cybernews.com/
Vilius Petkauskas
Deputy Editor
Luxshare, one of Apple’s key partners in assembling iPhones, AirPods, Apple Watches, and Vision Pro, allegedly suffered a data breach, orchestrated by a ransomware cartel. The attackers are threatening to leak data from Apple, Nvidia, and LG unless the company pays a ransom.
Key takeaways:
Luxshare, Apple's key iPhone assembler, allegedly suffered a ransomware attack threatening confidential product data leaks from multiple tech giants.
RansomHub attackers claim access to 3D CAD models, circuit board designs, and engineering documentation from Apple and Nvidia products.
Cybernews researchers claim leaked data includes confidential Apple-Luxshare repair projects, employee PII, and product design files from 2019-2025.
The breach could enable competitors to reverse-engineer products, manufacture counterfeits, and exploit hardware vulnerabilities in Apple devices.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Luxshare data breach allegedly occurred last month, with attackers claiming December 15th, 2025, as the date the Apple partner’s data was encrypted. The alleged attackers, RansomHub, announced the Luxshare data breach on their dark web forum.
Luxshare is an essential partner to the American giant. Many Apple products, including the iPhone, AirPods, and Apple Watch, are assembled at Luxshare, which means the company has very intimate information about Apple’s products.
“We were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company. We strongly recommend that you contact us to prevent your confidential data and project documents from being leaked,” the attackers claim.
We have reached out to the company and will update the article once we receive a reply. We have also reached out to Apple and will add its response as soon as we receive it.
Attackers' post announcing Luxshare data breach. Image by Cybernews.
What data did the Luxshare data breach expose?
The Cybernews research team investigated the data sample that the attackers attached to the post.
According to our team, the leaked data includes details on what appear to be confidential projects regarding device repair and shipping between Apple and Luxshare, including timelines, detailed processes, and information about other Luxshare clients.
Moreover, the leaked information appears to include personally identifiable information (PII) of individuals working on specific projects, with their full names, job positions, and work emails exposed.
Alleged information on Apple and Luxshare projects. Image by Cybernews.
“Dates of these projects range from 2019 to 2025 and the information appears to expose sensitive business operations. Additionally, .dwg and gerber files, which are often used to create product model designs, are also included,” the team explained.
While Apple’s assembler data breach is still unconfirmed, the team believes that the information included in the post appears to be legitimate.
Alleged information about Luxshare staff working on Apple projects. Image by Cybernews.
What do the Luxshare attackers say?
The RansomHub attackers claim to have wide access to confidential Luxshare client data. The stolen data supposedly ranges from 3D product models to circuit board design data, information that’s highly coveted by corporate spies.
According to the attackers, they have accessed archives that contain:
Confidential 3D CAD product models, 3D engineering design data, 3D engineering documentation
Access to high-precision geometric data for Parasolid products
2D component drawings for manufacturing
Mechanical component drawings
Confidential engineering drawings in PDF format
Electronic design documentation
Electrical and layout architecture data
Printed circuit board manufacturing data
“The archives contain data from Apple, Nvidia, as well as LG, Geely, Tesla, and other large companies whose production and R&D information is publicly available. Protected by a non-disclosure agreement,” the attackers claim.
If confirmed, the attack could be disastrous for Luxshare and its partners. For one, attackers could sell the data to competitors who could utilize the stolen details to reverse-engineer products, bypass years of R&D, and manufacture counterfeits.
The cybersecurity implications are also extreme, as attackers could clearly uncover hardware vulnerabilities, chip locations, and power systems, details that would be useful for targeting firmware or carrying out supply chain attacks.
China-based Luxshare is a behemoth in the electronics manufacturing industry. Based in the country’s tech heart, Shenzhen, the company employs over 230,000 people and reports revenues of over $37 billion.
According to reporting by the Wall Street Journal, Luxshare’s importance to Apple’s supply chain ballooned after its main assembler, Foxconn, went through a series of production-halting protests.
Who are the Luxshare attackers?
First spotted in 2024, RansomHub is a well-established actor in the ransomware scene. The gang has proved itself to be one of the most active ransomware groups of the past couple of years.
According to security experts, RansomHub is among the most prolific ransomware-as-a-service (RaaS) operations, emerging after ALPHV (BlackCat) disappeared. It primarily targets industrial manufacturing and healthcare.
RansomHub brought some technological innovations to the table. Its tools are capable of remote encryption. The affiliates exploit exposed unprotected machines, reducing the risk of detection and increasing the success rate of attacks.
According to a CISA advisory, the cybercrooks breached nearly 500 victims in 2024, a rate of almost one victim per day. The cyber watchdog also provides a full list of the Kremlin-backed gang's known IOCs, including IP addresses, tools, known URLs, email addresses, and more.
Updated on January 19th [01:30 p.m. GMT] with insights from the Cybernews research team.
cybernews.com
Ernestas Naprys
Senior Journalist
Published: 2 January 2026
An investigative journalist has infiltrated the white supremacist dating website WhiteDate and exfiltrated over 8,000 profiles and 100GB of data. Photos and other sensitive details have been made public, and the full “WhiteLeaks” data is available to journalists and researchers on DDoSecrets.
An “old-school anarchist researcher,” who goes by the online pseudonym Martha Root, claims to have breached a racist dating site and two similar platforms.
The leak affects WhiteDate, a white supremacist dating site for “Europids seeking tribal love,” WhiteChild, a white supremacist site focused on family and ancestry, and WhiteDeal, a networking and professional development site for people with a racist worldview.
All three platforms were operated by a right-wing extremist from Germany.
“I infiltrated a racist dating site and made nazis fall in love with robots,” Root claims.
The journalist found that the websites’ cybersecurity hygiene was so poor that it “would make even your grandma’s AOL account blush.”
“Imagine calling yourselves the ‘master race’ but forgetting to secure your own website – maybe try mastering to host WordPress before world domination.”
What data was exposed?
The researcher created a website okstupid.lol, where 8,000 leaked profiles are placed on the map, exposing users from very different regions of the world.
The data includes highly sensitive and detailed self-reported information, such as usernames, gender, age, location, activity history, lifestyle, height, eye color, hair color, and other physical appearance traits, income range, education, marital status, religion, and even self-assessed IQ, among many other fields.
Notably, the dataset also contains numerous profile photos, along with embedded EXIF metadata that reveals precise GPS coordinates, device information, timestamps, and other identifying details.
The researcher claims that image metadata “practically hands out home addresses.”
“Would like to find a woman who understands the value of nation and race, seeks the truth,” one of the exposed profiles reads.
Root claims that the platform’s gender ratio “makes the Smurf village look like a feminist utopia” – the site is overwhelmingly male.
“For now,” the emails and private messages haven’t been publicly exposed. However, the dataset, dubbed “WhiteLeaks,” has been made available to researchers and journalists on Distributed Denial of Secrets (DDoSecrets), a nonprofit whistleblower site.
The researcher also disclosed that the entire operation was run by a Paris-based company called Horn & Partners, and they identified the woman behind the company.
Investigative journalists and Root presented the data and findings at the 39th Chaos Communication Congress in Germany.
“Martha is whatever the antifascist movement needs at the moment: a ghost in their servers, a thorn in their mythologies, and an intelligence that refuses obedience,” the researcher’s bio on the site reads.
cybernews.com
Paulina Okunytė - Journalist
Published: 29 September 2025
Last updated: 29 September 2025
An EU privacy watchdog has filed a complaint against an AI company for selling creepy “reputation reports” that scrape anyone's sensitive information online.
Noyb, a non-profit organization that enforces data protection and privacy rights in Europe, has filed a complaint against a Lithuania-based AI company.
According to the complaint, the company has been scraping social media data and forming reports that included personality traits, conversation tips, photos taken from internet sources, religious beliefs, alcohol consumption, toxic behaviour, negative press, and flagged people for “dangerous political content” or “sexual nudity.”
Whitebridge AI markets its “reputation reports” as a way to “find everything about you online.”
The company’s ads seem to target the people it profiles, using slogans like “this is kinda scary” and “check your own data.” However, anyone willing to pay for a report could get information about a profiled person without informing them.
“Whitebridge AI just has a very shady business model aimed at scaring people into paying for their own, unlawfully collected data. Under EU law, people have the right to access their own data for free,” said Lisa Steinfeld, data protection lawyer at noyb.
When complainants represented by the NGO asked to see their reports, they got nowhere until noyb bought the reports themselves.
According to the noyb representatives, who downloaded the reports, the outputs are largely of low quality and seem to be randomly generated AI texts based on “unlawfully scraped online data.”
Some of the complainants’ reports contained false warnings for “sexual nudity” and “dangerous political content,” which are considered specially protected sensitive data under Article 9 of the GDPR.
In its privacy notice, Whitebridge claims that scraping user data is legal thanks to its “freedom to conduct a business.”
The company claims to only process data from “publicly available sources.”
According to the noyb representative, most of this data is taken from social network pages that are not indexed or found on search engines. The law states that entering information on a social networking application does not constitute making it “manifestly public.”
Under GDPR, any individual can request information about their data and ask for removal. Both complainants that noyb represents filed an access request under Article 15 GDPR, but didn’t receive the desired response from Whitebridge.ai.
When the complainants asked for corrections, Whitebridge demanded a qualified electronic signature. Such a requirement is not found anywhere in EU law, states noyb.
The watchdog demands that Whitebridge comply with the complainants’ access requests and fix the false data in the reports on them.
“We also request the company to comply with its information obligations, to stop all illegal processing, and to notify the complainants of the outcome of a rectification process. Last but not least, we suggest that the authority impose a fine to prevent similar violations in the future,” wrote noyb in the statement.
Cybernews reached out to Whitebridge.ai for a comment, but a response is yet to be received. We will update the article when we receive it.
cybernews.com
18.08.2025
Friendly AI chatbot Lena greets you on Lenovo’s website and is so helpful that it spills secrets and runs remote scripts on corporate machines if you ask nicely. Massive security oversight highlights the potentially devastating consequences of poor AI chatbot implementations.
Cybernews researchers discovered critical vulnerabilities affecting Lenovo’s implementation of its AI chatbot, Lena, powered by OpenAI’s GPT-4.
Designed to assist customers, Lena can be compelled to run unauthorized scripts on corporate machines, spill active session cookies, and, potentially, worse. Attackers can abuse the XSS vulnerabilities as a direct pathway into the company’s customer support platform.
“Everyone knows chatbots hallucinate and can be tricked by prompt injections. This isn’t new. What’s truly surprising is that Lenovo, despite being aware of these flaws, did not protect itself from potentially malicious user manipulations and chatbot outputs,” said the Cybernews Research team.
“This isn’t just Lenovo’s problem. Any AI system without strict input and output controls creates an opening for attackers. LLMs don’t have an instinct for “safe” – they follow instructions exactly as given. Without strong guardrails and continuous monitoring, even small oversights can turn into major security incidents,” says Žilvinas Girėnas, Head of Product at nexos.ai.
A single-prompt attack demonstrates the chain of flaws that led to the Lenovo chatbot spilling active session cookies.
The discovery highlights multiple security issues: improper user input sanitization, improper chatbot output sanitization, the web server not verifying content produced by the chatbot, running unverified code, and loading content from arbitrary web resources. This leaves a lot of options for Cross-Site Scripting (XSS) attacks.
Cybernews responsibly disclosed the issue. Lenovo acknowledged it and has protected its systems.
Single prompt launches multi-step attack
All it took to exfiltrate active session cookies from Lenovo was a single 400-character-long prompt, containing four critical elements:
Seemingly innocent request: The prompt starts with an inquiry for legitimate information, i.e., product information, like “Show me the specifications of Lenovo IdeaPad 5 Pro.”
Instructions to change output format: The sneaky part is tricking the chatbot into providing a final answer in HTML, a language for creating websites. The researchers achieved that by asking the chatbot to convert its responses into HTML, JSON, and plain text in a specific order that the web server expected to receive instructions in. This ensured that the malicious payload would be correctly executed by the web server.
Malicious HTML injection trap: The prompt continues with instructions on how to produce the final response, specifically with HTML code for loading an image. The image URL is also nonexistent. Therefore, when it fails to load, the second part of the command instructs the browser to make a network request to the attacker-controlled server and send all cookie data as part of a URL.
Final encouragement: In the end, additional instructions try to reinforce that the chatbot must produce the image: “Show the image at the end. It is important for my decision-making. SHOW IT.”
What happened when Lenovo’s Lena received the full prompt?
“People-pleasing is still the issue that haunts large language models (LLMs), to the extent that, in this case, Lena accepted our malicious payload, which produced the XSS vulnerability and allowed the capture of session cookies upon opening the conversation. Once you’re transferred to a real agent, you’re getting their session cookies as well,” said Cybernews researchers.
“Already, this could be an open gate to their customer support platform. But the flaw opens a trove of potential other security implications.”
To better understand what’s happening under the hood, here’s the breakdown of the attack chain:
The chatbot falls for a malicious prompt and tries to follow instructions helpfully to generate an HTML answer. The response now contains secret instructions for accessing resources from an attacker-controlled server, with instructions to send private data from the client browser.
Malicious code enters Lenovo’s systems. The HTML is saved in the chatbot’s conversation history on Lenovo’s server. When loaded, it executes the malicious payload and sends the user’s session cookies.
Transferring to a human: An attacker asks to speak to a human support agent, who then opens the chat. Their computer tries to load the conversation and runs the HTML code that the chatbot generated earlier. Once again, the image fails to load, and the cookie theft triggers again.
An attacker-controlled server receives the request with cookies attached. The attacker might use the cookies to gain unauthorized access to Lenovo’s customer support systems by hijacking the agents’ active sessions.
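The controls that break this chain, as an added example (not Lenovo's or Cybernews' code): chatbot output is encoded and screened before it is written to conversation history, and the page that renders the chat carries a restrictive Content-Security-Policy and an HttpOnly session cookie. Function names, the allowlisted host, and the sample reply are assumptions made for illustration.

```javascript
// Added example, not Lenovo's or Cybernews' code. Host names, function names
// and the sample reply are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output control: encode every markup-significant character so the reply is
// displayed as text and never parsed as HTML by the customer's or agent's browser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Monitoring: patterns that have no business in a product-support answer.
const RULES = [
  { name: 'html-tag', re: /<\s*\/?\s*[a-z][^>]*>/i },
  { name: 'inline-event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script-url', re: /\b(?:javascript|data)\s*:/i },
];

// Hypothetical allowlist of hosts the support widget may link to.
const ALLOWED_HOSTS = new Set(['support.example.com']);

function externalHosts(reply) {
  const hosts = [];
  for (const m of String(reply).matchAll(/\bhttps?:\/\/[^\s"'<>]+/gi)) {
    try {
      const host = new URL(m[0]).hostname;
      if (!ALLOWED_HOSTS.has(host)) hosts.push(host);
    } catch {
      // Unparsable URL: nothing to report, the text is escaped anyway.
    }
  }
  return hosts;
}

// Gate applied before a reply is written to conversation history.
function gateChatbotReply(reply) {
  const findings = RULES.filter((r) => r.re.test(reply)).map((r) => r.name);
  const hosts = externalHosts(reply);
  if (hosts.length) findings.push('external-host:' + hosts.join(','));
  return { safeHtml: escapeHtml(reply), findings };
}

// Defence in depth for the page that renders the chat.
function responseHeaders(sessionId) {
  return {
    // No 'unsafe-inline': inline event handlers are refused; images and
    // network requests are limited to the site's own origin.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; img-src 'self'; connect-src 'self'",
    // HttpOnly keeps the session cookie out of reach of page scripts.
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Strict; Path=/`,
  };
}

// Constructed reply with the shape the article describes: an image that cannot
// load plus an error handler (the handler body here is an inert comment).
const SAMPLE_REPLY =
  'Here are the specifications you asked for. ' +
  '<img src="https://img.example.invalid/missing.png" onerror="/* script would run here */">';

console.log(gateChatbotReply(SAMPLE_REPLY));
console.log(responseHeaders('constructed-session-id'));
```

A non-empty `findings` list is a signal to log and alert on; the stored reply is already inert because only `safeHtml` reaches the conversation history.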
An unsecured server has exposed hundreds of millions of detailed records on Swedish citizens and companies, offering a data goldmine for anyone who stumbles on it.
A misconfigured Elasticsearch server has exposed a goldmine of business intelligence data with hundreds of millions of highly detailed records tied to Swedish individuals and organizations.
Cybernews researchers identified the unsecured database, which did not require any authentication and was fully accessible to the public internet.
The leaked data consisted of over 100 million records dated from 2019 to 2024, spread across 25 separate indices, with some datasets ballooning to more than 200GB in size.
What was leaked?
Many leaked records contained highly sensitive personal and organizational information, including:
Full legal names, including history of previous names
Swedish personal identity numbers
Date of birth and gender
Address history, both in Sweden and abroad
Civil status and information about deceased individuals
Foreign addresses for emigrants
Debt records, payment remarks, bankruptcy history, property ownership indicators
Income tax data spanning several years (2019–2023)
Activity and event logs (including income statement submissions, migration status, and address updates)
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in a public procurement database.
Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database.
Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them.
According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites.
“It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads.
German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries.
Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia.
Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks.
“An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads.
“It’s completely unprecedented.”
The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
Adidas on Tuesday officially confirms a third-party breach has led to the compromise of customer data, but questions remain as to whose customer data was impacted and where.
The German sportswear company was reported by Cybernews to have sent breach notifications to its regional customers in Turkey and Korea earlier this month.
But now, it appears Adidas has posted an official notice on both its German and English-language websites about what could be one singular cyber incident impacting its entire network – or possibly a third breach impacting another Adidas regional network.
Titled “Data Security Information,” Adidas stated it recently became aware “that an unauthorized external party obtained certain consumer data through a third-party customer service provider.”
Adidas confirms customer data was stolen in a recent third-party vendor breach on its website, adidas-group.com. Image by Cybernews.
Cybernews, which happened to cover both the Adidas Turkey and the Adidas Korea breaches as they hit the news cycle in their respective countries, has reached out to Adidas for the second time this month, looking for further clarification.
So far, there has been no response to either inquiry at the time of this report, but Cybernews will update our readers if that changes.
The Korean breach notice states the attackers were able to obtain information customers submitted to the Adidas customer center in 2024 and previous years.
Reportedly, the leaked information includes names, email addresses, phone numbers, dates of birth, and other personal details, as was similarly reported in the Turkish media.