In 2025, account takeover (ATO) attacks are a significant – and growing – cybersecurity threat, especially in the…

In 2025, **account takeover (ATO) attacks** are a significant – and growing – cybersecurity threat, especially in the e-commerce, banking, healthcare, and SaaS sectors. Hackers use phishing, credential stuffing, and brute force tactics to access accounts, steal data, and damage corporate reputations. Businesses need advanced ATO protection tools that incorporate powerful detection, prevention, and behavior analytics capabilities.

With attackers increasingly relying on bots, stolen credentials, and dark web marketplaces, the best modern solutions feature AI-fuelled analysis, machine learning, bot mitigation, and real-time fraud prevention. Below, we review the best eight ATO security providers to help your organization identify the very best solution for its needs.

****Why Your Business Needs Account Takeover Security Tools in 2026****

With ATO attacks on the rise, businesses must recognize the value of specialized platforms to guard against this threat. Traditional defences like passwords and firewalls are no longer enough to keep organizations safe. Unlike basic authentication tools, modern ATO solutions integrate multi-factor authentication, risk scoring, intelligent monitoring, and bot management to prevent attacks before they occur.

A 2025 report revealed that over 70% of web traffic is driven by automated bots, with ATO attacks making up a significant proportion of this. The surge reflects the need for adaptive tools that operate seamlessly across devices, channels, and global user bases. The eight platforms we look at below lead the ATO protection market, offering tailored strategies to secure digital identities.

****1\. DataDome****

DataDome is a leading ATO protection tool, well-regarded for its AI-powered bot and fraud detection capabilities. This solution identifies suspicious behavior in real-time to stop credential stuffing and brute force attacks before they affect users. Perfect for businesses of all sizes, from startups to long-established large enterprises, it integrates and scales easily without adding latency. DataDome processes billions of requests daily, providing 24/7 global protection via adaptive AI.

This solution deploys quickly, supports mobile SDKs, and can integrate with cloud, on-premises, and hybrid environments. With granular bot filtering, behavioral analysis, and seamless CDN and WAF integration, DataDome delivers powerful and always-on defence against existing and evolving threats.

****Pros****

*   Delivers accurate threat mitigation with minimal false positives.
*   Integrates easily across web apps, APIs, and mobile platforms.
*   Uses real-time machine learning to adapt to evolving attack patterns.
*   Offers flexible deployment across cloud and on-premises environments.

****Cons****

*   No free trial is currently offered.
*   Pricing may be cost-prohibitive for startups.

****2\. Imperva****

This suite of tools from Imperva is a trusted solution, offering accurate fraud protection without negatively impacting the user experience. It guards businesses against credential stuffing, fake sign-ups, scraping attacks, and other forms of cybercrime with cloud-first deployment and support for on-premises setup.

Imperva uses AI-fuelled analysis, data enrichment, and risk monitoring to detect compromised credentials and integrates with firewalls, API gateways, and identity systems with minimal latency. Key features include anomaly detection, API abuse prevention, and real-time dashboards to track fraud trends and help maintain compliance. Scalable and precise, Imperva is ideal for high-volume industries like retail and banking.

****Pros****

*   Strikes an effective balance between strong security and a smooth user experience.
*   Offers advanced risk scoring with actionable fraud insights.
*   Provides robust protection for APIs and mobile platforms.
*   Supports flexible deployment across cloud and on-premises environments.

****Cons****

*   May require comparatively more onboarding, especially for smaller teams.
*   Free trial offers limited access to the full feature set.

****3\. F5****

The F5 Distributed Cloud Bot Defence helps organizations protect their digital experiences at scale by using advanced AI to detect and block credential abuse and fraudulent login attempts. Its invisible security approach ensures bots are stopped in their tracks without disrupting legitimate users, making it perfect for customer-facing industries.

F5 deploys behavioral fingerprinting, device analytics, and adaptive risk scoring to identify and deal with threats. The solution supports hybrid and multi-cloud deployments and integrates easily with APIs and mobile platforms. Further, centralized dashboards provide insight into fraud patterns, helping teams fine-tune their defences.

****Pros****

*   Provides seamless user experience with **minimal friction**.
*   Protects mobile apps, APIs, and websites.
*   Uses AI-driven behavioral analysis to detect and block threats.
*   Supports flexible setup in a range of deployments.

****Cons****

*   Prices may be challenging for mid-size organizations.
*   Initial setup can be complex, which may be problematic for smaller teams with limited resources.

****4\. Telesign****

Telesign offers a communication-first approach to ATO prevention by combining SMS, phone verification, and identity intelligence to ensure users are legitimate before being granted access. The solution operates through robust communications APIs and handles high-volume login traffic with ease, making it ideal for enterprises and SaaS platforms.

Telesign’s key features include risk scoring and identity APIs, and it aims to strengthen multi-factor authentication processes and block fake registrations and logins without affecting the user experience.

****Pros****

*   Reliable phone verification APIs for secure user authentication.
*   Extensive global coverage for SMS and voice channels.
*   Simple integration into mobile and web applications.
*   Affordable multi-factor authentication layer for added security.

****Cons****

*   Does not offer comprehensive bot protection features.
*   SMS-related costs can rise significantly with large-scale usage.

