Brief #112: McDonald's 64M Data Breach, LLM Agent Attacks, AI Threatens Junior Roles

Nikoloz Kokhreidze
Major breaches hit McDonald's hiring platform and Louis Vuitton UK. Researchers discover systematic LLM agent vulnerabilities.

Happy Sunday!
I've been thinking a lot about how we measure success in cybersecurity, especially after seeing this week's research showing that customers now value security and trustworthiness over product quality and value. It's a fundamental shift that validates what we've been saying for years - security isn't just a cost center, it's a competitive advantage.
In this week's brief:
- McDonald's hiring platform exposed 64 million job applications using default credentials "123456" - a reminder that basic security hygiene still matters more than sophisticated threats
- AI automation is eliminating entry-level cybersecurity roles, creating a skills gap problem we need to address now
- New research confirms customers prioritize security and trust over product features when choosing services
The stories this week really highlight the tension between advancing technology and fundamental security practices. We're seeing AI create new attack vectors while simultaneously threatening the pipeline of junior talent we need to defend against them.
What's your take - are we moving too fast with AI adoption without properly securing the foundations, or is this just the natural evolution of our field?

Industry News
SLOW#TEMPEST Malware Uses Advanced Obfuscation Techniques to Evade Detection
- Unit 42 researchers discovered a SLOW#TEMPEST campaign variant using sophisticated obfuscation techniques including control flow graph manipulation and dynamic jumps to complicate analysis and evade detection.
- The malware is distributed via ISO files and employs DLL sideloading through legitimate applications, with the payload strategically separated across multiple files requiring both to be present for execution.
- An anti-sandbox check prevents execution on systems with less than 6 GB of RAM, allowing the malware to bypass automated analysis environments while targeting actual production systems.
McDonald's Hiring Platform Exposed 64 Million Job Applications Through IDOR Vulnerability
- Security researchers discovered McHire (used by 90% of McDonald's franchisees) allowed access with default credentials "123456:123456" and contained an IDOR vulnerability in the candidate information API, potentially exposing personal data of over 64 million job applicants.
- The vulnerability leaked applicants' personally identifiable information including names, email addresses, phone numbers, addresses, work preferences, and even authentication tokens that could allow unauthorized access to their chat messages.
- After disclosure on June 30th, 2025, Paradox.ai (the platform developer) quickly remediated the issues within 24 hours, with credentials disabled within 2 hours and full confirmation of resolution the following day.
Louis Vuitton UK Customer Data Compromised in Cyber-Attack
- Unauthorized third parties accessed Louis Vuitton's UK systems on July 2, stealing customer data including names, contact details, and purchase history, though financial data like bank details was not compromised.
- This is the third breach affecting LVMH brands in three months – Louis Vuitton's Korean operation experienced a similar attack last week, and Christian Dior Couture reported customer data access in May.
- The company has notified relevant authorities including the Information Commissioner's Office and warned customers about potential phishing attempts or fraud using the stolen information.

Leadership Insights
Customer Identity Trends Report 2025: Security and Trust Trump Quality and Value
- When deciding to create an account with a service provider, 74% of users consider company trustworthiness and 72% consider security measures as important factors—outranking the quality and value of products or services.
- Fraud is top of mind for customers with 64% expressing concern about identity fraud, while signup friction is costly—23% of users report always or often abandoning purchases due to signup/login issues, with younger generations and tech enthusiasts being least tolerant.
- The threat landscape is severe—46.1% of registration attempts and 16.9% of login attempts exhibit malicious behavior, with retail/ecommerce experiencing 22.2% malicious login activity and brute-force attacks exceeding legitimate signups by 120 times.
DragonForce Attacks Rival Ransomware Groups, Including RansomHub
- DragonForce, a minor ransomware operator, launched a defacement campaign targeting several competitors in March 2025, taking down the dark web sites of BlackLock, Mamona, and RansomHub - previously the top ransomware-as-a-service provider.
- Despite an overall 15% increase in ransomware attacks and a 43% growth in the number of active gangs in 2024, total ransom payments dropped by 35% according to Chainalysis, suggesting diminished victim confidence in the reliability of these criminal groups.
- RansomHub remained inactive after the DragonForce attack, which included false claims that RansomHub had voluntarily joined DragonForce's cartel, leading to a heated public exchange on the RAMP forum.
2025 Identity Theft Resource Center Report Shows Shifting Trends in Identity Crimes
- The ITRC report reveals a significant shift in identity crime patterns: fewer victims are reporting compromise of personal information (35%) than actual misuse (52%), reversing previous trends where more victims reported information exposure than actual fraud.
- Three key trends identified: AI technology is making it easier for criminals to coerce victims into revealing credentials, identity thieves are increasingly accessing various existing accounts through sophisticated techniques, and individuals are becoming more proactive about protecting their identities.
- Most common attack vectors include impersonation scams (34% of reported scams), account takeover (53% of misuse cases), and new account fraud (36% of misuse cases), with financial accounts like credit cards and checking accounts being primary targets.
Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS

