Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date/Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-02 19:53:21 | bleepingcomputer | CYBERCRIME | Co-op Data Theft Confirmed After DragonForce Ransomware Attack | Co-op reported a significant data theft affecting a large number of current and past members following a cybersecurity breach. Personal data including names and contact details were compromised; passwords and financial information were not accessed. Initial reports underestimated the impact, which was later confirmed to be a serious breach by DragonForce ransomware affiliates. The attack involved social engineering that led to the reset of an employee's password and access to network data, including Windows account password hashes. Co-op is now rebuilding its IT infrastructure and strengthening security measures with assistance from Microsoft DART and KPMG. The threat actors, identified as affiliates of the DragonForce ransomware operation, claim to have stolen data on approximately 20 million people registered in Co-op's membership program. They have also engaged directly with Co-op executives through Microsoft Teams, showing the urgency and personalized approach of their extortion tactics. This ransomware-as-a-service operation threatens to publish stolen data if ransoms are not paid, significantly raising the stakes for affected organizations. | Details |
| 2025-05-02 18:16:26 | bleepingcomputer | CYBERCRIME | Multinational E-Commerce Giants Hit by Magento Backdoor Attack | A supply chain attack compromised 500 to 1,000 e-commerce stores by injecting backdoors into 21 Magento extensions. Extensions from Tigren, Meetanshi, and MGS were affected, as was a prominent Weltpixel plugin for GoogleTagManager. The malicious code was hidden in licensing files, enabling attackers to take over admin functions and upload malicious PHP scripts. Sansec found that the compromised extensions had been planted as early as 2019 but were only activated in April 2025. The backdoors allow significant backend access, potentially enabling data theft, unauthorized admin account creation, and more. Sansec alerted the affected vendors; MGS did not respond, Tigren denied the breach, and Meetanshi acknowledged a server hack but not extension tampering. Sansec and BleepingComputer urge users of the impacted extensions to conduct thorough server scans and, where possible, restore systems from clean backups. | Details |
| 2025-05-02 16:09:22 | theregister | MALWARE | California Man Pleads Guilty to Malware Attack on Disney | Ryan Mitchell Kramer, a 25-year-old from California, admitted to hacking Disney and stealing 1.1TB of data in an attack initially thought to be the work of Russian activists. Kramer is charged with illegally accessing a computer to obtain information and with threatening to damage a protected computer. He faces up to ten years in prison under a plea agreement with the U.S. Department of Justice. The breach originated from a deceptive AI art generation app created by Kramer, which installed malware granting him remote access. Using stolen login credentials, Kramer infiltrated Disney's Slack workspace, accessing thousands of channels and downloading sensitive information. He threatened an employee via email and Discord with leaking personal data and followed through when the employee did not comply, leaking sensitive banking and medical details. The incident prompted Disney to switch communication platforms from Slack to Microsoft Teams, affecting employee workflows. Kramer also admitted to similar offenses involving at least two other victims who downloaded his malware-infected software. | Details |
| 2025-05-02 15:09:02 | theregister | CYBERCRIME | Generative AI Transforms Spam, Heightens Global Phishing Risks | Generative AI has significantly improved the quality and localization of phishing and scam messages, removing the spelling and grammatical errors that were once typical identifiers of spam. Scammers can now target non-English-speaking regions more effectively by crafting messages in local dialects such as Québécois French and European Portuguese; the absence of such localization previously helped residents recognize spam. The conversational capabilities of AI systems are making romance scams more effective by handling initial interactions before human scammers take over for financial exploitation. Real-time audio deepfakes are already being used to impersonate individuals in sensitive positions, misleading employees into revealing confidential information. Skepticism remains about real-time video deepfakes, as truly convincing versions are not yet affordable or technologically feasible without significant investment, though this is expected to change within a few years. Future threats are expected to require strengthened personal verification processes to counter sophisticated AI-enabled scams and impersonations. | Details |
| 2025-05-02 14:39:22 | bleepingcomputer | MALWARE | U.S. Indicts Yemeni National for Ransomware Attacks on Exchange Servers | A 36-year-old Yemeni national, Rami Khaled Ahmed, has been indicted for orchestrating 1,500 ransomware attacks on Microsoft Exchange servers globally. The malware deployed, known as Black Kingdom, demanded $10,000 in Bitcoin as a ransom for each attack. Victims included diverse U.S. entities such as medical billing companies, ski resorts, school districts, and health clinics. Black Kingdom ransomware exploited the ProxyLogon vulnerability in Microsoft Exchange servers to gain unauthorized access; this vulnerability suite was first identified and widely exploited in early 2021. In addition to the Exchange server attacks, Ahmed had previously targeted vulnerabilities in Pulse Secure VPN to breach networks. If convicted on all counts, including conspiracy and intentionally causing damage to protected computers, Ahmed faces up to 15 years in federal prison. He is currently believed to be residing in Yemen. | Details |
