Cyber News Bytes: What’s Happening in Cybersecurity This Week
This week's latest cybersecurity news and industry updates
Hey friends! It’s been another crazy week for cybersecurity news.
Before we dig into the headlines, a quick note for anyone looking to level up.
If reading about these breaches makes you want to actually build the skills to defend against them, my 5 Technical Cybersecurity Projects course is built for exactly that.
It walks you through five hands-on projects designed to take you from theory to real, resume-ready experience, whether you are just breaking in or sharpening skills you already have.
This is one of the fastest ways to turn what you read here into things you can actually do!
Now, four stories worth your time this week, from millions of leaked data records to a Nintendo breach. Let’s get into it!
1. "FortiBleed" exposes credentials for tens of thousands of Fortinet firewalls
CISA issued an urgent advisory after a sprawling credential leak nicknamed FortiBleed hit internet-facing Fortinet FortiGate firewalls and VPN gateways.
Researchers at SOCRadar say the attackers assembled a verified database of more than 86,000 working credentials across 194 countries, which works out to roughly half of all internet-reachable FortiGate devices.
The operation runs on full automation, where each compromised firewall becomes a listening post that harvests more credentials and feeds them right back into the attack.
CISA is urging affected organizations to reset credentials, terminate all active VPN and administrative sessions, and lock down their management interfaces right away.
Why it matters: Perimeter devices are prime targets, and this campaign shows how a reused or never-rotated password can turn one old leak into a brand new breach. Get those management interfaces off the public internet and turn on MFA everywhere.
2. Kodak confirms a breach as ShinyHunters threatens to leak 2.2 million records
Eastman Kodak confirmed that an unauthorized third party gained temporary access to a limited amount of company data.
The ShinyHunters extortion group claimed responsibility on its dark web leak site, alleging it stole more than 2.2 million records containing customer personal information and internal corporate data.
The group set a June 18 deadline and threatened to publish everything if Kodak failed to make contact.
Kodak says it promptly brought in external cybersecurity experts and law enforcement, and that it is confident there is no threat to its systems or operations.
Why it matters: A household name that has been around since 1880 landing on an extortion leak site is proof that brand legacy is no protection. Notice too how far apart the attacker's 2.2 million figure sits from Kodak's "limited amount" wording, because that uncertainty is exactly the leverage these groups are selling.
3. Nintendo confirms employee data stolen through a third-party survey vendor
Nintendo of America confirmed that data was stolen through TinyPulse, a third-party employee survey service owned by WebMD Health Services, while stressing that its own systems were not compromised.
An extortion crew calling itself Shadowbyt3$ claimed it grabbed roughly 859 megabytes of data, including employee names, bank statements, and W-9 tax forms stretching from 2016 to 2026, and demanded a 2 million dollar ransom.
Nintendo declined to pay, and the company says no customer or financial data was accessed.
It characterized the stolen material as old internal survey responses from a small group of staff.
Why it matters: Even a company as locked down as Nintendo can be hit through a vendor it trusted with sensitive employee files. Third-party risk is not a footnote, and any service holding your people's data is part of your own attack surface.
4. Salesforce disables the Klue app after stolen access tokens expose customer data
Salesforce disabled the Klue Battlecards app integration after detecting unusual activity tied to a security incident that began at competitive intelligence vendor Klue on June 11.
According to Huntress, the attackers first slipped into Klue's backend using a long-dormant credential left over from an abandoned integration, then pushed malicious code that harvested the OAuth tokens customers used to connect Klue to Salesforce and other platforms.
With those tokens in hand they queried connected Salesforce environments directly and exfiltrated CRM data from companies including Huntress, Recorded Future, Jamf, and Tanium.
An extortion group known as Icarus has been linked to the theft.
Why it matters: OAuth tokens are keys that sail right past passwords and MFA, so a single compromised SaaS vendor can cascade into hundreds of connected environments at once. As one researcher put it, the attackers did not need a password or a phished employee, they simply had the token. Inventory your third-party integrations and scope them to the bare minimum.
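One way to start the inventory recommended above, as an added example that is not part of the original newsletter: a small Python audit that flags dormant, ownerless, and over-scoped integrations. The inventory rows, app names, thresholds, and the choice of which scopes count as too broad are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per OAuth grant or
# API credential that a third-party integration holds on your platform.
# "needed" is what the integration's documented function actually requires.
INVENTORY = [
    {"app": "battlecards-sync", "owner": "sales-ops",
     "scopes": {"api", "refresh_token"}, "needed": {"api", "refresh_token"},
     "last_used": date(2030, 2, 20)},
    {"app": "legacy-export", "owner": None,
     "scopes": {"full", "refresh_token"}, "needed": {"api"},
     "last_used": date(2028, 11, 2)},
    {"app": "survey-connector", "owner": "hr",
     "scopes": {"api"}, "needed": {"api"},
     "last_used": date(2029, 10, 1)},
]

TODAY = date(2030, 3, 1)     # constructed audit date so the result is repeatable
BROAD_SCOPES = {"full"}      # assumption: scopes treated as too wide for a vendor
DORMANT_AFTER_DAYS = 90      # assumption: policy threshold, tune to your environment


def audit(inventory, today):
    """Return {app: [findings]} for every integration that needs attention."""
    report = {}
    for item in inventory:
        findings = []
        idle = (today - item["last_used"]).days
        if idle > DORMANT_AFTER_DAYS:
            findings.append(f"dormant for {idle} days: revoke or rotate")
        if item["owner"] is None:
            findings.append("no owner: nobody will notice misuse")
        excess = item["scopes"] - item["needed"]
        if excess:
            findings.append("excess scopes: " + ", ".join(sorted(excess)))
        if item["scopes"] & BROAD_SCOPES:
            findings.append("broad scope granted to a third party")
        if findings:
            report[item["app"]] = findings
    return report


if __name__ == "__main__":
    for app, findings in audit(INVENTORY, TODAY).items():
        print(app)
        for finding in findings:
            print("  -", finding)
```

An integration that passes every check, like the first row, can still be the path in if the vendor itself is compromised, so pair the inventory with monitoring of what each token actually queries.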
The thread tying it all together
Four very different targets, one shared lesson.
None of these started with someone kicking in the front door. They started with stolen credentials, abused tokens, and trusted vendors, which is the slice of the attack surface that is easiest to forget and hardest to see.
If you do one thing this week, rotate and tighten the credentials and integrations linking your most important systems, and start treating your vendors as part of your perimeter too.
Stay patched. Stay skeptical. Talk soon.
Sandra
Cyber With Sandra | www.withcybersecurity.com