****5\. Cloudflare Bot Management****

Cloudflare offers a powerful and affordable bot management solution, and is especially relevant for businesses already using the Cloudflare platform. Leveraging visibility across a vast digital network, it offers strong protection against account takeover and a wide range of automated threats.

The suite of tools uses machine learning, behavioral analyses, and JavaScript fingerprinting trained on massive data volumes for ultimate effectiveness. Features include API protection, customizable bot rules, and adaptive scoring to detect suspicious behavior, to deliver powerful bot and ATO defence without adding complexity.

****Pros****

*   Integrates smoothly with Cloudflare services and delivers low-latency performance.
*   Offers high value at scale.
*   Effectively blocks basic and mid-level threat bots.

****Cons****

*   It may not be as precise as specialized bot protection solutions.
*   Lacks built-in dark web monitoring tools for credential exposure protection.

****6\. Darktrace****

This ATO security provider from Darktrace provides intelligent account takeover protection using self-learning AI that adapts to each business’s unique digital environment. Unlike traditional tools, it autonomously learns behavior patterns to detect anomalies and respond instantly. Its real-time defences make it a good choice for organizations with complex infrastructure, while the solution’s configurable dashboards allow for continuing monitoring and insights.

****Pros****

*   Automatically detects and responds to threats using self-learning AI.
*   Compatible with SaaS platforms and hybrid infrastructure.
*   Continuously improves detection rates with adaptive learning.
*   Delivers fast response times and minimal latency.

****Cons****

*   Pricing is relatively high, compared to similar solutions on the market.
*   Requires an initial AI training period to achieve full accuracy.

****7\. Proofpoint****

Proofpoint Account Takeover Protection provides effective defence against phishing-driven account compromises. It combines email intelligence, behavioral analytics, and login anomaly detection to identify threats early. With strong integration into its cloud security platform, Proofpoint monitors for dark web leaks, insider risks, and breach indicators to offer a comprehensive, layered solution that goes well beyond basic controls.

****Pros****

*   Excellent protection against phishing-driven account takeover attempts.
*   Seamless integration with the broader Proofpoint security ecosystem.
*   Monitors the dark web for exposed credentials.
*   Provides clear, actionable risk reports.

****Cons****

*   Most effective when used in conjunction with the full Proofpoint platform.
*   Primarily focused on email-related threats, with limited coverage beyond this.

****8\. Akamai****

This ATO protection option from Akamai could be a good choice for global enterprises needing scalable, real-time account security. Leveraging its huge content delivery and edge computing network, it detects suspicious logins before malicious bots access applications.

The platform uses device fingerprinting, behavioral analysis, and adaptive authentication to block bots and credential stuffing attempts without negatively impacting legitimate users. Akamai supports multi-cloud and hybrid environments to deliver detailed risk scoring and low-latency protection.

****Pros****

*   Extensive global coverage and traffic visibility.
*   Effective bot mitigation at the edge level.
*   Advanced behavioral risk analysis to detect suspicious activity.

****Cons****

*   May be more expensive than other similar options on the market.
*   Setup can be complex for smaller teams with limited resources.

****Protecting Your Business from ATO Attacks is Vital in 2026 and Beyond****

As ATO attacks grow more sophisticated, businesses must adopt intelligent, scalable protection that goes beyond basic authentication processes. The platforms reviewed above offer advanced AI, behavioral analytics, and bot mitigation tools to safeguard digital identities, now and in the future.

(Photo by Zulfugar Karimov on Unsplash)

8 Recommended Account Takeover Security Providers

Cl0p ransomware lists NHS UK as a victim days after The Washington Post confirms a major Oracle E-Business breach linked to CVE-2025-61882.

Cl0p is claiming responsibility for a new data breach affecting the National Health Service (NHS UK). On November 11, 2026, the ransomware group posted on its dark web leak site, accusing the healthcare provider of neglecting its security, stating, “The company doesn’t care about its customers; it ignored their security.”

Although the group has not revealed the volume of stolen data, the announcement aligns with ongoing attacks and reports pointing out CL0p of exploiting vulnerabilities in Oracle’s E-Business Suite (EBS).

NHS officials have not confirmed a breach, but their cybersecurity division did issue alerts in October about critical flaws in Oracle EBS. That alert warned healthcare and public sector systems relying on Oracle’s enterprise software to apply immediate patches and restrict internet exposure. The timing of the Cl0p post now suggests the group may have exploited the same vulnerabilities NHS had already flagged a month earlier.

NHS UK data breach claims from the Cl0p ransomware group (Image credit: Hackread.com)

****The Washington Post****

While the NHS claim is still being investigated, Cl0p’s campaign has already proven its reach. Just days earlier, on November 7, the group announced it had breached The Washington Post by exploiting the same Oracle EBS flaws.

As seen by Hackread.com, the hackers published what they claim is 183GB of data under a folder labeled ebs.washpost.com. The Washington Post later confirmed it was impacted, saying it was among the victims of a “breach of the Oracle E-Business Suite platform.”

The Washington Post’s data details (Image credit: Hackread.com)

****What Experts Think****

Security experts say the Washington Post attack fits Cl0p’s pattern of large-scale, data-theft operations targeting enterprise software used across multiple sectors. Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, noted that the incident highlights Cl0p’s focus on exploiting high-value business systems rather than random targets.

