CyberWire Daily: China’s Largest Data Leak Exposes Billions
Release Date: June 5, 2025
Introduction
On the June 5, 2025 episode of CyberWire Daily, host Dave Bittner covered a series of cybersecurity incidents affecting organizations worldwide. The episode, titled "China’s Largest Data Leak Exposes Billions," offered analysis and expert commentary on major breaches, ransomware activity, and emerging threats. It also featured an interview with Anneka Gupta, Chief Product Officer at Rubrik, on the difficulty of managing security across fragmented systems.
China’s Unprecedented Data Leak
The episode opened with news of what may be China's largest data leak to date. Over 4 billion personal records, totaling 631 gigabytes, were exposed in an unsecured database. The trove included financial data, WeChat and Alipay information, national ID numbers, and addresses, potentially affecting hundreds of millions of people.
- Discovery and Impact: CyberNews and researcher Bob Diachenko found 16 data collections, each containing hundreds of millions of records. The careful way the data was compiled suggests it may have been assembled for surveillance or profiling. The database was quickly taken offline, leaving no clear attribution and no immediate recourse for those affected.
- Expert Warnings: Experts caution that the leaked data could be used for phishing, fraud, blackmail, or even state-level espionage. The breach far exceeds previous Chinese data compromises in scale, underscoring serious privacy exposures.
Notable Quote:
“The data appears to be meticulously compiled, likely for surveillance or profiling purposes,” noted Bob Diachenko (01:30).
CrowdStrike Collaborates with Federal Authorities
CrowdStrike is cooperating with federal authorities over the faulty software update of July 2024 that caused a widespread outage affecting millions of computers.
- Incident Details: The flaw in the Falcon software caused the July 19 outage, which disrupted flights, backend systems, and end-user devices.
- Regulatory Scrutiny: In a recent SEC filing, CrowdStrike disclosed that the Justice Department and the SEC are investigating not only the incident but also the company's revenue recognition practices and its reporting of annual recurring revenue. Other agencies and third parties have also requested information, and some customers have threatened legal action.
- Financial Impact: CrowdStrike reported a fiscal first-quarter loss and a weaker outlook because of ongoing costs tied to the incident. Although the stock is up 35% over the past year, shares fell 5.3% after the disclosure.
Sensitive Insurance Documents Exposed
Last month, researcher JLT discovered a misconfigured cloud server exposing more than 571,000 sensitive insurance documents belonging to Triangle Insurance in the U.S. The records, dated from 2006 to April 2025, included health claim forms, declaration pages, and decision letters.
- Response Efforts: An initial email alert sent on May 8 went unanswered, likely because of spam filtering. With the help of ogowasright@databreaches.net, JLT reached Triangle Insurance on May 12, and the exposure was secured by May 13.
- Company Actions: Triangle's COO confirmed the fix and thanked the researcher. The company is investigating the issue with its software vendor, has notified its regulator, and may notify affected individuals depending on its findings. The server had been exposed since at least July 2021.
Notable Quote:
“The server was exposed since at least July 2021,” stated Triangle Insurance's representative (06:45).
Microsoft’s Free Cybersecurity Programs for Europe
In response to the growing threat of AI-powered cyberattacks, Microsoft has launched a free cybersecurity program for European governments aimed at strengthening defenses against state-backed actors from countries including Russia, China, Iran, and North Korea.
- Program Focus: The initiative emphasizes better intelligence sharing and attack prevention. Microsoft President Brad Smith highlighted the defensive use of AI, noting, “AI tools can still detect AI-driven threats” (09:30).
- Recent Threats Addressed: The program responds to notable attacks, including deepfakes targeting Ukraine's president and interference in Slovakia's 2023 election.
FBI on Play Ransomware Gang
The FBI has issued an advisory on the Play ransomware gang, which has hit more than 900 organizations since it emerged in 2022, making it one of the most dangerous active cybercrime groups.
- Attack Methods: Play frequently exploits vulnerabilities in the SimpleHelp remote monitoring tool and recompiles its ransomware for each attack to evade detection. The group also uses email and phone threats to pressure victims into paying.
- High-Profile Victims: Notable targets include the city of Oakland, Dallas County, and the Swiss government.
- Possible State Ties: The FBI noted potential links between Play and North Korean hackers, suggesting collaboration in some intrusions.
Notable Quote:
“Play remains highly active, especially against U.S.-based organizations,” reported the FBI (12:15).
