#Tag
Criss 🇨🇦 yBliss boosted
David
@deFractal@infosec.exchange · 4 weeks ago

The #Discord breach is yet another example of why no online service should ever be required or even permitted to accept uploaded ID images. If it's necessary to verify ID, or at least age, either do it on device or through an in-person service, or cease operating in the jurisdiction till that necessity ends.

Every one of these services is a data breach waiting to happen, and once the identity documents are breached, as well as being means to identity theft, they can be used for impersonation on every other service requiring uploaded ID. And the ability to re-use the uploaded ID proves the futility of that form of verification anyway.

Just like biometrics, visual verification of ID cards only has security value when done in-person. All the requirements of ID image uploading are just security theatre, which shift liability from the service to the user while magnifying the harm to which they're exposed.

#DiscordBreach #dataBreach #privacy #ageVerification #chatControl

jbz
@jbz@indieweb.social · 2 weeks ago

🐮 Dairy Farmers of America confirms June cyberattack leaked personal data / @therecord_media

「 The Kansas-based organization is a farmer-owned dairy cooperative that markets and sells milk and ancillary products produced by its 9,500 farmer-owners. It has about 19,000 employees and reported $24.5 billion in revenue in 2022, producing about 23% of all U.S. milk 」

https://therecord.media/dairy-farm-leaked-info-ransomware

#ransomware #databreach #cybersecurity

Dairy Farmers of America confirms June cyberattack leaked personal data

The Dairy Farmers of America said cybercriminals breached company systems in June, gaining access to the information of employees and members of the cooperative.
Stefano Marinelli boosted
R. P. Scott
@i47i@hachyderm.io · 2 weeks ago

Hackers can steal 2FA codes and private messages from Android phones

> Android devices are vulnerable to a new attack that can covertly steal 2FA codes, location timelines, and other private data in less than 30 seconds.

> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.

> The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/

#Android #Cybersecurity #InfoSec #2FA #Privacy #Pixnapping #GooglePixel #Samsung #MobileSecurity #DataBreach #ZeroDay #TechNews #Hacking

Joel 🔪 May-Kill 🔪 boosted
David Hollingworth
@David_Hollingworth@mastodon.social · 3 weeks ago

Welp, there it is. Can't say much about the data due to the injunction Qantas took out, but it's now public, on both the clear- and dark webs.

#qantas #databreach #ransomware #cybersecurity

https://www.cyberdaily.au/security/12759-qantas-hackers-dump-more-than-5-million-customer-records-to-clear-and-darkweb-leak-sites

Miguel Afonso Caetano
@remixtures@tldr.nettime.org · 3 weeks ago

"A catastrophic breach has impacted Discord user data including selfies and identity documents uploaded as part of the app’s verification process, email addresses, phone numbers, approximately where the user lives, and much more.
The hack, carried out by a group that is attempting to extort Discord, shows in stark terms the risk of tech companies collecting users’ identity documents, and specifically in the context of verifying their age. Discord started asking users in the UK, for example, to upload a selfie with their ID as part of the country’s age verification law recently.

“This is about to get really ugly,” the hackers wrote in a Telegram channel, which 404 Media joined, while posting user data on Wednesday. A source with knowledge of the breach confirmed to 404 Media that the data is legitimate. 404 Media granted the source anonymity to speak candidly about a sensitive incident."

https://www.404media.co/the-discord-hack-is-every-users-worst-nightmare/

#CyberSecurity #Hacking #Discord #DataBreach

404 Media

The Discord Hack is Every Users’ Worst Nightmare

A hack impacting Discord’s age verification process shows in stark terms the risk of tech companies collecting users’ ID documents. Now the hackers are posting peoples’ IDs and other sensitive information online.
Dave V. ND9JR boosted
Dave nλ=2dsinθ
@xtaldave@xtaldave.net · 3 weeks ago

Well, that didn't take very long.

https://www.theguardian.com/games/2025/oct/07/discord-data-breach-proof-of-age-id-leaked

#OSA #Databreach #Discord #UKPol

the Guardian

Proof-of-age ID leaked in Discord data breach

Video game chat platform tells users that driver’s licences and passports were among the forms of data accessed via a third-party customer service provider
jbz
@jbz@indieweb.social · 2 months ago

🔥 Qantas penalizes executives for July cyberattack
Senior leaders at Australian airline Qantas have had their annual bonuses reduced by 15% following a cyberattack in July that caused a range of issues for the company.

https://therecord.media/qantas-airline-reduces-bonuses-executives-data-breach

#qantas #databreach #security

jbz
@jbz@indieweb.social · 2 months ago

🏫 Texas sues PowerSchool for breach exposing the data of students and teachers

「 The state of Texas is suing education tech provider PowerSchool following a 2024 data breach that exposed sensitive information belonging to 62.4 million students and 9.5 million teachers 」

https://therecord.media/powerschool-data-breach-texas-lawsuit-ken-paxton

#databreach #privacy #security

Dave V. ND9JR boosted
Hacker News
@h4ckernews@mastodon.social · 2 months ago

2.5B Gmail users endangered after Google database hack

https://www.pcworld.com/article/2880822/2-5-billion-gmail-users-endangered-after-google-database-hack.html

#HackerNews #GmailHack #GoogleDatabase #CyberSecurity #DataBreach #UserSafety

theruran 💻 🌐 :cereal_killer: boosted
BobDaHacker 🏳️‍⚧️ | NB
@bobdahacker@infosec.exchange · 2 months ago

Hacked Monster Energy 💀

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#InfoSec #Security #DataBreach #MonsterEnergy #Vulnerability #CyberSecurity #ResponsibleDisclosure #BugBounty

Emelia 👸🏻 boosted
Dissent Doe :cupofcoffee:
@PogoWasRight@infosec.exchange · 3 months ago

So yesterday, I emailed a state court system that appears to be linked to the exposed data I mentioned recently and that the host notified on or about July 28.

No reply was received.

Today, I sent a contact form message to the lawyer for a juvenile whose records were sealed. Sealed, except 11 of them were exposed to anyone who can access the data. I told him what was going on and suggested he contact the court and tell them to get the data secured.

No reply was received.

Today, I sent an email to the judge who ordered the juvenile's records sealed and I cc:d the district attorney. I gave them the juvenile's name, case number and that I could see all the sealed records. I urged them to have their IT or vendor call me and I could give them the IP address over the phone, etc.

No reply was received.

Dear Russia, China, and North Korea:

You do not need to hack our courts. They are leaking like sieves and do not respond when we try to tell them they need to secure the data.

Yours in total frustration,

/Dissent

#infosec #cybersecurity #incident_response #dataleak #databreach #WAKETHEFUCKUP

jbz
@jbz@indieweb.social · 3 months ago

¯\_(ツ)_/¯

「 The information stolen includes demographic data, names, addresses, dates of birth, Social Security numbers, health insurance information and other clinical information like health conditions, dialysis lab test results and treatment information 」

#ransomware #databreach #cybersecurity
https://therecord.media/davita-dialysis-company-ransomware-attack-data-breach-notifications

jbz
@jbz@indieweb.social · 4 months ago

💧 Supabase MCP can leak your entire SQL database

「 The cursor assistant operates the Supabase database with elevated access via the service_role, which bypasses all row-level security (RLS) protections. At the same time, it reads customer-submitted messages as part of its input. If one of those messages contains carefully crafted instructions, the assistant may interpret them as commands and execute SQL unintentionally 」

https://simonwillison.net/2025/Jul/6/supabase-mcp-lethal-trifecta/

#supabase #databreach #mcp #sql

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate