Security Affairs

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach


Resecurity found a breach in Brazil’s CIEE One platform, exposing PII and documents, later sold by data broker “888” on the dark web.

Resecurity identified a data breach at CIEE One, one of the major platforms in Brazil connecting businesses and trainees, leading to the compromise of sensitive PII, including ID records, contact information, medical reports, scans of documents, and other related data. Notably, the stolen data was offered for sale by underground data broker “888.”

CIEE One is a personalized recruitment and selection service offered by CIEE Centro de Integração Empresa-Escola (Business-School Integration Center) for companies seeking candidates for internships and apprenticeship programs. It connects specialists and businesses, ranging from major international corporations to local entities in Brazil. The service is widely used by top financial institutions in Brazil, as well as popular online platforms, energy, oil & gas, telecommunications, and technology providers. According to the official CIEE website, the service “connects talent with the largest companies” in Brazil, including Bradesco, Caixa, Claro, BRF, and many others.

Why do threat actors target such services? Primarily because they aggregate large amounts of sensitive PII collected for due diligence and recruitment processes, making them valuable targets for cybercriminals. Stolen data can be easily monetized on the Dark Web and used for further identity theft and financial fraud.

According to Resecurity’s HUNTER team, an exposed Google Cloud Storage bucket was the root cause of the compromise. The company alerted the affected party and shared further intelligence with Computer Emergency Response Team Brazil (CERT.br). Unfortunately, exposed cloud buckets remain widely exploitable by threat actors for data theft, due to a lack of protection for cloud services and inadequate configuration hardening.

The profile of “888” has existed since at least 2024, when he was successfully targeting corporations, including Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil & gas industries. This actor is known to be a “straight shooter,” selling acquired databases exclusively due to his great reputation and a proven track record of leaks within the underground community.

Resecurity characterizes “888” as a sophisticated, financially motivated underground data broker targeting public-facing services and applications. His previous activities overlap with those of notable actors such as IntelBroker, whom the Federal Bureau of Investigation (FBI) recently indicted for monetizing stolen data on the Dark Web belonging to various corporations and government agencies.

According to expert statistics, 41% of cloud breaches are caused by misconfigurations, with exposed buckets being a leading contributor.
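For defenders, the bucket misconfiguration described above can be checked from exported bucket metadata and IAM policy. The following is an added example, not code from Resecurity or CIEE; it assumes input shaped like the Cloud Storage JSON API bucket resource and IAM policy, and the function name, bucket names and sample data are constructed for illustration.

```python
# Principals that make a Cloud Storage grant public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def audit_bucket(bucket: dict, iam_policy: dict) -> list:
    """Return public-exposure findings for one bucket (hypothetical helper)."""
    name = bucket.get("name", "<unknown>")
    iam_cfg = bucket.get("iamConfiguration", {})
    findings = []
    # IAM bindings that grant a role to anyone, or to any Google account.
    for binding in iam_policy.get("bindings", []):
        for member in sorted(PUBLIC_PRINCIPALS & set(binding.get("members", []))):
            findings.append(f"{name}: IAM role {binding.get('role')} granted to {member}")
    # Legacy ACLs can expose the bucket or every newly written object.
    for field in ("acl", "defaultObjectAcl"):
        for entry in bucket.get(field, []):
            if entry.get("entity") in PUBLIC_PRINCIPALS:
                findings.append(f"{name}: {field} grants {entry.get('role')} to {entry['entity']}")
    # Guard rails that stop public grants from being added later.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(f"{name}: publicAccessPrevention is not enforced")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(f"{name}: uniform bucket-level access is disabled")
    return findings

# Constructed sample data: one exposed bucket, one hardened bucket.
EXPOSED_BUCKET = {
    "name": "example-candidate-docs",
    "acl": [{"entity": "allAuthenticatedUsers", "role": "READER"}],
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": False}},
}
EXPOSED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
]}
HARDENED_BUCKET = {
    "name": "example-hardened-docs",
    "iamConfiguration": {"publicAccessPrevention": "enforced",
                         "uniformBucketLevelAccess": {"enabled": True}},
}
HARDENED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for line in audit_bucket(EXPOSED_BUCKET, EXPOSED_POLICY):
        print(line)
```

A bucket that returns no findings has no public principal in its IAM policy or ACLs and has both guard rails switched on.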


Pierluigi Paganini

(SecurityAffairs – hacking, CIEE One)