TLDR Security — Saturday, November 29, 2025
Well, dang, aren't I lucky. You made it back here even after all that turkey...so I guess you earned some news? Alrighty, here it is!
.\ OpenAI’s Mixpanel breach is a clean lesson in vendor risk, not AI doom
OpenAI spent Thanksgiving week explaining that no, ChatGPT itself wasn’t “hacked”—but its analytics vendor Mixpanel was, and some API customer metadata went with it. A smishing campaign against Mixpanel led to unauthorized access and export of an analytics dataset, including developer names, email addresses, approximate locations, and tech telemetry for OpenAI’s API platform. Reports stress what wasn’t taken—no passwords, no API keys, no payment data, no chat content—but that’s cold comfort when you’ve just handed phishers a pre-filtered list of technical contacts building on your platform. OpenAI says it has cut off Mixpanel, is doing a broader vendor review, and is warning affected users about targeted phishing waves that will absolutely follow.
.\ Source shelf: OpenAI · Mixpanel · BleepingComputer
.\ Ransomware knocks out CodeRED emergency alerts, and yes, passwords were in clear text
The CodeRED emergency notification platform, run by Crisis24/OnSolve and used by cities and counties across the US, was hit by a ransomware attack that forced a shutdown of its legacy environment and caused service outages. Local governments from Cambridge, MA to University Park, TX have warned residents that subscriber data was likely compromised and urged password changes after the INC Ransom group posted screenshots of stolen data—including email addresses and clear-text passwords—on its leak site. Investigators say Crisis24 refused to meet the gang’s ransom demand, instead rebuilding CodeRED on new, isolated infrastructure, while some customers have already terminated contracts over the outage. This is one of those incidents where uptime and integrity actually map to physical safety: missed evacuation notices and weather alerts aren’t theoretical impact. If you support municipalities, schools, or hospitals, treat CodeRED credentials as burned, assume password reuse elsewhere, and push multi-factor auth and password-manager adoption like it’s your job, because here, it is.
.\ Source shelf: Malwarebytes · Cambridge alert · BleepingComputer
.\ Harvard breach exposes alumni and donor CRM data after phone-based phishing
Harvard University disclosed that its Alumni Affairs and Development systems were compromised after staff fell for a voice-phishing attack, exposing contact and relationship data for alumni, donors, some parents, students, faculty, and staff. According to the notification letters and follow-up statements, the attackers accessed email and postal addresses, phone numbers, event attendance records, donation history, and biographical notes used for fundraising; Social Security numbers, passwords, and payment card data were reportedly not stored in those systems. The incident follows a separate breach earlier this fall tied to Oracle E-Business Suite exploitation, suggesting Harvard is having a rough quarter on the vendor and CRM front. The practical risk is targeted social engineering: expect highly personalized scam emails and calls that reference real donations, events, or staff members.
.\ Source shelf: Harvard AA&D notice · Harvard statement · BleepingComputer
.\ Real-estate back office giant SitusAMC says client and borrower data was stolen
Real-estate finance outsourcer SitusAMC—which quietly runs back-office operations for lenders including Citi, Morgan Stanley, and JPMorgan Chase—disclosed a mid-November breach that led to theft of client and customer data. The company says it received a security alert on November 12, confirmed a breach by November 15, and began notifying affected residential customers and institutional clients over the following week. While forensic work is ongoing, SitusAMC’s statement and subsequent reporting say the attackers stole corporate data like accounting records and legal agreements, plus at least some borrower information tied to its clients’ relationships, but did not deploy encrypting ransomware. Translation: this is an exfiltration play against a high-leverage middleman, not a noisy smash-and-grab. The impact will likely cascade through mortgage servicers and investors who now have to figure out whether their loan portfolios were part of the haul. MSPs with financial-services customers should assume phishing and fraud attempts will follow, push for contract reviews around data minimization at third-party processors, and get ahead of client questions by mapping which workflows ride on vendors like SitusAMC in the first place.
.\ Source shelf: SitusAMC statement · BleepingComputer · Bloomberg
.\ Cox Enterprises is the latest casualty of the Oracle E-Business Suite zero-day campaign
The Oracle E-Business Suite (EBS) zero-day we talked about recently—tied to CVE-2025-61882/61884 and exploited at scale by the Cl0p/FIN11 ecosystem—just claimed another big victim: Cox Enterprises. Cox has now confirmed that attackers abused the EBS flaw between August 9–14 to access its systems, exfiltrate data, and deploy ransomware, ultimately exposing personal information for 9,479 individuals and landing the company on Cl0p’s leak site. Security research summaries say the stolen data has already been posted to dark-web markets, with the broader campaign now linked to nearly 30 Oracle EBS customers globally. Oracle released a critical patch for the bug in its October 2025 Critical Patch Update, and CISA has flagged the vulnerability as actively exploited, though many enterprises are still working through patch windows for these deeply embedded ERP stacks. If you manage Oracle workloads—or your customers rely on providers who do—this is the moment to confirm that the October CPU is applied, that EBS isn’t directly exposed to the internet, and that you’re monitoring for odd concurrent processing behavior or data exfiltration from these systems. “We’ll patch it after year-end close” is how you end up in someone else’s leak roundup.
.\ Source shelf: Oracle CPU Oct 2025 · Dark Reading · FireCompass
.\ WhatsApp API loophole let researchers map 3.5B accounts and scrape profile data
Researchers from the University of Vienna and SBA Research showed that WhatsApp’s contact-discovery API could be abused to look up more than 100 million phone numbers per hour, letting them confirm over 3.5 billion registered WhatsApp accounts worldwide. By hammering the API from a single IP and bypassing effective rate limiting, they turned a “does this number have WhatsApp?” feature into a global user enumeration feed—then chained that into other endpoints to collect profile photos, “about” text, and metadata for millions of users. The dataset included sensitive self-disclosed information in about fields, plus millions of accounts in countries where WhatsApp is banned, making it a potential goldmine for stalkers, regimes, and anyone building a facial-recognition “reverse phone book.” Meta has now tightened rate limits and claims there’s no evidence of malicious scraping, which is a brave thing to assert about an abuse pattern that leaves few obvious traces.
.\ Source shelf: Malwarebytes · SBA Research paper · University of Vienna
\Ops Bench\
.\ Oracle Identity Manager zero-day lands in KEV — treat CVE-2025-61757 as “patch immediately”
CISA added CVE-2025-61757, a pre-auth remote code execution flaw in Oracle Identity Manager, to the Known Exploited Vulnerabilities catalog after evidence of active scanning and exploitation. The bug, a missing authentication check in OIM’s REST WebServices, lets attackers bypass filters with crafted URLs (for example, appending ;.wadl) and then hit a Groovy script endpoint to execute code with no credentials. Federal civilian agencies have a December 12 patch deadline; everyone else should treat that as your de facto SLA. MSP action items: inventory any OIM instances (on-prem or cloud), confirm the October CPU is applied, ensure these endpoints are not exposed directly to the internet, and add detection for suspicious requests hitting /iam/governance/.../groovyscriptstatus. If a customer insists “we’re air-gapped” or “it’s only for internal SSO,” park that in the same bucket as “we’ll patch after the holidays.”
.\ Source shelf: CISA KEV entry · Dark Reading · CSO Online
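The action items above include adding detection for the two request patterns the advisory summary names: a `;.wadl` suffix appended to a URL to slip past an authentication filter, and requests reaching a `groovyscriptstatus` endpoint under `/iam/governance/`. The script below is an added example, not code from this newsletter, Oracle, or CISA: it parses a handful of constructed access-log lines in a combined-log style, percent-decodes each path (double-decoding, since double encoding is a common way to dodge naive string matching), and reports the lines that trip either indicator. The log format and sample lines are constructed; the `placeholder` path segment stands in for the part of the real OIM path that the newsletter elides, so tune `GOV_PREFIX` and the sample paths to what your own web-tier logs show.

```python
"""Flag HTTP access-log lines matching the Oracle Identity Manager
(CVE-2025-61757) request patterns named in the CISA KEV coverage.

Added example, not code from the newsletter, Oracle, or CISA. The log
format and sample lines are constructed. The two indicators come from the
newsletter text: a ';.wadl' path-parameter suffix used as a filter bypass,
and a request reaching a 'groovyscriptstatus' endpoint under
/iam/governance/. The 'placeholder' path segment is an assumption standing
in for the real intermediate path, which the newsletter does not spell out.
"""
import re
from urllib.parse import unquote

# Combined-log style line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicator 1: a ';<anything>.wadl' path parameter tacked onto a URL.
WADL_BYPASS_RE = re.compile(r';[^/?]*\.wadl(?:[?/]|$)', re.IGNORECASE)
# Indicator 2: the Groovy script status endpoint under the governance API.
GROOVY_HINT = "groovyscriptstatus"
GOV_PREFIX = "/iam/governance/"


def normalise_path(raw_path: str) -> str:
    """Percent-decode twice (double encoding is a common filter dodge) and
    lower-case so matching is not defeated by trivial encoding tricks."""
    return unquote(unquote(raw_path)).lower()


def classify(path: str) -> list[str]:
    """Return the indicator names that a normalised request path trips."""
    hits = []
    if WADL_BYPASS_RE.search(path):
        hits.append("wadl_path_param_bypass")
    if path.startswith(GOV_PREFIX) and GROOVY_HINT in path:
        hits.append("groovyscriptstatus_endpoint")
    return hits


def scan_log(lines):
    """Return (ip, timestamp, raw path, status, indicators) for each
    suspicious line; unparseable lines are skipped rather than guessed at."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(normalise_path(m["path"]))
        if hits:
            findings.append((m["ip"], m["ts"], m["path"], int(m["status"]), hits))
    return findings


# Constructed sample lines: two benign requests, then three that should fire.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2025:10:01:02 +0000] "GET /iam/governance/placeholder/users HTTP/1.1" 401',
    '198.51.100.9 - - [25/Nov/2025:10:01:09 +0000] "GET /identity/faces/home HTTP/1.1" 200',
    '203.0.113.5 - - [25/Nov/2025:10:02:15 +0000] "GET /iam/governance/placeholder;.wadl HTTP/1.1" 200',
    '203.0.113.5 - - [25/Nov/2025:10:02:16 +0000] "POST /iam/governance/placeholder/groovyscriptstatus HTTP/1.1" 200',
    '203.0.113.5 - - [25/Nov/2025:10:02:17 +0000] "GET /iam/governance/placeholder%3B.wadl HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, ts, path, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path} -> {', '.join(hits)}")
```

Running it over the sample prints three findings, all from the same client address; in practice you would feed it the web-tier or reverse-proxy logs in front of OIM and alert on any hit, since a 200 on a `;.wadl` request from an unauthenticated client is the tell the advisory coverage describes.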
.\ D-Link DIR-878 routers: four RCEs, no patches, still on your clients’ shelves
D-Link quietly published advisory SAP10475 for its DIR-878 router series, revealing four vulnerabilities (CVE-2025-60672 through -60676), three of which allow unauthenticated remote command execution via the web interface or configuration parameters. The catch: the routers have been end-of-life since 2021, so there will be no fixes—and proof-of-concept exploit code is already public. These boxes are common in small offices and home offices, exactly where your “one weird ISP modem plus dusty Wi-Fi router” setups live. Your move: add DIR-878 and derivative models to your asset and vulnerability discovery checks, explicitly flag them as unsupported/high risk in reports, and push hard for replacement rather than “just segment it a bit more.” If a client won’t budget for new hardware, at minimum disable remote management, ensure strong unique admin passwords, and keep these routers off any network where you’d be sad to see a botnet.
.\ Source shelf: D-Link advisory · BleepingComputer · TechRadar Pro
That'll do it for this one, folks! I hope everyone had a safe, relaxing and wonderful holiday—I sure did with the family!
If I am lucky enough, I hope to catch you here in the next one!