Zendesk

Zendesk Vendor Cyber Rating & Cyber Score

zdsk.co

Zendesk powers exceptional service for every person on the planet. As a leader in AI-powered service, we offer the Zendesk Resolution Platform, designed to redefine customer experience with advanced tools that integrate AI Agents, a comprehensive knowledge graph, actions and integrations, governance and control, measurement and insights, and human expertise. Our purpose-built platform enhances service by combining automation and human insight for seamless interactions. Easy to use, easy to scale, and easy to get value from, Zendesk helps companies strengthen relationships, improve efficiency, and grow. Learn more: http://zdsk.co/46mVi8h


Zendesk A.I CyberSecurity Scoring

Zendesk
Company Information
Website: http://zdsk.co/46mVi8h
Employees number: 7,843
Number of followers: 649,809
NAICS: 5112
Industry Type: Software Development
Homepage: zdsk.co
Zendesk Risk Score (AI oriented)
Between 550 and 599
Zendesk, Software Development
Updated: 04/04/2026
567/1000
Very Poor
Ca
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model

Zendesk: Very Poor
Current Score: 567, Ca (VERY POOR), on a scale of 0 to 1000
7 incidents
-51.4 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
525 Before Incident
MAY 2026
516 Before Incident
APRIL 2026
569 Before Incident
Breach
19 Apr 2026, Zendesk
Lovable: Lovable denies mass data breach

Lovable Denies Data Breach After User Exposes Security Flaw in AI Coding Platform

515 After Incident
CRITICAL, -54
LOV1776717678
Swedish no-code startup Lovable has refuted claims of a mass data breach after an anonymous user alleged that sensitive user information, including chat histories, emails, names, and dates of birth, was accessible through a security flaw. The incident surfaced on X (formerly Twitter) when the user demonstrated how they could view and download other customers’ project data, including full chat logs and website source code, simply by creating a free account. The user, who reported the bug 48 days prior, claimed Lovable had marked the issue as a duplicate and left it unresolved. Their post, viewed over 500,000 times by 6 PM BST, included screenshots appearing to confirm the exposure. Lovable responded hours later, denying a breach but acknowledging poor communication about data visibility settings. The company stated that while public project chats were once visible, this functionality had since been disabled, though only for enterprise customers as of May 25, 2025. Founded in 2024, Lovable enables users to build apps and websites without coding, backed by $500 million in funding from investors like Accel, Creandum, and EQT. The incident coincides with the company’s recent partnership with security firm Aikido to offer penetration testing for user-built applications, as well as internal pressure to accelerate product updates amid reports that rival Anthropic is developing a competing tool.
INCIDENT DETAILS
TYPE
Data Exposure
MOTIVATION
Bug reporting / Whistleblowing
IMPACT
Data Compromised: Chat histories, emails, names, dates of birth, project data, website source code, full chat logs
Systems Affected: Lovable AI coding platform
Brand Reputation Impact: Potential reputational damage due to public disclosure
Identity Theft Risk: High (PII exposed)
DATA BREACH
Chat histories, Emails, Names, Dates of birth, Project data, Website source code
Sensitivity Of Data: High (PII and proprietary project data)
Data Exfiltration: Possible (user demonstrated download capability)
Chat logs, Source code
Personally Identifiable Information: Yes (emails, names, dates of birth)
MARCH 2026
637 Before Incident
Breach
01 Mar 2026, Zendesk
Zendesk and Crunchyroll: Have I Been Pwned’s Post

