Secret CISO 5/11: Data Breaches in Nigeria, Kelly Benefits, Hertz and SK Telecom, Outdated Security Practices, New Phishing Techniques, and Latest Research on AI and Cybersecurity

Welcome to today's edition of Secret CISO, your daily source for the most impactful cybersecurity news. Today, we delve into a series of data breaches and security practices that have made headlines. In Iceland, a former special prosecutor is under investigation for data theft, while in Nigeria, over 119,000 accounts were breached in 2025 despite a global decline in cyberattacks.
Meanwhile, TechRadar reveals a sneaky new phishing technique that hackers are using to steal encrypted login credentials. On the legal front, Apple is settling a $95 million Siri privacy lawsuit, and you might be eligible for a share. Plus, find out if you qualify for a $4,000 payout from a data breach settlement. In the tech world, security researchers have discovered a new infostealer malware dropped by fake AI video generators. And TechRadar warns about 10 outdated security practices that people still swear by.
Finally, we explore the latest cybersecurity research, including a new advanced phishing attack targeting crypto users and a major data breach exposing social security numbers and financial records. Stay tuned for more updates and remember, knowledge is the best defense against cyber threats.
Data Breaches
- Over 119,000 Nigerian Accounts Breached in 2025 Despite Global Decline in Cyberattacks: Despite a global decline in cyberattacks, over 119,000 Nigerian accounts were breached in 2025. The report places Nigeria third in Sub-Saharan Africa for total data breaches. Source: TV360 Nigeria
- Data Breach Incident at Kelly Benefits: An American human resources company, Kelly Benefits, experienced a data breach. The company claims that there is currently 'no evidence of any information related to this incident being misused'. Source: Binance
- Massive Dark Web Leak Exposes 1.7 Billion Passwords: A massive password leak has surfaced on the dark web, exposing data of over a billion users. This incident serves as a clear reminder of how quickly online threats can escalate. Source: Economic Times
- Hertz Confirms Personal Data and Driver's Licenses Stolen in Data Breach: Hertz announced a massive data breach that put the personal information of millions of its customers, including the numbers on their driver's licenses, at risk. Source: MSN
- Major Data Breach Exposes Social Security Numbers, Financial Records and Much More: A significant data breach at a human resources firm has exposed the personal information of hundreds of individuals, including social security numbers and financial records. Source: Benzinga
Security Research
- Is Kenya's President Safe in a Crowd?: A security expert has conducted a thorough analysis of the VIP protection measures in place for President William Ruto during public appearances. The expert's findings raise questions about the effectiveness of the current security protocols. Source: eastleighvoice.co.ke
- Bitcoin Eyes 'Crazy Numbers,' Mashinsky Gets 12 Years Prison: Cyber threat intelligence expert Heiner Garcia led an investigation into the recent fluctuations in Bitcoin's value. Garcia's research has revealed some surprising insights into the cryptocurrency's future. Source: tradingview.com
- Cybercriminals Exploit Rare Technique to Steal Login Credentials: Security researchers have discovered a new phishing campaign that uses a rarely seen technique to steal login credentials. The campaign targets tax accounts and encrypted messages. Source: techradar.com
- New Advanced Phishing Attack Exploits Discord to Target Crypto Users: A sophisticated new phishing attack has been discovered by security researchers. The attack exploits Discord to target cryptocurrency users, highlighting the need for increased security measures within the platform. Source: gbhackers.com
- End-of-life Router Botnet Shut, 4 'Foreign Hackers' Charged: Security researchers have successfully shut down a botnet operating on end-of-life routers. Four foreign hackers have been charged in connection with the botnet, marking a significant victory in the fight against cybercrime. Source: theregister.com
Top CVEs
- CVE-2025-1752: A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest (v0.12.15). The vulnerability arises from inadequate secure coding, specifically the max_depth parameter of the get_article_urls function not being properly implemented. Source: CVE-2025-1752
- CVE-2025-4497: A critical vulnerability was found in code-projects Simple Banking System up to 1.0. The issue affects unspecified processing in the Sign In component. Manipulating the password2 argument leads to a buffer overflow. The attack must be carried out locally. Source: CVE-2025-4497
- CVE-2025-2158: The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server. Source: CVE-2025-2158
- CVE-2025-2944: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Button and Countdown Widgets in all versions up to, and including, 2.6.12 due to insufficient input sanitization and output escaping on user supplied attributes. Source: CVE-2025-2944
- CVE-2025-4499: A critical vulnerability was found in code-projects Simple Hospital Management System 1.0. The affected function is Add in the Add Information component. Manipulating the argument x[i].name/x[i].disease leads to a stack-based buffer overflow. The attack must be carried out locally. Source: CVE-2025-4499
Final Words
And that's a wrap for today's edition of Secret CISO. From data breaches in Nigeria to sneaky new phishing techniques, we've covered a lot of ground. Remember, staying informed is the first step towards ensuring your organization's security. If you found this newsletter helpful, don't keep it to yourself. Share it with your colleagues and friends, and help them stay on top of the latest in cybersecurity.
In tomorrow's edition, we'll dive into more security practices, data breaches, and the latest research in the field. Stay tuned, stay safe, and remember - knowledge is power. Until then, this is your Secret CISO, signing off.