Another open bucket spills 12M customer records — and nobody noticed for months
A storage bucket left world-readable exposed names, emails, and partial payment data for an estimated 12 million customers. The lesson is old but evergreen: default-deny on object storage, then verify.
The exposure was found by a researcher running routine internet-wide scans, not by the company that owned the data. By the time it was reported, the bucket had been publicly listable for months.
Leaked fields included full names, email addresses, hashed passwords, and the last four digits of payment cards — more than enough to bootstrap convincing phishing.
If you run anything on object storage, enforce block-public-access at the account level and alert on any policy change that re-opens it.
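One way to implement the "alert on any policy change that re-opens it" check, as an added example that is not part of the original reporting. It assumes AWS S3, and the event and field names are modelled on CloudTrail management events; treat them as assumptions to verify against your own trail. The sample events are constructed.

```python
# Flags of the S3 Block Public Access configuration; default-deny needs all four on.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_statements(policy):
    """Sids of Allow statements whose principal is everyone ("*") with no Condition."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        who = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
        if stmt.get("Effect") == "Allow" and "*" in who and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def reopening_reasons(event):
    """Reasons a change event re-opens public access; an empty list means no alert."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}  # field layout is an assumption
    if name in ("DeleteAccountPublicAccessBlock", "DeleteBucketPublicAccessBlock"):
        return ["block-public-access configuration deleted"]
    if name in ("PutAccountPublicAccessBlock", "PutBucketPublicAccessBlock"):
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        return ["flag not enabled: " + f for f in BPA_FLAGS if cfg.get(f) is not True]
    if name == "PutBucketPolicy":
        return ["public Allow statement: " + sid
                for sid in public_statements(params.get("bucketPolicy") or {})]
    return []

# Constructed sample events (not taken from the incident described on this page).
SAMPLE_EVENTS = [
    {"eventName": "PutAccountPublicAccessBlock", "requestParameters": {
        "PublicAccessBlockConfiguration": dict.fromkeys(BPA_FLAGS, True)}},
    {"eventName": "PutBucketPublicAccessBlock", "requestParameters": {
        "PublicAccessBlockConfiguration": {**dict.fromkeys(BPA_FLAGS, True),
                                           "RestrictPublicBuckets": False}}},
    {"eventName": "PutBucketPolicy", "requestParameters": {"bucketPolicy": {"Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]}}},
    {"eventName": "DeleteAccountPublicAccessBlock", "requestParameters": {}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", reopening_reasons(ev) or "ok")
```

Wildcard-principal statements that carry a Condition are not flagged here; route those to manual review rather than treating them as safe.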
This summary was generated from open reporting.