By security practitioners, for security practitioners

Weekly Top 10: 10.06.2025: Hackers Launch Extortion Campaign Targeting Oracle E-Business Suite Customers; GreyNoise Detects 500% Surge in Scans Targeting Palo Alto Networks Portals; Ransomware Gang Sought BBC Reporter’s Help, and More.

WEEKLY TOP TEN: October 06, 2025, 16:00 GMT

  1. Red Hat Confirms Security Incident After GitLab Breach Claims

    Red Hat confirmed a breach of a GitLab instance used by its Consulting team after the “Crimson Collective” boasted of exfiltrating ~570GB across 28,000 private repositories. Red Hat says core products and main developer platforms were not impacted, but stolen data could include source, credentials, and customer engagement materials—raising possible downstream risk to clients. The company is rotating secrets, notifying affected parties, and auditing access. The report breaks down what was (and wasn’t) touched, attacker claims, and defensive steps enterprises using Red Hat services should consider.
  2. Allianz Life Data Breach Impacted 1.5 Million People

    Allianz Life (U.S.) confirmed a July breach of a cloud-hosted CRM, now assessed at ~1.5M affected. Stolen data includes names, contact details, dates of birth, and Social Security numbers for customers, financial professionals, and some employees. The article provides an updated impact window, data elements, and risk guidance for identity theft. It also ties the case to earlier notifications and discusses insurers’ exposure from SaaS/CRM platforms.
  3. Hackers Launch Extortion Campaign Targeting Oracle E-Business Suite Customers

    Executives at multiple enterprises reported extortion emails alleging theft from Oracle E-Business Suite environments. Researchers see overlaps with Cl0p/FIN11 tactics used during other enterprise SaaS extortion waves. While attribution and data-theft claims are still being validated, the campaign’s scale and targeting pose immediate phishing and social-engineering risks for Oracle EBS customers. The report outlines indicators, social-proof techniques, and defensive guidance for ERP admins (log reviews, SSO token hygiene, and third-party integration audits).
  4. GreyNoise Detects 500% Surge in Scans Targeting Palo Alto Networks Portals

    Telemetry vendor GreyNoise observed a 500% spike (Oct 3) in internet-wide scanning of Palo Alto Networks login portals, with most IPs flagged as suspicious or malicious. While not a confirmed breach, the activity indicates mass reconnaissance that could precede credential stuffing or exploit attempts. The post includes counts, timing, and the short-term hardening steps PAN customers should take (MFA enforcement, geo-IP rules, lockout thresholds, and monitoring failed logins).
  5. Ransomware Gang Sought BBC Reporter’s Help in Hacking Media Giant

    A threat actor posing as Medusa approached a BBC journalist, proposing he act as an insider to gain corporate access—and even offering a cut of any ransom. The reporter disclosed the approach, and the piece analyzes the social-engineering tradecraft, motivations, and why media organizations face unique targeting risks (sources, embargoed content, and backend editorial systems). It also covers the BBC’s security posture and the broader insider-recruitment trend among ransomware crews.
  6. Chinese APT ‘Phantom Taurus’ Targeting Gov’t and Telco Orgs With Net-Star Malware

    Palo Alto Networks reported long-running espionage by Phantom Taurus against government and telecommunications organizations, using a custom “Net-Star” backdoor and tailored TTPs. This is an ongoing campaign rather than a single breach, but the report names the sectors and techniques that defenders in those sectors should be watching for now. The article summarizes infection chains, infrastructure, and recommended mitigations for targeted enterprises.
  7. Microsoft Disables Risky Inline SVG in Outlook After Active Abuse in Attacks

    Microsoft announced Outlook on the web and the New Outlook for Windows will stop rendering inline SVG images due to exploitation in real-world phishing/malware campaigns. The change (rolling out in September and completing by mid-October) directly responds to attacker abuse of embedded SVG for payload delivery. The article explains the attack chain, affected Outlook clients, and what security teams should update in mail-flow policies and content filters. While not a breach of Microsoft, it’s an immediate incident-driven protection for Microsoft 365 tenants.
  8. Data Breach at Dealership Software Provider Impacts 766,000 Clients

    More than 766,000 people are being notified by Motility Software Solutions (RV/powersports dealership software) that servers that support business operations were compromised by a ransomware intrusion. Customer and employee PII used across dealer networks is among the stolen data. The article describes the data scope, the discovery timeline, and the reasons vertical SaaS providers make a desirable target (high-value, concentrated datasets). It also highlights next steps for dealerships downstream of Motility’s platform.
  9. Harrods Suffers New Data Breach Exposing 430,000 Customer Records

    Luxury retailer Harrods disclosed that a compromised third-party supplier led to the theft of ~430,000 e-commerce customer records. Exposed data reportedly includes names and contact details; payment data was processed elsewhere. Harrods is resetting credentials where relevant and warning about phishing that impersonates its support channels. The story centers on supply chain risk in retail e-commerce stacks and what controls can reduce vendor blast radius (tokenization, segregation, and minimal data retention).
  10. WestJet Data Breach Exposes Travel Details of 1.2 Million Customers

    WestJet is notifying ~1.2M people that personal data—including passport and government ID numbers collected during travel—was stolen in a June cyberattack. While payment data wasn’t stored, exposed PII raises identity theft and targeted phishing risks. The airline outlined the timeline, investigation status, and remediation (credit monitoring, regulator notifications). The write-up details where data resided, what was taken, and potential crossover to loyalty accounts and partner systems. It also cites the regulatory posture in Canada for breach disclosures in the aviation sector.
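Item 4 closes with the short-term controls GreyNoise recommends for login portals: lockout thresholds and monitoring of failed logins. The block below is an added example, not code from GreyNoise, Palo Alto Networks, or Novacoast, showing what that monitoring looks like in practice: a sliding-window count of failed logins per source address that raises an alert when a threshold is crossed and reports how many distinct usernames the source tried (many usernames with few attempts each is the password-spraying signature that a per-account lockout alone misses). The log lines and their `portal auth=... user=... src=...` format are constructed for the example; real PAN-OS or SIEM records use different field names, so `LINE_RE` is the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a generic "portal auth" format (not PAN-OS syntax).
# 203.0.113.10 hammers the portal with several usernames; 198.51.100.7 is a real user
# who mistypes once and then logs in.
SAMPLE_LOG = """\
2025-10-03T14:00:01Z portal auth=FAIL user=admin src=203.0.113.10
2025-10-03T14:00:03Z portal auth=FAIL user=admin src=203.0.113.10
2025-10-03T14:00:05Z portal auth=FAIL user=administrator src=203.0.113.10
2025-10-03T14:00:07Z portal auth=FAIL user=test src=203.0.113.10
2025-10-03T14:00:09Z portal auth=FAIL user=root src=203.0.113.10
2025-10-03T14:00:11Z portal auth=FAIL user=guest src=203.0.113.10
2025-10-03T14:00:20Z portal auth=FAIL user=jsmith src=198.51.100.7
2025-10-03T14:00:40Z portal auth=OK user=jsmith src=198.51.100.7
2025-10-03T14:30:00Z portal auth=FAIL user=admin src=203.0.113.10
"""

# Field layout of the constructed format above; adapt this regex for real portal logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal auth=(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed logins inside a sliding `window`.

    Returns {src: {"first_alert_at": ISO time the threshold was first crossed,
                   "max_failures_in_window": peak failures seen inside one window,
                   "distinct_users": usernames tried by that source}}.
    A large distinct_users count on an alerting source is the password-spraying signal.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames seen on failed attempts
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "FAIL":
            continue                # successful logins do not count toward the threshold
        users[src].add(user)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(src, {
                "first_alert_at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "max_failures_in_window": 0,
                "distinct_users": 0,
            })
            entry["max_failures_in_window"] = max(entry["max_failures_in_window"], len(q))
            entry["distinct_users"] = len(users[src])
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(src, info)
```

The window is evaluated per source rather than per account on purpose: a scanner that rotates usernames never trips a per-account lockout, but it does accumulate failures from one address. The isolated failure at 14:30 from the same source falls outside the window and does not re-alert, which keeps a stale entry from firing forever once the burst has ended.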

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawn from multiple sources where available.
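Item 7 notes that security teams should update mail-flow policies and content filters in step with Microsoft's decision to stop rendering inline SVG in Outlook. As an added example (not Microsoft's code and not a Novacoast tool), the block below shows the check such a filter needs: walk every MIME part of a message and report SVG wherever it appears, whether as an `image/svg+xml` part referenced by Content-ID, as a `.svg` attachment, or as an `<svg>` element or `data:image/svg+xml` URI embedded directly in the HTML body. The sample message is constructed here with the standard-library `email` package and contains only a harmless rectangle; the point is locating the format, not the payload.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# SVG smuggled inside the HTML body rather than shipped as a separate MIME part.
SVG_TAG_RE = re.compile(r"<svg\b", re.IGNORECASE)
SVG_DATA_URI_RE = re.compile(r"data:image/svg\+xml", re.IGNORECASE)


def build_sample_message():
    """Constructed test message (not a real phishing sample): an HTML body carrying an
    inline <svg> element plus an image/svg+xml part referenced by Content-ID."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice 1042"
    msg.set_content("Your invoice is attached.")
    msg.add_alternative(
        '<html><body><p>Your invoice is attached.</p>'
        '<img src="cid:logo">'
        '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
        '<rect width="10" height="10"/></svg>'
        '</body></html>',
        subtype="html",
    )
    svg_part = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
                b'<rect width="10" height="10"/></svg>')
    msg.add_attachment(svg_part, maintype="image", subtype="svg+xml",
                       filename="logo.svg", disposition="inline", cid="<logo>")
    return msg


def scan_message_bytes(raw):
    """Walk every MIME part of a raw RFC 5322 message and report each place SVG appears.

    Each finding is {"content_type", "filename", "reason"}. A mail-flow rule can
    quarantine on any finding, or strip just the offending parts.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if ctype == "image/svg+xml" or fname.lower().endswith(".svg"):
            # Declared SVG part, inline or attached; the filename check catches parts
            # mislabelled with a generic content type such as application/octet-stream.
            findings.append({"content_type": ctype, "filename": fname,
                             "reason": "svg mime part"})
        elif ctype == "text/html":
            body = part.get_content()   # decoded text regardless of transfer encoding
            if SVG_TAG_RE.search(body):
                findings.append({"content_type": ctype, "filename": fname,
                                 "reason": "inline <svg> element in html body"})
            if SVG_DATA_URI_RE.search(body):
                findings.append({"content_type": ctype, "filename": fname,
                                 "reason": "svg data: uri in html body"})
    return findings


if __name__ == "__main__":
    for finding in scan_message_bytes(build_sample_message().as_bytes()):
        print(finding)
```

The scan operates on the decoded body of each part, so base64 or quoted-printable transfer encoding does not hide the markup, and it checks the filename as well as the declared content type because a sender controls both headers. A gateway policy built on this would typically quarantine rather than silently drop, so the recipient learns the message existed.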