Career Development
Reddit Thread Prompts Cybersecurity Professionals to Share Career-Defining Moments
- The r/cybersecurity community thread asks professionals to share their "EUREKA moments" – those pivotal realizations or experiences that shaped their understanding of the field.
- With 1.2 million members, this discussion falls under the "Career Questions & Discussion" category, highlighting the importance of knowledge sharing and mentorship in cybersecurity professional development.
- The thread presents an opportunity for cybersecurity experts to reflect on transformative learning experiences that could benefit newcomers navigating their career paths in the industry.
Reddit Cybersecurity Community Discusses Most Valuable Professional Tools
- A Reddit user in r/cybersecurity initiated a discussion thread asking professionals about the most helpful tools they use in their current positions, reaching the community of 1.2M members.
- The post was tagged under "Business Security Questions & Discussion," indicating its focus on professional applications rather than academic or theoretical cybersecurity topics.
- This thread represents an opportunity for security practitioners to share tool recommendations and best practices across different job roles and specializations within the cybersecurity field.
AI Automation Threatens Entry-Level Cybersecurity Roles
- As AI increasingly automates low-level detection and triage tasks, junior analysts are losing critical hands-on experience needed to develop core competencies for advanced positions.
- Industry experts recommend simulation-based training programs and apprenticeships as stopgaps to provide early-career professionals with necessary experience that automation has eliminated.
- Cybersecurity remains a "deeply sociotechnical problem" requiring human creativity and judgment, with the best security teams using AI "as an amplifier, not a replacement" for human expertise.

AI & Security
Researchers Introduce "Security Steerability" as New Measure for LLM Security
- Intuit AI security researchers developed "Security Steerability" - a novel metric that measures an LLM's ability to adhere to application-specific guardrails defined in system prompts, even when users attempt to circumvent them through jailbreaks or text perturbations.
- Their research revealed minimal correlation between conventional LLM security measures (resistance to generating prohibited content) and security steerability, indicating current security evaluation approaches fail to address application-level threats.
- Two new evaluation datasets were introduced - VeganRibs and ReverseText - to test 14 open-source LLMs, with findings showing that models with high scores in universal security often performed poorly in enforcing application-specific boundaries.
Researchers Identify Over 30 Attack Techniques Against LLM-Powered AI Agent Workflows
- The paper introduces the first unified threat model for LLM-agent ecosystems, categorizing attacks into four domains: Input Manipulation, Model Compromise, System and Privacy Attacks, and Protocol Vulnerabilities.
- Researchers document alarming success rates across attack types - adaptive prompt injections bypass defenses in over 50% of cases, composite backdoor attacks achieve 100% success rates, and protocol-level exploits can leak private repository data through seemingly benign GitHub issues.
- The study identifies key open challenges including securing Model Context Protocol (MCP) deployments, designing hardened Agentic Web Interfaces, and achieving resilience in multi-agent and federated environments.
LLMs Generate Vulnerable Code But Self-Correction Mechanisms Show Promise
- All tested LLMs frequently generate vulnerable code, with vulnerability rates ranging from 9.8% to 42.1% across different models and datasets, sharing similar distributions of top vulnerability types despite differences in model architectures.
- Self-generated vulnerability hints can effectively reduce vulnerabilities (by up to 13.9% in some cases), but this depends on hints being relevant, precise, and contextualized to the specific coding scenario – otherwise, they may actually increase vulnerability rates.
- Post-hoc vulnerability repair using feedback from static analysis tools works well for advanced models like GPT-4o and DeepSeek-Coder-V2, with explained feedback providing 7-28% greater reduction in vulnerabilities compared to direct feedback alone.

Market Updates
Cyberstarts Launches $300M Liquidity Fund to Help Startups Retain Top Talent
- Early-stage cybersecurity venture firm Cyberstarts announced a $300 million Employee Liquidity Fund that allows startup employees to sell vested shares without leaving their companies.
- The fund addresses the challenge of extended IPO timelines by providing a path to liquidity that helps align incentives and sustain long-term employee commitment at portfolio companies like Wiz, Fireblocks, Island, and Cyera.
- This initiative brings Cyberstarts' total capital commitments to over $1 billion across six funds, with implementation handled by each company's HR team based on their specific talent needs.
AirMDR Secures $15.5 Million Funding for AI-Powered MDR Solution
- AirMDR, an AI-native MDR startup founded in 2023, has raised $15.5 million in combined seed and infusion funding led by Race Capital with support from Foundation Capital and Storm Ventures.
- The company's solution features an AI analyst that autonomously triages security alerts in real-time, while human experts provide verification of findings, creating a hybrid defense model suitable for both enterprises and SMBs.
- Funds will be used to accelerate R&D efforts, enhance AI analyst capabilities, and scale the company's sales and marketing team as they pursue their mission of bringing "Fortune 500 quality SOC to every enterprise at an affordable price."
Virtru Secures $50 Million Series D Funding, Doubles Valuation To $500 Million
- Data security company Virtru has raised $50 million in Series D funding led by Iconiq, with participation from Bessemer Venture Partners, Foundry, and The Chertoff Group, doubling its previous valuation to $500 million.
- Founded in 2012 by brothers John and Will Ackerly, who previously worked in the Bush Administration and NSA respectively, Virtru leverages Trusted Data Format (TDF) to provide data protection for 6,700 customers including Equifax, Capital One, JPMorganChase, and the U.S. Department of Defense.
- The company plans to expand its platform to become a data security leader in an AI-driven landscape, focusing on its mission of "securing all data everywhere" by tagging and managing data wherever it goes.

Tools
InSights by InQuest
InSights by InQuest is a threat intelligence platform that delivers curated feeds of IOCs and C2 information to help security teams detect and respond to emerging threats.
CTIChef.com Detection Feeds
A tiered cyber threat intelligence service providing detection rules from public repositories with varying levels of analysis, processing, and guidance for security teams.
PlexTrac
PlexTrac is a centralized platform for penetration test reporting and threat exposure management that helps security teams streamline assessment workflows, prioritize remediation, and track security posture improvements.
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
How do you like Mandos Brief?
For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz