-party vendor credentials; malware captured Track 1 and Track 2 magnetic stripe data

Vector: POS malware — attackers installed RAM-scraping malware on point-of-sale terminals at Michaels Stores and Aaron Brothers (subsidiary) retail locations, capturing full payment card track data as cards were swiped at checkout

Vector: POS malware — attackers installed RAM-scraping malware on Schnucks' point-of-sale systems at multiple grocery store locations, capturing payment card track data during checkout transactions

Vector: Physical tampering — attackers installed hardware skimming devices (including PIN capture overlays) on PIN pad terminals at 63 Barnes & Noble stores across 9 states; tampered terminals captured both the magnetic stripe data and PIN from debit card transactions

Vector: Physical PIN pad tampering — attackers physically installed hardware skimmers or modified PIN pad devices at Barnes & Noble retail checkout terminals in 63 stores across nine US states; the tampered devices captured payment card magnetic stripe data and PINs

Vector: Database breach — attackers gained unauthorized access to eHarmony's member database and extracted hashed passwords; eHarmony stored passwords as unsalted MD5 hashes, making them highly susceptible to rainbow table and brute-force cracking

Vector: Unauthorized access to eHarmony's user database; attackers obtained and published approximately 1.5 million unsalted MD5 password hashes online

Vector: Database breach — attackers obtained Last.fm's user credential database; the passwords were stored as unsalted MD5 hashes, enabling mass cracking; the breach was not discovered publicly until 2016 when the database appeared on underground markets

Vector: Remote desktop protocol (RDP) intrusion — a Romanian criminal group remotely accessed franchise-owned Subway POS systems using weak or default RDP credentials; many Subway franchise locations ran their POS software on Windows computers with RDP enabled and inadequate passwords

Vector: Automated brute-force attack against Twitter's administrative control panel using common passwords; Twitter had no account lockout policy or rate limiting on administrative login attempts, allowing unlimited password guesses

Vector: Eastern European cybercriminals (Sergei Tsurikov et al.) exploited vulnerabilities in RBS WorldPay's payment processing network, broke the encryption protecting payroll debit card account data, raised withdrawal limits on 44 compromised accounts, and cloned cards for distribution to a global network of ATM 'cashers'

Vector: Centralized underground internet forum enabling buying, selling, and trading of stolen credit card data, identity documents, and malware tools; supplied by members conducting phishing, skimming, malware deployment, and SQL injection attacks against financial institutions and retailers

Vector: Attacker (known only as 'Maxus,' believed to be an Eastern European teenager) exploited a vulnerability in CD Universe's payment processing software to access the customer credit card database