Good Morning Security Gang
I hope everyone had a wonderful Thanksgiving and actually took a few days to disconnect — no screens, no Slack, no alerts, just family, food, and a little sunshine. Now we’re back, it’s December, and the countdown is officially on — only thirty days left in 2025.
Today’s show is loaded. We’ve got a major French Soccer Federation breach, Asahi revealing 1.5 million customer records exposed, Salesforce cutting Gainsight access over suspicious activity, Comcast fined $15 million for a third-party vendor incident, OpenAI user data exposure, and even rogue in-flight Wi-Fi hackers getting seven years in prison.
“The job we do as practitioners is difficult. It’s draining mentally. And a lot of times that mental draining takes a physical toll on us. And it’s significant. So use this time, use this month to really, really just develop something for you to relax, touch grass, get away from tech for a little bit.” James Azar
So buckle up, grab that espresso, and coffee cup cheers, y’all!
French Soccer Federation Data Breach Exposes Member Details
The French Soccer Federation (FFF) confirmed a cyberattack that exposed member registration data, contact details, and metadata. Investigators say the breach likely stemmed from an exposed administrative system used by regional clubs and player associations.
While operations remain intact, the stolen data could be weaponized for phishing, identity theft, and credential stuffing — especially since many players and staff reuse emails for social and betting platforms.
Here’s the bigger picture: European sports organizations have become high-value targets for cybercriminals and betting syndicates, particularly ahead of major tournaments like the 2026 World Cup. Data on players, referees, and agents can easily be used for match-fixing or insider betting.
“Sports organizations aren’t just games — they’re billion-dollar data operations, and hackers know it.” James Azar
The FFF is now enforcing multi-factor authentication, resetting administrative credentials, and urging local clubs to block lookalike domains that could be used for phishing.
Asahi Beer Breach Affects 1.5 Million Customers
Japanese beverage giant Asahi Group Holdings has disclosed a massive data breach following an attack on its customer support systems. The incident, part of the Kalinin ransomware campaign, impacted 1.5 million customers, partners, and employees.
While payment data wasn’t exfiltrated, the attackers leaked personal contact details and internal communications on dark web forums. The breach also included employee and family records, highlighting how supply chain attacks can spill beyond core business systems.
Two months after the initial compromise, Asahi is still struggling to restore systems — proof that manufacturing and production environments are painfully slow to recover after ransomware events.
If you’re in manufacturing, lock down shared credentials, segment production systems, and deploy immutable backups that can’t be overwritten by ransomware operators.
Salesforce Restricts Gainsight Access After Suspicious Activity
Salesforce has revoked access for Gainsight applications following detection of anomalous API activity tied to customer integrations. The move disrupted data synchronization for multiple organizations as Salesforce and Gainsight jointly investigate possible data exfiltration via connected apps.
This is part of a larger SaaS-to-SaaS supply chain issue — integrations between platforms often carry excessive OAuth permissions, creating silent exposure points. Gainsight has since confirmed that several of its partner integrations, including Gong and HubSpot, temporarily disabled API connections as a precaution.
CISOs should audit all Salesforce-connected apps, remove unused integrations, and monitor for mass API exports or report downloads. Supply chain trust ends where visibility ends.
Comcast Fined $15 Million Over Vendor Breach
Comcast will pay a $15 million regulatory fine after a third-party debt collection vendor exposed data belonging to 270,000 customers. The incident stemmed from a breach at Financial Business and Consumer Solutions (FBCS) — a vendor Comcast had stopped working with two years before the compromise.
“Third-party vendors are the soft underbelly of modern enterprise security — and regulators are catching up fast.” James Azar
Despite FBCS filing for bankruptcy after the breach, regulators fined Comcast for failing to enforce vendor data retention and deletion obligations, which left old customer data exposed.
This is the latest warning shot from regulators emphasizing vendor accountability. Organizations must now ensure contracts include data destruction clauses, 72-hour breach reporting, and right-to-audit provisions for all third-party data processors.
Vanity Fair France Fined for GDPR Violations
The French privacy regulator CNIL fined Vanity Fair France €750,000 for violating cookie consent and data transparency rules under GDPR. The fine was small compared to others this year but represents a renewed focus on ad tracking and consent banner enforcement.
If you operate any customer-facing website in the EU, verify your cookie banner implementation and confirm explicit opt-in consent is functional. The CNIL has signaled that enforcement actions will escalate in 2026.
OpenAI User Data Exposed via Mixpanel Analytics
OpenAI disclosed that a Mixpanel analytics integration inadvertently exposed user metadata, including API keys, email addresses, and usage logs. No model weights or chat histories were compromised, but leaked telemetry could be used to target specific organizations using OpenAI’s enterprise API.
This breach highlights the blind spot in AI stack security — telemetry data often reveals who is using AI, how, and for what purpose, creating intelligence value for attackers.
Companies should scrub sensitive data from analytics streams and restrict egress traffic to vendor endpoints to prevent external exfiltration via telemetry APIs.
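One way to do that scrubbing at the application edge, as an added example that is not code from the show, OpenAI or Mixpanel: an allowlist of event properties, pseudonymized user IDs, and redaction of credential-shaped strings and email addresses in any value that is allowed through. Property names, key formats and the sample event are assumptions constructed for illustration.

```python
import hashlib
import re
# Allowlist of event properties permitted to reach the analytics vendor. These names
# are assumptions for illustration, not OpenAI's or Mixpanel's actual schema.
ALLOWED = {"event", "time", "org_id", "plan", "model", "tokens", "region", "user_id", "message"}
# Credential shapes redacted even inside an allowlisted value (assumed public key formats).
SECRET_SHAPE = re.compile(r"\b(?:sk-[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16}|xox[abpr]-[0-9A-Za-z-]{10,})\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def pseudonymize(value, salt):
    """Keyed hash: the vendor can count distinct users without learning who they are."""
    return hashlib.sha256((salt + str(value)).encode()).hexdigest()[:16]

def scrub(obj, salt, dropped):
    """Apply the allowlist and value redaction recursively; record what was withheld."""
    if isinstance(obj, dict):
        clean = {}
        for key, value in obj.items():
            if key == "properties":          # Mixpanel-style nested property bag
                clean[key] = scrub(value, salt, dropped)
            elif key not in ALLOWED:         # default deny: unknown fields never leave
                dropped.append(key)
            elif key == "user_id":
                clean[key] = pseudonymize(value, salt)
            else:
                clean[key] = scrub(value, salt, dropped)
        return clean
    if isinstance(obj, list):
        return [scrub(v, salt, dropped) for v in obj]
    if isinstance(obj, str):
        if SECRET_SHAPE.search(obj):
            dropped.append("secret-shaped value")
        return EMAIL.sub("[REDACTED_EMAIL]", SECRET_SHAPE.sub("[REDACTED_SECRET]", obj))
    return obj

def scrub_event(event, salt="rotate-me-per-environment"):
    """Return (clean_event, dropped): the event safe to emit and a list of what was cut."""
    dropped = []
    return scrub(event, salt, dropped), dropped

# Constructed sample event (not real telemetry) with the leak types from the story.
SAMPLE_EVENT = {
    "event": "api_call", "time": 1764576000, "org_id": "org_123",
    "properties": {
        "user_id": "u-42", "email": "analyst@example.com", "model": "gpt-x", "tokens": 812,
        "api_key": "sk-0123456789abcdefghijklmnop", "prompt": "Summarize the Q4 numbers",
        "message": "rejected key sk-0123456789abcdefghijklmnop for cfo@example.com",
        "region": "eu-west", "plan": "enterprise",
    },
}
```

The `dropped` list is worth logging locally: it tells you which fields developers keep trying to ship to analytics, which is the inventory you need before restricting egress to the vendor.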
Factory AI Platform Disrupted in State-Linked Cyberattack
AI startup Factory, which provides AI-driven campaign management tools, has suspended operations after identifying a state-linked intrusion on its software development environment. Attackers reportedly tried to repurpose Factory’s platform to run automated fraud and misinformation campaigns.
The company says at least one China-based state actor used AI agents to modify Factory’s defenses in real time, essentially turning the system into a self-defending botnet controller.
This attack is another reminder that AI infrastructure itself is becoming a strategic cyber weapon. CISOs managing AI platforms should enforce code-signing pipelines, monitor agent orchestration, and isolate training environments.
Google Meet ClickFix Attacks Spread via Fake Update Prompts
A new ClickFix attack campaign is spreading malware using fake Google Meet or Docs update prompts. Victims are shown realistic full-screen browser overlays asking them to “update Google security settings”; following the prompt triggers PowerShell payloads.
The attack combines social engineering, credential theft, and local privilege escalation. Organizations should block unsigned installers, enforce non-admin privileges, and enable AMSI script logging to detect malicious browser-initiated scripts.
GitLab Leak Reveals 17,000 Active Secrets
A public scan of GitLab repositories uncovered over 17,000 live secrets, including API keys, database passwords, and cloud credentials. Researchers found credentials for AWS, Slack, Google Cloud, MongoDB, and Telegram bots, many still valid.
Enterprises should immediately deploy automated secret scanning, rotate all discovered credentials, and move secrets into managed vault systems. Development teams must use commit hooks that prevent sensitive keys from being pushed to repositories.
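What such a commit hook can look like, as an added example that is not code from the show or from GitLab: a pre-commit script that scans only the staged, added lines for the credential families named in the story and refuses the commit when one is found. The key-format patterns and the sample diff are assumptions constructed for illustration, not an exhaustive ruleset.

```python
import re
import subprocess
import sys

# Prefix/shape patterns for the credential families named in the GitLab story.
# Shapes are assumptions based on public key formats; tune them for your estate.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:\s/]+:[^@\s/]+@"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
}
# Constructed sample diff (not a real leak) used by --demo and by the tests.
SAMPLE_DIFF = ('--- a/config.py\n+++ b/config.py\n@@ -0,0 +1,2 @@\n'
               '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
               '+DB = "mongodb+srv://app:hunter2@cluster0.example.net/prod"\n')

def scan_diff(diff_text):
    """Return (file, new_line_no, kind) for every added line that matches a pattern."""
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = re.sub(r"^b/", "", line[4:])
        elif line.startswith("@@"):          # hunk header: reset the new-file line counter
            m = re.search(r"\+(\d+)", line)
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):           # added line: the only content worth scanning
            line_no += 1
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((current_file, line_no, kind))
        elif not line.startswith("-"):       # unchanged context line
            line_no += 1
    return findings

def main():
    if "--demo" in sys.argv:
        diff = SAMPLE_DIFF
    else:  # staged changes only; unified=0 means every hunk line is an add or a delete
        diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, line_no, kind in findings:
        print(f"BLOCKED {path}:{line_no}: value looks like a {kind}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or via your hook manager) so a non-zero exit aborts the commit; run it with `--demo` to see the constructed sample blocked.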
CISA Adds PLC SCADA Vulnerability to Known Exploited List
CISA added a 2021 cross-site scripting vulnerability (CVE-2021-26829) in OpenPLC ScadaBR systems to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation by pro-Russian hacktivist group Tunet targeting critical infrastructure honeypots.
The vulnerability affects both Windows and Linux builds, allowing attackers to alter system configurations remotely. Organizations should patch immediately or restrict access to internal networks only.
California Browser Privacy Law Could Reshape U.S. Compliance
California passed a new amendment to the California Consumer Privacy Act (CCPA) that mandates web browsers provide a single-click opt-out control for all state residents. The law takes effect in January 2027, effectively forcing nationwide adoption as most companies will apply changes universally.
This is expected to create a new baseline standard for digital privacy, pushing other states to harmonize compliance frameworks and potentially triggering federal privacy debates.
Australian “Evil Twin” Wi-Fi Hacker Sentenced to Seven Years
An Australian man dubbed the “Evil Twin Wi-Fi Operator” has been sentenced to seven years in prison for setting up rogue access points on airplanes and in airports using Wi-Fi Pineapple devices.
He cloned legitimate SSIDs like “Qantas Wi-Fi” and “Airport Free Wi-Fi” to intercept passenger traffic and capture credentials. The arrest underscores the growing threat of man-in-the-middle attacks in transient networks.
Travelers should avoid connecting to unverified Wi-Fi, use VPNs, and disable auto-connect features on mobile devices.
Action List
⚽ Enforce MFA for sports and membership organizations after the FFF breach.
🍺 Segment production systems and secure backups in manufacturing post-Asahi attack.
☁️ Audit Salesforce integrations and remove excessive OAuth scopes.
📜 Add data destruction clauses in all vendor contracts.
🧠 Scrub sensitive analytics fields from telemetry streams.
🤖 Monitor AI systems for autonomous agent modification.
🧱 Patch GitLab repos, SCADA systems, and enforce code commit scanning.
💻 Educate users on ClickFix and fake update malware tactics.
🌐 Implement privacy-by-design ahead of California’s 2027 browser opt-out rule.
✈️ Ban unverified Wi-Fi use for traveling employees and executives.
James Azar’s CISO’s Take
Today’s episode connects every major theme we’ve been talking about all year — from vendor risk and SaaS exposure to AI misuse and data transparency. Every story today shows that trust boundaries are dissolving, whether it’s Salesforce apps talking to third-party CRMs or AI tools weaponized against their own platforms.
My biggest takeaway is simple: visibility is the new perimeter. You can’t defend what you can’t see — and attackers are thriving in those blind spots between integrations, analytics tools, and forgotten vendors. The best CISOs in 2025 aren’t just security leaders — they’re ecosystem architects, building resilience across every connection that fuels the business.
Stay vigilant, stay caffeinated, and as always — stay cyber safe.