Welcome to today's edition of Secret CISO, where we delve into the ever-evolving landscape of cybersecurity threats and defenses. In this issue, we uncover a series of alarming data breaches and vulnerabilities that highlight the critical importance of robust security measures across various sectors.

Neighbourly, a community-based platform, has been temporarily taken offline due to claims of a data breach, emphasizing the need for swift action in safeguarding user data. Meanwhile, over 108,000 individuals in South Carolina and 284,000 Mainers have been affected by significant data breaches, raising concerns about the security of personal information.

In the realm of healthcare, ManageMyHealth faces a cyber incident potentially impacting up to 126,000 users, underscoring the urgency for enhanced cybersecurity in protecting sensitive health data. Similarly, Sentinel Security and Atlantic Coast Life Insurance have experienced breaches, prompting affected individuals to secure their data vigilantly.

On the cutting edge of cybersecurity, a record year for wrench attacks poses new challenges for cryptocurrency holders, while a British ethical hacker's discovery of a critical vulnerability in a government site showcases the value of cybersecurity skills. Additionally, vulnerabilities in everyday devices, such as wheelchairs and NVIDIA Tegra X2 chips, highlight the need for robust security measures in our increasingly connected world.

Finally, we explore critical vulnerabilities in Apache StreamPipes and Apache NuttX RTOS, urging users to upgrade and secure their systems against potential exploits. As we navigate these complex threats, today's insights serve as a reminder of the ever-present need for vigilance and proactive security strategies.

Data Breaches

1. Neighbourly Taken Down After Claims of Data Breach: Neighbourly, a community-based platform, has been temporarily taken offline following claims of a data breach. The company, along with an external data security team, is investigating the situation to ensure user data integrity. This precautionary measure highlights the importance of swift action in potential data breach scenarios. Source: 1News
2. Data Breach May Impact Over 108,000 in South Carolina: The South Carolina Department of Consumer Affairs has reported a data breach potentially affecting over 108,000 individuals. The compromised data includes sensitive information such as names, addresses, dates of birth, and Social Security numbers, underscoring the critical need for robust data protection measures. Source: WLTX
3. Sentinel Security & Atlantic Coast Life Insurance Companies Data Breach: A data breach at Sentinel Security and Atlantic Coast Life Insurance has exposed personal information, including names, Social Security numbers, and medical data. Affected individuals are advised to take steps to secure their data and monitor for any unusual activity. Source: Claim Depot
4. Covenant Health Reports Expanded Data Breach Affecting 284,000 Mainers: Covenant Health has disclosed an expanded data breach affecting 284,000 individuals in Maine. The breach is larger than initially reported, raising concerns about the security of patient data and the potential for identity theft. Source: WGME
5. Up to 126,000 ManageMyHealth Users Believed to Be Affected by Cyber Data Breach: ManageMyHealth, New Zealand's largest patient information portal, has confirmed a cyber security incident potentially affecting up to 126,000 users. The breach has raised alarms about the security of sensitive health information and the need for enhanced cybersecurity measures in healthcare. Source: Newstalk ZB

Security Research

1. A record year for wrench attacks: How crypto holders can maintain physical security amid rising risks: This research highlights the increasing physical threats faced by cryptocurrency holders, emphasizing the need for enhanced security measures. Jameson Lopp, a seasoned security expert, has been tracking these incidents for over a decade, providing valuable insights into the evolving landscape of crypto-related physical security risks. Source: The Block.
2. British ethical hacker granted rare visa after finding 'critical vulnerability' in government site: Jacob Riggs, a cybersecurity expert from London, uncovered a critical vulnerability in a government website in under two hours. His discovery not only highlights the importance of ethical hacking but also earned him a rare visa, showcasing the value of cybersecurity skills in today's digital landscape. Source: The Australian.
3. 39C3: Wheelchair Security – When a QR code bypasses all security mechanisms: An IT security researcher demonstrated how a simple QR code could bypass all security mechanisms in a wheelchair, granting access to all its comfort functions. This research underscores the potential vulnerabilities in everyday devices and the need for robust security measures. Source: Heise.
4. Critical Apache StreamPipes Flaw Allows Attackers to Take Over Admin Accounts: Security researcher Darren Xuan discovered a critical vulnerability in Apache StreamPipes that could allow attackers to take over admin accounts. This finding highlights the importance of continuous security assessments and prompt patching to protect against potential exploits. Source: GB Hackers.
5. NVIDIA Tegra X2 Vulnerability: Millions of Devices at Risk: Amber Katze, a security researcher, uncovered a vulnerability in NVIDIA Tegra X2 chips, putting millions of devices at risk. This research emphasizes the critical need for securing embedded systems and the potential widespread impact of such vulnerabilities. Source: Red Hot Cyber.

Top CVEs

1. CVE-2025-47411: A vulnerability in Apache StreamPipes allows a user with a non-administrator account to exploit the user ID creation mechanism, enabling them to swap their username with that of an administrator. This manipulation of JWT tokens can lead to unauthorized access and data tampering. Users are advised to upgrade to version 0.98.0 to mitigate this issue. Source: Vulners.
2. CVE-2025-48769: A Use After Free vulnerability in the Apache NuttX RTOS affects the fs/vfs/fsrename code, allowing arbitrary buffer reallocation and unintended virtual filesystem operations. This issue impacts users of virtual filesystem-based services, especially those exposed over the network. Upgrading to version 12.11.0 is recommended to address this vulnerability. Source: Vulners.
3. CVE-2025-11157: A high-severity remote code execution vulnerability in feast-dev/feast version 0.53.0 arises from improper deserialization of YAML files in the Kubernetes materializer job. This flaw allows attackers to execute OS commands on the worker pod, potentially leading to cluster takeover and data poisoning. Users should ensure configurations are validated to prevent exploitation. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From the temporary shutdown of Neighbourly due to a data breach investigation to the critical vulnerabilities discovered in widely-used systems like NVIDIA Tegra X2 and Apache StreamPipes, the need for vigilance and proactive security measures has never been more apparent.

These stories remind us of the importance of staying informed and prepared. Whether it's understanding the implications of a data breach affecting thousands or recognizing the value of ethical hacking in uncovering vulnerabilities, knowledge is our first line of defense. The evolving threats in the world of cybersecurity demand our attention and action, ensuring that we protect not only our data but also our digital identities.

If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital world by spreading awareness and fostering a community of informed and vigilant individuals. Stay safe, stay informed, and see you in the next edition of Secret CISO!