San Mateo, CA, September 8, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Disney fined $10M for mislabeling kids’ YouTube content
Disney has agreed to pay $10 million to settle U.S. Federal Trade Commission claims that it mislabeled children’s videos on YouTube. “The complaint says the mislabeling allowed Disney, through YouTube, to collect personal data from children under 13 viewing child-directed videos and use that data for targeted advertising to children,” the FTC said. Regulators said Disney improperly tagged child-directed content as “Not Made for Kids,” allowing targeted ads on videos from franchises like Frozen and Toy Story. Despite YouTube flagging misclassifications, the issue persisted. Beyond the fine, Disney must implement safeguards to ensure accurate labeling and parental notification before data collection. The FTC warned that mislabeling fueled unlawful data monetization.
Hackers hijack Grok to push malware on X
Researchers have uncovered a new malvertising technique abusing X’s AI assistant Grok to spread malicious links. Guardio Labs’ Nati Tal dubbed the method “Grokking,” which uses adult video card ads with hidden links in metadata fields that evade X’s ad filters. Fraudsters then tag Grok in replies, prompting it to surface the malicious link to millions of users, boosting its visibility and reputation. Guardio found the links lead to fake CAPTCHAs, malware, and other scams routed through shady ad networks. Hundreds of accounts were observed using this tactic in a coordinated campaign before they were suspended.
Healthcare lags all industries in fixing cyber flaws
Healthcare organizations are among the slowest industries at remediating serious vulnerabilities, according to Cobalt’s State of Pentesting in Healthcare 2025 report. Drawing on a decade of data and a survey of 500 U.S. security leaders, Cobalt found that HCOs remediate just 57% of serious findings, take a median of 58 days to resolve them, and need 244 days to fix half of all flaws. Cobalt CTO Gunter Ollmann warned that this creates a “dangerous window of exposure.” While critical issues on business assets are often fixed within a week, experts caution that lingering vulnerabilities still leave HCOs open to exploitation. “The takeaway is clear: prevention alone isn’t enough – healthcare must close the remediation gap and address structural barriers like scheduling delays if it wants to safeguard patient trust and maintain compliance,” said Ollmann.
Cyberattack disrupts Bridgestone plants in U.S. and Canada
Bridgestone Americas is investigating a cyberattack that disrupted operations at manufacturing facilities in South Carolina and Quebec, raising concerns over potential supply chain impacts. The tire company said it acted quickly to contain the incident, stressing that no customer data or interfaces were compromised. “We remain confident that we were able to contain this limited cyber incident early,” the company told BleepingComputer, adding that they will “continue to work diligently to meet our customer obligations and to address any potential further impacts associated with this cyber incident.” While Bridgestone has not confirmed whether ransomware is involved, no groups have claimed responsibility. The incident follows a 2022 LockBit ransomware attack on the company.
Tycoon phishing kit evolves with stealthier obfuscation
Researchers at Barracuda have warned that the Tycoon Phishing-as-a-Service kit has adopted new obfuscation tactics to evade detection, including advanced URL encoding, redundant protocol prefixes, and subdomain abuse. The updates, observed in September, allow attackers to insert invisible spaces, odd characters, and misleading symbols into web addresses to disguise malicious content. In one example, encoded “%20” spaces pushed harmful portions of a link out of view, while fake CAPTCHA pages added legitimacy. Attackers also used tricks like placing “office365” before an “@” symbol or creating deceptive subdomains to mislead users. “Attackers are constantly inventing new and more sophisticated ways to disguise dangerous links in phishing emails. They use tricks with spaces, symbols, and web addresses in a way that looks trustworthy at first glance. These methods make it much harder for people – and traditional security software – to tell if they are being lured to a risky website,” Barracuda commented.
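For mail-filter or proxy teams, the link tricks described above can be checked mechanically. The following Python sketch is an added example, not Barracuda's code or part of the original report; the function name, the brand watch-list and the sample links (all on reserved .example/.test domains) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

BRANDS = ("office365", "microsoft")  # assumed watch-list, not from the report
SCHEME = r"^\s*(?:https?:/*)"
HIDDEN = re.compile(r"\s{3,}|[\u200b-\u200d\u2060\ufeff]")

def flag_url(raw):
    """Return the obfuscation indicators present in one link."""
    flags = []
    if re.match(SCHEME + "{2,}", raw, re.I):
        flags.append("redundant-protocol-prefix")
    # Decode first: the padding is usually written as %20, not literal spaces.
    if HIDDEN.search(unquote(raw)):
        flags.append("hidden-whitespace")
    # Collapse repeated prefixes so the real authority can be parsed.
    cleaned = re.sub(SCHEME + "+", "https://", raw, flags=re.I)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return flags + ["unparseable"]
    # Anything before "@" is userinfo; the browser connects to what follows.
    if "@" in parts.netloc:
        flags.append("userinfo-before-@")
    labels = (parts.hostname or "").split(".")
    # Simplification: treat the last two labels as the registrable domain
    # (a production check would consult the Public Suffix List).
    sub, registrable = ".".join(labels[:-2]), ".".join(labels[-2:])
    if any(b in sub and b not in registrable for b in BRANDS):
        flags.append("brand-in-subdomain")
    return flags

# Constructed sample links; none are taken from a real campaign.
SAMPLES = [
    "https://office365@files.attacker.example/login",
    "https:https://portal.example/%20%20%20%20%20/payload",
    "https://office365.secure-login.attacker.test/auth",
    "https://portal.example/report%20q3.pdf",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(flag_url(url) or ["clean"], url)
```

A single encoded space, as in the last sample, is common in legitimate file links, so only runs of whitespace or zero-width characters are flagged.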
Tesla loses $243M crash trial after hacker finds hidden data
A Miami jury has ordered Tesla to pay $243 million after finding it partially liable for a 2019 Autopilot crash in Key Largo that killed 22-year-old Naibel Benavides Leon and seriously injured her boyfriend, Dillon Angulo. Central to the case was a “collision snapshot” recorded by the car’s systems moments before impact. Tesla had said that it had been unable to access this data, but an independent hacker found it within minutes on the vehicle’s Autopilot computer while at a Starbucks. Plaintiffs argued Tesla misled investigators and families by deliberately concealing the file, while Tesla countered that the driver failed to remain attentive. The verdict, a rare courtroom defeat for Tesla, has sparked new lawsuits and raised broader questions about the company’s crash data practices. Tesla’s trial attorney, Joel Smith, stated that the company had been “clumsy” with its investigation but denied any wrongdoing.
WhatsApp device-linking trick lets attackers steal chats
Security researchers have uncovered a WhatsApp scam exploiting the platform’s device linking feature to hijack accounts and steal user data. Victims receive a message from a known contact claiming “Hi, I accidentally found your photo!” with a shortened link that leads to a fake Facebook login page. Once credentials are entered, attackers harvest them to generate valid WhatsApp Web sessions, granting full access to chats, media, and contacts. Gen Threat Labs found that the scam uses stealthy server clusters, subdomains that rotate hourly, and injected scripts to refresh stolen tokens and block revocation attempts. The attack, first seen in Central Europe, spreads quickly and poses risks of fraud, identity theft, and further targeted exploitation.
Jaguar Land Rover halts production after major cyberattack
Jaguar Land Rover (JLR) confirmed a cyberattack forced it to shut down systems supporting production and retail operations, disrupting dealerships and manufacturing, including its Solihull plant that produces the Discovery, Range Rover, and Range Rover Sport. The automaker said that “at this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.” The company has not revealed the nature of the attack or provided a timeline for recovery. Dealers in the U.K. first reported disruptions over the weekend when they were unable to register new vehicles or supply parts. JLR, which generates more than $38 billion annually and employs 39,000 people, said it is working to restore applications in a controlled manner. No ransomware group has taken credit for the attack at this time.
TransUnion breach exposes data of 4.4M U.S. customers
TransUnion has disclosed a data breach impacting over 4.4 million U.S. customers, caused by unauthorized access to a third-party application tied to its consumer support operations. While the credit bureau insisted “no credit information was accessed,” separate filings with state attorneys general confirmed that stolen data included names, dates of birth, and Social Security numbers. TransUnion, which holds financial data on more than 260 million Americans, has not revealed who is behind the attack or whether demands were made. The breach follows a wave of hacks targeting major firms across industries, some linked to the extortion group ShinyHunters. TransUnion has not provided evidence supporting its claims of limited exposure.
WhatsApp patches zero-click spyware exploit
WhatsApp has patched a critical zero-day vulnerability, CVE-2025-55177, tied to “incomplete authorization of linked device synchronization messages.” The company said that the flaw “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.” It is believed that the vulnerability was used in a commercial spyware campaign. Such exploits are especially dangerous as they require no user interaction, giving attackers access to cameras, microphones, and messages. Users on iOS should update WhatsApp immediately to v2.25.21.73 or later.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
