Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: fintech (2 articles)Clear

Colombian fintech Addi confirms 34.5M-account breach after ShinyHunters published credit and ID data

Have I Been Pwned has added Colombian buy-now-pay-later fintech Addi to its breach corpus with 34,532,941 unique email addresses. Addi acknowledged unauthorized activity on its platform back in March 2026 and warned customers that personal data might have been compromised. ShinyHunters then claimed responsibility and published the dataset, which goes well beyond emails: credit-scoring requests, credit bureau records, customer identity files, email-validation logs, Cedula de Ciudadania national ID numbers, estimated income, socioeconomic level, and purchase history. Addi is a Bogota-based BNPL lender with $1B+ in funding and is one of the larger Latin American fintech breaches publicly documented this year.

Check
If your org operates in Colombia or onboards Colombian customers, search fraud and KYC pipelines for accounts created since March 2026 using a Cedula present in the leak. Monitor for synthetic-identity signals.
Affected
Anyone who held an Addi account before March 2026, plus organizations that rely on Colombian credit-bureau attributes or Cedula numbers for customer verification. ShinyHunters has now publicly released the data.
Fix
Individuals: freeze credit at DataCredito and TransUnion CIFIN, assume your Cedula and income data are public. Organizations: switch from Cedula-only verification to multi-factor identity proofing for new Colombian accounts.

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles - particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.