
China’s largest data leak exposes billions.
Researchers discover what may be China’s largest ever data leak. CrowdStrike cooperates with federal authorities following last year’s major software bug. A researcher discovers over half a million sensitive insurance documents exposed online. Microsoft offers free cybersecurity programs to European governments. The FBI chronicles the Play ransomware gang. Google warns a threat group is targeting Salesforce customers. A former Biden cybersecurity official warns that U.S. critical infrastructure remains highly vulnerable to cyberattacks. The State Department offers up to $10 million for information on the RedLine infostealer malware. Our guest is Anneka Gupta, Chief Product Officer at Rubrik, on the challenges of managing security across systems. Some FDA workers want to put their new Elsa AI on ice.
Today is Thursday June 5th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Researchers discover what may be China’s largest ever data leak.
In what may be China’s largest data leak ever, over 4 billion personal records—totaling 631 GB—were exposed from an unsecured database. The leak includes sensitive financial data, WeChat and Alipay information, ID numbers, addresses, and more, potentially affecting hundreds of millions of users. Cybernews and researcher Bob Dyachenko discovered 16 data collections containing massive databases with hundreds of millions of records each. The data appears to be meticulously compiled, likely for surveillance or profiling purposes. The database was quickly taken offline, leaving no clear attribution or recourse for victims. Experts warn the data could fuel phishing, fraud, blackmail, or state-level espionage. This leak dwarfs previous Chinese breaches and underscores the severe privacy risks at play.
CrowdStrike cooperates with federal authorities following last year’s major software bug.
CrowdStrike is cooperating with federal authorities following a major software bug last July that knocked millions of computers offline. In a recent SEC filing, the company revealed that the Justice Department and SEC are investigating the incident, as well as CrowdStrike’s revenue-recognition practices and reporting of annual recurring revenue. Other agencies and third parties have also requested information, with some customers threatening legal action. The July 19 outage, triggered by a flaw in the Falcon software, disrupted flights, back-end systems, and user devices. CrowdStrike disclosed the update alongside its fiscal Q1 report, showing a swing to a loss and a weaker outlook due to ongoing costs from the incident. Shares dropped 5.3% following the news, though the stock remains up 35% over the past year.
A researcher discovers over half a million sensitive insurance documents exposed online.
Last month, researcher JayeLTee discovered a misconfigured cloud server exposing over 571,000 sensitive insurance documents belonging to Triangle Insurance in the U.S. The records, dating from 2006 to April 2025, included health claim forms, declaration pages, and decision letters. Despite an initial email alert sent on May 8, Triangle didn’t respond—likely due to spam filters. The researcher then enlisted help from @PogoWasRight at DataBreaches.net, who successfully contacted the company on May 12. The exposure was secured by May 13. Triangle’s COO later confirmed the fix and thanked the researcher, explaining the delay. The company is now investigating the issue with its software vendor, has notified its regulator, and may inform affected individuals depending on findings. The server had been exposed since at least July 2021.
Microsoft offers free cybersecurity programs to European governments.
Microsoft has launched a free cybersecurity program for European governments to strengthen defenses against AI-powered cyber threats, many linked to state-backed actors from Russia, China, Iran, and North Korea. The initiative focuses on improving intelligence-sharing and preventing attacks. Microsoft President Brad Smith emphasized using AI defensively, noting their tools can still detect AI-driven threats. Microsoft also monitors the use of its AI to block cybercriminals. Notable recent threats include deepfakes targeting Ukraine’s president and Slovakia’s 2023 election.
The FBI chronicles the Play ransomware gang.
Since emerging in 2022, the Play ransomware gang has hit over 900 organizations, making it one of the most dangerous active cybercrime groups, according to a new FBI advisory. This is a sharp rise from 300 attacks reported in its first year. The group targets organizations across the Americas and Europe, often using email or phone threats to pressure victims into paying ransoms. Play frequently exploits flaws in the SimpleHelp remote monitoring tool, including CVE-2024-57727, and customizes its ransomware for each attack to evade detection. High-profile victims include cities like Oakland and Dallas County, and even the Swiss government. The FBI also noted possible links between Play and North Korean hackers, suggesting collaboration in some breaches. The group remains highly active, especially against U.S.-based organizations.
Google warns a threat group is targeting Salesforce customers.
Google has warned that threat group UNC6040 is targeting Salesforce customers in a widespread voice phishing (vishing) and data extortion campaign. The group impersonates IT support staff in phone calls, tricking employees into approving access for a modified Salesforce Data Loader app. This unauthorized tool allows attackers to exfiltrate sensitive data, which is later used for extortion. Around 20 organizations across sectors like education, retail, and hospitality in the Americas and Europe have been hit. UNC6040 often leverages social engineering alone—no Salesforce vulnerabilities were exploited. Once inside, they move laterally to platforms like Microsoft 365 and Okta. The group claims ties to ShinyHunters and shows overlap with tactics used by ‘The Com’ collective, including Scattered Spider. Google highlights this as part of a rising trend of attackers targeting IT support roles for initial access.
A former Biden cybersecurity official warns that U.S. critical infrastructure remains highly vulnerable to cyberattacks.
At the AI Expo for National Competitiveness, former Biden cybersecurity official Anne Neuberger warned that U.S. critical infrastructure remains highly vulnerable to cyberattacks. “I do not have confidence that any part of our infrastructure couldn’t be brought down,” she said, citing outdated tech, internet-exposed systems, and weaker defenses for operational technology. Neuberger emphasized using AI to identify flaws in legacy systems, including through “digital twins” for testing. She also stressed the importance of allied intelligence-sharing, referencing past cooperation with Israel and Asian partners on threats like election interference and North Korean crypto theft. Now a Stanford lecturer, Neuberger called ongoing federal cyber staffing cuts troubling but sees AI as a chance to rethink cyber defense, focusing on patching the most critical vulnerabilities before adversaries like China or Russia exploit them.
The State Department offers up to $10 million for information on the RedLine infostealer malware.
The U.S. State Department is offering up to $10 million for information on foreign government-backed hackers using the RedLine infostealer malware, or on its suspected creator, Russian national Maxim Alexandrovich Rudometov. This reward, part of the Rewards for Justice program, targets individuals involved in cyberattacks against U.S. critical infrastructure. Rudometov, charged in October, allegedly managed RedLine’s infrastructure and laundered payments via crypto. The reward also applies to any associates or state-linked use of the malware. RedLine and META malware platforms were disrupted during “Operation Magnus,” a joint international effort involving Dutch authorities and Eurojust, leading to server seizures and arrests. ESET helped map 1,200 related servers and released a tool for detecting infections. Rudometov remains at large and faces up to 35 years in prison if convicted.
Some FDA workers want to put their new Elsa AI on ice.
And finally, in what could be described as the FDA’s leap into the future—or a fast-forward stumble—the agency has rolled out “Elsa,” a generative AI tool built to make government work more high-tech and, ideally, less glacial. Heralded as the dawn of a new AI era, Elsa is supposed to help everyone from scientific reviewers to inspectors whip through data and spot health risks faster than a caffeine-fueled intern. But according to FDA insiders, Elsa might be better suited to writing office memos than evaluating life-saving drugs. The system, based on Anthropic’s Claude and developed by Deloitte to the tune of $28.5 million, has already been caught spouting inaccuracies and offering partial truths—which, to be fair, is very on-brand for Washington. Staff have labeled it rushed, buggy, and more hype than help. Still, the FDA insists it’s secure and promising. Just… maybe keep Elsa away from the clinical decisions for now.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.