Attacks Linked to Ivanti Zero-Days Continue to Spread

Plus, AI chat app leak exposes 300 million messages tied to 25 million users; and more

Good morning! Here’s what’s up.

People

David Heaney has joined Bain Capital as head of portfolio cybersecurity.

Cody Olsen has joined Aon as its Cyber Solutions central region leader.

Clips ✂️

Fallout from latest Ivanti zero-days spreads to nearly 100 victims

Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed late January after in-the-wild attacks already occurred.

The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday.

The attacks were publicly disclosed as researchers and threat hunters scrambled to assess the fallout and observed consistent waves of attacks linked to the Ivanti defects. As of Monday afternoon, Shadowserver scans identified 86 compromised instances based on artifacts of exploitation, Piotr Kijewski, CEO of the nonprofit, told CyberScoop.

by CyberScoop

AI chat app leak exposes 300 million messages tied to 25 million users

An independent security researcher uncovered a major data breach affecting Chat & Ask AI, one of the most popular AI chat apps on Google Play and Apple App Store, with more than 50 million users.

The researcher claims to have accessed 300 million messages from over 25 million users due to an exposed database. These messages reportedly included, among other things, discussions of illegal activities and requests for suicide assistance.

Behind the scenes, Chat & Ask AI is a “wrapper” app that plugs into various large language models (LLMs) from other companies, including OpenAI’s ChatGPT, Anthropic’s Claude, and Google’s Gemini. Users can choose which model they want to interact with.

The exposed data included user files containing their entire chat history, the models used, and other settings. But it also revealed data belonging to users of other apps developed by Codeway—the developer of Chat & Ask AI.

by Malwarebytes Labs

FTC data highlights online threats to consumers and businesses

Ransomware and other cyberattacks represent a tiny fraction of the fraud complaints that Americans file with the Federal Trade Commission, the FTC said in a report published on Friday.

The newly released data, contained in an annual report mandated by Congress, underscore the fact that other schemes, such as tech-support scams, are a more persistent threat to consumers and should be top of mind for businesses hoping to avoid their own potential security incidents.

“Imposter scams — a general category of fraud complaints where someone pretends to be a trusted person to get consumers to send money or give personal information — are the most common category of fraud reported by consumers since July 1, 2023,” the FTC said in its report.

As for ransomware and other malware-based attacks, the FTC said it had received roughly 128,000 reports of such attacks between July 2023 and July 2025, accounting for less than 3% of all fraud complaints.

by Cybersecurity Dive

Crypto.com drops $70M on AI.com in record domain deal

Crypto.com founder Kris Marszalek just rewrote the domain name playbook with the most expensive internet address ever sold. The $70 million all-cryptocurrency purchase of AI.com, revealed just days before Super Bowl Sunday, obliterates the previous record by over $20 million and signals an audacious bet that premium domains still matter in an age of search and social media.

The crypto executive paid an unknown seller entirely in digital currency, with domain broker Larry Fischer facilitating what he's calling a once-in-a-generation transaction. "With assets like AI.com, there are no substitutes," Fischer told the FT. "When one becomes available, the opportunity may never present itself again."

Marszalek's vision for the domain centers on accessibility. The platform … will offer consumers a personal AI agent capable of handling messaging, controlling apps, and executing stock trades.

by TechBuzz

👉 The previous owner of AI.com, Arsyan Ismail, reportedly bought it in 1993 for $100 because it matched his initials.

69% of CISOs open to career move — including leaving role entirely

Enterprise CISOs are increasingly willing — and eager — to jump ship, with some frustrated enough to want to leave cybersecurity entirely.

A recent survey of security leaders from IANS Research and Artico Search found that 69% of security executives “are open to making a career move within the next year, often targeting CISO roles at a larger company or in a different industry, but also other non-CISO roles such as CTO, CIO, board member, or a second-in-command security leadership role at a larger company,” according to the report.

Cybersecurity analysts and consultants attributed this shift to a variety of issues based on what they’ve seen and heard from CISOs.

“It’s not so much about chasing a slightly better or higher title. The sheer exhaustion, organizational misalignment, and a growing sense that the job, as it is currently structured in many organizations, is not sustainable” is the primary cause, says Erik Avakian, technical counselor at Info-Tech Research Group.

by CSO Online

2025 CTDPA Enforcement Report Issued

The Connecticut Office of the Attorney General (OAG) issued its 2025 enforcement report under the Connecticut Data Privacy Act (CTDPA) last week. This is the third report since the CTDPA went into effect in July 2023. The report provides an update on (1) privacy-related consumer complaints, (2) data breach notice review and enforcement, and (3) enforcement efforts and priorities. Importantly, the OAG emphasized that protecting “kids online remains a topmost priority” and that it would continue to pursue investigations and enforcement actions focused on companies that offer online services, products, or features to consumers under 18.

In the report, the OAG also outlined recent amendments to the CTDPA, which will take effect on July 1, 2026. For more information regarding these amendments, see the recording of our webinar on 2025 Key Updates on State Privacy and AI Laws.

This article summarizes the OAG’s report and the positions the OAG takes on various issues. While the report highlights the OAG’s strong pro-consumer stance and illustrates the OAG’s expansive view of the CTDPA and its provisions, in breaking down the report, this article takes no position on the substance of those positions.

by Troutman Pepper Locke