She explained that the group has moved away from traditional ransomware encryption toward coordinated data-exfiltration campaigns that leverage zero-day flaws in critical software such as MOVEit, GoAnywhere, and Oracle EBS.

Unlike affiliate-based ransomware operations, Cl0p’s structure is centralised and technical. Lopez said this setup allows the group to conduct synchronised attacks against hundreds of organisations before vendors release patches.

Their tactics often involve scanning for vulnerable systems, gaining remote access, maintaining persistence, and quietly siphoning data for months before making demands or publishing leaks.

The Washington Post data breach claims from the Cl0p ransomware group (Image credit: Hackread.com)

Faik Emre Derin, Technical Content Manager at SOCRadar, added that the Oracle EBS campaign revolves around CVE-2025-61882, a severe remote code execution flaw with a CVSS score of 9.8.

His team’s analysis shows the exploitation began around August 2025, months before Oracle issued an emergency patch on October 4. The affected versions range from 12.2.3 to 12.2.14, with attackers focusing on the BI Publisher Integration module that allows unauthenticated access to vulnerable systems.

Derin said the exploit’s spread accelerated when a separate group called Scattered Lapsus$ Hunters leaked proof-of-concept code on October 3. This leak allowed additional threat actors, including Cl0p and FIN11, to expand attacks on a global scale.

He recommended that organisations running Oracle EBS install the October 2025 patch immediately, conduct forensic reviews dating back to August, and monitor for connections to suspicious IPs such as 200.107.207.26 and 185.181.60.11.

The ongoing campaign has also affected other high-profile organisations, including Harvard University and American Airlines’ subsidiary Envoy. Investigations by Mandiant and Google’s Threat Intelligence Group suggest the activity started in late September 2025, targeting companies that rely heavily on Oracle EBS for finance, HR, and supply-chain management.

Oracle has since released patches addressing the vulnerabilities and urged customers to update without delay. Despite those efforts, many systems remain exposed, providing Cl0p and affiliated groups with continued opportunities for exploitation.

The inclusion of NHS UK and The Washington Post in the victim list places the Cl0p campaign among the most significant enterprise-software breaches in recent years. With stolen data already circulating online and more victims expected to surface, experts warn that the threat from unpatched Oracle systems is far from over.

Cl0p Ransomware Lists NHS UK as Victim, Days After Washington Post Breach

Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform.…

Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform. This time, 1.96 billion accounts connected to the Synthient Credential Stuffing Threat Data, in collaboration with the threat-intelligence firm Synthient.

Users who subscribe to HIBP alerts, including this writer, received an email notification stating: “You’ve been pwned in the Synthient Credential Stuffing Threat Data data breach.”

According to the message, the incident involves nearly two billion unique email addresses and around 1.3 billion passwords. The data includes email addresses and passwords that were compiled from previous breaches and circulated within credential-stuffing lists. These lists are commonly used by attackers to target accounts where users have reused passwords across multiple platforms.

The notification specifies that the breach occurred in April 2025, but notes that data like this can take months or even years before it becomes publicly accessible and is processed by HIBP. The platform aims to alert users as soon as the data becomes verifiable and available for inclusion.

****What the Data Is and How It Originated****

HIBP’s description explains that the information was not taken directly from a single hacked service. Instead, it was aggregated by Synthient, a threat-intelligence firm that collects and analyses credential-stuffing data from malicious sources across the internet.

During 2025, Synthient compiled nearly 2 billion unique email addresses from various breached databases, many already circulating in **clear and dark web forums**. These credentials are often used by cybercriminals to automate login attempts on unrelated platforms in hopes of gaining access to additional accounts through password reuse.

Email sent by Have I Been Pwned (Image credit: Hackread.com)

****Not the First Synthient Dataset Added to HIBP****

This isn’t the first time Synthient data has appeared on Have I Been Pwned. In October 2025, as **reported by Hackread.com**, HIBP added another dataset titled Synthient Stealer Credentials, which contained 183 million stolen credentials harvested from stealer logs.

That earlier collection represented information directly extracted from infected devices, while this new addition is a compilation of credentials gathered from credential-stuffing lists rather than live malware infections.

****What Users Should Do****

The addition of this data shows the risks of password reuse and large-scale **credential aggregation**. Even if the data isn’t from a new direct breach, having your email and password appear in such lists means your accounts could be at risk.

For now, it is recommended that anyone notified through the service should change reused passwords immediately, enable two-factor authentication, and avoid using the same password across multiple accounts.

****Avoid the Clickbait Confusion****

Readers should be cautious about exaggerated or misleading reports that may surface following this update. This incident is not a direct data breach. The dataset combines information from previously exposed credentials found in multiple sources and compiled by Synthient.

The collection includes email addresses from many providers such as Hotmail, Gmail, Yahoo, and others, but that does not mean these services were hacked. Claims like “2 billion Gmail accounts hacked” or “Google breached” will be false and misleading.

