SparTech Software CyberPulse – Your quick strike cyber update for July 31, 2025 7:06 PM

Massive Credential Leak: 16 Billion Passwords Exposed in Largest Data Breach

In June 2025, researchers uncovered one of the largest accumulations of stolen credentials ever discovered, with over 16 billion login details found accessible online in a single aggregated dataset. This trove includes information from major platforms and illustrates the increasing sophistication and scale of credential theft.

Discovery and Composition of the Leak

Investigators located over 30 discrete datasets, stitched together from exposures affecting major brands such as Google, Apple, IBM, and Facebook. Unlike a single catastrophic incident, this dataset is an aggregation from many breaches, typically gathered by infostealer malware over an extended period. Infostealers extract sensitive data directly from victim machines, including usernames, passwords, browser cookies, and authentication tokens, which are then aggregated for sale.

Technical Mechanisms of the Attack

The malware responsible for such accumulations often operates undetected, using advanced persistence and data exfiltration techniques. These infostealers commonly exploit insecure cloud storage for temporary aggregation before the data is sold or redistributed on criminal forums. Security teams identified that much of the data was likely stored in poorly secured cloud infrastructure, at times inadvertently exposed through misconfigurations.

Implications and Response Strategies

The appearance of such large aggregations highlights the evolving risks of widespread credential reuse, poor password hygiene, and a growing attacker economy based on trading stolen identities. No single-incident breach was reported; the dataset instead reflects the chronic nature of this threat. Experts emphasize adopting multi-factor authentication (MFA) and zero-trust frameworks as the best responses to the continued effectiveness of infostealer operations.

Exploitation of Chrome ANGLE and GPU Vulnerability (CVE-2025-6558) in the Wild

On July 30, 2025, Google Project Zero publicly disclosed the active exploitation of a critical vulnerability in Chrome, tracked as CVE-2025-6558, affecting its ANGLE and GPU components. The vulnerability had reached its 90-day disclosure window and was identified as actively targeted by cyber threat actors.

Technical Details of CVE-2025-6558

The vulnerability exists within ANGLE, an open-source graphics engine abstraction layer used by Chrome to render graphics via hardware acceleration. Successful exploitation can allow attackers to execute arbitrary code in the context of the browser, potentially leading to sandbox escapes and further system compromise. Google Threat Analysis Group (TAG) flagged this vulnerability after observing it exploited in live attacks, likely as part of highly targeted campaigns.

Attack Vectors and Outcomes

Adversaries may deliver malicious code via crafted web pages or advertisements, forcing the browser to trigger the faulty code path in affected GPU processing routines. If combined with other privilege escalation bugs, attackers can achieve persistence or access sensitive data on compromised systems.

Patching and Mitigation

Users and organizations are urged to update their Chrome installations immediately and apply all relevant security patches. Google recommends regular threat monitoring for signs of exploitation and suggests reviewing browser security settings to restrict risky permissions where feasible.

New Linux Malware “Koske” Uses AI-Assisted Code and Polyglot JPEGs for Stealth Attacks

In late July 2025, security researchers reported the emergence of a sophisticated Linux malware dubbed “Koske” that leverages AI-generated code and polyglot images to evade detection and deliver persistent rootkit-based cryptomining payloads.

Infection Vectors and Payload Delivery

Koske is spread via attacks on exposed, misconfigured JupyterLab instances—potentially utilizing vulnerabilities such as CVE-2025-30370. Attackers use seemingly innocuous JPEG images of pandas, which are polyglot files that simultaneously represent valid image data and executable malware code. This approach allows Koske to bypass traditional file-based antivirus scanning, as the malware is only assembled in memory during execution.

Rootkit Functionality and Cryptomining Operations

Once executed, Koske installs an in-memory rootkit, granting attackers full stealth access and persistence on the target Linux system. The malware then silently engages in cryptomining, directing computational resources to attacker-controlled wallets. Because the rootkit operates only in memory and uses novel AI-generated obfuscation techniques, it is highly resistant to detection and analysis.

Defensive Recommendations

Security teams are advised to audit all JupyterLab and similar exposed infrastructure for misconfigurations, disable unnecessary services, and implement strict access controls. Network and endpoint detection rules should be regularly updated to detect the unique patterns associated with AI-assisted and polyglot file-based threats.
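As an added illustration of the polyglot-file detection the recommendations above call for (example code written for this summary, not Koske's code or any vendor's detection rule), the following Python walks a JPEG's marker segments to find where the image actually ends and reports any bytes appended after the EOI marker. The minimal sample image and the appended script are constructed and harmless, and the list of script indicators is an assumption a defender would tune to their environment.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
# Assumed indicator strings for script-like trailers; tune per environment.
SCRIPT_HINTS = (b"#!/", b"/bin/sh", b"/bin/bash", b"base64 -d", b"eval ", b"<?php")

def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker (FF D9) of the JPEG in data.
    Raises ValueError if the bytes are not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:            # EOI: the image ends here
            return pos
        if marker in STANDALONE:
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])   # length includes its own 2 bytes
        pos += length
        if marker == 0xDA:            # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break             # FF00 is byte stuffing, FFD0-FFD7 are restart markers
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def scan_for_trailing_payload(data: bytes) -> dict:
    """Report bytes appended after the JPEG EOI marker and any script indicators in them."""
    end = find_jpeg_end(data)
    trailer = data[end:]
    hints = [h.decode() for h in SCRIPT_HINTS if h in trailer]
    return {"image_bytes": end, "trailing_bytes": len(trailer),
            "script_hints": hints, "suspicious": bool(trailer) and bool(hints)}

# Constructed sample: SOI, a JFIF APP0 segment, a one-component SOS header with a few
# entropy-coded bytes (including a stuffed FF00 and an RST0 marker), then EOI.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
              + b"\xff\xd9")
# Constructed polyglot: the same image with a harmless shell script appended after EOI.
POLYGLOT = CLEAN_JPEG + b"\n#!/bin/bash\necho constructed-sample\n"
```

Legitimate encoders sometimes append metadata after EOI, so trailing bytes alone are a weak signal; the indicator check is what separates a likely polyglot from a benign trailer.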

SharePoint Hacking Campaigns Target Hundreds of Organizations Worldwide

As of July 2025, a widespread hacking campaign is actively targeting on-premises SharePoint servers, affecting hundreds of organizations globally, including numerous U.S. federal, state, and local government entities. The campaign appears linked to both state-backed and criminal actors exploiting unpatched vulnerabilities.

Attack Chain and Exploited Vulnerabilities

Attackers are exploiting known, but frequently unpatched, vulnerabilities in SharePoint to achieve initial access. One particular flaw, patched in July, was apparently leveraged for months prior to Microsoft’s emergency update release. Exploitation often allows attackers to execute code remotely on the vulnerable server, establish persistence, and move laterally within victim networks.

Impact and Attribution

The campaign compromised systems in both the public and private sectors, including critical infrastructure and manufacturing. Microsoft and CISA both detected activity by suspected China-backed and financially motivated groups. Compromised organizations report widespread credential theft and, in some cases, ransomware deployment or espionage-motivated data exfiltration.

Incident Response and Best Practices

CISA coordinated incident response across several affected federal agencies and regional governments. Organizations are strongly advised to immediately update and patch all on-premises SharePoint instances, perform thorough compromise assessments, and implement network segmentation to limit lateral movement options for attackers.

Large-Scale Social Engineering Breach at Allianz Life Insurance Exposes CRM Data for 1.4 Million U.S. Customers

On July 16, 2025, Allianz Life Insurance experienced a significant data breach when attackers used advanced social engineering tactics to compromise its cloud-based customer relationship management (CRM) platform, exposing personal information for nearly all U.S. policyholders.

Social Engineering Methodology

The attackers reportedly manipulated support personnel through targeted phone and email communications, successfully obtaining the credentials required to access the cloud CRM environment. Gaining entry to these administrative accounts enabled the extraction of sensitive personal details of 1.4 million individuals, alongside select internal corporate data.

Nature of Data Exposed

Exposed information includes names, contact details, policy numbers, and—according to preliminary investigations—potentially financial records and notes on claims or correspondence. There are currently no indications that full payment methods or social security numbers were included, but internal reviews are ongoing.

Immediate and Long-Term Remediation Steps

Allianz initiated mandatory resets for compromised accounts, instituted enhanced employee verification protocols, and began direct notification of impacted customers. Experts recommend that organizations dealing with high-value data undertake continuous phishing awareness training, adopt adaptive multi-factor authentication, and restrict CRM access to trusted network ranges.

National Guard Activated to Aid Saint Paul, Minnesota, After Disruptive Cyberattack

On July 30, 2025, the Governor of Minnesota called in the National Guard’s cyber response teams to help the City of Saint Paul recover from a disruptive cyberattack that impacted municipal operations. This move underscores growing concerns over the vulnerability of local government systems to cyber threats.

Scope and Impact of the Attack

Details of the attack remain limited due to ongoing investigation, but local officials noted outages in city services and a temporary shutdown of key administrative platforms. The incident has resulted in delays to city operations, including public records access and utility payments.

Technical Assistance by the National Guard

The National Guard’s cyber specialists were tasked with isolating affected systems, identifying malware or unauthorized activity, and supporting the city’s IT team in restoring essential services. Their involvement is part of growing state-federal collaboration for incident response as ransomware and destructive cyberattacks increasingly target local government bodies.

Operational Response Guidance

Cities and other public sector organizations facing similar threats are encouraged to establish direct lines of communication with state-level cyber emergency response units, pre-arrange playbooks for ransomware scenarios, and routinely test backup restoration capabilities.
