FortiBleed: Massive Fortinet VPN Credential Leak Exposes 74,000 Firewalls Worldwide A newly uncovered data leak, dubbed FortiBleed, has exposed credentials for 73,932 Fortinet and FortiGate VPN firewalls across organizations globally. Security researcher Bob Diachenko discovered the breach after identifying an unsecured server containing usernames, email addresses, and plaintext passwords for high-profile targets, including Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, and multiple government agencies. The dataset, analyzed by Diachenko and later confirmed by threat intelligence firm Hudson Rock, includes 21,632 unique domains spanning 194 countries, with the highest concentrations of affected devices in India, the U.S., Taiwan, Mexico, and Turkey. The compromised credentials span industries such as telecommunications, IT services, finance, healthcare, manufacturing, and critical infrastructure. ### Attack Method & Scope Diachenko’s investigation revealed the breach was orchestrated by a Russian-speaking threat group that conducted 1.16 billion credential-stuffing attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 Microsoft SQL servers. The attackers used a 45-GPU cluster running Hashtopolis to crack intercepted SSL VPN authentication hashes, then leveraged the stolen credentials to infiltrate Active Directory environments. Additional exposed files accidentally left accessible on the same server contained attack logs, scripts, and tooling, along with detailed profiles of targeted organizations, including revenue, employee counts, and industry classifications. The breach also led to full compromises of entities in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor, from which classified documents were allegedly exfiltrated. ### Credential Authenticity & Origin Cybersecurity researcher Kevin Beaumont independently verified portions of the dataset, confirming that many credentials were legitimate and that roughly 75,000 Fortinet devices most still online were affected. The data appears to have been extracted from Fortinet configuration files, as it includes email addresses and other details typically only accessible through exported configs. Notably, many of the exposed passwords were long and complex, suggesting the attackers may have exploited previously unknown vulnerabilities or misconfigurations rather than brute-force methods. Beaumont’s analysis, based on Shodan network scans, found that nearly half of all internet-exposed Fortinet firewalls were included in the leak, with many devices exposing management interfaces directly to the web. ### Unanswered Questions The exact method of initial compromise remains unclear. Researchers have not determined whether the data was obtained via known Fortinet vulnerabilities, a zero-day flaw, or another attack vector. Neither Diachenko, Hudson Rock, nor Beaumont have identified the original source of the configuration leaks. Fortinet has been contacted for comment but has not yet responded. The dataset’s scale and the ongoing exposure of affected devices underscore the severity of the breach, with potential implications for supply chain security, government networks, and critical infrastructure.

Massive Magento Cyberattack Compromises 7,500+ E-Commerce Sites Since February 2026 A large-scale cyberattack campaign has compromised over 7,500 Magento-powered e-commerce websites since late February 2026, with attackers uploading malicious files to publicly accessible web directories across 15,000+ hostnames. The campaign, tracked by Netcraft researchers, marks one of the most extensive Magento-focused attacks in recent years, affecting businesses, government agencies, universities, and non-profits worldwide. ### Scope and Impact The attack exploited a file upload vulnerability in Magento environments, allowing threat actors to deposit unauthorized files without authentication. Victims include high-profile brands such as Toyota, Fiat, Citroën, Asus, Diesel, Fila, Bandai, FedEx, BenQ, Yamaha, and Lindt, as well as government and university domains in Latin America and Qatar. Several Trump Organization-affiliated sites including trumpstore.com, trumphotels.com, and booktrump.com were also compromised, though researchers confirmed these were incidental targets in an indiscriminate sweep. Most defacements occurred on subdomains, staging environments, or regional storefronts, with only a few live customer-facing sites briefly impacted before remediation. Attackers left behind text files displaying aliases L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security alongside "greetz" messages, a common practice in defacement circles. A subset of defacements on March 7, 2026, included geopolitical messaging, though analysts determined this was not the campaign’s primary motive. ### Technical Details The attack leveraged an unauthenticated file upload flaw in Magento, enabling attackers to write files directly to web servers without credentials. Netcraft researchers successfully replicated the behavior on a Magento Community 2.4.9-beta1 test instance, demonstrating that even updated installations could remain vulnerable under certain configurations. The affected platforms include Magento Open Source, Magento Enterprise, Adobe Commerce, and Adobe Commerce with the B2B module. While Adobe released security bulletins around this period, the observed exploit does not directly align with the published fixes. The campaign shares similarities with the SessionReaper Magento vulnerability from October 2025, which also involved unauthorized file access. ### Attacker Activity and Documentation The threat actor behind the campaign, operating under the handle "Typical Idiot Security," self-reported many compromised sites to Zone-H, a public defacement archive. This suggests the attacker sought recognition within the defacement community rather than pursuing financial or political objectives. As of the latest reports, new compromised sites were still emerging, indicating the campaign remained active. Organizations running Magento-based infrastructure were urged to review file upload endpoints, apply security updates, and monitor web directories for unauthorized changes.

