This week’s major security stories highlight the growing scale, complexity, and diversity of modern attacks, spanning massive credential leaks, third-party supply chain risks, AI abuse, and cloud misconfigurations.
A staggering data breach has exposed 184 million login credentials tied to major platforms like Google and Microsoft, while Adidas has confirmed a breach stemming from a compromised third-party service provider. Meanwhile, the ViciousTrap botnet is actively exploiting a Cisco vulnerability to hijack over 5,000 devices globally.
On the software front, GitLab’s AI assistant has been found vulnerable to prompt injection, raising serious concerns about trust and safety in developer tools. Lastly, CISA has issued a warning about a wave of SaaS-focused attacks exploiting poor cloud configurations and leaked application secrets.
Data Breach Exposes 184 Million Login Credentials Across Major Platforms
In May 2025, cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elastic database containing over 184 million plaintext login credentials, including usernames and passwords for services such as Apple, Facebook, Google, and Microsoft.
The 47 GB dataset also included 220 government email addresses from at least 29 countries, posing significant national security concerns. The database lacked metadata identifying its owner, suggesting it may have been compiled by cybercriminals using infostealing malware.
Upon discovery, Fowler alerted the hosting provider, World Host Group, which promptly took the database offline. The full extent of prior access to the data remains unknown.
Adidas Discloses Data Breach Following Third-Party Provider Hack
German sportswear giant Adidas has announced a data breach after attackers compromised a third-party customer service provider, leading to unauthorised access to certain consumer data. The company clarified that the breach did not involve payment-related information or passwords, as the threat actors only obtained contact information of affected customers.
Upon discovery, Adidas promptly initiated containment measures and launched a comprehensive investigation in collaboration with leading information security experts.
The company is in the process of informing potentially affected consumers and has notified relevant data protection and law enforcement authorities in accordance with applicable laws.
Adidas has not disclosed the name of the impacted service provider or the specific timeline of the incident.
ViciousTrap Botnet Uses Cisco Flaw to Hijack 5,300 Devices
Cybersecurity researchers have identified a threat actor, dubbed “ViciousTrap,” exploiting a critical vulnerability, tracked as CVE-2023-20118, in Cisco Small Business routers. The campaign has compromised approximately 5,300 devices across 84 countries.
The attackers deploy a shell script named “NetGhost” to redirect network traffic from these compromised routers to infrastructure under their control, facilitating adversary-in-the-middle (AitM) attacks and enabling the collection of exploitation attempts and potentially sensitive data.
The campaign, active since March 2025, primarily originates from IP addresses in Malaysia and targets a range of internet-facing equipment, including devices from brands like ASUS, D-Link, and QNAP. While the ultimate objective of ViciousTrap remains unclear, the operation appears to establish a honeypot-style network for surveillance and intelligence gathering.
GitLab Duo AI Assistant Vulnerable to Prompt Injection
Cybersecurity researchers have identified an indirect prompt injection vulnerability in GitLab’s AI-powered coding assistant, Duo. This flaw allowed attackers to embed hidden prompts within merge requests, commit messages, issue descriptions, and source code.
When processed by Duo, these prompts could manipulate the AI’s responses, leading to unauthorised actions such as exfiltrating private source code and injecting malicious HTML. Such manipulations could redirect users to phishing sites or include harmful JavaScript packages in code suggestions.
The vulnerability stemmed from Duo’s comprehensive analysis of page content without adequate input sanitisation. GitLab addressed the issue following responsible disclosure in February 2025.
CISA Warns of SaaS Attacks Exploiting Cloud Misconfigurations and App Secrets
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a series of cyberattacks targeting software-as-a-service (SaaS) providers, exploiting cloud misconfigurations and improperly secured application secrets.
The alert follows reports from Commvault, a data protection company, which detected unauthorised access to client secrets within its Microsoft Azure-hosted Metallic Microsoft 365 backup solution.
This breach potentially allowed threat actors to infiltrate customers’ Microsoft 365 environments. CISA suggests these incidents may be part of a broader campaign aimed at SaaS infrastructures with default configurations and elevated permissions.
In response, CISA recommends that organisations monitor Entra audit logs for unauthorised credential modifications, implement conditional access policies to restrict authentication to approved IP addresses, and review application registrations and service principals for unnecessary administrative privileges.
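The audit-log check recommended above can be sketched as follows. This is an added example, not code from CISA, Commvault or the original article: the field names follow the Microsoft Graph directoryAudit record shape, while the allow-list, the approved network range and the sample events are constructed assumptions.

```python
import ipaddress

# Substrings of Entra audit activity names that indicate a credential change.
CREDENTIAL_MARKERS = ("service principal credentials", "certificates and secrets")
APPROVED_INITIATORS = {"iam-admin@example.com"}               # assumed allow-list
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed egress range

def _event(time, activity, target, upn=None, ip=None, app=None):
    """Build a constructed record shaped like a Microsoft Graph directoryAudit entry."""
    by = {"user": {"userPrincipalName": upn, "ipAddress": ip}} if upn else {"app": {"displayName": app}}
    return {"activityDateTime": time, "activityDisplayName": activity, "result": "success",
            "initiatedBy": by, "targetResources": [{"displayName": target}]}

SAMPLE_AUDIT_LOG = [  # constructed sample data, not real log output
    _event("2025-05-20T09:12:00Z", "Add service principal credentials", "hr-sync", upn="iam-admin@example.com", ip="203.0.113.10"),
    _event("2025-05-21T02:47:00Z", "Update application – Certificates and secrets management ", "backup-connector", upn="j.doe@example.com", ip="198.51.100.23"),
    _event("2025-05-21T02:49:00Z", "Add service principal credentials", "backup-connector", app="legacy-automation"),
    _event("2025-05-21T08:00:00Z", "Update user", "j.doe", upn="iam-admin@example.com", ip="203.0.113.10"),
]

def initiator_of(event):
    """Return (identity, ip) for the user or application that made the change."""
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown", user.get("ipAddress")

def ip_approved(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError):
        return False  # a malformed address is treated as unapproved
    return any(addr in net for net in APPROVED_NETWORKS)

def suspicious_credential_changes(events):
    """Flag credential changes made by unapproved identities or from unapproved IPs."""
    findings = []
    for ev in events:
        activity = (ev.get("activityDisplayName") or "").lower()
        if not any(marker in activity for marker in CREDENTIAL_MARKERS):
            continue
        identity, ip = initiator_of(ev)
        reasons = []
        if identity not in APPROVED_INITIATORS:
            reasons.append("initiator not on allow-list")
        if ip is not None and not ip_approved(ip):  # app-initiated events carry no IP
            reasons.append("source IP outside approved networks")
        if reasons:
            targets = [t.get("displayName") for t in ev.get("targetResources") or []]
            findings.append({"time": ev.get("activityDateTime"), "initiator": identity,
                             "targets": targets, "result": ev.get("result"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in suspicious_credential_changes(SAMPLE_AUDIT_LOG):
        print(finding)
```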