FreeCity-Linked Data Leaks Hit Malaysia, Vietnam; ShinyHunters Targets US Firms

Events tracked: 160
Critical exposure: 70

Summary

Today's threat landscape is defined by a high volume of alleged data breaches, with the actor FreeCity claiming responsibility for a series of large-scale leaks targeting government and commercial databases in Malaysia and Vietnam. The concentration of incidents against Indonesian government and state-owned entities also stands out, suggesting a coordinated campaign by multiple actors. Defenders should prioritize patching CVE-2026-31431, a Linux privilege escalation flaw now listed on CISA's KEV catalog, as active exploitation has been confirmed.

Today's developments

The most significant signal today comes from the actor FreeCity, who claims to have compromised multiple databases across Southeast Asia. Alleged breaches include a database of 7.05 million entries related to "Overseas Chinese" in Malaysia, alongside a separate database of 3.38 million records of high-net-worth citizens. In Vietnam, FreeCity claims to have accessed tourism data (4.8 million records), insurance user data (620,000 records), and property owner data (1.9 million records). These claims, if verified, represent a substantial aggregation of sensitive demographic and financial data.

The ShinyHunters actor remains active, alleging breaches of two US-based firms: Instructure, Inc., an e-learning platform, and Cushman & Wakefield, a global real estate services company. These claims follow the group's established pattern of targeting enterprise SaaS and professional services firms. Separately, the actor Chronus leaks has alleged breaches of the Mexican Institute of Social Security and the municipal water utility OOAPAS in Mexico, indicating continued interest in Latin American government and public sector targets.

A notable cluster of activity targets Indonesia, with multiple actors claiming breaches against state institutions. Alleged victims include the Directorate General of Population and Civil Registration, Bank Negara Indonesia, the Ministry of Education and Culture, and the state electricity company Perusahaan Listrik Negara (PLN). This concentration suggests a broad, possibly opportunistic, campaign against Indonesian digital infrastructure.

On the vulnerability front, industry researchers report that CISA has added CVE-2026-31431, a local privilege escalation flaw in Linux kernel components, to its Known Exploited Vulnerabilities catalog. The vulnerability carries a CVSS score of 7.8 and is being actively exploited. This is a critical patch for any organization running affected Linux distributions, particularly in server and cloud environments.
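Turning a KEV listing into a patch queue is mostly a matter of joining the catalog against what you actually run. The following script is an added example, not part of this brief or of CISA's tooling: it parses records in the field layout CISA's known_exploited_vulnerabilities.json feed uses (cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate, knownRansomwareCampaignUse), joins them against a local asset inventory, and ranks matches by remediation due date. The CVE ID is the one named above; every other value in the sample feed (dates, descriptions, the second and third entries, the host names) is a constructed placeholder, not real catalog data.

```python
"""Triage a CISA KEV feed excerpt against a local asset inventory.

Added example, not from the brief. The record layout follows the public
known_exploited_vulnerabilities.json feed; the values below are constructed.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed sample feed. Only the first cveID comes from the brief; the
# dates, descriptions and remaining entries are placeholders for illustration.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-31431",
            "vendorProject": "Linux",
            "product": "Kernel",
            "vulnerabilityName": "Linux Kernel Privilege Escalation Vulnerability",
            "dateAdded": "2026-05-01",                 # placeholder date
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-05-22",                   # placeholder date
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00001",                 # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleVPN",
            "vulnerabilityName": "Placeholder VPN Vulnerability",
            "dateAdded": "2026-04-20",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-05-10",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-00002",                 # placeholder, not a real CVE
            "vendorProject": "OtherVendor",
            "product": "NotDeployedHere",
            "vulnerabilityName": "Placeholder Vulnerability",
            "dateAdded": "2026-04-25",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-05-16",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory keyed by (vendorProject, product), lower-cased to
# match KEV labels case-insensitively. Host names are placeholders.
ASSET_INVENTORY = {
    ("linux", "kernel"): ["web-01", "web-02", "k8s-node-03"],
    ("examplevendor", "examplevpn"): ["vpn-gw-01"],
}


def load_kev(feed_json: str) -> list[dict]:
    """Return the vulnerability records from a KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def is_listed(entries: list[dict], cve_id: str) -> bool:
    """True if the CVE appears in the catalog excerpt."""
    return any(e["cveID"].upper() == cve_id.upper() for e in entries)


def match_kev_to_assets(entries: list[dict], inventory: dict, today: date) -> list[dict]:
    """Join KEV entries to inventoried products and rank by urgency.

    Ranking: soonest KEV due date first (negative days_left means overdue),
    then larger affected host count first.
    """
    findings = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        hosts = inventory.get(key)
        if not hosts:
            continue  # catalog entry does not touch anything we run
        due = date.fromisoformat(e["dueDate"])
        findings.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "hosts": list(hosts),
            "due": due,
            "days_left": (due - today).days,
            "ransomware_use": e.get("knownRansomwareCampaignUse", "Unknown"),
            "required_action": e["requiredAction"],
        })
    findings.sort(key=lambda f: (f["days_left"], -len(f["hosts"])))
    return findings


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    for f in match_kev_to_assets(entries, ASSET_INVENTORY, date(2026, 5, 5)):
        print(f'{f["cve"]:16} {f["product"]:24} due {f["due"]} '
              f'({f["days_left"]:+d}d) hosts={len(f["hosts"])} '
              f'ransomware={f["ransomware_use"]}')
```

In production the feed would be fetched from CISA rather than embedded, and the inventory would come from a CMDB or agent data; the join key shown here (vendor and product labels) is deliberately coarse, because KEV records carry no version ranges, so a match means "go check the vendor advisory for these hosts", not "these hosts are confirmed vulnerable".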

Threat landscape signals

The event data reveals a clear geographic and sectoral concentration. Indonesia is the most targeted country today, with at least 10 alleged breaches spanning government, banking, and energy sectors. This is followed by the United States and the United Kingdom, where breaches target financial services, e-learning, and real estate. The actor FreeCity is responsible for the largest volume of claimed data, with 11 events, many involving records in the hundreds of thousands to millions.

The distribution of event types shows data breaches (65) outnumbering both ransomware (14) and DDoS (61). While DDoS remains a common nuisance, the volume of alleged data exposure events suggests that data theft and extortion remain the primary threat vector. The presence of multiple actors targeting Indonesian state infrastructure, combined with FreeCity's focus on Southeast Asian databases, indicates a regional shift in targeting that defenders in those areas should monitor closely.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