| 2025-05-02 14:03:20 | bleepingcomputer | CYBERCRIME | UK NCSC Alerts Retail Sectors to Rising Cyberattack Trends | The UK's National Cyber Security Centre (NCSC) has issued a warning regarding multiple cyberattacks on UK retail chains, calling these incidents a critical wake-up call for the sector. The attacks have affected prominent retailers including Harrods, Marks & Spencer, and the Co-operative Group, with varying impacts on their operations and services. Harrods responded by restricting internet access, although it has not confirmed whether its systems were breached. The Co-op experienced disruptions that prompted it to disable VPN access, suggesting containment measures following a breach. Marks & Spencer suffered a ransomware attack that disrupted online ordering and contactless payment services, attributed to the Scattered Spider threat group deploying DragonForce ransomware. The NCSC is actively collaborating with impacted organizations to understand the nature and consequences of these incidents. Advisory statements urge business leaders to follow the recommended cyber defense guidance available on the NCSC website to improve resilience against such threats. | Details |
| 2025-05-02 13:11:17 | theregister | MISCELLANEOUS | Three British Nationals Charged for Swatting in US and Canada | Three young men from the UK have been charged with making false emergency calls across the US and Canada, a practice known as swatting. The charges follow a joint effort between the FBI and Merseyside Police after a recent crackdown on politically motivated swatting incidents in the US. The individuals involved, Liam White, Dylan Ash, and Keiron Ellison, are accused of belonging to an online group that organized and carried out these fake emergency calls. Swatting can provoke dangerous police responses; in a noted 2017 case it led to the fatal shooting of an innocent man in Wichita, Kansas. This UK case marks a growing effort to legislate against and prosecute swatting because of the significant dangers it poses. The FBI has also launched a public awareness campaign on the reality and dangers of swatting, countering perceptions of it as a harmless prank. There is currently no specific legislation for swatting in the UK; those involved are typically charged with perverting the course of justice. | Details |
| 2025-05-02 12:32:50 | thehackernews | DATA BREACH | TikTok Fined €530 Million for Illicit Data Transfer to China | TikTok has been fined €530 million by Ireland's Data Protection Commission (DPC) for violating GDPR by transferring European user data to China. The fine follows a probe initiated in September 2021 that examined TikTok's adherence to EU data protection law on transfers to third countries. The DPC's decision requires TikTok to bring its data transfers into compliance with GDPR within six months or suspend transfers to China. The investigation revealed that TikTok had incorrectly informed the DPC that no European user data were stored on Chinese servers, a claim contradicted by the discovery, disclosed in February 2025, that such data had been stored there. The DPC's Deputy Commissioner criticized TikTok for not sufficiently protecting European user data from potential access by Chinese authorities under national security laws. TikTok argued that the decision overlooked its Project Clover, an initiative designed to enhance the security of European data. This penalty follows a previous €345 million fine in September 2023 for mishandling children's data under GDPR. | Details |
| 2025-05-02 12:15:48 | bleepingcomputer | DATA BREACH | TikTok Fined €530 Million for Illegally Transferring EU Data to China | The Irish Data Protection Commission (DPC) fined TikTok €530 million for violating GDPR by transferring European user data to China. The fine consists of €485 million for unlawful data transfers under GDPR Article 46(1) and €45 million for lack of transparency under Article 13(1)(f). TikTok must align its data processing practices with EU law within six months to avoid a complete suspension of data transfers to China. The DPC raised concerns about potential access to European data by Chinese authorities under China's domestic laws, which differ from EU standards. TikTok had previously claimed that European data was not stored in China, but in 2025 it admitted storing some data on Chinese servers. TikTok plans to appeal the fine, arguing that the DPC did not consider the safeguards provided by its Project Clover initiative. The fine is among the largest issued by the DPC, trailing only penalties against Amazon and Facebook for data protection violations. | Details |
| 2025-05-02 10:33:40 | theregister | CYBERCRIME | Harrods Joins UK Retailers Facing Coordinated Cyberattack Efforts | Harrods has become the third major UK retailer to report an attempted cyberattack, following incidents at M&S and Co-op. Neither Harrods, M&S, nor Co-op has announced that ransomware was the cause, though speculation surrounds involvement of Scattered Spider, an affiliate of ransomware operations. The UK's National Cyber Security Centre (NCSC) is assisting the affected retailers, underlining the seriousness of these security breaches. Cybersecurity advisory warnings are in place for UK retailers, citing the threat of ongoing ransomware campaigns aimed specifically at this sector. There has been no clear attribution of the attacks to any particular group as yet, nor has any group claimed responsibility. Retail operations, including online and physical stores, continue to function, although some retailers are experiencing service disruptions. The incidents have triggered warnings to all organizations to reinforce their cyber defenses and follow stringent cybersecurity practices. | Details |
