Svoboda Cybersecurity Brief January 01, 2026
Health Provider Fined $500K for Data Breach Affecting 650K Patients
The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to protect patient data, exposing 656,000 individuals through unencrypted files and a lack of multi-factor authentication. Attackers used compromised credentials in 2023 to access Social Security numbers and healthcare data.
Impact: Sensitive data of 650K+ individuals exposed, including SSNs and health records.
Mitigation: Implement MFA, encrypt sensitive data, and conduct regular risk assessments.
Source: DataBreaches.net
Unleash Protocol Loses $3.9M in Multisig Hijack
Attackers gained administrative control of Unleash Protocol’s multisig governance, performing an unauthorized contract upgrade to drain $3.9M in crypto assets (WETH, USDC, etc.). Stolen funds were laundered via Tornado Cash.
Impact: $3.9M stolen; platform operations paused.
Mitigation: Review multisig access controls and monitor for anomalous contract upgrades.
Source: BleepingComputer
Trust Wallet Chrome Extension Hacked via Shai-Hulud Supply Chain Attack
A malicious update (v2.68) to Trust Wallet’s Chrome extension, pushed via a leaked Chrome Web Store API key, drained $8.5M from 2,520 wallets. Attackers exfiltrated mnemonic phrases via a fake metrics domain.
Impact: $8.5M stolen; 1M+ users at risk until update to v2.69.
Mitigation: Rotate API keys, enforce code-signing, and monitor GitHub secrets.
Source: The Hacker News
DarkSpectre Browser Extensions Spy on 8.8M Users
Chinese-linked threat actor DarkSpectre operated malicious browser extensions (e.g., “New Tab - Customized Dashboard”) for corporate espionage and affiliate fraud, stealing meeting data from Zoom and Teams. The campaigns ran for 7+ years.
Impact: Data from 8.8M users exfiltrated, including corporate credentials.
Mitigation: Audit browser extensions, isolate IoT devices, and monitor C2 connections.
Source: The Hacker News
RondoDox Botnet Exploits React2Shell to Infect Next.js Servers
RondoDox exploited CVE-2025-55182 (React2Shell) to deploy malware (Mirai variants, coinminers) on Next.js servers. Over 94,000 systems are vulnerable.
Impact: Server compromise, cryptomining, and botnet enrollment.
Mitigation: Patch Next.js, segment IoT networks, and monitor cron jobs.
Source: BleepingComputer
IBM API Connect Critical Auth Bypass (CVE-2025-13915)
IBM warned of a flaw rated CVSS 9.8/10 in API Connect (v10.0.8.0–10.0.11.0) that allows unauthenticated remote access. No known exploits yet.
Impact: Unauthorized app access.
Mitigation: Upgrade or disable self-service sign-up.
Source: The Hacker News
Disney Fined $10M for Children’s Privacy Violations on YouTube
Disney mislabeled kid-directed YouTube videos, enabling illegal data collection for targeted ads. Settlement includes parental alerts and correct labeling.
Source: BleepingComputer
NYC Inauguration Bans Flipper Zero, Raspberry Pi
Event organizers specifically prohibited these devices while still allowing laptops and phones. No technical justification was provided.
Source: BleepingComputer