Cisco says Chinese hackers are exploiting its customers with a new zero-day

On Wednesday, Cisco announced hackers are exploiting a critical vulnerability in some of its most popular products that allows the full takeover of affected devices. Worse, there are no patches available at this time.

In a security advisory, Cisco said it discovered a hacking campaign on December 10 targeting Cisco AsyncOS software, and in particular the physical and virtual appliances Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The advisory said affected devices have the “Spam Quarantine” feature enabled and are reachable from the internet.

Cisco noted that this feature is not enabled by default and does not need to be exposed to the internet, which may be good news. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.”

However, Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic hacking campaign since a lot of big organizations use the affected products, there are no patches available, and it’s unclear how long the hackers had backdoors in the affected systems.

At this point, Cisco is not saying how many customers are affected.

When reached by TechCrunch, Cisco spokesperson Meredith Corley did not answer a series of questions, and instead said that the company “is actively investigating the issue and developing a permanent remediation.”

The solution Cisco is suggesting to customers right now is essentially to wipe and rebuild the affected products’ software, as there is no patch available.

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance,” the company wrote.

The hackers behind the campaign are linked to China and to other known Chinese government hacking groups, according to Cisco Talos, the company’s threat intelligence research team, which published a blog post about the hacking campaign.

The researchers wrote that the hackers are taking advantage of the vulnerability, which at this point is a zero-day, to install persistent backdoors, and that the campaign has been ongoing “since at least late November 2025.”

Hacking group says it’s extorting Pornhub after stealing users’ viewing data

The hacking group Scattered Lapsus$ Hunters, which includes members of a gang known as ShinyHunters, said it is attempting to extort porn site Pornhub, after claiming to have stolen personal information belonging to the website’s premium members.

On Friday, Pornhub confirmed it was among several companies affected by an earlier breach at the widely used web and mobile analytics provider Mixpanel, which exposed unspecified “analytics events” of some Pornhub Premium users.

On Monday, Bleeping Computer reported seeing a sample of the stolen Pornhub data, which included personal information associated with Pornhub Premium members, including their registered email addresses and location; activity type, such as which videos and channels they watched, including the video name and web address; keywords associated with the video; and the date and time that the event was recorded.

Mixpanel chief executive Jen Taylor did not respond to TechCrunch’s request for comment. A Pornhub spokesperson, who did not provide their full name, did not answer questions sent by TechCrunch about the incident, referring us instead to the company’s published statement.

A spokesperson for the ShinyHunters gang told TechCrunch that the hackers have sent an extortion email only to Pornhub so far, and declined to say how many other companies were part of the Mixpanel incident.

Right before the U.S. holiday of Thanksgiving, Mixpanel revealed a breach that it discovered on November 8, which affected its corporate customers, without saying which ones or how they were affected. OpenAI later confirmed it was one of those affected customers, as did CoinTracker and SwissBorg.

According to Mixpanel’s website, the company has around 8,000 customers, with each customer having potentially millions of users whose data was taken in the breach.

The type of data stolen likely depends on how each customer configured their Mixpanel account to collect data.

Generally speaking, companies use Mixpanel to track what their users do on their site or apps, similar to an app developer or website owner watching over a user’s shoulder to learn what they click, view, or swipe. Mixpanel can also log information about the user’s devices, such as the size of the screen, whether they are on Wi-Fi or a cellular network, and the name of the carrier, among other data.

Scattered Lapsus$ Hunters is a coalition of primarily English-speaking hackers who are believed to be in Western countries. The hackers have a long history of data breaches and are responsible for some of the largest hacks this year, including data thefts targeting Salesforce and Gainsight customers, which affected hundreds of companies.

Also on Friday, SoundCloud confirmed that about 20% of its users were affected by “unauthorized activity in an ancillary service dashboard,” likely referring to Mixpanel. The audio streaming giant said the stolen data includes email addresses and “information already visible on public SoundCloud profiles.”

SoundCloud did not respond to TechCrunch’s request for comment.

Google and Apple roll out emergency security updates after zero-day attacks

Apple and Google have released several software updates to protect against a hacking campaign targeting an unknown number of their users.

On Wednesday, Google released patches for a handful of security bugs in its Chrome browser, noting that one of the bugs was being actively exploited by hackers before the company had time to patch it.

Unusually for Google, the company provided no further details at the time.

But on Friday, Google updated the page to say that the bug was discovered by Apple’s security engineering team and Google’s Threat Analysis Group, whose security researchers primarily track government hackers and mercenary spyware makers, indicating that the hacking campaign may have been orchestrated by government-backed hackers.

At the same time, Apple released security updates for its flagship products, including iPhones, iPads, Macs, Vision Pro, Apple TV, Apple Watches, and its Safari browser.

According to the security advisory for iPhones and iPads, Apple patched two bugs and the company said it was aware “that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals” running devices prior to iOS 26.

That language is Apple’s typical way of saying that it knows some of its customers and users were targeted by hackers exploiting zero-days, meaning flaws that at the time of exploitation are unknown to the software makers. Often, these are cases where government hackers used hacking tools and spyware made by companies such as NSO Group or Paragon Solutions to target journalists, dissidents, and human rights activists.

Apple and Google did not immediately respond to a request for comment.

Home Depot exposed access to internal systems for a year, says researcher

A security researcher said Home Depot exposed access to its internal systems for a year after one of its employees published a private access token online, likely by mistake. The researcher found the exposed token and tried to privately alert Home Depot to its security lapse but was ignored for several weeks.

The exposure is now fixed after TechCrunch contacted company representatives last week.

Security researcher Ben Zimmermann told TechCrunch that, in early November, he found a published GitHub access token belonging to a Home Depot employee, which had been exposed sometime in early 2024.

When he tested the token, Zimmermann said, it granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed their contents to be modified.

The researcher said the token also allowed access to Home Depot’s cloud infrastructure, including its order fulfillment and inventory management systems and its code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub’s website.

Zimmermann said he sent several emails to Home Depot but didn’t hear back.

Nor did he get a response from Home Depot’s chief information security officer, Chris Lanzilotta, after sending a message over LinkedIn.

Zimmermann told TechCrunch that he has disclosed several similar exposures in recent months to companies, which have thanked him for his findings.

“Home Depot is the only company that ignored me,” he said.

Given that Home Depot does not offer a way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmermann contacted TechCrunch in an effort to get the exposure fixed.

When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.

We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
