Hotel giant Marriott has recently agreed to pay a $52m settlement to 50 US states for a large multi-year data breach impacting 131.5 million American customers.  It is estimated that 339 million guest records were exposed globally in the incident.  According to the Federal Trade Commission (FTC), attackers accessed the database undetected from July 2014 to September 2018.  The impacted records included guests’ personal details, a limited number of unencrypted passport numbers, and unexpired payment card information.

According to Pillar Security's "State of Attacks on GenAI" report, attacks on Large Language Models (LLMs), on average, take 42 seconds to complete, and successful LLM attacks result in sensitive data leakage 90 percent of the time. The report shared new insights regarding LLM attacks and jailbreaks, based on telemetry data and real-world attack examples from over 2,000 AI applications.

"The Wayback Machine," an initiative of the Internet Archive, has suffered a data breach due to a threat actor compromising the website and stealing a user authentication database consisting of 31 million different records. Those who have recently visited archive.org saw a JavaScript alert created by the hacker, saying that the Internet Archive has been breached. The alert mentions "HIBP," which refers to Troy Hunt's "Have I Been Pwned" data breach notification service that allows users to check whether their personal data has been compromised by data breaches.

Researchers at Jscrambler have detailed a new digital skimmer campaign that hides "Mongolian Skimmer" using Unicode obfuscation methods. According to the researchers, the script's obfuscation seemed odd due to all the accented characters. The code's heavy use of Unicode characters, many of which are invisible, makes it difficult for humans to read. At its core, the script utilizes JavaScript's capability to use any Unicode character in identifiers in order to hide malicious functionality. The malware steals sensitive data entered on e-commerce checkout or admin pages.

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have warned about Iranian threat actors targeting the email accounts of individuals associated with national political organizations and campaigns. According to the agencies' joint advisory, threat actors linked to the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted government officials, activists, journalists, lobbyists, and more to incite conflict and undermine confidence in US democracy.

Apple's new iPhone mirroring feature has a privacy flaw. Cybersecurity researchers at Sevco found the bug, which allows personal apps on an iPhone to be listed in a company's software inventory when the feature is used on work computers, posing a major privacy risk for employees. This flaw could expose an employee's use of a Virtual Private Network (VPN), dating apps, health apps, and more. This article continues to discuss the root and potential risks of Apple's iPhone mirroring flaw.

The United Nations Office on Drugs and Crime (UNODC) examined Artificial Intelligence (AI) threats in its latest report on cybercrime in Southeast Asia. Cybercriminals have been using generative AI (GenAI) to produce phishing messages in different languages, manipulative chatbots, mass disinformation on social media, and fake documents to get around Know-Your-Customer (KYC) checks. They have also been using it for polymorphic malware that can dodge security software. However, AI-powered cyberattacks involving deepfakes have grown increasingly popular.

According to F5, 70 percent of customer-facing Application Programming Interfaces (APIs) are HTTPS-secured, leaving nearly one-third unprotected. The average organization manages 421 APIs, mostly in public cloud environments. The security model must cover inbound and outbound API traffic as APIs increasingly connect to AI services such as OpenAI. Current practices prioritize inbound traffic, leaving outbound API calls vulnerable. This article continues to discuss the vulnerability of customer-facing APIs and the problem of divided responsibility for API security within organizations.

The UK government has recently launched a new competition designed to encourage young people to pursue careers in cybersecurity.  The UK Cyber Team Competition is open to 18–25-year-olds, who will undertake hands-on cyber exercises designed to push their technical expertise and problem-solving abilities.  According to the government, the competition will include simulations of real-world scenarios in areas like cryptography, digital forensics, web exploitation, and network security, designed to mirror the day-to-day challenges cybersecurity professionals face.

ADT recently announced that an unauthorized party stole encrypted internal data related to employee user accounts.