Daily Digest

LexisNexis Confirms Major Breach, Cloudflare Reports Identity-Based Attack Shift, and Law Enforcement Dismantles Hacker Forums

LexisNexis Confirms Major Breach, Cloudflare Reports Identity-Based Attack Shift, and Law Enforcement Dismantles Hacker Forums

March 4, 2026
9 articles (7 new, 2 updated)
27 min read

Summary

In a significant day for cybersecurity, data analytics giant LexisNexis confirmed a major data breach impacting nearly 400,000 users, including U.S. government employees, after a hacker group exploited a known vulnerability. A new Cloudflare report highlights a strategic shift by attackers from malware to stolen credentials to 'log in' to networks. Meanwhile, international law enforcement agencies announced successful takedowns of the 'LeakBase' cybercrime forum and the 'Tycoon 2FA' phishing platform. Other major incidents include a critical, actively exploited vulnerability patched in Android and data breaches at ManoMano and CarGurus, affecting millions of customers.

Filter by Category

New Articles (7)

LexisNexis Confirms Breach After Hacker 'FulcrumSec' Leaks Data of 400,000 Users, Including U.S. Gov Employees

HIGH

LexisNexis Acknowledges Data Breach After 'FulcrumSec' Exploits React2Shell Vulnerability and Leaks Internal Data

Data analytics and legal research firm LexisNexis Legal & Professional has confirmed a significant data breach that occurred on February 24, 2026. The incident was initiated by a threat actor known as 'FulcrumSec' who exploited a critical vulnerability, CVE-2025-55182 (React2Shell), in an unpatched front-end application. The attackers then leveraged severe AWS cloud misconfigurations, including overly permissive IAM roles and hardcoded credentials, to escalate privileges and move laterally. On March 3, FulcrumSec publicly leaked 2GB of stolen data, which reportedly includes information on nearly 400,000 user profiles and over 21,000 enterprise accounts. The compromised data contains names, emails, and phone numbers, and notably affects over 100 U.S. government employees. LexisNexis stated the breach was contained and primarily impacted legacy data, with no exposure of sensitive legal research, financial information, or Social Security numbers.

March 4, 2026
6 min read
data breachReact2ShellAWScloud securityIAM +2 more
LexisNexis Confirms Breach After Hacker 'FulcrumSec' Leaks Data of 400,000 Users, Including U.S. Gov Employees

Cloudflare Report: Attackers Ditch Malware for Stolen Credentials, Shifting from 'Breaking In' to 'Logging In'

INFORMATIONAL

Cloudflare's 2026 Threat Report Reveals Strategic Shift to Identity-Based Attacks and Credential Abuse

Cloudflare's 2026 Threat Report, released March 3, reveals a fundamental change in cyberattack methodology. Threat actors are increasingly abandoning traditional malware in favor of using stolen credentials to 'log in' to target networks. This identity-centric approach allows attackers to blend in with legitimate traffic, making detection significantly harder and rendering identity and access management a critical security battleground. The report highlights that this tactic is now the primary vector for high-impact ransomware attacks. Furthermore, attackers are leveraging AI and LLMs to accelerate exploit development and network mapping. Nation-state actors are also adapting, with Chinese groups like Salt Typhoon and Linen Typhoon focusing on stealthy persistence in critical infrastructure, and other groups abusing legitimate cloud services like Google Calendar and Microsoft Azure for command-and-control operations. The findings underscore the need for automated defenses and a security strategy centered on identity verification and zero trust principles.

March 4, 2026
6 min read
threat intelligenceidentitycredential stuffingransomwarenation-state +3 more
Cloudflare Report: Attackers Ditch Malware for Stolen Credentials, Shifting from 'Breaking In' to 'Logging In'

International Law Enforcement Dismantles 'LeakBase' Hacker Forum in Coordinated Takedown

MEDIUM

U.S. Leads Global Operation to Seize LeakBase, a Major Cybercrime Marketplace for Stolen Data

In a major blow to the cybercrime economy, an international law enforcement operation led by the U.S. Department of Justice has seized and dismantled the 'LeakBase' hacker forum. The coordinated action, which took place on March 3-4, 2026, involved agents in 14 countries and was supported by Europol. LeakBase was a prominent English-language marketplace on the open web with over 142,000 members, used for buying and selling vast quantities of stolen data, including credentials from corporate breaches, credit card numbers, and other personally identifiable information. As part of the takedown, authorities seized the forum's infrastructure and collected user data, including private messages and IP logs, for evidentiary purposes. This operation follows similar successful disruptions of criminal forums like RaidForums and BreachForums, signaling a continued commitment by global law enforcement to disrupt the infrastructure that underpins cybercrime.

March 4, 2026
5 min read
law enforcementtakedowncybercrimehacker forumDOJ +2 more
International Law Enforcement Dismantles 'LeakBase' Hacker Forum in Coordinated Takedown

Half of Private Equity-Backed Firms Have High Cyber Risk, New Report Finds

INFORMATIONAL

ACA Group Report Reveals 50% of PE Portfolio Companies Exhibit Elevated or High Cybersecurity Risk

A new report from ACA Group, released March 3, 2026, reveals a concerning state of cybersecurity within companies backed by private equity. The study, which assessed over 300 portfolio companies across 18 industries, found that half are operating with an 'elevated' or 'high' level of cyber risk. The Health Services and Producer Manufacturing sectors were identified as having the highest average risk scores. The report pinpoints two consistent areas of major weakness across the board: Third-Party Risk Management and Penetration Testing. The findings suggest that many firms are failing to adequately manage the security of their supply chains and are not effectively identifying and remediating their own vulnerabilities. The report underscores the need for stronger governance and programmatic controls to mitigate the growing risk of these companies being used as entry points for attacks on larger enterprises.

