Secret CISO 2/15: Americans to get $5k from data breach settlement, USAID accuses DOGE of security breach, PCSO denies data breach, DOGE faces largest data breach lawsuit, Star Solution Services and Fillmore County Hospital announce data breaches

Welcome to today's edition of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into a series of data breaches that have left hundreds of Americans eligible for a chunk of a multi-million dollar payout. We'll also explore allegations against the Department of Government Efficiency (DOGE) for jeopardizing safety and accessing security clearance data.

In other news, the Philippine Charity Sweepstakes Office (PCSO) dismisses reports of a data breach on lotto winners, while Robert F. Kennedy Jr. is sworn in as HHS Secretary, raising questions about his views on data privacy and security issues. We'll also discuss a lawsuit hearing in New York where state attorneys general allege DOGE is behind the largest data breach in American history.

Meanwhile, Levi & Korsinsky, LLP investigates a data breach at Star Solution Services, Inc. In healthcare, Fillmore County Hospital announces a data breach, and the Coast Guard suffers a data breach resulting in pay delays for over a thousand members. We'll also cover a data breach at the San Francisco-Marin Food Bank affecting more than 60,000 people, and a massive data breach at Zacks Investment, potentially putting 12 million users at risk.

In research news, a new study reveals that CISOs are struggling to balance security and business objectives, and a bill that would limit the ability to sue over data breaches clears its first hurdle. Stay tuned for all this and more in today's Secret CISO newsletter.

Data Breaches

  1. Multi-million Dollar Data Breach Settlement: Hundreds of Americans affected by a data breach are eligible for a portion of a multi-million dollar payout. The exact details of the breach and the company involved are not specified. Source: The Sun
  2. DOGE Accused of Jeopardizing Safety: A lawsuit against the Department of Government Efficiency (DOGE) alleges that DOGE workers improperly accessed security clearance data at USAID, potentially jeopardizing employee safety. Source: The Record Media
  3. Star Solution Services Data Breach: Star Solution Services, Inc. is under investigation for a data breach that could potentially cause long-term damage to affected individuals. The nature of the exposed data is not specified. Source: WATE
  4. Coast Guard Data Breach: The Coast Guard's personnel and payroll system experienced a data breach, resulting in a pay delay for 1,135 service members. The nature of the exposed data is not specified. Source: USNI News
  5. Zacks Investment Data Breach: Zacks Investment was hit by a data breach, potentially putting 12 million users at risk. The company has yet to comment on the claims of a data breach. Source: TechRadar

Security Research

  1. "North Korean hackers taint open-source code to steal crypto and developers' data": North Korean hackers have been found to be corrupting open-source code to steal cryptocurrency and developers' data in a campaign named "Operation Marstech Mayhem". Source: NK PRO
  2. "New Research: Ransomware Data Extortion Skyrocketing": New research by Nuspire reveals a significant increase in ransomware data extortion. The firm recommends security awareness training as a countermeasure. Source: KnowBe4 Blog
  3. "New 'whoAMI' Attack Exploits AWS AMI Name Confusion for Remote Code Execution": A new attack dubbed "whoAMI" has been discovered by Datadog Security Labs, exploiting AWS AMI name confusion to execute remote code. The attack could potentially compromise thousands of accounts if executed at scale. Source: The Hacker News
  4. "Open Source AI Models: Big Risks for Malicious Code, Vulns": A study by application security firm Checkmarx has found multiple ways to bypass scanners like PickleScan used by Hugging Face, highlighting the risks of malicious code and vulnerabilities in open-source AI models. Source: Dark Reading
  5. "PostgreSQL bug played key role in zero-day Treasury attack": A bug in PostgreSQL, disclosed by Rapid7's principal security researcher, Stephen Fewer, played a key role in a zero-day attack on the Treasury. Source: The Register

Top CVEs

  1. CVE-2022-28693: Intel(R) Processors are found to have an unprotected alternative channel of return branch target prediction. This vulnerability could potentially enable information disclosure via local access. Source: CVE-2022-28693
  2. CVE-2024-31144: Xapi, a part of Xen Project, has a vulnerability that could allow a malicious guest to manipulate its disk to appear as a metadata backup. This could potentially lead to unauthorized access and data breach. Source: CVE-2024-31144
  3. CVE-2025-0821: Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter. This vulnerability could potentially allow authenticated attackers to extract sensitive information from the database. Source: CVE-2025-0821
  4. CVE-2024-5462: Brocade Fabric OS before Fabric OS 9.2.0 has a vulnerability that could expose SNMP privsecret / authsecret fields in plaintext if configuration settings are not set to encrypt SNMP passwords. Source: CVE-2024-5462
  5. CVE-2024-56463: IBM QRadar SIEM 7.5 is vulnerable to cross-site scripting. This vulnerability could potentially allow a privileged user to embed arbitrary JavaScript code in the Web UI, leading to credentials disclosure. Source: CVE-2024-56463

API Security

  1. CVE-2024-31144: Xapi, a tool for managing Virtual Machines and Storage Repositories (SRs), has a vulnerability that allows a malicious guest to manipulate its disk to appear as a metadata backup. This could potentially lead to unauthorized access or data manipulation. Source: CVE-2024-31144
  2. CVE-2025-25297: Label Studio, an open-source data labeling tool, has a Server-Side Request Forgery (SSRF) vulnerability in its S3 storage integration feature. This allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. Source: CVE-2025-25297
  3. CVE-2025-25288: The Octokit plugin, @octokit/plugin-paginate-rest, has a vulnerability that can trigger a ReDoS attack when calling octokit.paginate.iterator() with a malicious link parameter in the headers section of the request. Source: CVE-2025-25288
  4. CVE-2025-25285: @octokit/endpoint, a tool that turns REST API endpoints into generic request options, has a vulnerability that can lead to a regular expression denial-of-service (ReDoS) attack when processing specific options parameters. Source: CVE-2025-25285
  5. CVE-2025-24641: The Better WishList API by rickonline_nl has a vulnerability that allows Stored XSS due to improper neutralization of input during web page generation. Source: CVE-2025-24641

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we leave you with a reminder that the digital landscape is constantly evolving, and with it, the threats we face. From data breaches affecting millions of Americans to lawsuits shedding light on questionable security practices, it's clear that vigilance and proactive measures are more important than ever.

Remember, the security of your data and systems isn't just about protecting your own interests. It's about safeguarding the trust and privacy of your customers, your employees, and your stakeholders.

So, stay informed, stay prepared, and stay secure. If you found today's newsletter helpful, please consider sharing it with your colleagues and friends. Let's work together to create a safer digital world. Until next time, stay safe and secure.

By Secret CISO