
Mid-October Check-In

Here we are in mid-October, and 2025 shows no signs of slowing down on the cyber front. In just the past week, organizations across industries have suffered significant breaches, keeping threat researchers busy analyzing the fallout. From a major airline data leak affecting millions to attempted account takeovers at a sports betting giant, the cyber threats remain relentless. Below we recap some of the top incidents of the week and what they mean for security teams.

Qantas Breach: 5 Million Records Leaked in Global Extortion Spree

One of the most prominent incidents involves Australia’s flagship airline, Qantas. Hackers have leaked roughly 5 million Qantas customer records on a dark web site after the airline refused to pay an extortion demand. This breach was part of a broader campaign impacting about 40 companies worldwide, with up to 1 billion customer records stolen in total, in which a cybercriminal collective dubbed “Scattered Lapsus$ Hunters” demanded ransoms to keep the data private. When Qantas (like many victims) declined to pay, the group marked the data as “leaked” and made it public. The stolen Qantas dataset (originally taken during a June cyber-attack on a third-party system) includes customers’ names, email addresses, phone numbers, dates of birth, and frequent flyer membership numbers.

Security experts warn that even without financial details, this kind of personal data trove can be weaponized for identity theft and fraud. Criminals could use leaked names, contact info, and birth dates to impersonate victims or open new accounts in their name, and the availability of these records online may fuel highly convincing phishing scams targeting Qantas customers. Qantas has been working with law enforcement and offering support to affected customers, but the incident shows how a single breach can ripple outward. Millions of people must now stay vigilant for suspicious activity on their accounts. This is why taking steps to prevent breaches is crucial.

DraftKings Credential Stuffing Attack Exposes User Data

Another key trend this week is the continued onslaught of credential stuffing attacks, with online betting firm DraftKings as a recent target. In early October, DraftKings notified a number of customers that hackers had gained unauthorized access to some accounts in a wave of automated login attempts. The attack bore all the hallmarks of credential stuffing: threat actors used username/password pairs stolen from other breaches and tried them on DraftKings, hoping some customers reused those credentials on the betting platform. Unfortunately, in several cases this tactic worked. According to DraftKings, the attackers may have temporarily accessed certain user accounts and viewed a range of personal details – including the customer’s name, address, phone number, email, date of birth, profile information, and the last four digits of a saved payment card. Crucially, the intruders did not obtain sensitive info like Social Security numbers or full financial account numbers, and DraftKings’ internal systems were not compromised. This limited the damage, but even “basic” personal data exposure can enable follow-on fraud (for instance, using those details in social engineering or identity theft schemes).

DraftKings moved quickly to contain the incident. The company reported that fewer than 30 customer accounts were affected and no one incurred financial losses from these intrusions. Impacted users had their passwords reset and were advised to review account security. In the aftermath, DraftKings also urged all customers to use unique, strong passwords and to stay alert for any unauthorized activity on not only their betting accounts but also their financial accounts and credit reports. This was not DraftKings’ first brush with credential stuffing; a similar attack in late 2022 compromised approximately 68,000 accounts and led to hundreds of thousands of dollars in fraudulent withdrawals. Law enforcement and cyber experts have been warning that credential stuffing is a growing menace, fueled by the countless leaked password lists circulating on the dark web. The takeaway for organizations is clear: password reuse among customers or employees poses a serious risk, and without defenses like rate limiting and compromised credential monitoring, these automated attacks can quickly turn into major data breaches.

Red Hat Breach: GitLab Hack Exposes Client Data for 800+ Firms

Also making waves is a breach at open-source software leader Red Hat, which shows how attacks on tech providers can reverberate across many organizations. On October 2, Red Hat confirmed that threat actors had compromised a GitLab server used by its Red Hat Consulting division. This internal system stored code and project data for a large number of Red Hat’s clients, and the breach allegedly exposed information from more than 800 organizations spanning banking, telecommunications, government agencies, and more. The attackers – a newer hacking outfit calling itself “Crimson Collective” – claimed to have stolen about 570 GB of data from over 28,000 private repositories. Among the stolen files were Customer Engagement Reports and other sensitive project documents detailing these clients’ IT infrastructures. Some of the impacted names read like a who’s who of industry and government, including major U.S. banks and even federal entities. In short, this was a significant supply-chain breach, where cracking one vendor’s system potentially granted the attackers a window into hundreds of others.

Disturbingly, the Red Hat Consulting breach appears to be linked to the same extortion campaign behind the Qantas incident. The Crimson Collective operators have reportedly aligned themselves with the Scattered Lapsus$ Hunters collective and even listed Red Hat’s stolen data on that group’s dark web leak site. They issued Red Hat an October 10 ransom deadline (identical to deadlines given in other recent extortion cases) and leaked samples of the data to ratchet up the pressure. Red Hat stated that the compromise was limited to its isolated consulting environment and that its core products and services remain unaffected. However, the company’s initial investigation may be incomplete – the attackers continue to drip-release evidence from the haul and insist the breach is larger than Red Hat has acknowledged. This incident should raise awareness for any business that relies on third-party software providers. When a major vendor is compromised, client organizations must act quickly to assess their own exposure. In Red Hat’s case, hundreds of enterprises are now scrutinizing any shared credentials, API keys, or data that might have been stored in the breached repositories, ensuring that nothing sensitive can be leveraged to access their systems. This is why it’s important to ensure any vendor you work with is continually monitoring its employees’ passwords for compromise to stop breaches before they occur.

Veradigm Third-Party Breach: Healthcare Data Compromised

Rounding out this week’s breach roster is a case from the healthcare sector, illustrating how third-party access and stolen credentials can open the door to highly sensitive data. Veradigm, a Chicago-based healthcare technology company (formerly known as Allscripts), has begun notifying tens of thousands of individuals about a data breach discovered over the summer. Back on July 1, Veradigm learned that an unauthorized party had accessed one of its cloud storage accounts, and that the intrusion had actually occurred in late 2024. Upon investigation, the company traced the root cause to a partner’s security lapse: a Veradigm customer experienced its own incident in which login credentials were stolen, and those stolen credentials were subsequently used by attackers to get into Veradigm’s storage environment. In effect, a hacker piggybacked on a trusted third party’s access to breach the healthcare provider’s systems. The outcome was a significant exposure of patient data. Veradigm says that at least 65,000 individuals across California, South Carolina, and Texas had personal information impacted. The compromised dataset potentially includes names, dates of birth, Social Security numbers, driver’s license numbers, medical record information, health insurance details, and even payment or billing information, which is precisely the kind of comprehensive personal data that cybercriminals prize.

Veradigm has since implemented additional security measures and controls to prevent similar incidents, and it is offering resources to assist affected patients. But this breach highlights the cascading risk in today’s interconnected networks: an attack on one smaller entity that is not actively checking for compromised passwords in its environment (in this case, a client clinic or partner) can lead to a breach of a larger provider’s data if access is not tightly regulated. Healthcare data in particular is extremely sensitive and valuable. Complete personal profiles including medical and insurance info can be sold on criminal marketplaces for identity theft or leveraged in fraud schemes (for example, false insurance claims or prescription fraud). This incident demonstrates the importance of scrutinizing third-party relationships and enforcing the principle of least privilege. Had Veradigm limited what its partner account could do, or had stronger oversight on credential use, the damage might have been contained. More broadly, it’s a reminder that compromised credentials remain one of the most common causes of data breaches, whether in healthcare or any other industry. Organizations must stay vigilant about any login that could serve as a foothold for attackers.

Credential Hygiene and Monitoring: Key Defenses

Faced with this barrage of breaches, it’s easy for security teams (and the public) to feel overwhelmed. However, these incidents reinforce that many attacks can be mitigated – or even prevented – by focusing on cybersecurity fundamentals. In each case above, a compromised credential was a key factor, whether it was an admin password from a Qantas contractor, a reused consumer password exploited on DraftKings, or stolen partner logins abused to penetrate Veradigm. This means that defending against a large share of such threats comes down to credential hygiene and proactive monitoring.

Practicing good credential hygiene starts with ensuring that both employees and customers use strong, unique passwords for every account. Password reuse is a dangerous habit that turns one breach into a domino effect of account takeovers. Companies should consider educating their user base about password managers or passphrases to reduce reuse without sacrificing convenience. Equally important is staying alert to the fate of those credentials out in the wild. If a password does leak in a breach, early awareness is critical. Utilizing a credential monitoring solution (like the services Enzoic provides) can help catch when an email/password combination associated with your organization appears in a new data dump or dark web listing. With such an alert, security teams can quickly force a password reset or take other protective steps before criminals leverage the exposed credential. In the DraftKings case, for example, catching the reused passwords earlier could have prevented the attackers from logging in at all.
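The check described above (catching an email/password combination that has shown up in a leak, then forcing a reset) can be illustrated end to end. This is an added example, not Enzoic’s service or API: it assumes a small constructed breach corpus and a k-anonymity style range lookup, where only the first five hex characters of the password’s SHA-1 hash leave the client and matching happens locally on the returned suffixes, so the screening itself never discloses the password. The decision function distinguishes the exact leaked pair (attackers can log in now) from a password that is merely known-leaked elsewhere.

```python
import hashlib

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus (assumption for this example): leaked passwords with the
# number of times each was seen, plus hashed "email:password" pairs from credential dumps.
LEAKED_PASSWORDS = {"password123": 9_000_000, "Summer2024!": 1_200, "letmein": 560_000}
LEAKED_PAIRS = {sha1_hex("alice@example.com:Summer2024!")}

def build_range_index(leaked):
    """Index leaked password hashes by 5-hex-char prefix, as a range-query service would."""
    index = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index

RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)

def password_exposure_count(password, index=RANGE_INDEX):
    """Look up the prefix bucket (all the 'server' ever sees), then match the suffix locally."""
    h = sha1_hex(password)
    bucket = index.get(h[:5], {})       # every suffix sharing the prefix, not just ours
    return bucket.get(h[5:], 0)

def screen_login(email, password, index=RANGE_INDEX, pairs=LEAKED_PAIRS):
    """Decide the follow-up action for a credential pair that has just authenticated."""
    if sha1_hex(f"{email.lower()}:{password}") in pairs:
        return "force_reset"     # exact combination is circulating; treat as compromised now
    if password_exposure_count(password, index) > 0:
        return "require_change"  # password known from other breaches; block the reuse
    return "allow"
```

A monitoring service would run the pair check against newly ingested dumps and feed `force_reset` hits to the identity system before the next login, rather than waiting for a login to happen.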

Basic cyber hygiene still pays dividends. Keeping software and security tools updated (to close known vulnerabilities), training staff to recognize phishing and social engineering, and screening for compromised credentials on an ongoing basis are all measures that dramatically lower an organization’s risk profile. The breaches of this past week span different industries (airlines, online betting, tech, healthcare), but they all echo a common lesson: defense starts with the basics. By shoring up password practices and monitoring for early signs of credential compromise, companies can stay one step ahead of threat actors and prevent today’s breach from becoming tomorrow’s catastrophe.

AUTHOR

Josh Parsons

Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.