WEEKLY TOP TEN: February 23, 2025, 16:00 GMT
- PayPal Data Breach — Personal Info Exposed for Months
PayPal disclosed that a coding error in its PayPal Working Capital (PPWC) loan app left sensitive customer personal data—including Social Security numbers, dates of birth and contact information—exposed to unauthorized individuals from July 1 to December 13, 2025. The fintech giant identified and rolled back the faulty code in mid-December and has sent breach notifications to affected users, while resetting passwords and offering credit monitoring. Although the affected cohort is relatively small, the exposure of high-value identity attributes raises the risk of targeted fraud and identity theft.

- ShinyHunters Demand Ransom from Wynn Resorts Breach
The ShinyHunters extortion group claimed to have exfiltrated data from Wynn Resorts, the Las Vegas hotel and casino giant, demanding a $1.5 million ransom. While details remain sparse, initial reports suggest the threat actor obtained sensitive corporate data from Wynn’s systems, consistent with ShinyHunters’ history of selling or leaking stolen information when extortion demands go unmet. This underscores the ongoing exposure of the hospitality and entertainment sectors to data theft and extortion.

- Honeywell CCTV Authentication Bypass Vulnerability
CISA warned of a critical authentication bypass flaw (CVE-2026-1670) affecting multiple Honeywell CCTV models used in commercial and industrial environments. The issue allows unauthenticated attackers to change recovery email addresses and gain unauthorized access to camera feeds, potentially jeopardizing surveillance integrity. Although public exploitation has not been reported yet, risk remains high because the affected devices play a critical role in physical security and monitoring systems. Administrators should isolate these devices and apply controls that minimize their network exposure.

- CISA Orders Emergency Patch for Dell Vulnerability
CISA ordered U.S. federal agencies to patch an actively exploited Dell RecoverPoint vulnerability (CVE-2026-22769) within three days. Suspected Chinese-linked threat actors have exploited the hardcoded credential flaw since mid-2024, deploying a backdoor called Grimbolt and other malware. RecoverPoint is used in VMware VM backup/recovery environments; exploitation allows persistent unauthorized access. Federal systems are at risk until patched, and the order underscores the urgency of defending against long-running exploit campaigns affecting critical infrastructure.

- Mississippi Medical System Ransomware Disrupts Clinics
A ransomware attack knocked out critical IT systems at the University of Mississippi Medical Center (UMMC), forcing closure of all statewide clinics and cancellation of elective procedures. The attack disrupted its electronic medical records platform and other infrastructure, with hospitals reverting to manual workflows and downtime protocols. Emergency and urgent care continued, but the outage severely hampered non-urgent operations. Federal and state authorities, including the FBI, are involved as UMMC works to restore systems and assess any compromise of patient data.

- Fortinet Breach Highlights Weak Credential Risks
The Fortinet firewall breaches show that even without software vulnerabilities, weak credentials and the absence of multi-factor authentication can lead to mass compromise when paired with automated tools. This underscores the importance of rigorous access management, especially for internet-facing network devices.

- Credential Theft Enables French Registry Compromise
Hackers breached France’s national bank account registry (FICOBA), stealing sensitive banking information tied to 1.2 million accounts. The French Ministry of Finance reported that the attacker gained access using stolen credentials from a civil servant who had authorized access to the interministerial information sharing platform. The compromised data includes account identifiers, account holder identities and addresses, and in some cases taxpayer IDs. The incident amplifies concerns about credential-based compromises within government data systems.

- AI-Assisted Hacker Breaches 600+ Fortinet Firewalls
Amazon Integrated Security disclosed that a Russian-speaking threat actor breached more than 600 Fortinet FortiGate firewalls across 55 countries over five weeks using generative AI, not exploits. The attacker targeted exposed management interfaces and weak credentials without multi-factor authentication, then leveraged generative AI tools to automate lateral movement and access propagation. The campaign highlights how AI can be weaponized to scale reconnaissance and takeover operations against network infrastructure at enterprise scale.

- CarGurus Data Grab Claimed by ShinyHunters
Cybercrime group ShinyHunters posted what it claims to be a data haul from CarGurus, the online vehicle marketplace, asserting theft of 1.7 million corporate records. While independent verification is pending, the incident illustrates persistent threats against online marketplaces that maintain large datasets of user and transaction information, and the potential for threat actors to monetize or leak such data after unauthorized access.

- Advantest Hit by Ransomware Attack
Japanese semiconductor test equipment maker Advantest Corporation confirmed a ransomware attack detected on February 15, 2026 that impacted portions of its corporate network. The global supplier—which serves major chip manufacturers—activated incident response protocols and isolated affected systems. While initial reports point to potential data exposure, Advantest has not confirmed any customer or employee data exfiltration. The ongoing investigation aims to determine the full impact and whether sensitive information was accessed, with notifications to be issued if compromise is confirmed.
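The two Fortinet items above share one lesson: management interfaces reachable from the internet, protected only by passwords, are taken over by automated guessing rather than by exploits. The script below is an added example, not code from this digest or from Fortinet. It runs over constructed, vendor-neutral admin-login log lines (the key=value format and the IP addresses are assumptions made for the example) and raises two kinds of alert a defender would want: a successful login that follows a burst of failures from several distinct sources, and any successful admin login from outside an assumed trusted management network.

```python
"""Added example: spot automated credential attacks against an admin
login interface in a simple key=value log. Not from the digest or any
vendor; the log format, addresses and thresholds are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real device output). Fields: ts, user, src, result.
SAMPLE_LOG = """\
ts=2026-02-20T01:00:01Z user=admin src=203.0.113.10 result=failed
ts=2026-02-20T01:00:02Z user=admin src=203.0.113.11 result=failed
ts=2026-02-20T01:00:03Z user=admin src=203.0.113.12 result=failed
ts=2026-02-20T01:00:04Z user=admin src=198.51.100.7 result=failed
ts=2026-02-20T01:00:05Z user=admin src=198.51.100.8 result=failed
ts=2026-02-20T01:00:06Z user=admin src=198.51.100.9 result=success
ts=2026-02-20T09:15:00Z user=netops src=192.0.2.5 result=success
ts=2026-02-20T09:16:00Z user=netops src=192.0.2.5 result=failed
ts=2026-02-20T09:16:30Z user=netops src=192.0.2.5 result=success
"""

# Assumed trusted management network; in practice this is the allow-list
# (or the jump host range) from which admin logins are expected.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"ts=(\S+) user=(\S+) src=(\S+) result=(\S+)")


def parse(log_text):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(dict(zip(("ts", "user", "src", "result"), m.groups())))
    return events


def find_spray_then_success(events, fail_threshold=5, distinct_src_threshold=3):
    """Alert when an account succeeds after >= fail_threshold failures coming
    from >= distinct_src_threshold different sources since its last success.
    That shape (many failures, many sources, then a win) is the signature of
    automated guessing rather than a user mistyping a password."""
    alerts = []
    failures = defaultdict(list)  # user -> source IPs of failures since last success
    for e in events:
        user = e["user"]
        if e["result"] == "failed":
            failures[user].append(e["src"])
        elif e["result"] == "success":
            srcs = failures[user]
            if len(srcs) >= fail_threshold and len(set(srcs)) >= distinct_src_threshold:
                alerts.append({
                    "user": user, "ts": e["ts"], "src": e["src"],
                    "failures": len(srcs), "distinct_sources": len(set(srcs)),
                })
            failures[user] = []  # a success closes the window for that account
    return alerts


def find_success_outside_trusted(events, trusted_nets=TRUSTED_MGMT_NETS):
    """Alert on every successful login whose source is outside the trusted
    management networks: an internet-facing admin interface should never
    see one of these, whatever the password quality."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in trusted_nets):
            alerts.append({"user": e["user"], "ts": e["ts"], "src": e["src"]})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in find_spray_then_success(evs):
        print("SPRAY-THEN-SUCCESS:", a)
    for a in find_success_outside_trusted(evs):
        print("UNTRUSTED-SOURCE SUCCESS:", a)
```

On the sample, the `admin` account trips both detectors (five failures from five sources, then a success from 198.51.100.9, which is outside the trusted range), while `netops` trips neither: a single failure followed by a success from the same trusted host is ordinary user behaviour. The two checks are deliberately independent, because the second one still fires when an attacker guesses right on the first try.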
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by risk and drawing on multiple sources where available.