**Summary**

1.  **Breach Name:** Synthient Credential Stuffing Threat Data
2.  **Date of Breach:** April 2025
3.  **Accounts Affected:** 1.96 billion
4.  **Data Exposed:** Email addresses and passwords
5.  **Source:** Aggregated credential-stuffing lists collected by Synthient
6.  **Related Incident:** Synthient Stealer Credentials (183 million accounts, added October 2025)

Have I Been Pwned Adds 1.96B Accounts From Synthient Credential Data

Veracode Threat Research exposed a targeted typosquatting attack on npm, where the malicious package @acitons/artifact stole GitHub tokens. Learn how this supply chain failure threatened the GitHub organisation's code.

Cybersecurity researchers at Veracode discovered a campaign that was aimed at stealing critical credentials from GitHub’s own code base. The attack involved hackers planting a fake software component on npm (Node Package Manager), which is a massive public library that developers use to share JavaScript code.

For your information, an npm package is a folder containing code, documentation, and metadata that developers can easily share and integrate into their projects. These help them build modern applications by reusing existing, tested code components instead of writing everything from scratch.

Cybersecurity firm Veracode’s threat research team flagged the malicious npm package, a GitHub Actions Toolkit named “@acitons/artifact", on Friday, November 7. This name is a clear example of how scammers use a trick called typosquatting to deceive unsuspecting users.

This type of attack involves registering a name that intentionally looks like a typo of a legitimate one (the real package is @actions/artifact), hoping developers will accidentally download the wrong one. The malicious package was surprisingly popular, having been downloaded over 206,000 times.

Screenshot taken after the malware author took down the malicious package (Source: Veracode)

****How the Supply Chain Was Compromised****

This type of breach, technically called a Software Supply Chain Failure, has become a major concern, even making it onto the OWASP TOP 10 2025 (RC1) list of top risks, researchers noted in the blog post shared with Hackread.com.

The fake code package was set up to launch a dangerous sequence immediately after installation. It contained a post-install hook (basically a special script) that would download and run malware to steal GitHub tokens.

Think of these tokens as temporary access keys for the code environment. Veracode’s researchers believe the ultimate motivation was to “exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub.”

Further investigation showed the malware was extremely focused. It was programmed to check whose repository it was in, and specifically targeted repositories owned by the GitHub organisation. A check within the harmful code ensured it would “exit if the organisation was not GitHub,” confirming the attackers were aiming at the core platform.

****Package Removal Timeline****

It is worth noting that when the researchers first found the malware, even popular anti-virus software did not catch it. The attackers had also included an expiration date, setting the code to stop working after 2025-11-06 UTC. The research also identified and blocked another fake package called “8jfiesaf83“.

By Monday, November 10, the malicious versions of the package were taken down, likely by the attackers themselves or by GitHub. The good news is that Veracode confirmed that customers using their security service, Package Firewall, were protected instantly after the threat was identified on Friday.

Fake NPM Package With 206K Downloads Targeted GitHub for Credentials

Cisco’s new research shows that open-weight AI models, while driving innovation, face serious security risks as multi-turn attacks, including conversational persistence, can bypass safeguards and expose data.

When companies open doors to their **AI models**, innovation often follows. But according to new research from Cisco, so do attackers. In a comprehensive study released this week, Cisco AI Threat Research found that open-weight models, those with freely available parameters, are highly vulnerable to adversarial manipulation, especially during longer user interactions.

For your information, an open-weight model is a **type of AI model** where the trained parameters (the “weights”) are publicly released. Those weights are what give the model its learned abilities; they define how it processes language, generates text, or performs other tasks after training.

The report, titled **Death by a Thousand Prompts: Open Model Vulnerability Analysis**, analysed eight leading open-weight language models and found that multi-turn attacks, where an attacker engages the model across multiple conversational steps, were up to ten times more effective than one-shot attempts. The highest success rate reached a staggering 92.78% on Mistral’s Large-2 model, while Alibaba’s Qwen3-32B wasn’t far behind at 86.18%.

Comparison of open-weight models showing how often single-turn and multi-turn attacks succeeded, along with the performance gap between them (Image via Cisco)

Cisco’s researchers explained that attackers can build up trust with the model through a series of harmless exchanges, then slowly steer it toward producing disallowed or harmful outputs. This gradual escalation often slips past typical moderation systems, which are designed for single-turn interactions.

The report attributes this issue to a simple yet dangerous flaw, including models that struggle to maintain safety context over time. Once an adversary learns how to reframe or redirect their queries, many of these systems lose track of earlier safety constraints.

The researchers observed that this behaviour allowed models to generate restricted content, reveal sensitive data, or create malicious code without tripping any internal safeguards.

However, not all models fared equally. Cisco’s data showed that alignment strategies how developers train a model to follow rules, played a large role in security performance. Models like Google’s Gemma-3-1B-IT, which focus heavily on safety during alignment, showed lower multi-turn attack success rates at around 25%.

On the other hand, capability-driven models such as Llama 3.3 and Qwen3-32B, which prioritise broad functionality, proved far easier to manipulate once a conversation stretched beyond a few exchanges.

In total, Cisco evaluated 102 different sub-threats and found that the top fifteen accounted for the most frequent and severe breaches. These included manipulation, misinformation, and malicious code generation, all of which could lead to data leaks or misuse when integrated into customer-facing tools like chatbots or virtual assistants.

