
Breach Roundup: Google AI Blunders Go Viral

Also: Okta Alert on Credential Stuffing; Data Breaches in Spain

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Google's AI search provided wrong answers, the Internet Archive suffered a DDoS attack, Okta warned of credential stuffing attacks, Canada shut down two tech firms, attackers delivered malware via Stack Overflow, Telefónica is probing a breach, Iberdrola was breached and RansomHub said it attacked Christie's.


Google AI Blunders Go Viral

Google's new AI search feature, AI Overviews, came under fire this week for providing bizarre and incorrect answers. Users reported instances in which the tool suggested using "non-toxic glue" to make cheese stick to pizza and said that geologists recommend eating one rock per day. These answers appeared to be derived from satirical sources such as Reddit comments and The Onion.

A Google spokesperson called the outlandish AI responses "isolated examples" and said the feature generally works well. "The vast majority of AI overviews provide high-quality information, with links to dig deeper on the web," the company stated.

A Business Insider reporter who followed the AI's advice reported that the addition of glue did successfully prevent cheese from sliding off but that the pizza "wasn't the best."

This isn't Google's first issue with AI products. In February, it paused chatbot Gemini due to criticisms of "woke" responses such as saying it wouldn't promote meat or fossil fuels.

Internet Archive Faces Sustained DDoS Attack

The Internet Archive reported a persistent distributed denial-of-service attack that disrupted services for three days.

Founder Brewster Kahle said the site received "tens of thousands" of requests per second but that digital collections remain safe. Kahle described the attack as "sustained, impactful, targeted, adaptive, and mean," and said the source of the attack is unknown.

The Internet Archive hosts the Wayback Machine, an archive holding cached versions of websites through time. Its collection includes classic video games and more than 400,000 digitized magazines and historical documents.

Okta Warns of Credential Stuffing Attacks

Identity company Okta issued a warning about ongoing credential stuffing attacks that began mid-April and target its Customer Identity Cloud (CIC) product. The suspicious activity specifically targets the cross-origin authentication feature of CIC.

Threat actors are focused on endpoints supporting cross-origin authentication. Cross-Origin Resource Sharing allows web pages to make AJAX calls to different domains, which would otherwise be restricted by the same-origin policy.

Okta said users should review logs for suspicious activity from April 15 onward and particularly look for events such as failed or successful cross-origin authentication and attempts to log in with leaked passwords.

Okta's Identity Threat Research team observed a significant increase in credential stuffing attacks between April 19 and 26, facilitated by residential proxy services, lists of compromised credentials and scripting tools.
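The log review Okta recommends above, as an added example that is not part of the original article or of Okta's own tooling: it reads constructed newline-delimited JSON tenant log records, keeps only cross-origin authentication and leaked-password events from April 15 onward, and flags any source IP that touches many distinct accounts, which is the credential-stuffing pattern. The event type codes `fcoa`, `scoa` and `pwd_leak`, the record field names and the year are assumptions to verify against Okta's CIC log documentation.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Event type codes assumed to match Okta CIC tenant logs (verify against Okta's
# docs): failed / successful cross-origin auth and breached-password detection.
WATCH_EVENTS = {"fcoa": "failed cross-origin auth",
                "scoa": "successful cross-origin auth",
                "pwd_leak": "login attempt with leaked password"}

# Start of the review window Okta advised (year is an assumption).
REVIEW_FROM = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Constructed sample log lines, not real tenant data.
SAMPLE_LOGS = """
{"date":"2024-04-14T22:10:00Z","type":"fcoa","ip":"203.0.113.9","user_name":"alice@example.test"}
{"date":"2024-04-20T01:00:00Z","type":"fcoa","ip":"203.0.113.9","user_name":"alice@example.test"}
{"date":"2024-04-20T01:00:02Z","type":"fcoa","ip":"203.0.113.9","user_name":"bob@example.test"}
{"date":"2024-04-20T01:00:04Z","type":"pwd_leak","ip":"203.0.113.9","user_name":"carol@example.test"}
{"date":"2024-04-20T01:00:06Z","type":"scoa","ip":"203.0.113.9","user_name":"dave@example.test"}
{"date":"2024-04-21T09:30:00Z","type":"scoa","ip":"198.51.100.7","user_name":"erin@example.test"}
{"date":"2024-04-21T09:31:00Z","type":"s","ip":"198.51.100.7","user_name":"erin@example.test"}
"""

def parse_events(raw):
    """Parse NDJSON records; keep watched event types inside the review window."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        if when >= REVIEW_FROM and rec["type"] in WATCH_EVENTS:
            events.append(rec)
    return events

def suspicious_sources(events, min_accounts=3):
    """Group watched events by source IP. One IP hitting many distinct accounts
    (failed or successful) is the credential-stuffing signature to investigate."""
    per_ip = defaultdict(lambda: {"accounts": set(), "fcoa": 0, "scoa": 0, "pwd_leak": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["accounts"].add(e["user_name"])
        stats[e["type"]] += 1
    findings = {}
    for ip, s in per_ip.items():
        if len(s["accounts"]) >= min_accounts:
            findings[ip] = {"accounts": len(s["accounts"]), "fcoa": s["fcoa"],
                            "scoa": s["scoa"], "pwd_leak": s["pwd_leak"]}
    return findings

if __name__ == "__main__":
    for ip, f in suspicious_sources(parse_events(SAMPLE_LOGS)).items():
        print(ip, f)
```

A successful `scoa` event from an IP that is also generating failures across other accounts is the case worth escalating, since it may be a valid credential pair from the leaked list.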

Canada Orders Shutdown of 2 Tech Firms

The Canadian government mandated the dissolution of two technology firms - Bluvec Technologies Inc. and Pegauni Technology Inc. - citing national security concerns. Canada ordered the firms to cease all operations under the Investment Canada Act, according to a statement from the Innovation, Science and Economic Development Department.

Details regarding the specific investments or security concerns were not disclosed.

The Vancouver Sun reported Thursday that the two companies produce anti-drone technology and possibly made illicit technology transfers to China, Russia or Iran.

Malicious PyPI Package Exploits Stack Overflow

Cybercriminals are using online developer forum Stack Overflow to distribute a malicious PyPI package, Sonatype researchers said. Disguised as an API management tool, "pytoileur" conceals Trojanized Windows binaries. Despite appearing clean initially, the package's hidden malicious code is camouflaged with extensive whitespace in the setup file. Once executed, the payload retrieves and activates a malicious binary from an external server, which persists on the victim's system and deploys additional spyware.

Criminals behind the malware suggested the library as a solution to community queries on debugging. Sonatype links pytoileur to last year's Cool package campaign, which used similar distribution and obfuscation techniques.
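The whitespace camouflage described above can be caught before installation with a simple review check. This is an added example, not code from the article or from Sonatype, and the `setup.py` excerpt is constructed to imitate the trick rather than copied from pytoileur: it flags any line where further code sits after a long run of blanks, beyond the width a reviewer would see on screen. The thresholds (40 blanks, 120 visible columns) are assumptions.

```python
import re

# Constructed setup.py excerpt imitating the trick (not the real pytoileur
# file): a second statement is pushed far to the right so it lands off-screen.
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "\n"
    "setup(name='example-pkg', version='0.1');" + " " * 300 + "import base64; print('hidden')\n"
    "\n"
)

# A run of 40+ blanks that is followed by more non-blank content on the same line.
PAD_RUN = re.compile(r"[ \t]{40,}(?=\S)")

def find_padded_code(source, max_visible=120):
    """Return (line_no, hidden_fragment) for each line whose trailing code
    starts past max_visible columns after a long whitespace run."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.lstrip()            # ordinary indentation is not suspicious
        indent = len(line) - len(stripped)
        m = PAD_RUN.search(stripped)
        if m and indent + m.end() > max_visible:
            hits.append((no, stripped[m.end():].strip()))
    return hits

if __name__ == "__main__":
    for no, fragment in find_padded_code(SAMPLE_SETUP_PY):
        print(f"line {no}: code hidden after padding -> {fragment}")
```

Running the check over every `setup.py` and `pyproject.toml` build hook pulled into a build, rather than eyeballing them, is the practical way to apply it.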

Telefónica Probes Data Breach

Spanish telecom giant Telefónica is investigating a potential data breach last March involving the data of more than 2 million customers and employees - 120,000 records appear to belong to customers. Cybersecurity firm Hackmanac identified the data on sale, which includes full names, phone numbers and physical and email addresses.

The affected users represent a small fraction of Telefónica's 37.4 million customers, which include 20.1 million mobile and 7.9 million fixed-line users.

Electric Utility Iberdrola Acknowledges Data Breach

Spanish multinational electrical utility Iberdrola on Wednesday said a cyber incident at the beginning of May resulted in a data breach involving 850,000 Spanish customers.

News agency EFE reported that the company said affected data includes names, national ID numbers and contact information. The company is warning customers that cybercriminals may use stolen contact data for phishing. Iberdrola is telling customers that it will never ask them for data such as account numbers, payment card details or PINs over email or SMS, El Español reported.

RansomHub Claims Cyberattack on Christie's

Ransomware-as-a-service group RansomHub claimed responsibility for an attack on Christie's, the world's largest auction house. The criminal group posted samples of data stolen from Christie's on its darknet extortion site. Christie's CEO Guillaume Cerutti previously announced that the company had taken its website offline due to a "technology security incident."

In a LinkedIn post, Cerutti confirmed unauthorized access by a third party to parts of Christie's network and said some personal data of clients was stolen. He said no financial or transactional data was compromised.

RansomHub threatened to publish the stolen data after Christie's refused to negotiate an extortion payment. Despite the attack, Christie's is continuing its operations, and its website is fully functional. A jewels sale took place in Hong Kong on Monday as scheduled.


With reporting from Information Security Media Group's Prajeet Nair in Bengaluru, India, and David Perera in Washington, D.C.

About the Author

Anviksha More


Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.