Google Alerts on UNC6040 Threat Group
Google has issued a warning about the threat group UNC6040, which is targeting Salesforce customers through a widespread voice-phishing and data-extortion campaign.
- Attack Strategy: UNC6040 impersonates IT support staff over the phone to trick employees into authorizing a modified version of the Salesforce Data Loader app. Once approved, the tool lets the attackers exfiltrate sensitive data, which they then use for extortion.
- Affected Organizations: Roughly 20 organizations in sectors such as education, retail, and hospitality across the Americas and Europe have been affected.
- Operational Tactics: The group relies on social engineering rather than any vulnerability in Salesforce itself. After gaining access, the attackers move laterally to platforms such as Microsoft 365 and Okta.
- Attribution: UNC6040 claims ties to ShinyHunters and shows overlaps with tactics used by the Com collective, including Scattered Spider.
Notable Quote:
“This is part of a rising trend of attackers targeting IT support roles for initial access,” explained a Google spokesperson (14:50).
Insights from Anneka Gupta, Chief Product Officer at Rubrik
In an interview, Anneka Gupta discussed the challenges of managing security across the diverse systems found in modern organizations.
- Complex Infrastructure: Gupta described the shift from traditional data centers to cloud and SaaS, which leaves the typical organization with more than 100 SaaS applications, several public clouds, and sometimes on-premises data centers as well. This fragmentation makes visibility into, and control over, applications and data a daunting task.
Notable Quote:
“An average organization uses over 100 SaaS applications. Understanding where your data lives becomes an overwhelming challenge,” stated Anneka Gupta (12:50).
- Cyber Risk Management: The sheer volume of data and applications raises the risk of a successful attack. Gupta stressed how hard it is to identify sensitive data and critical applications, which limits an organization’s ability to protect its most valuable assets.
Notable Quote:
“Organizations are spending more and yet getting breached more often,” Gupta explained (14:20).
- Proactive Visibility: Gupta argued for a proactive approach to visibility: organizations should first establish where sensitive data resides and which applications are critical. That foundation makes it possible to protect the "crown jewels" and cuts the noise from lower-priority alerts.
- Implementation Strategy: She advised building visibility incrementally, starting with key applications and data types and widening coverage over time. Choosing technologies that provide centralized management across on-premises, cloud, and SaaS environments is essential.
Notable Quote:
“Leaders have to figure out how to articulate the risk and mitigate those risks by gaining visibility,” Gupta advised (19:05).
FDA’s ELSA AI Tool Faces Scrutiny
The episode also covered the FDA's rollout of ELSA, a generative AI tool intended to improve operational efficiency. Internal feedback, however, suggests ELSA is not yet ready for critical work.
- Intended Benefits: ELSA is meant to help scientific reviewers and inspectors analyze data and flag health risks more quickly.
- Challenges: Insiders report that ELSA has produced inaccuracies and partial truths, and staff have described it as "rushed, buggy, and more hype than help."
- FDA’s Stance: The FDA maintains that ELSA is secure and promising, while advising caution about applying it to clinical decisions for now.
RedLine Infostealer Malware Reward
The U.S. State Department is offering up to $10 million for information on hackers using the RedLine infostealer malware or on its suspected creator, Maxim Alexandrovich Rudometov.
- Background: Rudometov, charged in October, is accused of running RedLine's infrastructure and laundering payments through cryptocurrency. The reward falls under the Rewards for Justice program, which targets individuals involved in cyberattacks against U.S. critical infrastructure.
- Operation Magnus: A recent joint international operation involving Dutch authorities and Eurojust disrupted the RedLine and Meta malware platforms, leading to server seizures and arrests. ESET assisted by mapping 1,200 related servers and releasing a tool to detect infections.
Conclusion
The June 5, 2025 episode of CyberWire Daily underscored how pervasive and fast-moving cybersecurity threats have become. From unprecedented data leaks and sophisticated ransomware gangs to proactive measures by technology companies and government agencies, the landscape demands continuous vigilance and adaptable strategies. Anneka Gupta's remarks highlighted the central role of visibility and proactive risk management in an increasingly complex digital ecosystem.
For a comprehensive understanding of today’s cybersecurity landscape, tuning into CyberWire Daily provides invaluable knowledge and expert analysis essential for industry leaders and professionals.
For more detailed insights and updates, visit CyberWire Daily.