The fifteen subthreat categories showed the highest vulnerability across all tested models. (Image via Cisco)

The company’s researchers used their proprietary AI Validation platform to run automated, algorithmic tests across all models, simulating both single-turn and multi-turn adversarial attacks. Each model was treated as a black box, meaning no inside information about safety systems or architecture was used during testing. Despite that, the team achieved high attack success rates across nearly every tested model.

> _“Across all models, multi-turn jailbreak attacks proved highly effective, with success rates reaching 92.78 percent. The sharp rise from single-turn to multi-turn vulnerability shows how models struggle to maintain safety guardrails across longer conversations.”_
> 
> – Amy Chang (Lead Author), Nicholas Conley (Co-author), Harish Santhanalakshmi Ganesan, and Adam Swanda, Cisco AI Threat Research & Security

Cisco’s findings may be recent, but the concern itself isn’t. Security experts have long warned that open-weight AI models can be easily altered into unsafe versions. The ability to fine-tune these systems so freely gives attackers a way to strip away built-in safeguards and repurpose them for harmful use.

Because the weights are publicly accessible, anyone can retrain the model with malicious goals, either to **weaken its guardrails** or trick it into producing content that closed models would reject.

Some well-known open-weight AI models include:

1.  **Meta Llama 3 and Llama 3.3** – released by Meta for research and commercial use, widely used as a base for custom chatbots and coding assistants.
2.  **Mistral 7B and Mistral Large-2 (also called Large-Instruct-2047)** – from Mistral AI, known for high performance and permissive licensing.
3.  **Alibaba Qwen 2 and Qwen 3** – from Alibaba Cloud, optimised for multilingual tasks and coding.
4.  **Google Gemma 2 and Gemma 3-1B-IT** – smaller open-weight models built for safety-focused applications.
5.  **Microsoft Phi-3 and Phi-4** – compact models emphasising reasoning and efficiency.
6.  **Zhipu AI GLM-4 and GLM-4.5-Air** – large bilingual models popular across China’s AI ecosystem.
7.  **DeepSeek V3.1** – open-weight model from DeepSeek AI designed for research and engineering tasks.
8.  **Falcon 180B and Falcon 40B** – developed by the Technology Innovation Institute (TII) in the UAE.
9.  **Mixtral 8x7B** – an open mixture-of-experts model also from Mistral AI.
10.  **OpenAI GPT-OSS-20B** – OpenAI’s limited open-source research model used for evaluation and benchmarking.

The report doesn’t call for an end to open-weight development but argues for responsibility. Cisco urges AI labs to make it harder for people to remove built-in safety controls during fine-tuning and advises organisations to apply a security-first approach when deploying these systems. That means adding context-aware guardrails, real-time monitoring, and ongoing **red-teaming tests** to catch weaknesses before they can be abused.

Cisco’s research also found that attackers tend to use the same manipulation tactics that work on people. Methods such as role-play, subtle misdirection, and gradual escalation proved especially effective, showing how social engineering techniques can easily carry over into AI interactions and prompt manipulation. Each of these models comes with its trained weights available for download, allowing developers to run them on their own systems or adjust them for specific tasks and projects.

Nevertheless, Cisco’s report details that protecting AI models should be treated like any other software security job. It takes constant testing, protection, and communication about the risks involved.

The full report is available **here on arXiv** (PDF).

(Image by T Hansen from Pixabay)

Cisco Finds Open-Weight AI Models Easy to Exploit in Long Chats

Intel, the leading computer chip maker, has filed a lawsuit seeking at least $250,000 in damages from a…

Intel, the leading computer chip maker, has filed a lawsuit seeking at least $250,000 in damages from a former software engineer, Jinfeng Luo, who is accused of stealing a huge amount of confidential company data before disappearing.

This incident comes as Intel faces massive job cuts. The company, as we know it, has laid off around 35,500 employees over the last couple of years as it tries to fix its money troubles.

Luo, who had worked at Intel since 2014, was notified on July 7, 2024, that his job was ending at the end of that month. According to court filings reported by media outlets, just days before his last day, Luo allegedly copied about 18,000 files onto a Network-Attached Storage (NAS) device. A NAS is basically a special hard drive connected to a network, making it possible to store and share data.

These files were not just any documents; some were even marked as “Intel Top Secret,” which means they contained the company’s most sensitive information. However, while Luo was notified of his termination amid these layoffs, the lawsuit itself does not state the specific reason why his job was ended.

Further probing revealed that Luo first tried to copy the files to an external drive a week before his departure, but Intel’s security systems blocked that attempt. He reportedly succeeded in the transfer a few days later, before spending the rest of his time downloading as much information as he could.

Intel detected the unusual transfers and has since spent over three months trying to contact Luo through phone calls, emails, and even letters. However, with the former employee still untraceable and not responding to any of the claims, Intel was forced to file the lawsuit in a Washington federal court.

The company is seeking the return of its property and is also demanding that the court order Luo to hand over his personal electronic devices for inspection. The case is officially titled Intel Corporation v. Luo, with Case Number 2:2025cv02159.

It is worth noting that this is not Intel’s first clash with a former employee stealing data. In a recent, separate case, another former engineer named Varun Gupta was sentenced to two years of probation and had to pay a $34,000 fine for taking proprietary information. That data was later used while he worked for Microsoft, which, the court found, actually gave the rival company an advantage in negotiations with Intel.

