Secret CISO 8/9: Google, Columbia, US Judiciary Breaches; AI Propaganda & Zero-Click Exploits; OpenBao MFA Bypass Unveiled

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity threats and vulnerabilities that continue to challenge our digital landscape. In this issue, we delve into a series of alarming data breaches and vulnerabilities that have shaken both corporate giants and critical infrastructures.

Google finds itself in the crosshairs of the notorious ShinyHunters group, suffering a significant data breach that underscores the relentless threat of ransomware on major corporations. Meanwhile, Columbia University faces a massive breach affecting 870,000 individuals, raising serious concerns about the security of personal information in educational institutions.

The U.S. Judiciary's electronic records service has also fallen victim to a breach, highlighting the vulnerabilities within government infrastructure. In the retail sector, Pandora grapples with a breach that exposes customer data, while the Tea dating app reveals major privacy gaps, compromising over 1.1 million direct messages.

On the technological frontier, AI's role in cyber threats is becoming increasingly sophisticated. A Chinese business is leveraging AI to target U.S. politicians and influencers with propaganda, while researchers at Black Hat USA demonstrate zero-click exploits on popular AI agents, posing new risks to AI security.

In the realm of vulnerabilities, a data dump from an APT actor provides crucial insights into attacker capabilities, and security researchers uncover techniques to open high-security safes in seconds. Additionally, a biometric vulnerability in Windows Hello for Business raises alarms about the robustness of biometric authentication systems.

Finally, we explore critical vulnerabilities in software systems, including Assemblyline 4 and OpenBao, where path traversal, MFA bypass, and user lockout bypass issues have been identified and patched. These revelations serve as a stark reminder of the ever-evolving landscape of cybersecurity threats and the urgent need for vigilant defenses.

Stay informed, stay secure, and join us as we navigate the complexities of cybersecurity in today's digital age.

Data Breaches

  1. Google Suffers a Serious Data Breach at the Hands of a Ransomware Group: Google's Threat Intelligence Group reported a data breach that affected the company itself. The breach was orchestrated by the ShinyHunters group, known for their aggressive tactics. The incident highlights the ongoing threat of ransomware attacks on major corporations. Source: PhoneArena.
  2. Columbia University Data Breach Affected 870,000 Students, Applicants: Columbia University disclosed a data breach impacting approximately 870,000 individuals, including students and applicants. The breach was first reported by Bloomberg News and has raised concerns about the security of personal information at educational institutions. Source: GazetteXtra.
  3. U.S. Judiciary Confirms Breach of Court Electronic Records Service: The U.S. Judiciary has confirmed a breach of its electronic records service, prompting efforts to enhance system security and prevent future attacks. This incident underscores the vulnerability of critical government infrastructure to cyber threats. Source: Bleeping Computer.
  4. Pandora Suffers Data Breach, Reports Say: Jewelry giant Pandora has notified customers of a data breach where hackers accessed customer data. This breach highlights the ongoing risks faced by retail companies in protecting customer information. Source: JCK Online.
  5. Tea Dating App Breach Reveals Major Data Privacy Gaps: A security researcher uncovered a significant vulnerability in the Tea dating app, exposing over 1.1 million direct messages. This breach highlights the privacy challenges faced by rapidly growing platforms in the digital age. Source: JD Supra.

Security Research

  1. Chinese biz using AI to hit US politicians, influencers with propaganda: A Vanderbilt security researcher has uncovered that GoLaxy is utilizing AI to create and map social media profiles for spreading propaganda targeting US politicians and influencers. This revelation highlights the growing sophistication of AI in manipulating social media landscapes for political influence. Source: The Register.
  2. Researchers demonstrate zero-click prompt injection attacks in popular AI agents: At the Black Hat USA security conference, researchers from Zenity showcased zero-click and one-click exploits targeting popular AI agents. These vulnerabilities allow attackers to manipulate AI systems without user interaction, posing significant risks to AI security. Source: CSO Online.
  3. Data Dump From APT Actor Yields Clues to Attacker Capabilities: A significant data dump from an APT actor has been analyzed by Trend Micro researchers, providing valuable insights into the attacker's tools and methods. This disclosure is crucial for understanding and defending against sophisticated cyber threats. Source: Dark Reading.
  4. Hackers Went Looking for a Backdoor in High-Security Safes—and Now Can Open Them in Seconds: Security researchers have discovered techniques to exploit vulnerabilities in electronic safes, allowing them to be opened in seconds. This finding exposes critical security flaws in devices meant to protect valuable assets. Source: Wired.
  5. Security researchers find biometrics vulnerability in Windows Hello for Business: German cybersecurity researchers have identified a flaw in Windows Hello for Business that could allow unauthorized access using biometric data. This vulnerability underscores the importance of robust security measures in biometric authentication systems. Source: Biometric Update.

API Security

  1. Assemblyline 4 Service Client Path Traversal Vulnerability: A critical vulnerability in Assemblyline 4 Service Client allows a malicious server to exploit path traversal, potentially writing files to arbitrary locations on disk. This issue is resolved in version 4.6.1.dev138. Source: CVE-2025-55013.
  2. OpenBao Login MFA Bypass: OpenBao's MFA system was vulnerable to bypass due to whitespace normalization in TOTP codes, allowing attackers to reuse MFA codes. This vulnerability is patched in version 2.3.2. Source: CVE-2025-55003.
  3. OpenBao User Enumeration via Timing Side-Channel: A timing side-channel vulnerability in OpenBao's userpass auth method allowed user enumeration. This issue is fixed in version 2.3.2. Source: CVE-2025-54999.
  4. OpenBao User Lockout Bypass: Attackers could bypass user lockout mechanisms in OpenBao's Userpass and LDAP auth systems due to aliasing issues. The vulnerability is resolved in version 2.3.2. Source: CVE-2025-54998.
  5. OpenBao Privileged Operator Code Execution: Privileged OpenBao operators could execute unauthorized code and make network connections via the audit subsystem. This vulnerability is patched in version 2.3.2. Source: CVE-2025-54997.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with threats evolving at a rapid pace. From the high-profile breaches at Google and Columbia University to vulnerabilities in AI systems and biometric authentication, the need for robust cybersecurity measures has never been more pressing.

These stories remind us of the importance of staying informed and vigilant in the face of ever-present cyber threats. Whether it's a ransomware attack on a tech giant, a data breach at an educational institution, or a vulnerability in a popular app, each incident underscores the critical need for proactive security strategies.

We hope you found today's insights valuable and that they empower you to better protect your digital assets. If you enjoyed this newsletter, please consider sharing it with your friends and colleagues. Together, we can build a more secure digital world, one informed reader at a time.

Stay safe and see you in the next edition of Secret CISO!