The week in breach news

This week: A massive breach exposes 183 million email accounts, Western Sydney University suffers a major data theft and Microsoft’s VS Code faces a serious new threat.

North America

Gmail

Industry: Technology
Exploit: Hacking

A massive email breach has been uncovered, reportedly compromising more than 183 million email accounts, including millions of Gmail users.

Data breach notification service Have I Been Pwned revealed that the stolen emails and passwords were collected through infostealer malware. The breach, which occurred in April, saw cybercriminals quietly gather login details over time. The discovery has raised serious concerns across the tech industry about personal data security and the growing threat of infostealers that harvest sensitive information undetected for sale on the dark web.

Source

How it could affect your business

Exposed credentials can lead to phishing attempts, account takeovers and even large-scale identity theft or fraud. Beyond individual precautions, organizations should adopt proactive monitoring and enable two-factor authentication to protect users. Leveraging dark web monitoring tools can help detect compromised account information early and prevent attackers from exploiting stolen data.

North America

Nethereum (Open-source .NET integration library for Ethereum)

Industry: Finance
Exploit: Supply Chain Attack

A sophisticated supply chain attack has been discovered, targeting cryptocurrency developers through malicious NuGet packages designed to resemble the popular Nethereum project.

Cybersecurity researchers found counterfeit packages impersonating Nethereum, a trusted .NET library used for Ethereum blockchain interactions with tens of millions of downloads. The fake packages, named Netherеum.All and NethereumNet, used advanced obfuscation techniques to steal private keys, mnemonics, keystore JSON files and signed transaction data.

Attackers used a homoglyph typosquatting trick — swapping the Latin letter “e” with a nearly identical Cyrillic character (U+0435) — to make the malicious version appear legitimate to unsuspecting developers. To boost their credibility, the threat actors also inflated the fake package’s download count, making it appear as though it had been downloaded 11.7 million times.

Source

How it could affect your business

This attack shows how cybercriminals are using advanced supply chain tactics — like homoglyph typosquatting — to disguise malware or steal sensitive data. Organizations should educate developers and employees to verify package sources, check publisher authenticity and stay alert to small visual differences that can hide serious threats.
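A check for the homoglyph case described above, as an added example that is not code from the original report or from the Nethereum project. The confusables map is a small constructed subset, and the trusted prefix list and the `Nethereum.Web3` comparison ID are assumptions standing in for an organization's own pinned package names.

```python
import unicodedata

# Constructed, non-exhaustive map of Cyrillic/Greek letters that render like
# Latin ones; Unicode's confusables.txt is the complete data set.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03b1": "a", "\u03bf": "o",
}

def script_of(ch):
    """Rough script label: the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def skeleton(package_id):
    """Lower-case, NFKC-normalise and fold known lookalikes to ASCII."""
    folded = unicodedata.normalize("NFKC", package_id).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def check_package_id(package_id, trusted_prefixes):
    """Report non-ASCII characters and whether the ID only looks trusted."""
    non_ascii = [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                 for i, ch in enumerate(package_id) if not ch.isascii()]
    scripts = sorted({script_of(ch) for ch in package_id} - {"COMMON"})
    skel = skeleton(package_id)
    raw_first = package_id.lower().split(".")[0]
    skel_first = skel.split(".")[0]
    # Impersonation: the folded name matches a trusted prefix, the raw name does not.
    impersonates = next((p for p in trusted_prefixes
                         if skel_first == p and raw_first != p), None)
    return {"scripts": scripts, "non_ascii": non_ascii,
            "skeleton": skel, "impersonates": impersonates}

if __name__ == "__main__":
    trusted = {"nethereum"}  # assumption: your organisation's pinned prefixes
    for pid in ("Nether\u0435um.All", "Nethereum.Web3", "NethereumNet"):
        print(ascii(pid), check_package_id(pid, trusted))
```

The ASCII-only `NethereumNet` passes this check because it contains no lookalike characters; catching that kind of name requires an allowlist of exact package IDs and publishers.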

North America

Toys “R” Us Canada

Industry: Retail
Exploit: Hacking

In yet another cyberattack targeting the retail sector, Toys “R” Us Canada has alerted customers to a data breach that exposed personal information from its databases.

The Canadian toy retailer said the incident dates back to July, when threat actors accessed and later leaked customer data online. Notifications sent to affected customers revealed that the compromised information includes names, email addresses, physical addresses and phone numbers. While no financial details or passwords were exposed, the stolen data still poses serious risks for phishing and identity theft.

The breach came to light after Toys “R” Us discovered leaked data circulating online. A subsequent investigation confirmed that an unauthorized third party had illegally copied the information from the company’s internal systems.

Source

How it could affect your business

Retail companies remain prime targets for cybercriminals because of the vast amount of customer data they store. A single breach can cause major financial losses and long-term damage to brand reputation. Securing customer information through strong access controls, encryption and continuous monitoring is essential to prevent such costly consequences.

Latin America & the Caribbean

FictorPay

Industry: Finance
Exploit: Third-Party Data Breach

The Brazilian financial sector was caught off guard after a cyberattack on fintech FictorPay led to the theft of roughly R$26 million.

According to reports, the Central Bank of Brazil detected unusual transactions through FictorPay on Sunday and promptly alerted Celcoin, the company providing Banking-as-a-Service (BaaS) infrastructure to FictorPay. Celcoin is directly connected to Pix, the Central Bank’s instant payment platform. The attack, which lasted only a few hours, allowed threat actors to exploit a system flaw and carry out at least 280 fraudulent Pix transactions.

In a statement, FictorPay said it was alerted to irregular activity within the environment of a third-party service provider that supports multiple companies, including theirs. The fintech noted that an investigation is underway with the provider and cybersecurity experts and that, so far, there’s no indication of a direct impact on FictorPay’s internal systems.

Source

How it could affect your business

Third-party service providers are often the weakest link in an organization’s security chain. Businesses should vet vendor security practices carefully, enforce strong access controls and require timely incident reporting. Regular audits and continuous risk assessments can help identify and patch vulnerabilities before attackers exploit them.

Australia

Western Sydney University

Industry: Education
Exploit: Hacking

Western Sydney University has confirmed a major cyberattack that stole sensitive student data, including tax file numbers, passport details and private health and disability information.

On October 23, the university revealed that the breach occurred through its student management system, which is hosted by a third-party provider on a cloud-based platform. Its investigation found that a daisy chain of suppliers had been exploited during the breach, starting at an additional external system, which itself was linked to the third-party cloud platform. The breach of the third- and fourth-party systems allowed hackers to access and exfiltrate data from the student management system.

The stolen information includes names, dates of birth, ethnicity, employment and payroll details, bank account numbers, tax file and driver’s license numbers, passport and visa information, and even complaint, health, disability and legal records — making it one of the most severe education-sector breaches in recent months.

Source

How it could affect your business

Cyberattacks on educational institutions are increasing as schools and universities store vast amounts of personal data. Protecting sensitive student and faculty information requires strong access controls, immutable backups and regular security assessments to ensure critical systems and data remain secure.

North America

Visual Studio Code (VS Code)

Industry: Technology
Exploit: Supply Chain Attack

A newly discovered malware strain called GlassWorm is spreading rapidly, marking one of the most advanced supply chain attacks ever seen in developer ecosystems. It is the first self-propagating worm to target Visual Studio Code (VS Code) extensions.

The attack was first detected on October 17, 2025, when seven malicious extensions appeared on OpenVSX, followed by one infected extension on Microsoft Marketplace. In total, the infected extensions were downloaded more than 35,000 times. Experts report that GlassWorm hides its code using invisible Unicode variation selectors, allowing it to slip past static analysis tools and manual reviews.

Once installed, the malware steals credentials, deploys hidden remote-access tools and uses compromised developer accounts to publish more infected extensions, turning the VS Code ecosystem into a self-propagating network of infections.

Source

How it could affect your business

Developer tools like VS Code have privileged access to source code, credentials and CI/CD systems, making them prime entry points for wide-scale compromise. GlassWorm shows a paradigm shift from single-package attacks to autonomous, self-spreading threats that exploit the trust baked into open-source and enterprise developer workflows. Strengthen code integrity checks, restrict extension installs and monitor developer accounts to reduce such risks.
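One way to implement a code integrity check for the invisible characters mentioned above, as an added example that is not taken from the original report or from any vendor tooling. It flags runs of Unicode variation selectors in source text; the sample input is constructed, and the threshold and the treatment of supplement selectors as always suspicious are assumptions to tune per code base.

```python
import re

# Variation Selectors (U+FE00-U+FE0F) and Variation Selectors Supplement
# (U+E0100-U+E01EF). None of them render visibly on their own.
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")

def find_variation_selector_runs(source, max_legit_run=1):
    """Return one finding per suspicious run of variation selectors.

    A single selector after a base character is normal (emoji presentation).
    Assumption: longer runs, or any supplement selector, are not expected in
    source code and are reported for review.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in VS_RUN.finditer(line):
            run = m.group()
            supplement = sum(1 for ch in run if ord(ch) >= 0xE0100)
            if len(run) > max_legit_run or supplement:
                findings.append({
                    "line": lineno,
                    "column": m.start() + 1,   # 1-based, in code points
                    "length": len(run),
                    "supplement": supplement,
                    "first": f"U+{ord(run[0]):04X}",
                })
    return findings

# Constructed sample: line 1 holds a legitimate emoji sequence, line 2 a string
# literal that looks empty in an editor but carries 40 invisible code points.
SAMPLE = (
    'const ok = "\u2714\uFE0F done";\n'
    'const s = "' + "".join(chr(0xE0100 + i % 16) for i in range(40)) + '";\n'
)

if __name__ == "__main__":
    for f in find_variation_selector_runs(SAMPLE):
        print(f)
```

Run over extension sources or a repository in CI, the same function gives reviewers a line and column to inspect for text that an editor displays as empty.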