Intel’s lawsuit against Luo seeks the return of all the confidential data and the large sum of money for damages, as the company fights to protect its business secrets.

1.  German army’s sensitive data found on a laptop bought from eBay
2.  Ex-employee stole secrets of Israeli spyware firm for dark web deals
3.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore
4.  Employee infects US govt network with malware after visiting 9k porn sites
5.  Sensitive Data of 130K+ US Navy Sailors Stolen Due to One Hacked Laptop

Intel Sues Ex-Engineer for Stealing 18,000 ‘Top Secret’ Files

Unit 42 discovered LANDFALL, commercial-grade Android spyware, which used a hidden image vulnerability (CVE-2025-21042) to remotely spy on Samsung Galaxy users via WhatsApp. Update your phone now.

Security researchers from Palo Alto Networks’ Unit 42 have discovered a dangerous new commercial-grade spyware called LANDFALL that secretly targeted Samsung Galaxy smartphones for months.

This sophisticated campaign relied on a hidden flaw to turn everyday image files sent over apps like WhatsApp into a tool for comprehensive surveillance. As detailed in Unit 42’s technical blog post, the foundation of this attack was a previously unknown zero-day vulnerability in a special Samsung software library (libimagecodec.quram.so) that handles image processing.

This vulnerability, tracked as CVE-2025-21042, allowed attackers to sneak the LANDFALL spyware onto a device without the user doing anything, not even clicking on a link. This is called a zero-click exploit, which is among the most dangerous attacks as it requires no user action and offers no viable defence.

For your information, CVE-2025-21042 was an ‘out-of-bounds write’ in the Samsung library and rated CVSS 9.8 (Critical). The issue basically means the spyware tricked the phone into writing malicious data outside its designated memory box.

Attackers delivered the spyware hidden inside specially created, malformed DNG (Digital Negative) image files. These images, with filenames suggesting they were sent via WhatsApp (e.g., WhatsApp Image… or WA0000.jpg), were used to exploit the Samsung vulnerability. Unit 42 confirmed they found no unknown flaws in WhatsApp itself.

Unit 42’s investigation further revealed that the LANDFALL operation was active in mid-2024, months before Samsung released a fix for the problem in April 2025. Researchers noted that a similar vulnerability (CVE-2025-21043) was patched in September 2024, showing this method of attack is part of a broader trend.

****A Powerful Spy Tool****

Once installed on a Samsung Galaxy device (including models like the S22, S23, S24, Z Flip4, and Z Fold4), LANDFALL acts as a full-featured digital spy. Its capabilities include everything from data exfiltration (stealing recorded calls, photos, contacts, and browsing history) and device fingerprinting (capturing critical identifiers like IMEI) to advanced persistence and evasion features. It can burrow deep into the system by manipulating security layers (like SELinux) and hide from security apps for long-term surveillance.

Timeline for recent exploit activity and LANDFALL spyware flowchart (Source: Palo Alto Networks)

The research suggests this was a targeted effort, not a widespread infection, with evidence pointing to activities in the Middle East, including possible victims in Iraq, Iran, Turkey, and Morocco. While no group is officially blamed, Unit 42 observed that the digital patterns and infrastructure share similarities with those of a known surveillance group called Stealth Falcon.

Current Samsung Galaxy users who have kept their devices updated are protected, as the critical flaw was fixed back in April 2025. However, the discovery of LANDFALL itself shows how advanced threats can operate for a long time, completely hidden from the average person.

LANDFALL Spyware Targeted Samsung Galaxy Phones via Malicious Images

In an era where digital ecosystems extend far beyond a company’s internal network, enterprise cybersecurity is no longer…

In an era where digital ecosystems extend far beyond a company’s internal network, enterprise cybersecurity is no longer solely about firewalls and endpoint protection. It’s about the unseen connections, the suppliers, service providers, cloud vendors and subcontractors who form part of the operational supply chain. One critical practice at the heart of this challenge is vendor risk assessment: the process of evaluating the risks that third parties pose to an organisation’s data, operations and reputation.

The rise in supply-chain attacks and third-party breaches means that vendor risk is now business risk. According to the U.S. National Institute of Standards and Technology (NIST), managing external dependencies is a key component of cyber resilience. When a vendor with access to internal systems or sensitive data is compromised, the fallout can be swift, severe and far-reaching.

****The Expanding Threat Surface Through Vendor Networks****

Modern organisations often rely on dozens, sometimes hundreds, of external partners for services ranging from cloud storage and analytics to logistics and marketing platforms. While these vendors enable agility and scale, they also introduce additional attack vectors. According to one cyber-risk platform, vendor risk assessments are essential for “strengthening an organisation’s security posture.”

A breach at a vendor can open the door to an organisation’s entire ecosystem. For example, a weak vendor may lead to lateral movement into the main network, exfiltration of sensitive data, disruption of service delivery or exposure of client information. As supply-chain dependencies grow, so does the urgency of accurately assessing vendor risk.

****What a High-Quality Vendor Risk Assessment Looks Like****

So what does an effective vendor risk assessment entail? Key elements include:

*   **Vendor inventory and classification** – Understanding which vendors you work with, what systems or data they access, and how critical they are to your business.  
    
