Japanese beer giant Asahi says data breach hit 1.5 million people

• Asahi Group Holdings, Japan’s largest beer producer, completed investigation into September cyberattack confirming impact on up to 1.9 million individuals.
• The Qilin ransomware attack compromised personal data including full names, genders, physical addresses, phone numbers, and email addresses.
• Affected individuals include 1,525,000 customer service contacts, 114,000 external telegram recipients, and 275,000 current/retired employees and family members.
• For customers, exposed data includes name, gender, physical and email addresses, and phone numbers, while employee data may also include dates of birth.
• No payment card information was exposed in the incident, and the company established a dedicated contact line for affected parties.
• The company is implementing redesigned communication routes, tightened network controls, restrictions on external internet connections, and upgraded threat-detection systems.
• System restoration is ongoing two months after initial compromise, with shipments resuming in stages as recovery progresses.
• Preventative measures include security audits and redesigned backup and business-continuity plans to prevent future incidents.

*Source

French Football Federation discloses data breach after cyberattack

• The French Football Federation disclosed a data breach after attackers used a compromised account to access administrative management software used by football clubs.
• Personal and contact information from members of French football clubs was stolen before the security team detected and evicted the threat actors.
• Compromised data is limited to names, surnames, gender, date and place of birth, nationality, postal address, email address, telephone number and license number.
• FFF’s security team immediately disabled the compromised account and reset all user passwords across the system upon detection of unauthorized access.
• The organization filed a criminal complaint and notified France’s National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL).
• FFF will directly notify all individuals whose email addresses appear in the compromised database about the incident.
• Members are urged to be suspicious of messages claiming to originate from the federation requesting attachments or credentials.
• The organization is strengthening security measures to cope with increasing cyberattacks affecting many actors in the sector.

*Source

OpenAI discloses API customer data breach via Mixpanel vendor hack

• OpenAI notified ChatGPT API customers that limited identifying information was exposed following a breach at third-party analytics provider Mixpanel.
• The cyber incident affected limited analytics data related to some API users but did not impact ChatGPT or other product users.
• Exposed information may include API account names, email addresses, approximate coarse location data, operating system and browser information, referring websites, and organization/user IDs.
• The breach resulted from a smishing (SMS phishing) campaign that Mixpanel detected on November 8, with OpenAI receiving details on November 25.
• No chat data, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised.
• OpenAI removed Mixpanel from production services as a precaution and is notifying organizations, administrators, and individual users directly.
• The company warns that leaked data could be leveraged in phishing or social-engineering attacks and advises users to watch for credible-looking malicious messages.
• Users are urged to enable 2FA and never send sensitive information including passwords, API keys, or verification codes through email, text, or chat.

*Source

Comcast to pay $1.5M fine for vendor breach affecting 270K customers

• Comcast will pay a $1.5 million fine to settle an FCC investigation into a February 2024 vendor data breach affecting nearly 275,000 customers.
• The breach occurred when attackers hacked Financial Business and Consumer Solutions (FBCS), a debt collector Comcast had stopped using two years earlier.
• Threat actors stole personal and financial information between February 14-26, including names, addresses, Social Security numbers, dates of birth, and Comcast account numbers.
• Affected customers had used Comcast’s Xfinity-branded internet, television, streaming, VoIP, and home security services with data from current and former customers exposed.
• Under the consent decree, Comcast must implement enhanced vendor oversight, ensure proper data disposal, and conduct risk assessments every two years.
• The company must appoint a compliance officer, file compliance reports with the FCC every six months for three years, and report material violations within 30 days.
• Comcast stated it was not responsible for the incident and noted its network wasn’t breached, with FBCS contractually required to comply with security requirements.
• The telecommunications giant has over 182,000 employees, hundreds of millions of customers worldwide, and reported revenues of $123.7 billion in 2024.

*Source

Real-estate finance services giant SitusAMC breach exposes client data

• SitusAMC, a real-estate financing firm providing back-office operations for banks and investors, disclosed a data breach discovered on November 12, 2025.
• The company generates around $1 billion in annual revenue from 1,500 clients, including banking giants like Citi, Morgan Stanley, and JPMorgan Chase.
• Corporate data associated with certain client relationships including accounting records and legal agreements has been impacted by the breach.
• Certain data relating to some of the company’s clients’ customers may also have been compromised in the incident.
• Business operations haven’t been affected and no encrypting malware was deployed on the company’s systems during the attack.
• SitusAMC received a security alert on November 12, determined it was a breach on November 15, and began informing residential customers on November 16.
• The company continued delivering updates to customers and contacted those impacted individually up to November 22 when it notified all clients.
• Due to the complexity of operations and data involved, determining the full scope of impacted customers will take considerable time.

*Source

Harvard University discloses data breach affecting alumni, donors

• Disclosed that its Alumni Affairs and Development systems were compromised in a voice phishing attack affecting students, alumni, donors, staff, and faculty.
• The private Ivy League research university has over 20,000 faculty and staff, more than 24,500 students, and over 400,000 alumni worldwide.
• Exposed data includes email addresses, telephone numbers, home and business addresses, event attendance records, donation details, and biographical information for fundraising activities.
• The compromised systems did not contain Social Security numbers, passwords, payment card information, or financial information according to university officials.
• Affected groups include alumni, alumni spouses/partners/widows, donors to Harvard University, parents of current and former students, some current students, and some faculty and staff.
• The university discovered the unauthorized access on November 18, 2025, and immediately removed the attacker’s access to prevent further unauthorized access.
• Harvard is working with law enforcement and third-party cybersecurity experts to investigate the incident and sent breach notifications on November 22.
• The university urged potentially affected individuals to be suspicious of calls, texts, or emails claiming to be from the university requesting sensitive information.

*Source

Over 18 lakh users of society management app Adda exposed in alleged data breach: Report

• A hacker alias ‘Blinkers’ claimed a March 2025 breach of Adda.io, a society management app, exposing data of over 1.86 million users via a 145 MB dump posted to a hacking forum on November 23, 2025.
• Leaked details include owner IDs, names, phone numbers, emails, and MD5-hashed passwords, now circulating in cybercrime groups.
• Risks involve phishing attacks using names and phones, plus credential stuffing on other sites if hashes crack.
• This follows India’s DPDP Rules 2025 notification, but breach reporting rules activate only after 18 months.
• Adda.io, serving 3,500+ communities for billing and visitor management, has not commented publicly.
• The incident highlights surveillance concerns in such apps.

*Source