Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic
Dark web monitoring reports surfaced multiple alleged data leaks affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim Republic (republic.com) user data (~4.94M users) was listed for sale for $2,400, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of rueducommerce.fr user data (linked in reporting to Carrefour) totaling ~2.17M records with similar PII, as well as alleged leaks involving Dunzo (~3.4M records) and Menulux (~93K records). Additional reporting highlighted a historical breach dataset for the YouHack forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to buylottoonline.com (~38.5K email records).
One of the most consequential claims involved Salesfloor / People Powered E-Commerce (salesfloor.net), attributed in reporting to LAPSUS$, alleging theft of roughly 4 TB uncompressed (1 TB compressed) data including source code, logs, and customer information, with potential downstream impact to retail brands using the platform.
Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: Zoom Node MMRs command injection (CVE-2026-22844, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; SmarterMail auth bypass (CVE-2026-23760) enabling admin password reset via force-reset-password and potential RCE; Vite improper access control (CVE-2025-31125) enabling sensitive file exposure via query parameters such as ?inline&import / ?raw&import (noted as added to CISA KEV); and Appsmith password-reset token exposure (CVE-2026-22794) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to Appsmith 1.93. These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.
Related Stories

Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
1 month ago
Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith
Several vendors and security trackers reported **high-impact vulnerabilities** with exploitation risk, alongside separate **social-engineering-driven breaches**. Zoom disclosed a **command injection** issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as **CVE-2026-22844** (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to *Zoom* version **5.2.1716.0**. SmarterTools reported a critical **authentication bypass** in *SmarterMail* (**CVE-2026-23760**) that could allow unauthenticated attackers to reset admin passwords via the `force-reset-password` API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to **Build 9511**, resetting admin passwords, and enabling MFA. Separately, *Vite* was reported as affected by an **improper access control** flaw (**CVE-2025-31125**) enabling exposure of sensitive files by bypassing `server.fs.deny` protections using crafted query parameters (e.g., `?inline&import` or `?raw&import`); the issue was noted as being exploited in the wild and added to the **CISA Known Exploited Vulnerabilities** catalog. SC Media also reported active exploitation of an *Appsmith* **authentication flaw** (**CVE-2026-22794**) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to **Appsmith 1.93**, which tightens Origin header validation and trusted base URL enforcement. 
In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (**CIRO**) disclosed a **phishing-led breach** affecting ~**750,000** investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed **unauthorized access via social engineering** that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.
1 month ago
Multiple Unrelated Cybersecurity Reports: Iranian Spear-Phishing, Alleged Mexican Government Data Leak, and Lazarus ‘Contagious Interview’ Findings
The provided items do not describe a single cohesive cybersecurity event; they cover **separate incidents and research**. Dark Reading reported an **Iran-linked credential theft and surveillance effort** targeting people of interest abroad (including Iranian expats and regional targets) using **spear-phishing and social engineering**, including lures delivered via **WhatsApp** and phishing infrastructure that was rapidly stood up and taken down as campaigns shifted targets. Separately, Dark Reading covered allegations that the **Chronus Group** leaked **2.3TB** of data purportedly sourced from **25+ Mexican government institutions**, claiming exposure affecting **36 million** people; Mexico’s **ATDT** disputed that it represented a new breach, stating it appeared to be **aggregated data from prior incidents** and that impacted systems were largely **obsolete, third-party administered** state-level platforms. In parallel, Red Asgard published new technical findings on the **Lazarus-linked “Contagious Interview”** activity targeting **developers/freelancers** via fake recruiting, reporting recovery of **241,764 plaintext credentials** from unauthenticated endpoints, identification of an **AnyDesk-based RAT** with persistent remote access and hardcoded attacker credentials, and additional detection content (e.g., **YARA** and **Snort** rules).
1 month ago