Crunchyroll Data Breach Exposes 1.2 Million Email Addresses via Zendesk

562 After Incident
CRITICAL, -75
ZENCRU1775283826
Crunchyroll, the popular anime streaming platform, experienced a data breach last month after attackers compromised its Zendesk support system. The incident exposed 1.2 million unique email addresses, which were later shared with the breach notification service Have I Been Pwned (HIBP). According to reports, 82% of the leaked emails were already publicly associated with LinkedIn profiles, raising concerns about potential secondary targeting by threat actors. The breach highlights vulnerabilities in third-party support systems, which are increasingly exploited as entry points for cyberattacks. No further details on the attack vector or additional compromised data have been disclosed. The incident underscores the risks of supply chain exposures in customer support platforms.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Data Compromised: 1.2 million unique email addresses
Systems Affected: Zendesk support system
Identity Theft Risk: Potential secondary targeting
DATA BREACH
Type Of Data Compromised: Email addresses
Number Of Records Exposed: 1.2 million
Sensitivity Of Data: Low (email addresses only, but 82% linked to LinkedIn profiles)
Personally Identifiable Information: Email addresses
FEBRUARY 2026
636 Before Incident
JANUARY 2026
705 Before Incident
Cyber Attack
20 Jan 2026, Zendesk
Tinder, Capcom, ElevenLabs and Zendesk: Mass Spam Attacks Leverage Zendesk Instances

Zendesk Instances Exploited in Widespread Spam Campaign

687 After Incident
HIGH, -18
TINCAPELEZEN1768948874
A surge of spam emails originating from legitimate Zendesk domains has raised concerns among cybersecurity experts and affected organizations. Multiple users reported receiving unsolicited messages, often disguised as legal notices, bogus lawsuits, or government alerts, from Zendesk instances tied to major companies, including Live Nation, Capcom, Tinder, and AI research firm ElevenLabs. The attacks appear to stem from two potential vectors: attackers abusing help desk systems to relay spam by impersonating users, or misconfigurations in Zendesk’s email infrastructure. Some emails bypassed spam filters, including iCloud’s, while others targeted users who had never interacted with the services in question. The goal, as with most spam campaigns, is to harvest credentials, gain initial access, or extort payments. Zendesk acknowledged the issue but clarified that it was not the result of a software vulnerability or breach. The company advised users to ignore or delete suspicious emails and recommended customers adjust first-reply triggers and restrict ticket submissions to authorized users. Security researchers noted similarities between the spam tactics and past activity linked to the threat group Scattered Lapsus$ Hunters, though Zendesk denied any direct connection. The scale of the campaign remains unclear, with no official response from Zendesk on the number of affected organizations or users. Social media and Reddit threads, however, indicate widespread disruption, with some companies reporting "mass spam attacks" on their ticketing systems. ElevenLabs confirmed it was working with Zendesk to resolve the issue, while other impacted firms have yet to publicly address the matter. The incident highlights the risks of misconfigured help desk systems and the challenges of defending against relay-based spam attacks.
As investigations continue, the full extent of the campaign, and whether it represents a coordinated effort or opportunistic exploitation, remain under scrutiny.
INCIDENT DETAILS
TYPE
Spam Campaign
MOTIVATION
Credential harvesting, Initial access, Extortion
IMPACT
Zendesk help desk systems
Operational Impact: Widespread disruption to ticketing systems
Brand Reputation Impact: Potential reputational damage to affected companies
Identity Theft Risk: High (due to credential harvesting)
JANUARY 2026
704 Before Incident
Breach
01 Jan 2026, Zendesk
ManoMano: Disaster for ManoMano, victim of a cyberattack on a subcontractor that leaked a large amount of data

ManoMano Data Breach: Customer Support Subcontractor Targeted in January 2026 Cyberattack

649 After Incident
CRITICAL, -55
MAN1771259135
French DIY e-commerce giant ManoMano has disclosed a data breach affecting customers who interacted with its support service. The incident, traced to a cyberattack on a third-party subcontractor in January 2026, resulted in the theft of personal data, though financial and login credentials remain secure.

### What Happened?

Hackers compromised a subcontractor managing ManoMano’s customer support, gaining unauthorized access to records of clients who had contacted the service. The stolen data includes:

- Names
- Email addresses
- Phone numbers
- Conversation histories

Critically, passwords and banking details were not exposed, as ManoMano does not store such information with the subcontractor.

