SecureFact – Cyber Security News – Week of October 27, 2025

Toys “R” Us Canada reported a data breach but did not disclose the number of affected customers.
The exposed information included customer names, physical addresses, email addresses, and phone numbers, while account passwords, payment details, and other confidential data were confirmed to be safe.
In response, the company engaged third-party cybersecurity experts to investigate the incident, strengthened its IT security systems, and notified relevant Canadian privacy regulators.

The breach at SimonMed Imaging affected approximately 1.2 million + patients, with estimates up to around 1,275,669 individuals.
The types of data exposed included full names, addresses, dates of birth, driver’s license/government ID numbers, financial account/payment details, health insurance information, medical record numbers, dates of service, diagnoses and treatment information, prescribed medications, and raw imaging scans.
response, SimonMed reset passwords, enforced multifactor authentication, implemented endpoint detection & response monitoring, removed third-party vendor direct access to its systems, restricted inbound/outbound traffic, engaged cybersecurity experts, notified law enforcement, and offered complimentary credit monitoring and identity theft protection to affected individuals.

A database containing approximately 183 million email addresses and corresponding plain-text passwords, primarily linked to Gmail accounts, was leaked online following an infostealer malware incident.
The compromised data included only email IDs and passwords, with no financial or personal identification details reported.
The credentials were subsequently added to the Have I Been Pwned database on October 21, 2025, to help affected users identify if their accounts were exposed.
The incident was traced to malware infections on individual devices rather than a direct breach of Google’s systems.

The Brazilian non-profit organization Gerar suffered a major data breach in which attackers claimed to have stolen approximately 546 GB of sensitive data.
The compromised information includes names, taxpayer identification numbers, addresses, contact details, educational records, family income data, and scanned documents such as military service forms, medical records, internship contracts, and identity cards.
This breach potentially exposes thousands of youth participants to risks of identity theft and fraud.
As of now, Gerar has not publicly disclosed any mitigation measures or response actions, and there is no confirmation of law enforcement involvement or user protection steps being taken.

LastPass has warned of a new phishing campaign by the group CryptoChameleon, using fake death and inheritance claims to steal user credentials.
Attackers send emails saying a family member requested emergency vault access, even attaching fake death certificates for credibility.
Victims are directed to spoofed recovery sites like lastpassrecovery[.]com to enter their master passwords.
Some attackers also impersonate LastPass staff through phone calls. The campaign now targets both passwords and passkeys, showing evolving social engineering tactics.
LastPass urges users to ignore suspicious inheritance requests, verify URLs, and enable multi-factor authentication for protection.