Secret CISO 7/30: Allianz Life & Tea App Breaches Expose Millions; Microsoft & Wiz Tackle AI Security; Browser DevTools Flaws Highlight User Risks
 
    Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of alarming data breaches that have left millions vulnerable, from Allianz Life's massive customer data exposure to the Tea app's unsettling privacy invasion. These incidents underscore the critical need for fortified supply chain security and robust data protection strategies.
Meanwhile, the tech world grapples with vulnerabilities in AI systems and development environments. Microsoft's proactive defense against indirect prompt injection attacks highlights the evolving landscape of AI security, while Wiz's discovery of a critical flaw in the Base44 platform serves as a stark reminder of the ongoing challenges in safeguarding AI-powered technologies.
In the realm of software vulnerabilities, we explore a range of issues, from SQL injections in popular platforms to cross-site scripting threats. The Amazon Q Developer Visual Studio Code extension and Koa's open redirect vulnerability further illustrate the pressing need for vigilant software security practices.
Join us as we navigate these complex stories, offering insights and strategies to help you stay ahead in the ever-evolving cybersecurity landscape. Stay informed, stay secure.
Data Breaches
- Allianz Life Data Breach Hits 1.4 Million Customers: Allianz Life Insurance confirmed a data breach in July 2025, affecting 1.4 million customers, financial professionals, and employees. The breach involved a third-party vendor, highlighting vulnerabilities in supply chain security. Source: Hackread.
- Union Home Mortgage Data Breach: Union Home Mortgage experienced a data breach, prompting discussions of a potential class action lawsuit. Affected individuals received notifications, and legal actions are being considered to address the incident and seek compensation. Source: Class Action.
- Tea App Hacked: A Second Data Breach Exposes Private Chats Of Over 1 Million Women: The Tea app, known for allowing women to share feedback about men, suffered a second data breach. This incident exposed private chats of over 1 million users, raising significant privacy concerns. Source: NDTV.
- 23andMe Data Breach: 23andMe faced a data breach in October 2023, which many experts deemed avoidable. The incident has become a focal point in the company's ongoing bankruptcy case, emphasizing the importance of robust data security measures. Source: The Source - WashU.
- PowerSchool Data Breach: Education technology company PowerSchool committed to enhancing its security measures following a significant cyberattack. The breach leaked sensitive information, prompting the company to reassess its data protection strategies. Source: Lexpert.
Security Research
- Lovense was told its sex toy app leaked users' emails and didn't fix it: A security researcher found that Lovense's app let them obtain a user's email address from a username alone, information that could feed account takeovers. Lovense was informed but did not promptly address the issue, raising concerns about user privacy and security. Source: The Verge.
- How Microsoft defends against indirect prompt injection attacks: Microsoft has developed strategies to combat indirect prompt injection attacks, a sophisticated form of cyber threat targeting AI systems. This research highlights the importance of proactive defense mechanisms to protect AI-driven technologies from emerging vulnerabilities. Source: MSRC Blog.
- Tea app's second data breach exposed over a million private messages: The Tea app experienced a significant data breach, exposing over a million private messages, including sensitive topics like abortions and cheating. This breach, reported by 404 Media, underscores the critical need for robust security measures in messaging platforms. Source: TechCrunch.
- Wiz Uncovers Critical Access Bypass Flaw in AI-Powered Vibe Coding Platform Base44: Wiz researchers identified a critical security flaw in the Base44 platform, which could have allowed unauthorized access to sensitive data. The vulnerability has since been patched, but it highlights the ongoing challenges in securing AI-powered development environments. Source: The Hacker News.
- Browser DevTools' gaps leave millions exposed to threats: SquareX security research revealed significant gaps in browser DevTools that could expose millions of users to potential threats. This finding emphasizes the need for enhanced security measures in browser extensions to protect user data and privacy. Source: SecurityBrief Australia.
Top CVEs
- CVE-2025-4674: The go command may execute unexpected commands when operating in untrusted VCS repositories. The problem arises when a repository fetched via one VCS also contains metadata for another VCS; the go command can then invoke that other tool with repository-controlled configuration and run commands the developer never intended. Until updated, treat go commands run inside checkouts from untrusted sources as running untrusted code, and upgrade to a patched Go release. Source: Vulners.
- CVE-2025-51970: A SQL injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0. User-supplied input reaches database queries without proper sanitization, so an attacker can alter the query and read or modify data they should not have access to. Source: Vulners.
- CVE-2025-52358: A cross-site scripting vulnerability affects Vivaldi United Group iCONTROL+ Server, including Firmware version 4.7.8.0.eden Logic version 5.32 and below. Attackers can inject JavaScript payloads within certain parameters, which are executed in the victim's browser, potentially leading to data theft or session hijacking. Source: Vulners.
- CVE-2025-45346: SQL Injection vulnerability in Bacula-web before version 9.7.1 allows remote attackers to execute arbitrary code. This is achieved via a crafted HTTP GET request, which can manipulate database queries and potentially compromise the server. Source: Vulners.
API Security
- Amazon Q Developer Visual Studio Code Extension Vulnerability: Version 1.84.0 of the Amazon Q Developer Visual Studio Code (VS Code) extension shipped with injected code. That code did not execute because of a syntax error, so the API calls it would have made never happened. Users are advised to upgrade to v1.85.0. Source.
- Koa Open Redirect via Referrer Header: Koa's redirect handling can use the request's Referrer header, which the client controls, as the redirect target (its 'back' redirect shortcut does exactly this). An attacker who controls the Referrer value can steer a user to an attacker-chosen site after an otherwise legitimate action. Source.
- Umbraco Delivery API Caching Issue: Umbraco's content delivery API can return cached responses even with an invalid API key due to improper caching mechanisms. This issue allows unauthorized users to access cached data. Patches are expected in upcoming versions. Source.
- Progress Software Hybrid Data Pipeline Server Vulnerability (CVE-2025-6505): Unauthorized access and impersonation can occur in certain versions of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, leading to potential unauthorized access. Source.
- VMware vCenter Denial-of-Service Vulnerability (CVE-2025-41241): VMware vCenter contains a denial-of-service vulnerability that can be triggered by a malicious actor with API call permissions, potentially disrupting service availability. Source.
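The Koa item above describes a redirect whose target comes straight from the Referrer header. The helper below is an added example, not Koa's own code or the advisory's: it shows the vulnerable shape beside a hardened "redirect back" that honours only a same-origin Referer and emits only its path and query. The `headers` object and `ownOrigin` value are assumptions for illustration (in Koa they would be `ctx.headers` and `ctx.origin`); the hostnames are constructed sample data.

```javascript
// Added example (not Koa's code): a "redirect back" helper that does not
// trust the Referer header blindly. Node's WHATWG URL parser does the work.

// Vulnerable shape, mirroring the pattern the advisory describes: the raw
// Referer value becomes the Location header, so a crafted link or a
// referrer-controlling page can bounce the user anywhere.
function unsafeBack(headers, fallback = '/') {
  return headers.referer || headers.referrer || fallback;
}

// Hardened helper. ownOrigin is the app's own origin, e.g. "https://app.example"
// (assumed to be supplied by the framework; in Koa that is ctx.origin).
// Only a same-origin Referer is honoured, and only its path+query is returned,
// so the resulting Location can never name another host.
function safeBack(headers, ownOrigin, fallback = '/') {
  const raw = headers.referer || headers.referrer;
  if (!raw) return fallback;

  let parsed;
  try {
    // Resolving against ownOrigin also accepts a relative Referer like "/cart".
    parsed = new URL(raw, ownOrigin);
  } catch {
    return fallback; // unparsable header: fall back rather than echo it
  }

  // Cross-origin targets, including scheme tricks such as "javascript:"
  // (whose origin is "null"), all fall back.
  if (parsed.origin !== ownOrigin) return fallback;

  const target = parsed.pathname + parsed.search;
  // "//host/path" would be read by the browser as protocol-relative.
  if (target.startsWith('//')) return fallback;
  return target;
}
```

Note that the check is on the parsed origin, not on a string prefix: `https://app.example.attacker.test/` and `//evil.test/` both parse to a different origin and fall back, and a same-host URL whose path begins with `//` is rejected because a browser would treat that Location as protocol-relative.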
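The Umbraco item above is an ordering bug: a cache lookup that runs before the API-key check hands cached content to anyone. The handlers below are an added example, not Umbraco's code, written against an in-memory cache and a constructed sample key so they run offline; the endpoint shape, the key value and `fetchFromOrigin` are assumptions for illustration only. The two handlers differ solely in whether the key check or the cache lookup comes first.

```javascript
// Added example (not Umbraco's code): why an API-key check must run before a
// response cache is consulted. Both handlers serve the same content path; only
// the order of "validate key" and "cache lookup" differs.

const VALID_API_KEYS = new Set(['k-demo-1234']); // constructed sample key

// Stand-in for the expensive origin lookup keyed by content path.
function fetchFromOrigin(path) {
  return { status: 200, body: `content for ${path}` };
}

// Vulnerable ordering: a cache hit short-circuits before the key is checked,
// so once any authorised client has warmed a path, every later request for it
// is served regardless of the key presented.
function makeLeakyHandler() {
  const cache = new Map();
  return function handle(path, apiKey) {
    if (cache.has(path)) return cache.get(path);
    if (!VALID_API_KEYS.has(apiKey)) return { status: 401, body: 'invalid api key' };
    const res = fetchFromOrigin(path);
    cache.set(path, res);
    return res;
  };
}

// Hardened ordering: authenticate first; the cache only accelerates requests
// that have already passed the check, and 401 responses are never stored.
function makeSafeHandler() {
  const cache = new Map();
  return function handle(path, apiKey) {
    if (!VALID_API_KEYS.has(apiKey)) return { status: 401, body: 'invalid api key' };
    if (cache.has(path)) return cache.get(path);
    const res = fetchFromOrigin(path);
    cache.set(path, res);
    return res;
  };
}
```

The same rule applies when the cache is an HTTP output cache or CDN in front of the application rather than a Map inside it: responses gated by an API key must either be marked non-cacheable at that layer or be keyed on the authentication result, otherwise the first valid request warms the cache for every invalid one that follows.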
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever. From the Allianz Life data breach affecting millions to the vulnerabilities in AI systems and popular apps, the stories we've shared today underscore the critical importance of robust cybersecurity measures. Each incident serves as a reminder of the ever-evolving threats we face and the need for constant vigilance and innovation in our security strategies.
Whether it's a breach in a major insurance company or a vulnerability in a widely-used app, these stories highlight the interconnected nature of our digital world and the ripple effects a single security lapse can have. As cybersecurity professionals, staying informed and prepared is our best defense against these challenges.
If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. By spreading awareness, we can collectively enhance our defenses and foster a more secure digital environment for everyone.
Thank you for joining us today. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO!