The Good | Poland Detains Russian Hacker Amid Rising Moscow-Linked Sabotage
Poland’s Central Bureau for Combating Cybercrime (CBZC) has arrested a Russian national in Kraków on suspicion of breaching the IT systems of local companies, marking the latest incident tied to what Warsaw describes as Russia’s expanding sabotage and espionage campaign across Europe. According to Polish Interior Minister Marcin Kierwiński, the suspect allegedly compromised corporate-level security defenses to access and manipulate company databases in ways that could have disrupted operations and endangered customers.
Investigators say the man illegally entered Poland in 2022 and later obtained refugee status. He was detained on November 16 by Polish authorities and has since been interrogated, charged, and placed in three months of pre-trial custody. Authorities also believe he may be connected to additional cyberattacks affecting firms in Poland and other EU states, and they are still determining the full scope of the damage.
The arrest comes amid heightened concern over Russian hybrid warfare since Moscow’s invasion of Ukraine in 2022. Poland has linked recent incidents, including sabotage of a railway line and a fire at a major shopping mall, to Russian intelligence activities. The country has shut down all Russian consulates following the events.
EU officials warn that cyberattacks against regional companies and institutions have surged, with many attributed to GRU-backed actors. Other recent disruptions have included payment service outages and leaks of customer data from Polish firms. In response, Polish Digital Affairs Minister Krzysztof Gawkowski plans to invest a record €930 million on bolstering the county’s cybersecurity, underscoring what authorities describe as the urgent need for stronger corporate defenses and deeper international cooperation against increasingly aggressive cyber threats.
The Bad | FBI Warns of Banking Fraud & Account Takeover Schemes Ahead of Holidays
The FBI has issued a PSA about a sharp rise in account takeover (ATO) fraud, with cybercriminals impersonating financial institutions to steal more than $262 million since January 2025. The agency’s Internet Crime Complaint Center (IC3) has received over 5,100 reports this year from victims across individuals, businesses, and organizations across every sector.
The schemes start off with deceiving victims through texts, calls, and emails, posing as bank staff or customer support. They trick targets into revealing their login credentials, multi-factor authentication (MFA) codes, or one-time passcodes (OTPs). Criminals have also been luring victims onto phishing websites engineered to mimic legitimate banking or payroll sites, sometimes boosted through SEO poisoning to appear at the top of search results.
Once inside the victim’s account, fraudsters reset passwords, lock out the rightful owners, and quickly transfer funds into crypto-linked accounts, which makes recovery extremely difficult. Some victims report being manipulated with fabricated claims of fraudulent purchases, or even firearm transactions to incite panic, before being redirected to a second scammer impersonating law enforcement.
As we enter the holiday season, the FBI urges consumers and organizations to monitor their accounts closely, use strong unique passwords, enable MFA, verify URLs, and avoid visiting personal banking sites through search engine results. Victims should immediately contact their financial institutions to request recalls and provide indemnification documents, and then file detailed reports with IC3.
Officials and security experts stress that most ATO cases stem from compromised credentials. Stronger identity verification such as passwordless authentication and enabling manual verification steps remain basic security hygiene necessary for reducing these types of attacks.
The Ugly | OpenAI Alerts API Users After Mixpanel Breach Exposes Limited Data
OpenAI is alerting some ChatGPT API customers that limited personally identifiable information (PII) was exposed after its third-party analytics provider, Mixpanel, was breached. The compromise, stemming from an smishing campaign detected on November 8, affected “limited analytics data related to some users of the API”, but did not compromise ChatGPT or other OpenAI products.
While OpenAI confirmed that sensitive information such as credentials, API keys, requests, and usage data, payment and chat details, or government IDs remained secure, the exposed data may include usernames, email addresses, approximate user location, browser and operating system details, referring websites, and account or organization IDs.
OpenAI said users do not need to reset passwords or regenerate API keys. Some users have reported that CoinTracker, a cryptocurrency tracking platform, may also have been affected, with limited device metadata and transaction counts exposed.
Has @mixpanel not disclosed this breach? Sent from @CoinTracker. pic.twitter.com/xk9nmGVmfm
— Daniel Harrison (@danielh9277) November 27, 2025
OpenAI has begun an investigation, removed Mixpanel from production services, and is notifying affected users directly. The company warns that the leaked data could be used for phishing or social engineering attacks and advises users to verify any messages claiming to relate to the incident, enable MFA, and to never share account credentials via email, text, or chat.
Mixpanel, in turn, has responded to the incident by securing accounts, revoking active sessions, rotating compromised credentials, blocking the threat actor’s IPs, resetting employee passwords, and implementing new controls to prevent future incidents. The analytics firm also reached out to all impacted customers directly.
The incident highlights the risks posed by third-party service providers and the importance of awareness against phishing, even when no core systems or highly sensitive information are directly compromised.