*   **Risk tiering based on criticality** – Vendors with access to sensitive data or mission-critical systems should receive deeper scrutiny.  
    
*   **Security control evaluation** – Assessing a vendor’s cyber hygiene (patching habits, access controls, incident response, encryption, etc.).  
    
*   **Continuous monitoring** – Since risk isn’t static, assessments should evolve. Vendors must be re-evaluated regularly or when their risk profile changes.  
    
*   **Contractual safeguards and SLAs** – Setting clear requirements in contracts for cybersecurity controls, audit rights, data access and breach notification.  
    
*   **Third- and fourth-party awareness** – Recognising that vendors often use subcontractors, which magnifies risk exposure.  
    

When executed methodically, this process becomes foundational for enterprise cyber resilience.

****Business Impacts of Vendor Risk Mismanagement****

The consequences of failing to manage vendor risk go beyond IT headaches. They touch every part of the organisation. Some of the tangible impacts include:

*   **Operational disruption** – If a key service provider is compromised or fails, the business may face outages, lost revenue and diminished capability.  
    
*   **Regulatory and compliance liability** – Many regulations mandate oversight of third parties who handle data or services on your behalf. A vendor’s breach may trigger sanctions or fines.  
    
*   **Reputational damage** – Clients and partners presume you control your vendors; when you don’t, trust is eroded.  
    
*   **Security posture degradation** – Your organisation’s overall readiness is only as strong as the weakest link in your network of relationships.  
    

By proactively performing vendor risk assessments, organisations can anticipate issues, prioritise controls, and build resilience in their cyber-ecosystem.

****Integrating Cybersecurity into Vendor Risk Assessment****

Vendor risk assessment is deeply intertwined with enterprise cybersecurity strategy. It fosters outcomes such as:

*   **Improved visibility and control** – You understand which vendors touch critical systems and what controls they apply.  
    
*   **Reduced attack surface** – By identifying high-risk vendors and remediating or removing weak links, you shrink exposure.  
    
*   **Enhanced incident response** – With vendor risk known and mapped, you can respond faster when an incident involves a third party.  
    
*   **Better alignment with frameworks** – Vendor monitoring helps organisations adhere to standards like NIST CSF, ISO 27001 and supply-chain risk guidelines. 

The practice transforms vendor oversight from a compliance-only task into a strategic component of cyber-defence.

**Best Practices for Organisations Conducting Vendor Risk Assessments**

To maximise the value of vendor risk assessment, teams should adopt several best practices:

1.  **Keep vendor inventories up to date** – Include all providers, subcontractors and cloud services with system access.  
    
2.  **Apply tiered assessment protocols** – Use quick screening for low-risk vendors; deep assessments for high-risk ones.  
    
3.  **Automate where possible** – Use tools and platforms to gather vendor-security data, flag changes and issue alerts.  
    
4.  **Re-evaluate regularly** – Schedule reassessments, monitor for new risk indicators and update vendor ratings.  
    
5.  **Embed in procurement and onboarding** – Make vendor risk assessment part of the vendor lifecycle, not just before contract signature.  
    
6.  **Foster cross-functional collaboration** – Bring in legal, procurement, IT and security teams to ensure all angles are covered.  
    
7.  **Use real-world data** – Don’t solely rely on vendor questionnaires; incorporate independent security ratings, breach history and monitoring.  
    

By following these steps, organisations build a vendor ecosystem that supports business growth while maintaining cyber-resilience.

****The Future of Vendor Risk: Automation, AI and Supply-Chain Analytics****

As third-party networks proliferate, manual risk assessment workflows struggle to keep pace. Cutting-edge organisations are now using artificial intelligence and machine-learning tools to automate vendor monitoring, analyse supply-chain risk paths and identify vendor-related threat signals early. One study found that supply-chain features meaningfully improve predictive models of breach risk. 

Automation enables real-time alerts when vendors’ risk profiles change, unauthorised access patterns emerge or subcontracting layers expand. The future of vendor risk assessment is continuous, intelligent and integrated, not periodic, manual and isolated.

****Final Thoughts****

In a world where digital ecosystems span countless external links, vendor risk assessment is not optional; it’s essential. Organisations that treat vendor risk as a strategic element of their cybersecurity posture are far better equipped to detect threats early, limit exposure and preserve operational continuity.

By adopting rigorous assessment frameworks, monitoring vendor ecosystems, leveraging automation and aligning vendor oversight with broader cyber strategy, enterprises reinforce their defences across every link in the chain. As threats evolve, so must vendor governance, ensuring that the vendors you trust don’t become the vulnerability you regret.

(Image by Mohamed Hassan from Pixabay)

Why Organizations Can’t Ignore Vendor Risk Assessment in Today’s Cyber-Threat Landscape

Menlo Park, CA, USA, 10th November 2025, CyberNewsWire

**Menlo Park, CA, USA, November 10th, 2025, CyberNewsWire**

AccuKnox, a leader in Zero Trust Cloud-Native Application Protection Platforms (CNAPP), announced a strategic partnership with **Incident Response Team SA DE CV** (**ShieldForce)** and **DeepRoot Technologies****,** a global cybersecurity service provider and managed services partner, to accelerate Zero Trust adoption and AI Security innovation across Mexico and parts of Latin America. 