| 2025-05-02 10:33:39 | thehackernews | MISCELLANEOUS | Streamlining Security Workflows: Automation Case Study at LivePerson | LivePerson used Tines, an AI and workflow orchestration platform, to automate the monitoring of security advisories and vulnerability responses. The new automated workflow tracks and responds to advisories issued by CISA, enriched with CrowdStrike threat intelligence. Automation reduced manual ticket creation time from 150 minutes to 60 minutes for 45 vulnerability advisories, a 60% efficiency gain. The workflow preserves critical analyst involvement in decision-making, maintaining quality control while speeding up the process. Implementation steps include setting up a Tines account, importing workflows, configuring actions, and testing with real-world advisories before going live. The case study demonstrates significant time savings and fewer manual errors, boosting both team morale and operational efficiency. | Details |
| 2025-05-02 10:17:50 | bleepingcomputer | MISCELLANEOUS | Microsoft Resolves Bug Mislabeling Gmail as Spam in Exchange Online | Microsoft fixed a machine learning model that incorrectly tagged Gmail emails as spam in Exchange Online, tracked as incident EX1064599. The issue began on April 25 at 09:24 UTC, causing legitimate emails to be automatically moved to junk folders. The misclassification was due to similarities between legitimate emails and those typically used in spam attacks. Microsoft reverted the ML model to its previous version on May 1 at 16:31 UTC, resolving the false positives. Users and admins had been advised to set custom allow rules to bypass the filtering glitch temporarily. Microsoft is continuing to refine its ML detection processes to minimize future false positives and improve email handling. The company confirmed the problem was resolved after monitoring but did not disclose the affected regions or the number of impacted users. This incident is one of a series of similar email misclassifications by Microsoft's machine learning models this year. | Details |
| 2025-05-02 08:58:57 | thehackernews | MALWARE | MintsLoader Uses Advanced Techniques to Deploy GhostWeaver RAT | MintsLoader, a malware loader, uses obfuscated JavaScript and PowerShell to deliver the GhostWeaver remote access trojan. It employs evasion tactics such as sandbox and virtual machine detection, domain generation algorithms (DGA), and HTTP-based command-and-control communications. It has been detected in phishing and drive-by download attacks targeting sectors such as industrial, legal, and energy since early 2023. It relies on a social engineering tactic known as ClickFix to deceive users into executing malicious scripts, often distributed via spam emails. MintsLoader's main function is to fetch next-stage payloads from a DGA-generated domain, enhancing stealth and complicating detection. GhostWeaver maintains persistent C2 communications, supports additional payload deployment, and uses TLS encryption with an obfuscated self-signed certificate. Related campaigns such as CLEARFAKE use similar tactics to deploy malware such as Lumma Stealer through deceptive user interactions. | Details |
| 2025-05-02 07:21:46 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Default Passwordless Option for New Accounts | Microsoft has announced that all new Microsoft accounts will be "passwordless by default," enhancing security against common password attacks. This change follows recent updates to user sign-in and registration flows on both web and mobile platforms, aimed at promoting passwordless and passkey-first authentication options. According to Microsoft executives Joy Chik and Vasu Jakkal, new users will not need to set up a password and will instead use passwordless methods such as biometrics for account access. The company is encouraging the adoption of passkeys, viewed as a more secure alternative to traditional passwords, using biometric identifiers such as fingerprints and facial recognition. Once users set up their account, they will be prompted to enroll a passkey, which becomes their primary authentication method on subsequent logins. Microsoft says the new passwordless system has already reduced password use by over 20% in trials and aims to keep decreasing reliance on passwords. Microsoft is a key player in the FIDO Alliance, promoting passkeys as a standard method for passwordless authentication across the industry. | Details |
| 2025-05-02 06:47:39 | thehackernews | MISCELLANEOUS | Microsoft Advocates for Passwordless Future with Default Passkeys | Microsoft has configured new accounts to be passwordless by default, a move aimed at enhancing security and simplifying the user experience. New users are offered various passwordless sign-in options, removing the need to set up a traditional password. Existing Microsoft account users can also remove their passwords by adjusting their account settings. The sign-in process now automatically detects and promotes the most secure method available to the user. Microsoft continues to support the broader shift toward a passwordless environment, mirroring actions by other tech giants including Apple and Google. Passkeys, based on public/private key cryptography, do not require users to remember passwords, thereby reducing the risk of phishing attacks. Implemented in Windows 11 and approved for global use by Google, passkeys have been adopted by over 15 billion user accounts. The FIDO Alliance, which backs the technology, is enhancing passkey interoperability and exploring its use in secure payments. | Details |