(In)Secure Digest: Greedbags in Coinbase, Hidden AI Secrets, and Intel Karma
02.06.2025

We welcome summer by highlighting a traditional selection of information security incidents, involving insiders and beyond.

Cat and mouse

What happened: Support staff at Coinbase, the largest US cryptocurrency exchange, sold hundreds of thousands of customers' data to cybercriminals, raising serious security concerns; however, the company remained determined and announced an active investigation to track down the fraudsters.

How it happened: On May 11, an unknown party sent Coinbase a ransom demand of $20 million, threatening to release purportedly stolen data. In response, the exchange swiftly launched an investigation.

It was confirmed that the cybercriminals were not bluffing, as they indeed obtained data on approximately 1 million Coinbase clients along with some internal documents. The attackers gained access by bribing support employees at a remote branch outside the US. Additionally, the company was aware that some employees had unnecessarily accessed client data, but failed to connect these incidents or anticipate that the data might eventually fall into hackers' hands.

This information was revealed in Coinbase's leak disclosure filed with the US Securities and Exchange Commission, which also stated that the stolen customer data includes names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, bank account details, and images of passports, driver's licenses, and other identification documents.

On May 15, Coinbase officially acknowledged the incident and announced that they do not plan to pay the ransom; instead, they will allocate the funds to a "prize" fund, offering $20 million for any information that can help identify and prosecute the perpetrators of the attack.

Coinbase has already dismissed the internal staff involved and plans to pursue criminal charges against them, while also preparing to open a new US support center, compensate affected customers, and boost investments in internal threat detection; the total costs for addressing the incident and compensating victims are estimated to range from $180 to $400 million.

Maybe they won't notice?

What happened: Intel sues fired employee, former supplier for nearly $1 million in fraud.

How it happened: On May 26, an Israeli media outlet reported that Intel Israel has filed a lawsuit against former employee Natalia Avtsin and component supplier Yafim Tsibolevsky, accusing them of embezzling over 3 million shekels (approximately 70 million rubles).

Avtsin worked in the equipment manufacturing department until her dismissal in November 2024, which the company states was part of general layoffs unrelated to fraud.

After her departure, the company discovered her scheme: she would request component prices from Tsibolevsky, send them for management approval, then change the transaction classification from "components" to "services," allowing her to receive funds without actual payments or supporting documents.

To avoid suspicion, she purchased "Schrödinger's goods" for no more than $20,000 at a time. Intel is now demanding the return of the stolen money and profits, while Avtsin and Tsibolevsky have not yet responded to the allegations.

Gemini-pests

What happened: An American government software developer hired former hackers and later regretted the decision.

How it happened: Between 2023 and 2024, twins Muneeb and Suhaib Akhter were employed at Opexus despite their criminal histories – in 2015, they pleaded guilty to hacking the US State Department and multiple private companies.

According to the vendor, the company was unaware of the twins' criminal past until Suhaib needed a security clearance to access a client’s system.

On February 18, 2025, the brothers were summoned to a virtual meeting with HR and informed of their termination. Muneeb, visibly upset, quickly retaliated by blocking access to one database and deleting 33 others before the meeting concluded.

Just an hour later, he deleted 1,805 files related to an unidentified government project. Subsequently, Suhaib emailed numerous federal employees associated with Opexus, warning that the company still employed many unvetted staff with access to sensitive data and that the databases were insecure, sharing common logins and passwords.

The brothers' actions disrupted the functioning of Opexus's eCase and FOIAXpress platforms, leading to significant operational issues. The company was initially slow to disclose the full extent of the incident and minimized its severity, prompting the involvement of Mandiant, a cybersecurity firm owned by Google.

Mandiant investigators uncovered a serious breach: Muneeb copied 1,805 highly sensitive files onto a USB drive using his account, a violation that should have been prevented by software restrictions.

On May 21, the incident and its details were reported by Bloomberg, attracting widespread attention, and further revelations about the case are likely to follow soon.

AI-Prometheus

What happened: An employee of Elon Musk's company unintentionally leaked the private API key of xAI on GitHub. 

How it happened: The leak was discovered by cybersecurity researcher Philippe Caturegli, who identified the API key and reported it on LinkedIn. This prompted GitGuardian, a French cybersecurity firm, to initiate its own investigation into the breach.

