(In)Secure Digest: Evil Exes, Malicious Microsoft Bug Hunter, 4chan Hack
12.05.2025

It's time to share the security incidents that caught our attention last month. In this overview: a white hat hacker confesses to ChatGPT, MrBeast’s employee films his own reality show, contractors steal tickets from Taylor Swift fans, and other incidents.

Without me everything will fall apart

What happened: A vengeful developer left a "surprise" in his employer's IT systems before leaving.

How it happened: Davis Lu worked as a software developer for more than a decade at an unnamed tech company headquartered in Beachwood. However, in 2018, during a company restructuring, Davis was demoted. He realised that he could be fired in the short term, so he started to prepare a revenge plan in advance.

By the time Davis was officially fired in 2019, his plan was already in motion: he had injected malicious code into the IT company's systems that caused system errors and prevented users from logging in. Davis also deleted his colleagues’ profiles and installed a “kill switch” that was activated when Davis’ data was deleted from the corporate domain controller, blocking his colleagues’ accounts.

An investigation later revealed that the ex-employee had been googling how to elevate his privileges in the system and hide traces of file deletions. As a result of Lu's actions, thousands of the company's users and employees around the world were unable to access its systems.

The damage has not been disclosed, but it could amount to hundreds of thousands of dollars. The court found Davis Lu guilty of computer crime; he now faces up to 10 years in prison.

All that is secret becomes clear

What happened: Oracle experienced two data leaks in a row and tried to cover them up.

How it happened: The first leak was reported on March 20, when a hacker nicknamed rose87168 announced that Oracle's cloud service had been hacked. The intruder put 6 million lines of client data up for sale: private keys, encrypted credentials, etc. As proof, the hacker uploaded a text file containing his email address to an Oracle server.

Oracle initially denied the incident, but on March 21 the security company CloudSEK conducted its own investigation and confirmed the leak. According to CloudSEK, it occurred because of an outdated Oracle Fusion Middleware installation that had not been updated since 2014.

Oracle then informed some customers about a leak of outdated data from an outdated server. However, the hacker did not let Oracle downplay the incident and provided the media with samples of quite "fresh" data, from 2024 and 2025.

Information about the second leak appeared on March 28. It turned out that in February 2025, an unknown perpetrator had stolen medical data of Oracle Health clients using compromised customer accounts.

The company acted in the same "open" manner as it did with Oracle Cloud: it did not officially notify either regulators or the public about the incident, and only contacted some of the victims. The hackers took a much more radical approach and began to extort millions of dollars from Oracle Health clients en masse in exchange for not disclosing the stolen information.

An attempt to hide the elephant in the room has led to a lawsuit. Oracle is accused of covering up data breaches and failing to implement standard data security practices.

Now trending: break-up live reality

What happened: A former employee stole the credentials of MrBeast, US YouTuber Jimmy Donaldson, and appears to have installed hidden cameras in his office.

How it happened: In 2023, Leroy Nabors took a job as an IT contractor at Beast Industries, a company owned by YouTuber Jimmy Donaldson. He was then promoted to the company's development team, where he worked until his termination in October of that year.

After Nabors left, it was discovered that he had moved hundreds of corporate files containing financial information to an unidentified device and a personal Dropbox. Donaldson asked the former employee to delete the data, but Nabors said he had already done so on his last day of work.

To get to the truth and get his way, MrBeast went to court. Court documents say that logs on the insider's work laptop confirm the attempted data theft and its concealment. Company officials also said Nabors knew about the impending termination and therefore prepared for the leak in advance.

What is noteworthy is that the court documents say nothing about the usual fines and compensations for such cases, and the blogger's only demand is to delete the stolen data. We are waiting for the outcome of the story in YouTube trends.

Do cybercriminals dream of confession?

What happened: A Microsoft bug hunter turned out to be a criminal; his cyber illiteracy gave him away.

How it happened: In April 2025, the information security company Outpost-24 released a large article about the EncryptHub hacker. In it, experts claim that the cybercriminal who hacked 618 companies is also a bug hunter under the nickname SkorikARI. According to the investigators, this is the researcher who received a commendation from Microsoft's Threat Response Centre for finding two zero-day vulnerabilities in Windows.

Outpost-24 concluded that the bug hunter was playing a double game because of the hacker's operational security mistakes. For example, he mixed his hacker and personal lives, using personal accounts in the infrastructure for developing and testing malware. The attacker also ignored basic rules of cyber hygiene: he reused the same passwords, ignored two-factor authentication, etc.

These errors exposed critical elements of the hacker's infrastructure, allowing researchers to determine that the account through which SkorikARI sent information to Microsoft belonged to EncryptHub.

Outpost-24 also gained access to the hacker's correspondence with ChatGPT. The attacker used the chatbot for literally everything: writing malicious code, researching vulnerabilities, writing text, and even having conversations on deeply personal topics. For example, he asked an AI to help him figure out whether he was a cool hacker or a talented information security researcher on the "light side."

Cybercrime “crew” vs. Taylor Swift

What happened: IT contractor employees "hacked the system" and got rich on Taylor Swift tickets.

How it happened: On March 3, the New York prosecutor's office arrested Tyrone Rose and Shamar Simmons. They are accused of stealing and reselling more than 1,000 tickets worth $635,000.

The scam was simple. Rose worked for an IT company that ran the ticket-buying platform StubHub. He used his access to log into a private part of the platform’s network that assigned URLs to tickets that had already been sold.

Rose then copied the URLs of the tickets and sent them to Simmons, who would resell the tickets on StubHub at inflated prices. In total, Rose and Simmons stole over 900 tickets from June 2022 to July 2023 alone. Notably, almost all of them were for Taylor Swift's concert tour.

If found guilty, each of the perpetrators faces a maximum sentence of three to fifteen years in prison.

There was a reason

What happened: Competitors hacked the 4chan imageboard.

How it happened: On the evening of April 14, the web forum 4chan was hacked and suspended. Responsibility for the incident was claimed by members of the competing imageboard Soyjak.party.

They reported that they had been inside 4chan for over a year and published screenshots of the admin panels and the site's source code as evidence. The unknown individuals also temporarily revived the previously banned forum section /qa/ and posted the inscription "U GOT HACKED XD" there.

Later, the hackers shared details of the hack. According to them, some sections of 4chan supported the upload of PDF files. However, the site did not check in any way that the user was actually uploading a PDF file and not something else. This allowed a PostScript file to be uploaded, which was then interpreted by an outdated version of Ghostscript with many known vulnerabilities, giving the attackers a foothold on the forum.
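The missing check described above, as an added illustration that is not 4chan's code: a server-side gate that accepts a "PDF" upload only when its bytes really are a PDF, rejecting PostScript (which shares the `%%EOF` trailer convention and would otherwise reach Ghostscript). The function names and sample blobs are constructed for this example.

```python
# Added example (not the forum's code): inspect upload bytes instead of trusting
# the file extension or the client-supplied Content-Type.

PDF_MAGIC = b"%PDF-"
POSTSCRIPT_MAGIC = b"%!PS"
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"   # DOS EPS binary header


def sniff_upload(data: bytes) -> str:
    """Classify an upload by its leading bytes, not by its name or MIME type."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(POSTSCRIPT_MAGIC) or data.startswith(EPS_BINARY_MAGIC):
        return "postscript"
    return "unknown"


def accept_pdf_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only a real PDF with a matching name passes."""
    if not filename.lower().endswith(".pdf"):
        return False, "extension is not .pdf"
    kind = sniff_upload(data)
    if kind != "pdf":
        # PostScript would be handed to the interpreter if only the name were checked.
        return False, f"content sniffed as {kind}, not pdf"
    # A well-formed PDF ends with an end-of-file marker; its absence suggests a
    # truncated or disguised file. Checked after the header so that a PostScript
    # file's own %%EOF comment cannot satisfy it.
    if b"%%EOF" not in data[-1024:]:
        return False, "missing %%EOF trailer"
    return True, "ok"


# Constructed sample inputs (not real uploads).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF\n"
SAMPLE_PS = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\nshowpage\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("paper.pdf", SAMPLE_PDF), ("paper.pdf", SAMPLE_PS)):
        print(name, accept_pdf_upload(name, blob))
```

Even with this gate in place, anything that is eventually rendered should be processed by a patched interpreter in an isolated environment; the check keeps obvious look-alikes out, it does not make the renderer safe.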

To avoid having to beg a malicious insider to delete sensitive data, an organization needs reliable information security tools. For example, SearchInform's next-gen DLP, Risk Monitor, detects and prevents data leaks, corporate sabotage and other dangerous actions by disgruntled and departing employees. SearchInform's DCAP system, FileAuditor, restores critical documents from its archive if an offended former employee decides to delete them on the way out. And a complex incident will be revealed by the SearchInform SIEM system: for example, it correlates a system login event with the employee's dangerous actions and then notifies the information security specialist.
