TLDR Information Security 2025-10-09
Attacks & Vulnerabilities
DraftKings warns of account breaches in credential stuffing attacks (2 minute read)
DraftKings disclosed a credential stuffing attack where threat actors used stolen username/password combinations from external breaches to gain unauthorized access to customer accounts, exposing names, addresses, phone numbers, email addresses, and partial payment card information. The company is requiring affected users to reset passwords and enable multi-factor authentication. This is DraftKings’ second major credential stuffing incident since 2022, when attackers previously stole up to $300,000 from compromised accounts. The attack highlights the ongoing vulnerability of organizations to credential reuse attacks, where users’ poor password hygiene across multiple platforms enables account takeovers even when the targeted company’s own systems remain secure.
Rainwalk Pet Insurance Exposes 158 GB of US Customer and Pet Data (2 minute read)
Rainwalk Pet Insurance exposed 158 GB of unprotected customer data containing 85,361 files, including pet insurance claims, veterinary bills, customer names, addresses, phone numbers, partial credit card numbers, and pet medical histories with microchip numbers. Security researcher Jeremiah Fowler discovered the misconfigured database and notified the company, but it remained publicly accessible for nearly a month before being secured. The breach creates significant fraud risks as criminals could exploit the combined pet and owner data to submit fraudulent insurance claims, intercept Venmo refunds, or conduct targeted scams using legitimate claim information and emotional manipulation tactics.
Salesforce says it won’t pay extortion demand in 1 billion records breach (3 minute read)
Salesforce has refused to pay a crime group calling itself Scattered LAPSUS$ Hunters, which claims to have stolen about 1 billion records from major clients. The hackers used social engineering to breach Salesforce portals and threatened to leak customer data unless paid.
Strategies & Tactics
New Research: AI Is Already the #1 Data Exfiltration Channel in the Enterprise (4 minute read)
LayerX research reveals AI has become the #1 corporate data exfiltration channel, with 45% of enterprise employees using generative AI tools and 67% accessing them through unmanaged personal accounts outside IT control. The primary threat vector is the use of copy/paste operations in AI platforms, with employees performing an average of 14 pastes per day via personal accounts, and at least three of these containing sensitive data, such as PII or PCI information. Traditional DLP tools miss this threat entirely since they’re designed for file-based environments, while 40% of files uploaded to GenAI tools contain sensitive data, and 77% of employees paste corporate data directly into these platforms.
UNC6040 is a financially motivated threat group that utilizes voice phishing (vishing) to deceive employees into authorizing malicious Salesforce Data Loader applications, thereby enabling large-scale data theft from corporate Salesforce instances. The attackers impersonate IT support personnel to manipulate victims into granting OAuth access to fake connected apps, then systematically exfiltrate sensitive data using legitimate Salesforce tools. Organizations should implement phishing-resistant MFA, restrict API access to approved applications only, enforce network-based login restrictions, and deploy real-time detection rules that monitor for suspicious OAuth authorizations followed by bulk data exports.
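One way to express the last recommendation as a detection rule, added here as an illustration and not code from the report or from Salesforce: flag a user who authorizes a connected app outside an approved allowlist and then runs a bulk export shortly afterwards. The event tuples, field names, approved-app list and thresholds are all constructed for this example; Salesforce's real event log schema differs.

```python
"""Detection sketch for the UNC6040 pattern: OAuth consent to an unapproved
connected app followed by a bulk data export from the same user.
Event format, app names and thresholds are assumptions made for this example."""
from datetime import datetime, timedelta

APPROVED_APPS = {"Corp Data Loader"}   # assumption: the org's vetted connected apps

# Constructed sample events: (timestamp, user, event_type, detail, rows)
# detail = connected app name for OAUTH_AUTHORIZE, exported object for BULK_EXPORT
SAMPLE_EVENTS = [
    ("2025-10-06T09:02:11", "alice@example.com", "OAUTH_AUTHORIZE", "Corp Data Loader", 0),
    ("2025-10-06T09:10:40", "alice@example.com", "BULK_EXPORT", "Account", 12000),
    ("2025-10-06T14:31:05", "bob@example.com", "OAUTH_AUTHORIZE", "Data Loader Support", 0),
    ("2025-10-06T14:39:52", "bob@example.com", "BULK_EXPORT", "Contact", 250000),
    ("2025-10-06T15:05:00", "carol@example.com", "OAUTH_AUTHORIZE", "Ticket Helper", 0),
    ("2025-10-07T08:00:00", "carol@example.com", "BULK_EXPORT", "Lead", 30000),
]


def parse(event):
    """Turn the ISO timestamp string into a datetime so events sort and subtract."""
    ts, user, kind, detail, rows = event
    return datetime.fromisoformat(ts), user, kind, detail, rows


def detect_oauth_then_export(events, approved=APPROVED_APPS,
                             window_minutes=60, bulk_rows=10_000):
    """Return alerts as (user, app, exported_object, rows).

    An alert fires when a user authorizes a connected app that is not in
    `approved` and, within `window_minutes`, exports at least `bulk_rows`
    rows. Consent to an approved app never produces an alert on its own."""
    window = timedelta(minutes=window_minutes)
    pending = {}   # user -> (authorization time, unapproved app name)
    alerts = []
    for ts, user, kind, detail, rows in sorted(map(parse, events)):
        if kind == "OAUTH_AUTHORIZE" and detail not in approved:
            pending[user] = (ts, detail)
        elif kind == "BULK_EXPORT" and rows >= bulk_rows and user in pending:
            auth_ts, app = pending[user]
            if ts - auth_ts <= window:
                alerts.append((user, app, detail, rows))
                del pending[user]   # one alert per consent event
    return alerts
```

Widening `window_minutes` to a day makes the carol case fire too, which is the usual tuning trade-off between catching slow exfiltration and alert volume.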
Look mom HR application Look mom no job (9 minute read)
Cybercriminals are now exploiting trusted collaboration platforms, such as Zoom, to execute highly convincing phishing attacks. By sending what appear to be legitimate HR documents via Zoom, attackers redirect recipients to a fake “bot protection” page and then to a Gmail login imitation designed to steal credentials. Credentials entered on this page are exfiltrated in real time over a WebSocket connection, allowing attackers to validate and use them swiftly.
Launches & Tools
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
pipe-intercept is a tool to intercept Windows Named Pipes communication using Burp or similar HTTP proxy tools.
UNIX-like reverse engineering framework and command-line toolset.
Miscellaneous
New Mic-E-Mouse Attack Shows Computer Mice Can Capture Conversations (2 minute read)
The “Mic-E-Mouse” attack shows that high-precision computer mice can function as unintended listening devices: their sensitive optical sensors detect minute desk vibrations caused by sound waves. The attack converts mouse movement data into audio signals using machine learning, achieving 42-61% speech recognition accuracy without requiring malware installation; only access to normal mouse data packets is needed. This side-channel attack illustrates how increasingly sensitive hardware can create unexpected privacy vulnerabilities, particularly as high-DPI gaming mice become more widespread and affordable.
Germany slams brakes on EU’s Chat Control device-scanning snoopfest (7 minute read)
Germany’s government has decided to block the EU’s Chat Control regulation, which aimed to compel messaging services to scan all user chats—including those on encrypted platforms—for child abuse material. This stance creates a crucial blocking minority, likely ending the proposal, as it reflects the widespread concerns about privacy, democracy, and digital rights from major tech and privacy advocacy organizations.
Disrupting malicious uses of AI: October 2025 (20 minute read)
OpenAI highlights recent efforts to block malicious use of AI, targeting scams, cybercrime, and manipulation by various threat actors. Most attackers use AI to accelerate existing tactics rather than invent new attacks; OpenAI has banned accounts that violate its usage policies.
Quick Links
Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware (2 minute read)
Microsoft linked Storm-1175 to exploiting a critical flaw in Fortra GoAnywhere, enabling Medusa ransomware deployment.
Apple turned the CrowdStrike BSOD issue into an anti-PC ad (2 minute read)
Apple released an eight-minute commercial mocking last year’s CrowdStrike update that caused a Windows Blue Screen of Death and affected millions of PCs to show how Apple’s operating system prevents such kernel-level issues.
Google AI Mode finally made available across Europe (2 minute read)
Google’s AI Mode search feature, launched across Europe in 35 languages after regulatory delays, is now facing antitrust lawsuits from publishers who claim the AI-powered search summaries use their content without consent and reduce traffic to their sites.