### Response & Mitigation

Upon detecting the breach, ManoMano’s cybersecurity team disabled the compromised account and launched an internal investigation to assess the scope of the incident. The company has notified:

- CNIL (France’s data protection authority)
- ANSSI (National Cybersecurity Agency)
- Urgence Cyber Île-de-France (regional cybersecurity response platform)

ManoMano has also set up a dedicated helpline (+33(1) 87 52 80 89) for affected customers and warned of potential phishing attempts, as attackers may use the stolen data to craft convincing scams via email, SMS, or phone calls.

### Impact & Risks

While no immediate financial fraud has been reported, the breach heightens the risk of social engineering attacks, with cybercriminals leveraging the stolen details to impersonate ManoMano or its partners. Customers are advised to verify sender addresses before engaging with communications and avoid sharing sensitive information without confirmation of legitimacy. The incident underscores the supply chain vulnerabilities in cybersecurity, as attackers increasingly target third-party vendors to bypass primary defenses.

ManoMano continues to reinforce security measures across its subcontractor network to prevent future breaches.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Data Compromised: Names, email addresses, phone numbers, conversation histories
Systems Affected: Customer support subcontractor systems
Brand Reputation Impact: Potential reputational damage due to phishing risks
Identity Theft Risk: Heightened risk of social engineering attacks
Payment Information Risk: None (banking details not exposed)
DATA BREACH
Names, Email addresses, Phone numbers, Conversation histories
Sensitivity Of Data: Personal data (non-financial, non-login credentials)
DECEMBER 2025
702 Before Incident
NOVEMBER 2025
756 Before Incident
Breach
06 Nov 2025, Zendesk
Zendesk

Zendesk Phishing Campaign Exploiting Cloudflare Pages

701 After Incident
CRITICAL, -55
ZEN5862358110625
Zendesk was targeted by a sophisticated phishing campaign leveraging Cloudflare Pages to create convincing fake login screens, impersonating trusted Zendesk interfaces. Attackers tricked users into submitting sensitive credentials, exploiting vulnerabilities in the email support system. The breach exposed customer data to significant risk, with potential unauthorized access to personal and account-related information. The incident underscores the growing threat of evolved phishing tactics in digital customer support platforms, where third-party tools (like Cloudflare Pages) can be weaponized to bypass traditional security measures. While the exact scale of data compromise remains undisclosed, the attack highlights systemic weaknesses in authentication protocols and the urgent need for enhanced monitoring, employee training, and multi-layered defenses to prevent credential harvesting and subsequent data leaks. The reputational and operational impact on Zendesk and its clients could be substantial, given the reliance on secure customer support infrastructure.
INCIDENT DETAILS
TYPE
phishing, social engineering, credential harvesting
MOTIVATION
data theft, credential harvesting, unauthorized access to customer support systems
IMPACT
customer credentials
sensitive support ticket information
Zendesk email support systems
customer login interfaces
disruption to customer trust
potential operational delays in support services
potential increase due to compromised accounts
erosion of customer trust
negative perception of security practices
high (due to harvested credentials)
DATA BREACH
customer credentials
support ticket data
high (login credentials, potentially PII in support tickets)
likely (credentials submitted to fake pages)
potential (depends on support ticket content)
OCTOBER 2025
755 Before Incident
SEPTEMBER 2025
755 Before Incident
AUGUST 2025
754 Before Incident
JULY 2025
754 Before Incident
JUNE 2020
758 Before Incident
Breach
16 Jun 2020, Zendesk
Zendesk and PcComponentes: Online retailer PcComponentes says data breach claims are fake

PcComponentes Credential Stuffing Attack

679 After Incident
CRITICAL, -79
ZENPCC1769030611
PcComponentes Denies Data Breach but Confirms Credential Stuffing Attack Impacting Customers

