SecureFact – Cyber Security News – Week of December 15, 2025

700Credit, a major U.S. fintech and credit services provider for over 23,000 automotive and related dealerships, is notifying more than 5.8 million people after a data breach exposed sensitive customer information collected via dealer integrations.
The incident began when a threat actor compromised one of 700Credit’s integration partners in July 2025, found an exposed API that lacked proper validation of consumer reference IDs, and used it to copy around 20% of consumer records between May and October before the API was shut down.
Stolen data includes full names, physical addresses, dates of birth, and Social Security numbers, and 700Credit has filed consolidated breach notifications with the FTC and will handle notifications to state attorneys general while offering affected individuals 12 months of free identity protection and credit monitoring through TransUnion, advising them to monitor accounts and consider a credit freeze.

France’s Interior Ministry has confirmed that its email servers were breached in a cyberattack detected overnight between December 11 and 12, allowing attackers to access some document files, though it is still unclear whether any data was stolen.
In response, the ministry tightened security protocols, strengthened access controls for its information systems, and opened an investigation to determine the origin and scope of the intrusion, considering possibilities such as foreign interference, activist hacking, or cybercrime.
The Interior Ministry, which oversees police forces, internal security, and immigration services, has been a repeated high‑value target, with French authorities previously attributing broader campaigns against national entities to the Russian-linked APT28 group.

A new scam is abusing PayPal’s legitimate “Subscriptions” billing feature to send real emails from service@paypal.com that appear to cancel an automatic payment but embed fake high‑value purchase notices in the Customer Service URL field.
The message claims a payment of roughly $1,300–$1,600 was processed for an expensive device and lists a phone number to “cancel” the charge, using Unicode characters and unusual fonts to evade spam filters and keyword checks.
The goal is to panic recipients into calling the bogus support number, where scammers can attempt bank fraud or trick victims into installing malware, so recipients are advised to ignore such messages, avoid calling the number, and instead log directly into PayPal to verify that no unauthorized transaction exists on their account.

Jaguar Land Rover has confirmed that a major cyberattack in August 2025 led to the theft of payroll and employment-related data for thousands of current and former staff.
The stolen information reportedly includes salary and benefits details and other sensitive personal data, putting affected employees at heightened risk of fraud and identity theft.
The company has notified staff and regulators, is cooperating with ongoing investigations, and stresses that customer and vehicle data do not appear to be affected at this time.

A data breach at analytics provider Mixpanel exposed personal information linked to some OpenAI API accounts, including names, email addresses, organization IDs, approximate locations, and technical browser metadata, while leaving chat histories, passwords, payment data, and API keys unaffected.
OpenAI says its own systems were not compromised but acknowledges that the stolen metadata could fuel highly targeted phishing and impersonation attacks against developers and organizations building on its API.
The incident timeline shows attackers accessed Mixpanel’s systems on November 9 and exported OpenAI data, yet OpenAI was not informed until November 25, prompting criticism of vendor security practices and renewed calls for stronger safeguards and oversight around third‑party services in the AI ecosystem.

South Korean e‑commerce giant Coupang confirmed that a June 24, 2025 breach exposing personal data of roughly 33.7 million customers was carried out by a former employee who retained access to internal systems after leaving the company.
Exposed information includes names, email and physical addresses, and order details, though the firm says no evidence currently shows the stolen data has been published online.
The incident, now considered one of South Korea’s worst cyber breaches, has triggered police raids on Coupang’s offices, the resignation and public apology of CEO Park Dae‑Jun, and a surge in phishing attacks impersonating Coupang, prompting warnings that the company could face liability if negligence is proven.