Secret CISO 9/6: 23andMe, Wealthsimple, TeslaMate, PromptLocker - Genetic Data Breach Sparks AI Ransomware Concerns Amidst Financial and IoT Security Challenges

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity breaches and vulnerabilities that have surfaced across the globe. In a world where data is the new currency, the stakes have never been higher, and today's stories are a testament to the relentless pursuit of securing our digital lives.

We begin with 23andMe, which is seeking a $50 million settlement following a massive data breach that compromised the genetic and personal information of millions. This incident underscores the critical importance of safeguarding sensitive data, a theme echoed by the Church of England's Redress Scheme and Kerrville ISD, both of which have faced significant breaches.

Financial and personal data security continues to be a pressing concern, as evidenced by the breaches at Wealthsimple and the National Lottery of Luxembourg. Meanwhile, a vulnerability in the TeslaMate app highlights the risks of third-party applications, and NYU's PromptLocker project serves as a stark reminder of the potential for AI-driven ransomware threats.

On the global stage, misconfigured servers have exposed personal data across seven countries, while a medical cannabis firm faces legal action over health data exposure. The tech world is not immune, with TP-Link racing to patch a zero-day vulnerability and multiple CVEs revealing critical flaws in widely used software.

Finally, we delve into lessons on Cross-Site Scripting and Cross-Site Request Forgery, emphasizing the need for robust security measures in application development. As we navigate these challenges, today's newsletter serves as a crucial reminder of the ever-evolving landscape of cybersecurity threats and the imperative to stay vigilant.

Data Breaches

  1. 23andMe seeks approval of larger, $50 million data breach settlement: 23andMe is pursuing a $50 million settlement to address claims from a 2023 data breach that compromised genetic and personal information of approximately 6.4 million individuals. This breach has sparked significant concern due to the sensitive nature of the data involved. Source.
  2. House of Survivors Redress Scheme data breach statement: The Church of England's Redress Scheme experienced a data breach on August 27th, leaking personal details of nearly 200 survivors of abuse. This incident has raised serious privacy concerns and highlighted vulnerabilities in handling sensitive information. Source.
  3. Kerrville ISD data breach exposed private information of 4300 people in August: Kerrville Independent School District suffered a data breach that exposed sensitive information, including Social Security numbers and medical data, of 4,300 individuals. The breach underscores the ongoing challenges educational institutions face in safeguarding personal information. Source.
  4. SINs among customer data accessed in Wealthsimple security breach: Wealthsimple, a FinTech company, reported unauthorized access to some customer data, including Social Insurance Numbers, following a security breach on August 30th. The incident highlights the risks associated with financial data security in the digital age. Source.
  5. Cyber attack: Loterie Nationale reports data breach: The National Lottery of Luxembourg disclosed a data breach where customer information such as names, addresses, and bank details were stolen. This breach has raised alarms about the security measures in place to protect sensitive customer data. Source.

Security Research

  1. Vulnerability in Tesla Open Source App TeslaMate May Expose User Data: A security researcher from Turkey, known as @Sword_Sec, discovered a vulnerability in the open-source app TeslaMate, which could potentially expose user data. TeslaMate, although not officially affiliated with Tesla, is used by many Tesla owners to track their vehicle data. The vulnerability highlights the risks associated with using third-party applications for sensitive data. Source: BornCity.
  2. AI-powered PromptLocker Ransomware is Just an NYU Research Project: Researchers at NYU developed a project called PromptLocker, which functions as a typical ransomware by selecting targets, exfiltrating data, and encrypting volumes. Although it was created for research purposes, the project demonstrates the potential for AI to be used in developing sophisticated ransomware attacks. This highlights the need for increased vigilance and security measures against AI-driven threats. Source: Tom's Hardware.
  3. Government-level Personal Data Leaked Across Seven Countries: Cybernews security researchers identified three misconfigured servers that exposed personal data of over 250 million individuals across seven countries. The data leak underscores the critical importance of proper server configuration and data protection measures to prevent unauthorized access to sensitive information. Source: Dataconomy.
  4. Medical Cannabis Firm Sued Over Health Data Exposure: A security researcher discovered an unprotected and unencrypted database belonging to a medical cannabis firm, exposing nearly one million personal records. This breach has led to a lawsuit, emphasizing the legal and financial repercussions companies face when failing to secure sensitive health data. Source: BankInfoSecurity.
  5. Global Fix for TP-Link Zero-Day Imminent: Security researcher Mehrun, also known as ByteRay, discovered a zero-day vulnerability in TP-Link devices. The vulnerability has prompted TP-Link to work on a global fix, highlighting the ongoing challenges in securing IoT devices and the importance of timely patching to protect against potential exploits. Source: SC Media.

Top CVEs

  1. CVE-2025-32318: In Skia, a heap buffer overflow vulnerability could lead to remote escalation of privilege without requiring additional execution privileges or user interaction. This flaw poses a significant risk as it allows attackers to potentially execute arbitrary code remotely. Source: Vulners.
  2. CVE-2025-58367: DeepDiff, a Python project, is vulnerable to class pollution via the Delta class constructor, leading to Denial of Service and Remote Code Execution through insecure Pickle deserialization. This vulnerability allows execution of arbitrary Python code if the input to Delta is user-controlled, posing a severe threat depending on the application context. Source: Vulners.
  3. CVE-2024-0028: A missing permission check in Audio Service allows potential attackers to obtain MAC addresses of nearby Bluetooth devices, leading to local escalation of privilege. This vulnerability does not require user interaction, making it a critical concern for privacy and security. Source: Vulners.
  4. CVE-2025-53791: Microsoft Edge (Chromium-based) has an improper access control vulnerability that allows unauthorized attackers to bypass a security feature. This flaw could enable attackers to execute unauthorized actions, posing a significant threat to user security. Source: Vulners.
  5. CVE-2025-58794: A Cross-Site Request Forgery (CSRF) vulnerability in the Notification for Telegram plugin allows attackers to perform unauthorized actions on behalf of users. This vulnerability affects releases before the fixed version, highlighting the need for users to update to a secure version promptly. Source: Vulners.

API Security

  1. react-xss-csrf: This lesson introduces Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) using a simple banking application. It demonstrates how JWT authentication is used to verify user identity and authorize access to protected resources. The demo highlights the importance of securing JWTs and preventing XSS vulnerabilities by ensuring that user inputs are properly sanitized. Source: Vulners.
  2. CVE-2025-58366: Onyxia, a data science environment for Kubernetes, had a vulnerability in versions 4.6.0 through 4.8.0 where the API leaked credentials of private Helm repositories via the /public/catalogs endpoint. This issue affected instances using private Helm repositories and was fixed in later versions. Source: Vulners.
  3. Atlantis Exposes Service Version Publicly on /status API Endpoint: Atlantis exposed detailed version information on its /status endpoint, which could allow attackers to identify and exploit known vulnerabilities. This information disclosure violates best practices for minimizing exposed sensitive metadata. Source: Vulners.
  4. Coder vulnerable to privilege escalation could lead to a cross workspace compromise: Insecure session handling in Coder allowed for privilege escalation, potentially compromising prebuilt workspaces. The vulnerability stemmed from session tokens not being properly expired, leading to unauthorized access. Source: Vulners.
  5. ImageMagick BlobStream Forward-Seek Under-Allocation: A vulnerability in ImageMagick's BlobStream component allowed for a heap out-of-bounds write, potentially leading to memory corruption and code execution. This issue was due to improper handling of stream offsets and capacity adjustments. Source: Vulners.
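The forward-seek under-allocation in item 5 is a general bug class: a seek moves the cursor past the bytes written so far, and a later write sizes the buffer from the written length instead of the cursor position, so the copy runs off the end of the heap block. The following is an added teaching model in C, not ImageMagick's code; the BlobStream type and blob_* functions are hypothetical and show the correct handling (grow from offset + count, zero-fill the gap, reject offsets that would overflow).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical in-memory blob stream: a teaching model, not ImageMagick's code. */
typedef struct {
    unsigned char *data;
    size_t length;   /* logical end of the data written so far */
    size_t capacity; /* bytes actually allocated behind data */
    size_t offset;   /* cursor; after a forward seek it may lie beyond length */
} BlobStream;
static int blob_init(BlobStream *b, size_t initial) {
    b->data = calloc(initial ? initial : 1, 1);
    if (b->data == NULL) return 0;
    b->length = 0; b->capacity = initial; b->offset = 0;
    return 1;
}
/* A forward seek only moves the cursor; it never allocates, so no later step may assume the offset is backed by memory. */
static int blob_seek(BlobStream *b, size_t new_offset) {
    if (new_offset > SIZE_MAX / 2) return 0; /* keeps offset + count overflow-checkable */
    b->offset = new_offset;
    return 1;
}
/* Grow the allocation so bytes [0, needed) exist; zero-fill the gap so a reader never sees stale heap. */
static int blob_ensure_capacity(BlobStream *b, size_t needed) {
    if (needed <= b->capacity) return 1;
    size_t new_cap = b->capacity ? b->capacity : 1;
    while (new_cap < needed) {
        if (new_cap > SIZE_MAX / 2) { new_cap = needed; break; } /* avoid wrap-around */
        new_cap *= 2;
    }
    unsigned char *p = realloc(b->data, new_cap);
    if (p == NULL) return 0;
    memset(p + b->capacity, 0, new_cap - b->capacity);
    b->data = p; b->capacity = new_cap;
    return 1;
}
/* The under-allocation bug class: sizing from length + count while copying to data + offset.
 * After a forward seek that leaves offset - length bytes unbacked. Size from offset + count instead. */
static size_t blob_write(BlobStream *b, const unsigned char *src, size_t count) {
    if (count > SIZE_MAX - b->offset) return 0; /* offset + count would overflow */
    size_t end = b->offset + count;
    if (!blob_ensure_capacity(b, end)) return 0;
    memcpy(b->data + b->offset, src, count);
    b->offset = end;
    if (end > b->length) b->length = end;
    return count;
}
static void blob_free(BlobStream *b) { free(b->data); memset(b, 0, sizeof *b); }
```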

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape continues to present both challenges and opportunities. From the $50 million settlement sought by 23andMe to address a massive data breach, to the vulnerabilities found in TeslaMate and TP-Link devices, each story underscores the critical importance of vigilance and proactive security measures.

The breaches and vulnerabilities we've discussed today highlight the ongoing battle to protect sensitive information across various sectors, including healthcare, education, finance, and technology. Whether it's the exposure of genetic data, financial information, or personal records, the need for robust security protocols and timely updates is more pressing than ever.

As we navigate these complex issues, remember that sharing knowledge is a powerful tool in our collective defense against cyber threats. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a more informed and secure digital community.

Thank you for joining us today. Stay vigilant, stay informed, and we'll see you in the next edition of Secret CISO.