Spain’s leading technology retailer, PcComponentes, has refuted claims of a major data breach affecting 16 million customers but confirmed a credential stuffing attack exposed sensitive account details. The incident emerged after a threat actor, daghetiaw, posted a purported database containing 16.3 million records on hacker forums, leaking 500,000 entries and offering the remainder for sale. The leaked data included order histories, physical addresses, full names, phone numbers, IP addresses, product wishlists, and customer support messages exchanged via Zendesk. However, PcComponentes stated that no financial details or passwords were stored on its systems and that the claimed 16 million affected accounts was exaggerated, as its active user base is significantly smaller. An investigation revealed the attack stemmed from credential stuffing, where attackers used reused login credentials from previous breaches to access accounts. Threat intelligence firm Hudson Rock traced the compromised credentials to info-stealing malware infections, with some logins dating back to 2020. A sample of verified emails from the leak matched records in existing infostealer logs. For affected accounts, exposed data included:

- Full names
- National ID numbers
- Physical addresses
- IP addresses
- Email addresses
- Phone numbers

In response, PcComponentes implemented CAPTCHA protections, mandatory two-factor authentication (2FA) for all accounts, and invalidated active sessions, forcing users to re-authenticate with 2FA enabled. The company did not disclose the exact number of impacted customers.
INCIDENT DETAILS
TYPE
Credential Stuffing
MOTIVATION
Data exfiltration and sale on dark web
IMPACT
Data Compromised: Order histories, physical addresses, full names, phone numbers, IP addresses, product wishlists, customer support messages, national ID numbers, email addresses
Brand Reputation Impact: Potential negative impact due to exposure of customer data
Identity Theft Risk: High
Payment Information Risk: None (no financial details or passwords stored)
DATA BREACH
Order histories, Physical addresses, Full names, Phone numbers, IP addresses, Product wishlists, Customer support messages, National ID numbers, Email addresses
Number Of Records Exposed: 500,000 leaked (16.3 million claimed)
Sensitivity Of Data: High (PII, order details, support messages)
Data Exfiltration: Yes (posted on hacker forums for sale)
Personally Identifiable Information: Yes (full names, national ID numbers, physical addresses, email addresses, phone numbers)
NOVEMBER 2016
783 Before Incident
Data Leak
01 Nov 2016, Zendesk
Zendesk

Zendesk Data Breach

720 After Incident
MEDIUM, -63
ZEN35623423
Zendesk has acknowledged a data blunder that affects 10,000 customers, but only those who used the company's helpdesk solutions prior to 1 November 2016. The business informed its clients that they had just learned about a security issue that might have affected users of Zendesk Support and Chat products who had their subscriptions authorized before November 1, 2016, as well as those customers. Regarding the security breach, Zendesk believes that no unauthorized use of stolen login credentials has occurred as of yet. A "third-party" contacted Zendesk, which led to an internal investigation and the notification of regulatory bodies.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Data Compromised: Login credentials
Systems Affected: Zendesk Support and Chat products
DATA BREACH
Type Of Data Compromised: Login credentials

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Zendesk?
What was Zendesk's A.I Rankiteo Cyber Score in May 2026?
What was Zendesk's A.I Rankiteo Cyber Score in April 2026?
What was Zendesk's A.I Rankiteo Cyber Score in March 2026?
What was Zendesk's A.I Rankiteo Cyber Score in February 2026?
What was Zendesk's A.I Rankiteo Cyber Score in January 2026?
What was Zendesk's A.I Rankiteo Cyber Score in December 2025?
What was Zendesk's A.I Rankiteo Cyber Score in November 2025?
What was Zendesk's A.I Rankiteo Cyber Score in October 2025?
What was Zendesk's A.I Rankiteo Cyber Score in September 2025?
What was Zendesk's A.I Rankiteo Cyber Score in August 2025?
What was Zendesk's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Zendesk's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Zendesk?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Zendesk's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?