**Incident Response Team SA DE CV (ShieldForce) – Cyber Resilience Partnership** 

Incident Response Team SA DE CV (ShieldForce), founded by **Francisco Villegas**, in Mexico, delivers AI-driven managed cybersecurity solutions, including Incident response, Managed SOC, endpoint protection, disaster recovery, anti-ransomware protection, and regulatory compliance management. Operating across Mexico and Latin America, Incident Response Team SA DE CV (ShieldForce) helps organizations minimize downtime, mitigate cyber risks, and protect their reputations in an increasingly complex digital landscape.

Recently, Incident Response Team SA DE CV (ShieldForce’s) CEO, Francisco Villegas, presented at one of Mexico’s largest cybersecurity conferences. They presented in Spanish on the importance of Zero Trust CNAPP strategies in modern enterprises. This topic received highly positive audience feedback, reinforcing ShieldForce’s growing leadership in the region.

**Leadership Testimonials**

> “Nuestra misión en ShieldForce siempre ha sido ayudar a los clientes a mantenerse por delante de la evolución de las amenazas a través de la automatización, la concienciación y la inteligencia,” **dijo Francisco Javier Villegas Landin, Fundador y CEO de ShieldForce.**

> “This partnership demonstrates the power of collaboration in advancing Zero Trust adoption,” said **Vineel Kurumella, Partner at DeepRoot Technologies**. 

> “We’re thrilled to collaborate with ShieldForce and DeepRoot Technologies in bringing AccuKnox’s Zero Trust and AI Security capabilities to North and Latin America,” said **Raj Panchapakesan**, **Global Head of Business Development and Partner Ecosystem at AccuKnox**. 

**Securing ‘Code to Cognition’**

AccuKnox provides comprehensive multi-cloud and on-premise security. In parallel, **AccuKnox AI Security** provides comprehensive protection for the full lifecycle of AI/ML/LLM workloads encompassing data, models, applications, and infrastructure.

**About ShieldForce**

ShieldForce is a global cybersecurity provider delivering AI-powered managed services, including SOC operations, endpoint protection, threat detection, incident response, and compliance management.

**About DeepRoot Technologies**

DeepRoot Technologies (DeepRootTech) specializes in cybersecurity and data engineering solutions that enhance detection, response, and data insight. The company designs secure data pipelines and AI-driven analytics frameworks that enable enterprises to protect critical systems without disrupting innovation.

**About AccuKnox**

AccuKnox is a Zero Trust CNAPP platform that delivers runtime protection, agentless risk assessment, and comprehensive visibility across cloud, container, and AI workloads. The company is a core contributor to leading CNCF open-source projects KubeArmor and ModelArmor. 

**Contact**

**PMM**  
**Syed Hadi**  
**AccuKnox**  
**\[email protected\]**

Incident Response Team (ShieldForce) Partners with AccuKnox for Zero Trust CNAPP in Latin America

Monsta FTP users must update now! A critical pre-authentication flaw (CVE-2025-34299) allows hackers to fully take over web servers. Patch to version 2.11.3 immediately.

A web-based file management application, Monsta FTP, was recently found to have a serious security problem that could allow hackers to completely take over a web server.

Cybersecurity firm watchTowr discovered and reported this issue in a technical blog post, shared with Hackread.com. For your information, Monsta FTP is a handy tool that lets users move and manage website files, performing uploading, downloading, and modifying directly through a web browser. This makes it a popular choice among users, from major financial institutions to individual website owners, as an alternative to installing separate computer software.

****How did it all start?****

The research that led to this discovery began when watchTowr was investigating older, known vulnerabilities in Monsta FTP, specifically looking at versions like 2.10.4. The team suspected that flaws reported in an even older version (2.10.3), which included Server-Side Request Forgery (SSRF) and arbitrary file upload issues (CVE-2022-31827, CVE-2022-27469, and CVE-2022-27468), might still exist.

Further probing revealed that the older versions shared the same lack of protection. This led the team to investigate the current version, where they ultimately found the new, major security gap.

****Critical Flaw: Unauthenticated Access****

The problem, now officially tracked as CVE-2025-34299, was a serious pre-authentication flaw. This means that attackers could use it before they even had to log in, without needing a username or password, leading to Remote Code Execution (RCE).

RCE is the worst kind of vulnerability because it allows a remote hacker to run their own code on the target server. In this case, CVE-2025-34299 allowed the hacker to trick the Monsta FTP system into downloading a file they controlled (which held the malicious code) and saving it anywhere they wanted on the victim’s server.

In its report, WatchTowr confirmed this method worked, noting, “It connected, pulled our payload, and wrote it to the specified path.” This ability to drop a malicious file, sometimes called a ‘web shell,’ means the attacker could grab full control of the entire server or hosting environment. According to their analysis, a minimum of 5,000 Monsta FTP instances were available on the internet, which means a large number of web servers were at risk.

****The Fix****

WatchTowr alerted the Monsta FTP development team about this critical security flaw on August 13, 2025. Developers quickly responded, and a patched version, Monsta FTP 2.11.3, was released on August 26, 2025. If you or your organisation uses Monsta FTP, you must update to version 2.11.3 or later immediately to keep your web server safe.

Source

HackRead