The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft. READ MORE...
The FBI's Internet Crime Complaint Center (IC3) says that the elderly are more at risk from falling victim to online fraud and internet scammers than ever before. In fact, according to the IC3's latest published annual report, seniors suffered a staggering US $4.885 billion dollars worth of losses last year - a 43% increase from 2023. With an average loss of US $83,000 and an astonishing 7,500 complainants reporting that they have lost in excess of US $100,000, it's clearly essential that more is done to raise awareness amongst those who are vulnerable. READ MORE...
Microsoft says the August 2025 security updates are triggering unexpected User Account Control (UAC) prompts and app installation issues for non-admin users across all supported Windows versions. This known issue is caused by a security patch that addresses the CVE-2025-50173 Windows Installer privilege escalation vulnerability, which can allow authenticated attackers to gain SYSTEM privileges due to a weak authentication issue. READ MORE...
Threat actors have been using multiple websites promoted through Google ads to distribute a convincing PDF editing app that delivers an info-stealing malware called TamperedChef. The campaign is part of a larger operation with multiple apps that can download each other, some of them tricking users into enrolling their system into residential proxies. More than 50 domains have been identified to host deceiving apps signed with fraudulent certificates issued by at least four different companies. READ MORE...
Adversaries used a sample machine key that was included in Sitecore deployment guides from 2017 and earlier and executed a ViewState deserialization attack against internet-accessible Sitecore instances. The issue, tracked as CVE-2025-53690 (CVSS score of 9.0), is described as a deserialization of untrusted data bug affecting Sitecore Experience Manager (XM) and Experience Platform (XP) prior to version 9.0 that were deployed using the sample key exposed in the guides. READ MORE...
People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff your data-and they're not being honest about who's behind them. The report, called Hidden Links: Analyzing Secret Families of VPN Apps, comes from researchers at the University of Toronto's Citizen Lab, and Arizona State University. READ MORE...
Attackers are exploiting a WhatsApp security vulnerability affecting iPhone iOS in a "sophisticated" zero-click attack against targeted Apple users. The campaign also uses a previously discovered and patched iOS flaw, CVE-2025-43300, known to be used in other attacks. The incidents, which have affected about 200 people so far, have spurred the US government to urge users across its federal workforce to update their devices immediately. READ MORE...