Optimizely Breach Exposes Customer Contact Data in Sophisticated Vishing Attack On February 11, digital experience platform Optimizely fell victim to a cyberattack after hackers bypassed security controls using a voice-phishing (vishing) attack. The breach compromised "basic" customer contact information, including names, email addresses, and potentially phone numbers, though the company confirmed no sensitive data was accessed. The attackers gained entry to internal business systems, CRM records, and limited back-office documents but failed to escalate privileges or deploy malware. Optimizely stated operations remained unaffected, with no evidence of deeper system compromise. While the company did not attribute the attack to a specific group, the tactics align with ShinyHunters, a threat actor known for recent vishing campaigns. The group typically impersonates IT or support staff to trick employees into resetting credentials, often targeting Okta, Microsoft, Google, and Salesforce accounts. ShinyHunters has not claimed responsibility for this incident. Optimizely serves over 10,000 businesses, including major brands like H&M, PayPal, Toyota, Nike, and Salesforce. The breach follows a pattern of similar attacks, underscoring the growing threat of social engineering in cyber intrusions.

Cybercrime in 2025: A Global Threat Surpassing National Economies Cybercrime continues to escalate into one of the world’s most lucrative illicit industries, with damages projected to reach $10.5 trillion USD globally in 2025 a figure that, if measured as a country, would rank as the third-largest economy after the U.S. and China. This staggering growth, driven by increasingly sophisticated attacks, underscores the evolving threat landscape as cybercriminals target businesses, governments, and individuals with alarming efficiency. ### The Cybercrime Epidemic: Key Trends - Underreporting Persists: Despite improved reporting practices, less than 25% of global cybercrimes are reported to law enforcement, leaving vast swaths of criminal activity unaddressed. - Youth-Driven Threats: The FBI reports that cybercriminals are getting younger, with the average age of arrested offenders dropping a trend that complicates traditional law enforcement approaches. - Hotspots Identified: A 2024 World Cybercrime Index ranked Russia, Ukraine, China, the U.S., Nigeria, and Romania as the top sources of cybercrime, highlighting concentrated hubs of malicious activity. ### Ransomware: A Pervasive Threat Ransomware remains a dominant force, with attacks increasing 9% year-over-year in 2024. The most active groups Akira, LockBit, RansomHub, FOG, and PLAY targeted critical infrastructure, with 88% of small-to-midsized businesses (SMBs) and 39% of large enterprises experiencing breaches. The financial toll is staggering: - $20 billion USD in 2021 (up from $325 million in 2015). - Projected to exceed $265 billion by 2031, with attacks occurring every 2 seconds by 2031. High-profile incidents in 2024–2025 include: - UnitedHealth’s $1.6 billion loss after a ransomware attack disrupted U.S. healthcare payments. - CDK Global’s auto dealership shutdowns, forcing businesses offline for days after a ransom demand in the tens of millions. - MGM Resorts’ $100 million hit from a 2023 attack that crippled casino operations. ### Cryptocurrency Crime: A Booming Black Market Cryptocurrency-related crimes surged, with $28 billion in illicit funds flowing into exchanges over two years. Key developments: - Ripple co-founder Chris Larsen lost $112.5 million in a 2024 hack one of the largest individual crypto thefts. - Huione, a Cambodian marketplace, processed $70 billion in suspicious transactions since 2021, facilitating scams, fraud, and sanctioned activities. - North Korea’s Lazarus Group was linked to the $625 million Axie Infinity hack (2022), the largest crypto theft to date. ### Major Breaches and Supply-Chain Attacks 2024–2025 saw a wave of supply-chain and cloud-based attacks, exposing vulnerabilities in interconnected systems: - Snowflake Breach: Hackers exploited stolen credentials to access 560 million Ticketmaster records and Live Nation data, prompting a federal investigation. - Salesforce Exploits: The ShinyHunters gang breached dozens of companies, including Google, Allianz, and Toyota, by targeting cloud databases. - MOVEit Hack: The Clop ransomware group compromised 2,600+ organizations, including U.S. government agencies and global corporations. - Oracle Cloud Attack: Over 100 companies were affected by a campaign targeting Oracle’s business software, with damages still being tallied. ### Historic Cyberattacks: Lessons from the Past The report highlights landmark cyber incidents that reshaped security paradigms: - Equifax (2017): 147 million records exposed, including Social Security numbers, due to an unpatched vulnerability. - NotPetya (2017): A $10 billion attack originating in Ukraine, crippling Maersk, Merck, and global supply chains. - WannaCry (2017): Infected 200,000 systems across 150 countries, demanding Bitcoin ransoms. - Stuxnet (2010): A U.S.-Israeli cyberweapon that sabotaged Iran’s nuclear centrifuges. - Heartbleed (2014): A catastrophic OpenSSL flaw that exposed 500,000 servers to data theft. ### The Future of Cybersecurity While AI-driven defenses have reduced breach containment times to 241 days (the lowest in nine years), the same technologies are being weaponized by attackers. With 60% of global data now stored in the cloud and 6 billion internet users by 2025, the attack surface continues to expand. Small businesses remain particularly vulnerable 60% fold within six months of a cyberattack. As cybercrime evolves, the economic and operational risks demand heightened vigilance, though the battle against digital threats shows no signs of slowing.

