CISO Talk by James Azar
CyberHub Podcast
SoundCloud Breach Disrupts VPN Access, Jaguar Land Rover Confirms Staff Data Theft, and France Interior Ministry Email Servers Hacked


Audio Streaming Platform SoundCloud Confirms Member Data Breach After Days of VPN Outages While Chinese Threat Groups Rapidly Exploit React2Shell and ServiceNow Eyes $7 Billion Armis Acquisition

Good Morning Security Gang

We’ve got SoundCloud confirming a data breach after its VPN access was disrupted, Jaguar Land Rover admitting staff information was stolen, France’s Interior Ministry confirming a cyberattack, and Japanese retailer Askul disclosing that 740,000 customer records were taken. On top of that, Pornhub is facing extortion, Chinese APTs are exploiting the new React2Shell vulnerability, and MI6 is warning Europe about Russia’s growing cyber aggression.

I’ll say it now — when we were prepping for today’s episode, we had more than an hour of material to cover.

Coffee cup cheers, y’all, and let’s get rolling.

SoundCloud Confirms Breach After VPN Access Outage

SoundCloud has confirmed a data breach after days of unexplained VPN connectivity problems that left creators unable to reach internal tools and dashboards. As part of its response, the company disabled employee VPN access to contain the intrusion.

The attack appears tied to ShinyHunters, the same group now extorting Pornhub. Internal sources told reporters that identity tokens and third-party API keys may have been exposed, potentially affecting support tools, email vendors, and payment partners.

If you’re a creator or enterprise using SoundCloud integrations, rotate every API key and SSO credential shared with the platform, enforce phishing-resistant MFA (FIDO2 keys or passkeys) on the accounts behind those integrations, and alert on bulk exports or unusual CRM activity that a stolen token could drive.

As I said on the show: “In an outage like this, communication is your lifeline — your users can handle bad news, but they can’t handle silence.”

Jaguar Land Rover Confirms Employee Data Theft

Jaguar Land Rover (JLR) has confirmed that employee data was exfiltrated during its cyberattack earlier this year. While production resumed, HR, payroll, and contractor details are among the compromised records.

The company continues operating at half its normal production capacity, with full recovery not expected until March or April 2026.

This type of breach opens the door to phishing aimed at employees and union members, benefits fraud, and impersonation. Organizations should monitor for fake job postings and lookalike HR or payroll domains, notify affected employees proactively, and lock down benefits and payroll portals with stronger MFA.

France’s Interior Ministry Hacked

France’s Interior Ministry confirmed a cyberattack on its email servers, disrupting communications for several hours. Interior Minister Laurent Nuñez said that attackers accessed some document files, though the full scope remains unclear.

In his public statement, Nuñez admitted that “it could be foreign interference or simply cybercrime” — which, let’s be honest, doesn’t exactly inspire confidence.

As I joked on the show: “That’s reassuring if you’re a French taxpayer. Someone hacked our Interior Ministry emails. They stole a bunch of stuff. We don’t know who it is. What’s the reason for it? But hey, trust us. We’re competent government people who know what we’re doing.”

Given that France is increasingly targeted by Russian-linked APTs, ministries and public agencies need to segment their systems, audit every third-party account, and publish incident communications quickly to head off panic and misinformation.

Askul Ransomware Breach Exposes 740,000 Customer Records

Japanese retail and e-commerce giant Askul confirmed that 740,000 customer records were stolen during last month’s ransomware attack by RansomHouse.

The stolen data includes contact information and order details for both consumers and corporate buyers. Askul now faces elevated risks of refund fraud, supplier impersonation, and lookalike domain phishing.

If you’re a vendor tied to Askul, rotate all marketplace tokens, deploy velocity checks on transactions, and hunt your endpoint and proxy logs for data-staging tools such as rclone and the MEGA client, which ransomware crews routinely use to move stolen data out before encryption.
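To make that last recommendation concrete, here is an added example (my code, not Askul’s or any vendor’s production detection) that hunts process-creation events for rclone and MEGA client usage, including a renamed rclone binary that is only recognisable from its command line. The event shape, field names and every log line below are constructed for the example; the tool-name list is illustrative and should be extended for your environment.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; these are not real logs.
# Event 4 is a renamed rclone binary, recognisable only by its command line.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\HR mega:dump --transfers 16 --config C:\\Users\\Public\\r.conf"},
    {"host": "ws-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "ws-017", "user": "CORP\\mperez", "image": "C:\\Users\\mperez\\AppData\\Local\\MEGAcmd\\mega-put.exe",
     "cmdline": "mega-put.exe C:\\Finance\\Q3 /exfil"},
    {"host": "db02", "user": "CORP\\dba", "image": "C:\\Temp\\svchost.exe",
     "cmdline": "svchost.exe sync E:\\Backups\\customers remote1:staging --config C:\\Temp\\c.conf -P"},
    {"host": "ws-101", "user": "CORP\\kwang", "image": "C:\\Program Files\\Git\\bin\\git.exe",
     "cmdline": "git push origin main"},
]

# Binary names of the tools named on the page plus MEGAcmd helpers (illustrative list, extend it).
KNOWN_TOOL_NAMES = {"rclone.exe", "rclone", "megacmd.exe", "mega-cmd.exe", "mega-put.exe",
                    "mega-sync.exe", "megasync.exe", "megaclient.exe"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remote syntax is <remote>:<path>. Requiring two or more name characters before the
# colon keeps Windows drive letters like C:\ from matching; the lookahead skips URLs (https://).
REMOTE_RE = re.compile(r"(?<![\w\\/])([A-Za-z_][\w-]+):(?![\\/])")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the reasons an event looks like data staging (empty list means benign)."""
    reasons = []
    image = basename(event["image"])
    tokens = event["cmdline"].split()
    if image in KNOWN_TOOL_NAMES:
        reasons.append(f"known staging tool: {image}")
    # A renamed rclone still needs its verb and a remote:path target to do anything.
    verbs = {t.lower() for t in tokens[1:]} & RCLONE_VERBS
    remotes = [m.group(1) for m in REMOTE_RE.finditer(event["cmdline"])]
    if verbs and remotes:
        reasons.append(f"rclone-style {sorted(verbs)} to remote {remotes}")
    if "--config" in tokens and image not in KNOWN_TOOL_NAMES:
        reasons.append(f"--config passed to unrecognised binary {image} (possible renamed rclone)")
    return reasons

def hunt(events: list) -> list:
    """Run classify() over a batch of events and return only the hits, in input order."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"host": ev["host"], "user": ev["user"], "image": ev["image"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["image"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run it and three of the five events surface: the stock rclone copy to a MEGA remote, the MEGAcmd upload, and the "svchost.exe" that behaves exactly like rclone. Matching on the command-line grammar rather than the binary name is what catches the last one; in production, feed the same logic your EDR or SIEM process-creation telemetry and add a proxy-log check for the MEGA and cloud-storage domains the remotes resolve to.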

Pornhub Extorted Over Premium Member Activity Data

Pornhub is being extorted by threat actors claiming to have stolen over 200 million records of premium member activity, including watch history and search data.

The data reportedly stems from a breach at Mixpanel, Pornhub’s analytics vendor, which was compromised in early November via SMS phishing (smishing). Such data could be weaponized for blackmail, credential stuffing, or social extortion.

Third-party analytics vendors remain a high-risk blind spot for digital businesses. Send them only the fields they actually need, pseudonymize user identifiers before the data leaves your environment, and keep each vendor’s dataset segregated so that one compromise cannot cascade into another.
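An added example of the minimization and pseudonymization points (my code, not Pornhub’s or Mixpanel’s): before an analytics event leaves your environment, drop everything the vendor does not need, replace the user identifier with an HMAC under a key that never leaves your side, and round timestamps down so exact viewing times are not exported. The raw event, the allowlist and the key are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed pepper for the example. In production this lives in your KMS or secret store,
# is never shared with the analytics vendor, and can be rotated to cut long-term linkability.
PSEUDONYM_KEY = bytes.fromhex("9f2c6a1d3e5b7c8d0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f50617")
# The only fields the vendor needs for product analytics (assumed allowlist).
# Watch history, search text, e-mail and IP are deliberately absent.
ALLOWED_FIELDS = ("event", "plan", "country", "client")
TIME_BUCKET_SECONDS = 3600

# Constructed raw event as it might look inside the platform, before minimisation.
SAMPLE_RAW_EVENT = {
    "user_id": "u-4481",
    "email": "member@example.net",
    "ip": "198.51.100.23",
    "event": "video_view",
    "video_id": "v-918273",
    "search_query": "some private search terms",
    "plan": "premium",
    "country": "DE",
    "client": "web",
    "ts": "2025-11-04T13:27:41+00:00",
}

def pseudonymize(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: the vendor can still join one user's events together,
    but cannot reverse the value or precompute a table for it without the key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()

def coarsen_timestamp(iso_ts: str, bucket: int = TIME_BUCKET_SECONDS) -> str:
    """Round an ISO-8601 timestamp down to the bucket boundary (UTC) to blunt timing correlation."""
    dt = datetime.fromisoformat(iso_ts).astimezone(timezone.utc)
    floored = int(dt.timestamp()) // bucket * bucket
    return datetime.fromtimestamp(floored, timezone.utc).isoformat()

def minimize_event(raw: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Build the only representation of the event that is allowed to reach the vendor."""
    out = {field: raw[field] for field in ALLOWED_FIELDS if field in raw}
    out["uid"] = pseudonymize(raw["user_id"], key)
    out["ts"] = coarsen_timestamp(raw["ts"])
    return out

def fields_leaked(raw: dict, outbound: dict) -> set:
    """Guardrail for tests and CI: which non-allowlisted raw keys made it out unchanged?"""
    return {k for k in raw if k in outbound and outbound[k] == raw[k] and k not in ALLOWED_FIELDS}

if __name__ == "__main__":
    print(minimize_event(SAMPLE_RAW_EVENT))
```

The design choice worth noting: a plain SHA-256 of a user ID is not a pseudonym, because anyone holding the vendor’s data can hash candidate IDs and match them. The HMAC key is what makes the mapping one-way from the vendor’s side, and rotating it per period (or per vendor) is what keeps a leaked dataset from being joined against a second one.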

Chinese APTs Exploiting React2Shell Vulnerability

Google Threat Intelligence has confirmed that five Chinese state-linked threat groups are now exploiting the React2Shell vulnerability (CVE-2025-55182) — just two weeks after it was publicly disclosed.

This is not a browser-side XSS chain: the bug is in how React Server Components deserialize the Flight-protocol payloads that carry server function (server action) requests, so a single crafted, unauthenticated HTTP request to a vulnerable endpoint can execute code on the server. Reported targets include CRM portals, SaaS dashboards, and internal admin panels.

Mitigation steps include:

  • Upgrading the affected packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) and any framework that bundles them, such as Next.js, to the patched releases named in the React advisory.

  • Placing admin consoles behind VPN/IP allowlists so an internet-facing exploit attempt never reaches them.

  • Virtual patching on web application firewalls as a stopgap while upgrades roll out. CSP headers are still worth enforcing, but they address browser-side issues and do not stop this server-side bug.
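To check the first item against a real dependency tree, here is an added example (my script, not the React project’s tooling) that walks a package-lock.json and reports every copy of the affected react-server-dom-* packages that is below the patched release for its minor line, including copies nested under other dependencies. The lockfile below is constructed, and the patched version numbers (19.0.1, 19.1.2, 19.2.1) are what I recall from the React advisory for CVE-2025-55182; verify them against the current advisory before relying on the output.

```python
import json
import re
import sys

AFFECTED_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack")
# First patched patch-level per 19.x minor line, as I recall the advisory (assumption: verify).
FIRST_PATCHED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

# Constructed package-lock.json (lockfileVersion 3 layout) with one vulnerable copy,
# one patched copy nested under another dependency, and one canary build.
SAMPLE_LOCK = json.loads("""
{
  "name": "crm-portal", "lockfileVersion": 3,
  "packages": {
    "": {"name": "crm-portal", "dependencies": {"next": "16.0.3", "react": "19.2.0"}},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/next": {"version": "16.0.3"},
    "node_modules/some-ui-kit/node_modules/react-server-dom-turbopack": {"version": "19.1.2"},
    "node_modules/react-server-dom-parcel": {"version": "19.3.0-canary-3b2f1a9c-20251120"}
  }
}
""")

def assess_version(version: str) -> str:
    """'patched', 'vulnerable', or 'review' (pre-release or unknown lines need a manual check)."""
    m = VERSION_RE.match(version)
    if not m:
        return "review"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    if m[4]:
        return "review"            # canary/experimental builds are not covered by the table
    if (major, minor) in FIRST_PATCHED:
        return "patched" if patch >= FIRST_PATCHED[(major, minor)] else "vulnerable"
    if (major, minor) > (19, 2):
        return "patched"           # released after the fix (assumption)
    return "review"                # pre-19 lines: confirm against the advisory

def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock: dict) -> list:
    """Return [(lock path, version, status)] for affected packages that are not patched, sorted by path."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if package_name(path) in AFFECTED_PACKAGES:
            version = meta.get("version", "")
            status = assess_version(version)
            if status != "patched":
                findings.append((path, version, status))
    return sorted(findings)

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version, status in audit_lockfile(lock):
        print(f"{status:10} {version:32} {path}")
```

Point it at a lockfile (`python audit.py package-lock.json`) and anything printed as "vulnerable" needs an upgrade, while "review" entries are canary builds or lines outside the table that you should check by hand. The script reads the lockfileVersion 2/3 "packages" map; older lockfileVersion 1 files use a nested "dependencies" tree and are not handled here.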

This attack shows how quickly China weaponizes new vulnerabilities. As I said: “They don’t wait for change control — they’re already in production.”

Militant Groups Experimenting with AI Tools

New research shows terror-affiliated actors are increasingly experimenting with AI and large language models (LLMs) to improve propaganda, phishing, and disinformation.

Groups are using off-the-shelf AI platforms to mass-produce realistic phishing lures, deepfake content, and “hero” narratives for recruitment, as seen in the aftermath of the Sydney Hanukkah attack, where AI-generated content flooded social media.

The concern isn’t sophistication but volume — a flood of AI-generated misinformation can overwhelm truth faster than fact-checkers can respond.

MI6 Warns of Expanding Russian Cyber Pressure

The newly appointed MI6 Chief delivered her first public speech warning that Russia’s cyber operations across Europe are escalating, targeting energy, transport, and media with hack-and-leak operations timed to influence public opinion.

Her message was blunt: the “front lines are everywhere now.” Organizations tied to policy or defense supply chains should prepare for increased cyber pressure, ransomware distractions, and targeted data leaks ahead of European elections.

DraftKings Credential Stuffing Operator Pleads Guilty

Nathan Austin, the third conspirator in the DraftKings credential-stuffing campaign, pleaded guilty to his role in the 2022 attacks that drained thousands of customer accounts.

The case is a reminder that MFA and anomaly detection aren’t optional for customer-facing accounts. Score device and IP risk at login, cap withdrawal velocity, and reject passwords that appear in known breach corpora, because a stuffing campaign is only as good as the reused passwords it replays.
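An added example of those three controls (my code, not DraftKings’ or any vendor’s fraud engine), run over constructed login and withdrawal events: a sliding-window check that flags an IP failing against many distinct accounts and records which account it then logs into, a withdrawal-velocity cap per account, and a k-anonymity style breached-password check in which only a five-character SHA-1 prefix would ever leave your side. Thresholds, event fields and the breach corpus are all assumptions for the example.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative; tune them to your own traffic.
STUFFING_WINDOW = timedelta(minutes=10)
STUFFING_DISTINCT_USERS = 5        # distinct accounts with failed logins from one IP
WITHDRAW_WINDOW = timedelta(hours=1)
WITHDRAW_MAX_COUNT = 3
WITHDRAW_MAX_AMOUNT = 1000.0

# Constructed sample events, not real logs: one IP sprays six accounts and lands a hit on
# "a6", which then cashes out quickly; a second IP is a user mistyping their own password.
LOGINS = [
    {"ts": "2025-12-15T09:00:05", "ip": "203.0.113.7", "user": "a1", "result": "fail"},
    {"ts": "2025-12-15T09:00:09", "ip": "203.0.113.7", "user": "a2", "result": "fail"},
    {"ts": "2025-12-15T09:00:14", "ip": "203.0.113.7", "user": "a3", "result": "fail"},
    {"ts": "2025-12-15T09:00:20", "ip": "203.0.113.7", "user": "a4", "result": "fail"},
    {"ts": "2025-12-15T09:00:27", "ip": "203.0.113.7", "user": "a5", "result": "fail"},
    {"ts": "2025-12-15T09:00:33", "ip": "203.0.113.7", "user": "a6", "result": "success"},
    {"ts": "2025-12-15T09:01:00", "ip": "198.51.100.4", "user": "bob", "result": "fail"},
    {"ts": "2025-12-15T09:01:30", "ip": "198.51.100.4", "user": "bob", "result": "fail"},
    {"ts": "2025-12-15T09:02:00", "ip": "198.51.100.4", "user": "bob", "result": "success"},
]
WITHDRAWALS = [
    {"ts": "2025-12-15T09:05:00", "user": "a6", "amount": 400.0},
    {"ts": "2025-12-15T09:12:00", "user": "a6", "amount": 400.0},
    {"ts": "2025-12-15T09:20:00", "user": "a6", "amount": 400.0},
    {"ts": "2025-12-15T09:31:00", "user": "a6", "amount": 400.0},
    {"ts": "2025-12-15T10:00:00", "user": "bob", "amount": 50.0},
]
# Constructed breach corpus; a real deployment would query a k-anonymity range API instead.
CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "letmein"]

def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])

def detect_stuffing(logins: list):
    """Flag IPs failing against many distinct accounts in a sliding window, and record any
    account they subsequently log into successfully as a takeover suspect."""
    failures = defaultdict(deque)     # ip -> (timestamp, user) failures inside the window
    flagged, alerts, takeovers = set(), [], []
    for ev in sorted(logins, key=_ts):
        ip, now = ev["ip"], _ts(ev)
        if ev["result"] == "success":
            if ip in flagged:
                takeovers.append(ev["user"])
            continue
        q = failures[ip]
        q.append((now, ev["user"]))
        while q and now - q[0][0] > STUFFING_WINDOW:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= STUFFING_DISTINCT_USERS and ip not in flagged:
            flagged.add(ip)
            alerts.append({"ip": ip, "distinct_users": len(distinct), "at": ev["ts"]})
    return alerts, takeovers

def detect_withdrawal_velocity(withdrawals: list) -> list:
    """Flag accounts whose withdrawals inside the window exceed a count or amount cap."""
    recent = defaultdict(deque)       # user -> (timestamp, amount)
    flagged, alerts = set(), []
    for w in sorted(withdrawals, key=_ts):
        user, now = w["user"], _ts(w)
        q = recent[user]
        q.append((now, w["amount"]))
        while q and now - q[0][0] > WITHDRAW_WINDOW:
            q.popleft()
        total = sum(a for _, a in q)
        if (len(q) > WITHDRAW_MAX_COUNT or total > WITHDRAW_MAX_AMOUNT) and user not in flagged:
            flagged.add(user)
            alerts.append({"user": user, "count": len(q), "amount": total, "at": w["ts"]})
    return alerts

# Breached-password check in the k-anonymity range style: the lookup key is a 5-char SHA-1
# prefix, so the full hash never has to be sent to the lookup service.
_RANGE_DB = defaultdict(set)
for _pw in CONSTRUCTED_BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _RANGE_DB[_h[:5]].add(_h[5:])

def is_breached_password(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in _RANGE_DB.get(digest[:5], set())

if __name__ == "__main__":
    print(detect_stuffing(LOGINS))
    print(detect_withdrawal_velocity(WITHDRAWALS))
    print(is_breached_password("password"), is_breached_password("correct horse battery staple"))
```

On the sample data the spraying IP is flagged on its fifth distinct account, the later success on "a6" is recorded as a takeover suspect, and "a6" trips the withdrawal cap on its third cash-out when the hour’s total passes 1,000. The two detectors are deliberately joined by the takeover list: a withdrawal alert on an account that was just logged into from a flagged IP is the one to act on first.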

FBI Warns of Law Enforcement Impersonation Scams

The FBI Anchorage office issued a warning about fake law enforcement and court impersonation scams, where victims receive calls or texts about missed jury duty or arrest warrants — then get pressured into paying “fines.”

No legitimate government agency calls demanding immediate payment; this is pure social engineering. Security teams should educate employees and their families on vishing red flags and verify any such contact by calling back through official directories.

ServiceNow Eyes $7B Acquisition of Armis

ServiceNow is reportedly in final talks to acquire Armis for $7 billion, positioning itself as a new heavyweight in cyber asset management.

The deal would bring Armis’s IoT and OT asset visibility into ServiceNow’s platform, putting it in direct competition with Cisco, Palo Alto Networks, and Microsoft. If finalized, it would be one of the largest private cybersecurity acquisitions on record and another sign of consolidation across the security landscape.

Action List

  • 🎧 Rotate all API keys and SSO credentials after vendor-linked breaches.

  • 🚗 Enforce MFA and alerting on HR and payroll systems.

  • 🇫🇷 Segment and audit government communication infrastructure.

  • 🛍️ Patch and rotate marketplace access tokens for vendors like Askul.

  • 🍎 Review vendor analytics data exposure and implement isolation controls.

  • 🌐 Patch React2Shell immediately and harden web app admin access.

  • 🧠 Develop AI use policies and monitor for synthetic content threats.

  • 🔐 Enable anomaly detection and MFA for all customer-facing accounts.

  • 💼 Track M&A shifts like ServiceNow–Armis for potential ecosystem impacts.


James Azar’s CISO’s Take

Today’s stories highlight a single theme — speed and exposure. Threat actors move faster than governance frameworks, and too many organizations are still operating at the speed of policy, not risk. From SoundCloud’s breach containment to React2Shell exploitation, the lesson is simple: communication, patching, and vendor hygiene aren’t quarterly tasks — they’re continuous survival drills.

My biggest takeaway? Resilience isn’t just detection; it’s readiness. When a breach hits, the only thing worse than bad news is silence. Whether you’re a startup or a government ministry, your users, your employees, and your partners will forgive a breach — but they won’t forgive being left in the dark.

Stay alert, stay caffeinated, and as always — stay cyber safe.
