💧 Supabase MCP can leak your entire SQL database

「 The cursor assistant operates the Supabase database with elevated access via the service_role, which bypasses all row-level security (RLS) protections. At the same time, it reads customer-submitted messages as part of its input. If one of those messages contains carefully crafted instructions, the assistant may interpret them as commands and execute SQL unintentionally 」

https://simonwillison.net/2025/Jul/6/supabase-mcp-lethal-trifecta/

#supabase #databreach #mcp #sql
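The quoted paragraph describes a privilege problem, not a bug in any one query: row-level security (RLS) protects nothing from a role that was created with BYPASSRLS, so an assistant that reads untrusted customer text while connected as service_role has both the trigger and the authority. The following is an added illustration, not code from the post, from the linked article or from Supabase, showing that weak setting next to a least-privilege alternative in Postgres SQL. It assumes Supabase's standard roles (service_role, which carries BYPASSRLS; authenticated, which is subject to RLS; authenticator, the role PostgREST switches from), Supabase's auth.uid() helper, and two hypothetical tables, support_messages and customer_records.

```sql
-- Added example (not the post's, the article's or Supabase's own code).
-- Assumptions: Supabase roles service_role / authenticated / authenticator,
-- the auth.uid() helper, and the two constructed tables below.

-- Constructed tables: untrusted customer text and sensitive customer data
create table public.support_messages (
  id          bigint generated always as identity primary key,
  customer_id uuid not null,
  body        text not null        -- customer-submitted text the assistant reads
);

create table public.customer_records (
  customer_id uuid primary key,
  ssn_last4   text not null
);

-- RLS constrains only roles that lack BYPASSRLS; service_role is not one of them
alter table public.support_messages enable row level security;
alter table public.customer_records  enable row level security;

-- End users see only their own rows
create policy own_messages on public.support_messages
  for select to authenticated using (customer_id = auth.uid());
create policy own_record on public.customer_records
  for select to authenticated using (customer_id = auth.uid());

-- Weak setting (what the quote describes): the assistant connects with the
-- service_role key. Every policy above is skipped, every table is readable,
-- and any statement the assistant is induced to run executes with full authority.

-- Hardened setting: a dedicated non-login role for the assistant.
-- No BYPASSRLS, a SELECT grant on the one table it needs, no write privileges.
create role assistant_reader nologin;
grant usage on schema public to assistant_reader;
grant select on public.support_messages to assistant_reader;
-- With RLS enabled, a role with no matching policy sees zero rows, so grant
-- the assistant an explicit read policy on the messages table only.
create policy assistant_reads_messages on public.support_messages
  for select to assistant_reader using (true);
-- Lets PostgREST assume this role from a JWT whose "role" claim names it
-- (assumed Supabase wiring; verify against the project's own setup).
grant assistant_reader to authenticator;

-- Check 1: only service_role should report rolbypassrls = true
select rolname, rolbypassrls
  from pg_roles
 where rolname in ('service_role', 'authenticated', 'assistant_reader');

-- Check 2: exercise the narrow role from an admin session
set role assistant_reader;
select body from public.support_messages;          -- allowed: its one job
select * from public.customer_records;             -- fails: permission denied
insert into public.support_messages (customer_id, body)
  values (gen_random_uuid(), 'x');                 -- fails: permission denied
reset role;
```

The first check is the one to put in a scheduled audit: any role other than service_role (or a Postgres superuser) reporting rolbypassrls = true is a finding. The second check is the behavioural version, and it is the property that matters even if a customer message does carry instructions the assistant follows, because the role it runs under cannot reach the records or write anything.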

TalentHook leaks resumes of 26 Million job seekers

TalentHook, a cloud-based applicant tracking system, exposed nearly 26 million job seekers' resumes and personal information through a misconfigured Azure Blob storage container that was publicly accessible to anyone with the URL.

#cybersecurity #infosec #incident #databreach
https://beyondmachines.net/event_details/talenthook-leaks-resumes-of-26-million-job-seekers-7-7-s-s-2/gD2P6Ple2L

Paraguay hit by catastrophic data breach as hacktivists leak personal data of entire population

Paraguay suffered one of the most devastating national data breaches in history when hackers leaked personal information of approximately 7.4 million citizens (essentially the entire population) on June 13, 2025, after the government refused to pay a $7.4 million ransom demand from "Brigada Cyber PMC." The attack began with Redline infostealer malware compromising government employee credentials at the Ministry of Public Health and Social Welfare, enabling hackers to slowly exfiltrate data.

Infostealers are extremely dangerous. Especially on government system accounts.
#cybersecurity #infosec #incident #databreach
https://beyondmachines.net/event_details/paraguay-hit-by-catastrophic-data-breach-as-hacktivists-leak-personal-data-of-entire-population-0-p-p-d-m/gD2P6Ple2L

As expected, more details are emerging in other news outlets about the arrest of #ShinyHunters.

One detail I noted is that ShinyHunters is suspected of being responsible for the attacks on #LVMH, which is the high-end brand associated with Tiffany and Dior, who both reported breaches this year. Although there had been some speculation that #ScatteredSpider might be responsible for those breaches, it appears that ShinyHunters was allegedly responsible.

There have been a number of hacks this year where it is not clear -- in the absence of law enforcement confirmation -- whether a #databreach has been by Scattered Spider or ShinyHunters, or whether they have collaborated with one doing the hacking and the other doing the extortion. I predict in weeks/months to come, we will be given a pretty big list of big hacks that ShinyHunters has been involved in this year.

As I reported in my coverage of the PowerSchool hack and prosecution of Matthew Lane, ShinyHunters' name has been linked to that one, too, but was not named as a co-conspirator.

This is where I should write "This is a developing story..." huh?

@campuscodi

😮‍💨 16 Billion Apple, Facebook, Google And Other Passwords Leaked — Act Now

“This is not just a leak – it’s a blueprint for mass exploitation,” the researchers said. And they are right. These credentials are ground zero for phishing attacks and account takeover. “These aren’t just old breaches being recycled,” they warned, “this is fresh, weaponizable intelligence at scale.”

https://www.forbes.com/sites/daveywinder/2025/06/19/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/

#databreach #privacy #cybersecurity

Coinbase says its data breach affects at least 69,000 customers (@TechCrunch)

「 In a blog post, Coinbase said the hacker demanded $20 million in a ransom payment to delete the data, which Coinbase refused to pay. The company said the hacker bribed Coinbase customer support workers into accessing customers’ data over a period of several months 」

https://techcrunch.com/2025/05/21/coinbase-says-its-data-breach-affects-at-least-69000-customers/

#coinbase #databreach #cybersecurity