Cyberattacks Surge in the Automotive Industry: Key Incidents from 2024–2025 The automotive sector has become a prime target for cybercriminals, with attacks ranging from ransomware extortion to large-scale data breaches exposing sensitive customer and operational data. Between 2024 and 2025, major automakers, suppliers, and rental companies faced significant disruptions, underscoring the industry’s vulnerability to digital threats. ### Dark Web Trends: U.S. Dominates as Top Target Dark web activity reveals the U.S. as the most discussed and targeted market, accounting for 23% of automotive-related posts, followed by France (8%) and India (7%). While automobile dealers represent less than 1% of dark web chatter, broader sectors like finance, retail, and technical services many tied to automotive operations remain high-risk targets. ### Major Breaches and Ransomware Attacks - Avis Rent a Car (August 2024): Hackers accessed a business application, exposing 299,006 customers’ personal data, including driver’s licenses, credit card details, and contact information. - Toyota (2024–2025): A third-party breach led to the leak of 240GB of data, including employee records, financial documents, and network credentials. The ZeroSevenGroup claimed responsibility, using ADRecon to map Active Directory environments. Toyota emphasized its systems were not directly compromised. - Kawasaki Motors Europe (September 2024): The RansomHub group stole 487GB of sensitive data after a failed ransomware attack, later dumping the files online when Kawasaki refused to pay. - Volkswagen’s Cariad (November 2024): A cloud misconfiguration exposed terabytes of data, including geolocation records from 800,000 vehicles, some linked to German police and intelligence personnel. Researchers traced the breach to an unsecured AWS memory dump. - Hertz (February 2025): The Clop ransomware gang exploited vulnerabilities in Cleo software, accessing customer data between October–December 2024. Over 3,400 Maine residents were affected, though the full scope remains undisclosed. - Scania (May 2025): Hackers stole insurance claim documents using compromised credentials from an IT partner, later attempting extortion. The data was later offered for sale on the dark web. - Cycle & Carriage (July 2024): A Singapore-based dealer suffered a breach affecting 147,000 customers, with 2% of records containing NRIC numbers and deposit details. - Nissan’s Creative Box Inc. (August 2025): The Qilin ransomware gang stole 4TB of design data, including 3D car models and internal documents, threatening to leak them to competitors. - Jaguar Land Rover (August–September 2025): A cyberattack forced the automaker to halt production at multiple plants, disrupting shipments and dealership operations. While no customer data was compromised, the incident caused widespread operational delays. ### Impact and Industry Response These incidents highlight the automotive sector’s expanding attack surface, from third-party vulnerabilities to cloud misconfigurations and ransomware extortion. Companies have responded with containment measures, forensic investigations, and enhanced security protocols, but the frequency and severity of attacks continue to rise. The financial and operational fallout including production halts, data leaks, and reputational damage underscores the urgent need for stronger cybersecurity defenses across the industry.

