This Week in Cybersecurity: Looking Back at Week 22

May 30, 2025

This week’s major security stories highlight the growing scale, complexity, and diversity of modern attacks, spanning massive credential leaks, third-party supply chain risks, AI abuse, and cloud misconfigurations.

A staggering data breach has exposed 184 million login credentials tied to major platforms like Google and Microsoft, while Adidas has confirmed a breach stemming from a compromised third-party service provider. Meanwhile, the ViciousTrap botnet is actively exploiting a Cisco vulnerability to hijack over 5,000 devices globally.

On the software front, GitLab’s AI assistant has been found vulnerable to prompt injection, raising serious concerns about trust and safety in developer tools. Lastly, CISA has issued a warning about a wave of SaaS-focused attacks exploiting poor cloud configurations and leaked application secrets.

Data Breach Exposes 184 Million Login Credentials Across Major Platforms

In May 2025, cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elastic database containing over 184 million plaintext login credentials, including usernames and passwords for services such as Apple, Facebook, Google, and Microsoft.

The 47 GB dataset also included 220 government email addresses from at least 29 countries, posing significant national security concerns. The database lacked metadata identifying its owner, suggesting it may have been compiled by cybercriminals using infostealing malware.

Upon discovery, Fowler alerted the hosting provider, World Host Group, which promptly took the database offline. The full extent of prior access to the data remains unknown.

Adidas Discloses Data Breach Following Third-Party Provider Hack

German sportswear giant Adidas has announced a data breach after attackers compromised a third-party customer service provider, leading to unauthorised access to certain consumer data. The company clarified that the breach did not involve payment-related information or passwords, as the threat actors only obtained contact information of affected customers.

Upon discovery, Adidas promptly initiated containment measures and launched a comprehensive investigation in collaboration with leading information security experts.

The company is in the process of informing potentially affected consumers and has notified relevant data protection and law enforcement authorities in accordance with applicable laws.

Adidas has not disclosed the name of the impacted service provider or the specific timeline of the incident.

ViciousTrap Botnet Uses Cisco Flaw to Hijack 5,300 Devices

Cybersecurity researchers have identified a threat actor, dubbed “ViciousTrap,” exploiting a critical vulnerability, tracked as CVE-2023-20118, in Cisco Small Business routers. Exploitation of the flaw has compromised approximately 5,300 devices across 84 countries.

The attackers deploy a shell script named “NetGhost” to redirect network traffic from these compromised routers to infrastructure under their control, facilitating adversary-in-the-middle (AitM) attacks and enabling the collection of exploitation attempts and potentially sensitive data.

The campaign, active since March 2025, primarily originates from IP addresses in Malaysia and targets a range of internet-facing equipment, including devices from brands like ASUS, D-Link, and QNAP. While the ultimate objective of ViciousTrap remains unclear, the operation appears to establish a honeypot-style network for surveillance and intelligence gathering.

GitLab Duo AI Assistant Vulnerable to Prompt Injection

Cybersecurity researchers have identified an indirect prompt injection vulnerability in GitLab’s AI-powered coding assistant, Duo. This flaw allowed attackers to embed hidden prompts within merge requests, commit messages, issue descriptions, and source code.

When processed by Duo, these prompts could manipulate the AI’s responses, leading to unauthorised actions such as exfiltrating private source code and injecting malicious HTML. Such manipulations could redirect users to phishing sites or include harmful JavaScript packages in code suggestions.

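The vulnerability stemmed from Duo analysing the full content of a page, including the merge requests, commit messages, issue descriptions, and source code where prompts could be hidden, without adequate input sanitisation. GitLab addressed the issue following responsible disclosure in February 2025.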

CISA Warns of SaaS Attacks Exploiting Cloud Misconfigurations and App Secrets

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a series of cyberattacks targeting software-as-a-service (SaaS) providers, exploiting cloud misconfigurations and improperly secured application secrets.

The alert follows reports from Commvault, a data protection company, which detected unauthorised access to client secrets within its Microsoft Azure-hosted Metallic Microsoft 365 backup solution.

This breach potentially allowed threat actors to infiltrate customers’ Microsoft 365 environments. CISA suggests these incidents may be part of a broader campaign aimed at SaaS infrastructures with default configurations and elevated permissions.

In response, CISA recommends that organisations monitor Entra audit logs for unauthorised credential modifications, implement conditional access policies to restrict authentication to approved IP addresses, and review application registrations and service principals for unnecessary administrative privileges.
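The audit-log monitoring recommended above can be sketched as follows. This is an added example, not code from CISA or Commvault. It assumes events exported in the shape of Microsoft Graph directoryAudit records, and the approved network range, identities and sample events are constructed for illustration.

```python
import ipaddress

# Substrings of Entra audit activity names that change app or service principal
# credentials (verify the exact names against your own tenant's export).
CREDENTIAL_MARKERS = ("service principal credentials", "Certificates and secrets management")
# Assumption: address ranges the organisation approves for administration.
APPROVED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def is_approved(ip):
    """True only for a parseable address inside an approved range."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False  # a missing or malformed address is never approved
    return any(addr in net for net in APPROVED_NETWORKS)

def review_credential_changes(events):
    """Return credential-change events, those from unapproved sources first."""
    findings = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        if not any(marker in activity for marker in CREDENTIAL_MARKERS):
            continue
        by = ev.get("initiatedBy") or {}
        user, app = by.get("user") or {}, by.get("app") or {}
        ip = user.get("ipAddress")
        findings.append({
            "time": ev.get("activityDateTime", ""),
            "activity": activity,
            "initiator": user.get("userPrincipalName") or app.get("displayName") or "unknown",
            "ip": ip,
            "targets": [t.get("displayName") for t in ev.get("targetResources", [])],
            "outside_approved_network": not is_approved(ip),
        })
    return sorted(findings, key=lambda f: (not f["outside_approved_network"], f["time"]))

def _ev(time, activity, target, user=None, ip=None, app=None):
    """Build a constructed event shaped like a directoryAudit record."""
    by = {"user": {"userPrincipalName": user, "ipAddress": ip}} if user else {"user": None, "app": {"displayName": app}}
    return {"activityDateTime": time, "activityDisplayName": activity,
            "initiatedBy": by, "targetResources": [{"displayName": target}]}

# Constructed sample events (documentation IP ranges, example.com identities).
SAMPLE_EVENTS = [
    _ev("2025-05-20T08:00:00Z", "Add service principal credentials", "backup-app", "admin@example.com", "198.51.100.10"),
    _ev("2025-05-20T09:15:00Z", "Update application – Certificates and secrets management", "backup-app", "svc@example.com", "203.0.113.45"),
    _ev("2025-05-20T09:20:00Z", "Update user", "jdoe", "svc@example.com", "203.0.113.45"),
    _ev("2025-05-20T10:00:00Z", "Add service principal credentials", "reporting-app", app="automation-sp"),
]
```

Changes initiated by an application carry no source address in this shape, so they are listed as outside the approved range and need review against the application's expected behaviour.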