Experts determined that the leaked API key granted access to at least 60 large language models belonging to SpaceX, Tesla, and X, raising significant security concerns. GitGuardian notified the xAI employee responsible for the leak, but after a month of silence, the French cybersecurity firm directly contacted xAI's IT department.

Musk's company responded unusually by advising researchers to report the issue through HackerOne's bug bounty platform, though they swiftly removed the compromised API key from GitHub.

Later GitGuardian reported the leak to renowned security journalist Brian Krebs, who then reported the incident to a wider audience. Representatives of xAI and the employee who leaked the information have not commented on the incident.

Such a reaction is not surprising – few companies are willing to admit a problem, much less do so publicly. There will always be reputational risks and costs. According to our research, most domestic companies share approximately the same opinion: only 3% of them will publicly acknowledge an incident and apologize to clients.


Everyone knows everything about you

What happened: The developers of employee productivity monitoring software left millions of screenshots of user data publicly available.

How it happened: WorkComposer is an application that records employee activity on PCs, monitors application usage, and takes screenshots every few minutes. It is used by more than 8,000 companies, with over 200,000 corporate PCs under its control.

On February 20, 2025, Cybernews researchers discovered that screenshots from WorkComposer client companies' staff were stored in unprotected Amazon S3 cloud storage. In total, over 21 million images were publicly accessible, most containing sensitive corporate information such as documents, email correspondence, login credentials, passwords, API keys, and more.

Cybernews reported the leak to WorkComposer developers on February 21, but access to the database was only closed on April 1. A similar incident occurred in July 2024 when Cybernews researchers discovered over 13 million employee screenshots publicly accessible. The responsible entity was WebWork, a company that develops productivity-tracking software. Although journalists reported the leak to them on August 13, 2024, they only confirmed the database's closure in January 2025.

Hacker Klondike

What happened: More than 184 million logins and passwords were stored in the public domain.

How it happened: On May 22, security researcher Jeremiah Fowler reported the discovery of an unprotected database containing over 184 million logins and passwords, including accounts for Apple, Microsoft, Google, email services, as well as access to bank accounts, medical platforms, and government portals from various countries. Since the beginning of 2025, this has been the largest breach of its kind.

Fowler contacted some individuals whose data appeared in the database, and they confirmed the authenticity of the logins and passwords. He also suggested that the information was collected using infostealers.

The specialist reported the discovery to the web hosting company responsible for storing the database, which responded promptly by blocking access. The company did not disclose the ownership of the suspicious database.

Flash drives of discord

What happened: Printer developer Procolored spent six months distributing drivers that contained malware.

How it happened: In early May 2025, the vendor sent one of its printers to Cameron Coward, a YouTuber known as Serial Hobbyism, for review. The blogger connected the flash drive containing the drivers that came with the printer to his PC and received a Windows Defender notification indicating the presence of a worm and a trojan on the removable media.

The Chinese company assured Cameron Coward that the malware alerts were false positives, but he remained skeptical and sought expert advice, contacting malware researcher Carsten Hahn, whom he found on the Reddit thread "r/computerviruses."

Hahn discovered that drivers for at least six Procolored printer models, uploaded to the Mega.nz platform in October 2024, contained malware – including a Trojan and a cryptocurrency thief – raising serious concerns about the security of the drivers and the vendor’s practices.

While the exact number of affected printer owners remains unknown, Hahn used a blockchain explorer to estimate that the malware developer stole nearly $1 million in cryptocurrency.

Around May 8, Procolored removed the compromised drivers from public access and initiated an internal investigation, assuring that the files would only be restored after rigorous security checks. The company also suggested that the infection might have originated from the flash drive used by a Procolored employee to upload the drivers to Mega.nz, implying a possible point of entry for the malware.

Accidental leaks caused by employees are commonplace. Sometimes through fatigue and sometimes through negligence, employees upload sensitive corporate data to the public domain or forget to restrict access to a database. DLP and SIEM systems help combat such unintentional leaks automatically. The first blocks the upload of a private API key to the cloud or stops the transfer of personal data through a messenger. The second lets the security specialist see weak points in the infrastructure and find the "entry points" through which an attacker could get into the system and steal data.

You can try the functionality of these systems and protect yourself from leaks caused by employees and hackers for free for 30 days!