March 4, 2026
5 min read
private equitycyber riskcomplianceGRCthird-party risk +1 more
Half of Private Equity-Backed Firms Have High Cyber Risk, New Report Finds

Global Coalition Disrupts 'Tycoon 2FA' Phishing Platform Used to Bypass MFA on Microsoft 365 and Gmail

MEDIUM

Law Enforcement and Tech Giants Coordinate to Disrupt Tycoon 2FA Phishing-as-a-Service

An international coalition of law enforcement and private technology companies has disrupted the 'Tycoon 2FA' Phishing-as-a-Service (PaaS) platform. Announced on March 4, 2026, the operation involved Europol, Microsoft, Proofpoint, Cloudflare, and SpyCloud, leading to the seizure of 330 of the platform's control panel domains. Tycoon 2FA, active since at least 2023 and sold via Telegram, enabled cybercriminals to conduct adversary-in-the-middle (AiTM) phishing attacks. The service used a transparent proxy to intercept user credentials and, crucially, session cookies for Microsoft 365 and Gmail accounts, allowing attackers to bypass multi-factor authentication (MFA) and hijack active sessions. The takedown highlights the industrialization of cybercrime and the growing threat of session hijacking as a primary method for gaining unauthorized access to corporate accounts.

March 4, 2026
5 min read
phishingMFAAiTMsession hijackingtakedown +2 more
Global Coalition Disrupts 'Tycoon 2FA' Phishing Platform Used to Bypass MFA on Microsoft 365 and Gmail

EU and Australia Issue New Cybersecurity Guidance as Regulatory Focus Sharpens

INFORMATIONAL

European Commission and Australian Regulator Release New Cybersecurity and Privacy Directives

Governments are continuing to tighten cybersecurity regulations, with new guidance issued in the European Union and Australia on March 4, 2026. The European Commission launched a public consultation for its upcoming Cyber Resilience Act (CRA), aimed at helping manufacturers of connected devices prepare for new security obligations. Simultaneously, the Office of the Australian Information Commissioner (OAIC) released guidance clarifying the balance between privacy obligations and reporting requirements under Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act. These moves, along with legislative proposals being developed in Sweden and new internet code guidance in Nigeria, signal a growing global trend toward more stringent, government-mandated cybersecurity standards.

March 4, 2026
5 min read
regulationcomplianceEUAustraliaCyber Resilience Act +1 more
EU and Australia Issue New Cybersecurity Guidance as Regulatory Focus Sharpens

Trend Micro Warns of Severe RCE Flaws in Apex One Security Software, Allowing Protection Bypass

CRITICAL

Trend Micro Discloses Critical Remote Code Execution Vulnerabilities in Apex One Endpoint Security

Trend Micro issued a warning on March 3, 2026, about severe remote code execution (RCE) vulnerabilities in its Apex One enterprise endpoint security solution. These flaws are highly critical because they could allow an attacker to disable the very security layers designed to protect the system. By exploiting these vulnerabilities, an attacker could remotely execute code on a protected endpoint, effectively neutralizing the Apex One agent. This would leave the system blind and defenseless, allowing the attacker to deploy further malware, exfiltrate data, or move laterally across the network undetected. Given that a security product itself is the attack vector, Trend Micro is urging customers and Managed Service Providers (MSPs) to apply the necessary patches immediately to prevent their primary line of defense from being turned against them.

March 4, 2026
5 min read
vulnerabilityRCETrend MicroApex Oneendpoint security +1 more
Trend Micro Warns of Severe RCE Flaws in Apex One Security Software, Allowing Protection Bypass

Updated Articles (2)

ShinyHunters Leaks 12.4 Million CarGurus Records After Failed Extortion

HIGH

ShinyHunters Leaks 12.4 Million User Records from CarGurus, Including Finance Application Data

Update:

ShinyHunters has officially claimed responsibility for the CarGurus data breach, adding the company to its dark web leak site on March 4, 2026. The group initially claimed 1.7 million records but later escalated to a 6.1 GB archive containing 12.4 million user accounts and, notably, internal corporate data. This public claim and listing on their leak site confirm the breach and provide further details on the scope of the compromised information, including sensitive corporate assets in addition to user PII. This development underscores the ongoing threat and the group's typical extortion tactics.

February 25, 2026
Updated: March 4, 2026
5 min read
ShinyHuntersCarGurusData BreachData LeakExtortion +2 more
ShinyHunters Leaks 12.4 Million CarGurus Records After Failed Extortion

Google Patches Actively Exploited Qualcomm Zero-Day in Massive Android Update

CRITICAL

Google's March 2026 Android Update Fixes Actively Exploited Qualcomm Zero-Day (CVE-2026-21385)

Update:

The March 2026 Android Security Bulletin, released on March 3, 2026, addresses additional critical vulnerabilities beyond the actively exploited Qualcomm zero-day (CVE-2026-21385). These include CVE-2026-0006, a critical Remote Code Execution (RCE) flaw in the System component (Media Codecs Mainline) affecting Android 16, which can be exploited without user interaction. Another critical vulnerability, CVE-2025-48631, is a Denial-of-Service (DoS) flaw impacting Android versions 14 through 16. These new details emphasize the broader importance of applying the March 2026 security updates promptly.

March 2, 2026
Updated: March 4, 2026
5 min read
AndroidQualcommZero-DayMemory CorruptionPatch Management +1 more
Google Patches Actively Exploited Qualcomm Zero-Day in Massive Android Update

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.