Intro Snapshot
Today’s updates demonstrate how simple access failures, geopolitical disinformation campaigns, and social engineering continue to be keystones of attacker success. From one weak password bringing down history to GitHub alerts used for crypto theft—the adversary still often wins by targeting trust and human gaps, not just infrastructure.
1) One bad password brings down 158-year-old brand
Full URL: https://thehackernews.com/2025/09/how-one-bad-password-ended-158-year-old.html
A venerable institution was reportedly breached because of a weak or reused password. Attackers gained control, manipulated data, and caused reputational damage. The story is a bitter reminder: no matter how old or trusted you are, your security starts with the keys you use.
2) Russia and election disinformation in Moldova
Full URL: https://www.darkreading.com/cybersecurity-operations/russia-moldovan-election-disinformation
Russia is actively mounting disinformation campaigns targeting Moldova’s elections—spreading false narratives, leaking documents, and manipulating social channels. These hybrid ops underscore the cybersecurity stakes of sovereign information integrity.
3) Feds associate Scattered Spider members with $115M in ransoms
Full URL: https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/
Federal indictments link two alleged Scattered Spider operators to more than $115 million in ransom payments and fraudulent proceeds. The legal escalation signals that attribution and liability are catching up to cybercrime rings.
4) GitHub “notifications” abused to impersonate Y Combinator, steal crypto
Full URL: https://www.bleepingcomputer.com/news/security/github-notifications-abused-to-impersonate-y-combinator-for-crypto-theft/
Attackers are sending phishing messages through GitHub’s notification system, pretending to be Y Combinator, and luring developers to fake crypto wallet pages. Because the message comes from GitHub’s infrastructure, it is more likely to bypass suspicion.
Key Takeaways
Passwords remain foundational risk. One weak or recycled password can dismantle centuries of brand equity. Information campaigns are state-level weapons. Disinformation isn’t just social media noise—it’s a force-shaping tool in contested spaces. Legal pressure is rising. Tying ransom proceeds to actors in courts helps tilt the balance of cost upward for adversaries. Platform messaging channels are ripe for abuse. When notifications themselves become conduits for attack, defenders must re-evaluate trust even in system-generated communications.