Toyota was listed among over 50 global corporations targeted in a large-scale data theft campaign by the Scattered LAPSUS$ Hunters group. The attackers exploited vulnerabilities in Salesforce customer environments, including weak OAuth protections and inadequate two-factor authentication, to exfiltrate multiple terabytes of sensitive data. The stolen records reportedly include personally identifiable information (PII) such as driver’s licenses, dates of birth, social security numbers, and other regulated fields. The group claims to hold strategic corporate data that could undermine Toyota’s market position, with sample leaks ranging from single-digit gigabytes to hundreds of gigabytes per victim. The threat actors set a public disclosure deadline (October 10, 2025), demanding ransom payments under the threat of full data exposure. While Toyota has not confirmed the authenticity of the leaked samples, the breach aligns with a year-long campaign targeting high-profile enterprises across industries, raising severe compliance risks under GDPR, CCPA, and other privacy regulations. The attack’s scale and the nature of the exfiltrated data suggest profound operational, financial, and reputational consequences for the automaker.

Emerging and Evolving Ransomware Threats: A 2024–2025 Overview Recent years have seen a surge in sophisticated ransomware operations, with several groups refining tactics, expanding targets, and adapting to law enforcement disruptions. Below is a breakdown of the most active and evolving threats as of late 2024 and early 2025. ### LockBit: A Persistent Threat with Ties to Russia Once the most prolific ransomware-as-a-service (RaaS) operation, LockBit targeted thousands of victims worldwide, including government agencies, critical infrastructure, and private enterprises. Western law enforcement linked the group to Russian national Dmitry Yuryevich Khoroshev, indicted in 2023 alongside two other Russian affiliates. Despite crackdowns, LockBit’s infrastructure and tactics remain influential, with former affiliates migrating to newer RaaS platforms. ### Lynx: A Rebranded RaaS with Aggressive Tactics Emerging as a potential successor to the INC ransomware (sharing 48% of its code), Lynx operates a RaaS model and employs double extortion stealing data before encrypting files with the `.lynx` extension while deleting backups. Between July and November 2024, the group targeted U.S. and U.K. sectors, including energy, oil and gas, retail, and financial services. Despite claims of "ethical" victim selection, its rapid expansion suggests a calculated focus on high-value industries. ### Medusa: A Global RaaS Operation with Russian Links Active since 2022, Medusa exploits vulnerabilities in public-facing systems, phishing, and initial access brokers to breach organizations. Its victims span healthcare, education, manufacturing, and retail across the U.S., Europe, and India. While its core operators are suspected to be Russian-speaking, attribution remains unconfirmed. ### Play: A Low-Profile but High-Impact Threat First detected in June 2022, Play ransomware intensified operations following the disruption of other major groups. Unlike typical RaaS operations, Play avoids dark web advertising, claiming to be a "closed group" for secrecy. However, evidence suggests it collaborates with affiliates. Targets include healthcare, telecommunications, finance, and government services. In October 2024, researchers at Palo Alto Networks’ Unit 42 linked a Play ransomware deployment to North Korea’s APT45, highlighting potential state-sponsored cybercrime crossover. ### Qilin (Agenda): A Russia-Based RaaS with Growing Reach Operating since May 2022, Qilin targets Windows, Linux, and VMware ESXi servers using ransomware written in Golang and Rust. The group avoids attacks in CIS countries but aggressively recruits affiliates, leading to a five-fold increase in victim postings in the second half of 2025. Its rise is attributed to partnerships with initial access brokers, who supply stolen VPN credentials. ### RansomHub: A Rising RaaS with Affiliate-Friendly Terms Emerging in February 2024, RansomHub (formerly Cyclops/Knight) quickly became a dominant threat by recruiting affiliates from disrupted groups like LockBit and ALPHV/BlackCat. Its model offers affiliates a 10% fee or direct ransom collection, making it attractive to cybercriminals. With over 210 victims across healthcare, finance, government, and critical infrastructure in North America and Europe, RansomHub’s rapid growth underscores the resilience of the RaaS ecosystem. ### Scattered Lapsus$ Hunters: A Cybercrime Supergroup Formed in August 2025, this alliance merges Scattered Spider, LAPSUS$, and ShinyHunters, combining expertise in social engineering, help desk compromise, and ransomware deployment. The group ran a Salesforce campaign in August and October 2025, exposing data from Toyota, FedEx, and Disney. Though its leak site was seized in October 2025, the collective’s loose structure and technical sophistication suggest it remains a persistent threat. ### Key Trends - RaaS Dominance: Most groups operate under affiliate models, lowering the barrier for entry. - Double Extortion: Nearly all groups now steal data before encryption to increase leverage. - Geopolitical Ties: Many operations are linked to Russia or North Korea, though direct state sponsorship remains debated. - Rebranding & Adaptation: Disrupted groups often reemerge under new names (e.g., Lynx, RansomHub). - Critical Infrastructure Targeting: Energy, healthcare, and government sectors remain prime targets. As ransomware groups refine their tactics and expand their reach, the threat landscape continues to evolve, with law enforcement actions only temporarily slowing their operations.

In June 2025, the Qilin ransomware group targeted an automotive manufacturer, highlighting a strategic shift toward high-impact targets. The attack methodology demonstrated expertise in identifying vulnerabilities within interconnected systems, focusing on entities critical to global supply chains. This sophisticated approach compromised essential nodes, triggering widespread operational disruptions. The group's technical prowess, incorporating advanced reconnaissance and persistent access mechanisms, ensured prolonged network infiltration, rendering initial detection and remediation attempts ineffective.

For much of the summer, Snowflake, a cloud data storage provider, was targeted by a series of data breaches affecting over 165 customers, exposing hundreds of millions of records. These customers included large corporations such as AT&T, Santander, and Live Nation Entertainment. Despite the breach's extensive reach, Snowflake has since implemented mandatory multifactor authentication. The disruptions caused by these incidents highlight the importance of robust cybersecurity practices.

Xfinity by Comcast reports a data breach following a cyberattack that took use of the CitrixBleed vulnerability. By taking use of this vulnerability, threat actors were able to take over active authenticated connections and get around multifactor authentication and other stringent authentication regulations. The security company Mandiant saw threat actors taking control of sessions in which the threat actor used session data that had been taken prior to the patch being deployed. The business discovered that hashed passwords and usernames are among the different client data that is exposed.

Toyota Motor Corp. disclosed the discovery of yet another data breach, this time involving the leakage of 260,000 automobile owners' personal data over the course of two improperly setup cloud services. After revealing earlier in the month that the data of 2.15 million customers was accessible to anyone online for more than 10 years, the automaker looked into the cloud features and made this revelation. It should be assumed that all of this data was repeatedly hacked given how long it was available. Information about customers, including names, contact information (including phone and email addresses), and vehicle identification numbers, may have been externally available.

A data breach revealed by Toyota Motor Corporation exposed information on more than 2 million consumers over ten years. A misconfigured database that was open to everyone without authentication was the source of the data breach. The security breach impacted customers who used the company’s T-Connect G-Link, G-Link Lite, or G-BOOK services. Exposed records include customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database.

Comcast Nears $117.5M Settlement Over 2023 Data Breach Affecting 30M Customers A federal judge in Pennsylvania’s Eastern District has granted preliminary approval for a $117.5 million settlement in a class-action lawsuit against Comcast, stemming from a 2023 cyber intrusion that potentially exposed sensitive data of over 30 million current and former customers. If finalized, the agreement would resolve two dozen lawsuits filed against the telecommunications giant. Affected customers would receive one of two remedies: - Three years of financial monitoring and identity theft protection, or - A choice between reimbursement for documented losses up to $10,000 or a $50 cash payment. The settlement structure allows for proof-based compensation for those who can demonstrate harm, while others may opt for a flat payout. Comcast, while not opposing the settlement, has denied liability for the breach, disputing the plaintiffs’ claims in court filings. The company has not commented publicly on the matter. The final court review will determine whether the agreement is approved.

Japanese automaker Toyota had to suspend its domestic factory operations after Kojima Industries, which supplies the plastic parts and electronic components to the company was targeted in a cyber attack. The attack resulted in a halt at its 14 plants in Japan which contribute about a third of its global production.

Toyota was affected by a cyber-attack by an unauthorized access from a third party. Toyota subsidiary Auto Parts Manufacturing Mississippi has revealed a ransomware attack where some financial and customer data was stolen and leaked, which is a strategy used by ransomware vendors to increase the leverage with which they can demand payment.