CyberSecurity

Ransomware Attacks in France Decline in 2025, ANSSI Report Reveals

A Measured Victory in France’s Cyber War

The numbers tell a story of cautious optimism. According to the French National Cybersecurity Agency (ANSSI), 2025 saw 128 reported ransomware attacks on French organizations. That’s a noticeable dip from the 141 incidents recorded the previous year.

This decline isn’t accidental. Vincent Strubel, ANSSI’s director general, and his team point directly to the impact of coordinated law enforcement actions and more effective defensive measures. It’s a sign that sustained pressure on cybercriminal networks can yield tangible results.

Who Was Hit and What Was Used?

While the overall trend is positive, the threat landscape remains complex and dangerous. Small and medium-sized businesses (SMBs) continued to bear the brunt of these attacks, representing the most frequent targets. However, the most significant year-over-year increases in targeting were seen in the healthcare and education sectors.

This shift suggests attackers are adapting their focus to where they perceive maximum pressure can be applied or where data is most sensitive. The tools of the trade also evolved. The Qilin ransomware strain was the most observed in 2025, accounting for 21% of incidents, followed by Akira (9%) and LockBit 3.0 (5%).

ANSSI also noted the emergence of over a dozen new strains, including Nova, Warlock, and Sinobi, appearing in at least one incident each. The criminal toolkit is never static.

The Impact of Global Law Enforcement

Why the drop? ANSSI’s analysis credits successful preventive work by cyber defenders and, crucially, large-scale international police operations. One operation stands out: Operation Endgame.

This coordinated action, involving multiple countries, is cited as having disrupted a significant portion of the ransomware infrastructure. More than just taking down servers, such operations sow distrust within the criminal ecosystem itself. When criminals can’t rely on their tools or their partners, their operations become riskier and less efficient.

A Broader Look at the Cyber Threat Landscape

Ransomware is just one piece of the puzzle. ANSSI’s annual report provides a wider lens on the cyber threats facing France. In 2025, the agency handled 3,586 cyber alerts requiring its support—an 18% decrease from 2024.

It’s important to contextualize that drop. 2024 was the year of the Paris Olympic and Paralympic Games, a period that naturally saw a heightened state of alert and a spike in reported signals. Of those thousands of alerts, ANSSI confirmed 1,366 as genuine cyber incidents involving a malicious actor, a number virtually identical to the 1,361 confirmed in 2024.

Two other trends stood out. The agency reported a significant increase in incidents related to data exfiltration claims. Yet they offer a critical warning: treat such claims with skepticism. Out of 460 events flagged as potential data leaks in 2025, only 42% were linked to actual, new compromises. The rest were false claims or the ‘recycling’ of old stolen data—a common intimidation tactic.

On a brighter note, ANSSI observed a substantial decrease in distributed denial-of-service (DDoS) attacks targeting French entities in 2025.

The Blurring Lines of Cyber Conflict

Perhaps the most concerning long-term trend identified in the report is the growing ‘fog’ of cyber operations. The lines between nation-state actors and cybercriminals are becoming deliberately blurred.

Groups from both spheres are increasingly sharing capabilities, tools, and techniques. They adopt each other’s practices, creating a murky environment where attribution—figuring out exactly who is behind an attack—becomes immensely difficult. This ‘division of labor’ among specialized actors makes attacks more sophisticated and resilient.

Strubel pointed to the series of cyber-attacks against Polish electrical infrastructure at the end of 2025 as a stark warning. It “raises the specter of the feared scenario for which France is preparing,” he stated. The scenario? By 2030, France could face a massive increase in hybrid attacks where cyber operations have concrete, potentially destructive effects on critical national infrastructure.

His final message, however, was one of resolve. “Yes, France has the means to counter, deter, or at least significantly complicate the work of attackers.” The 2025 ransomware dip is a battle won, but the cyber war is a long-term campaign.

LeakyLooker: How Google Looker Vulnerabilities Risked Cloud Data

The LeakyLooker Vulnerabilities in Google’s Analytics Platform

Imagine a business intelligence tool designed to visualize data becoming a backdoor to the cloud itself. That was the startling reality uncovered by Tenable Research, which identified a cluster of nine security flaws in Google Looker Studio. Dubbed ‘LeakyLooker,’ these cross-tenant vulnerabilities resided in the platform formerly known as Google Data Studio.

Looker Studio is a popular service for creating dashboards and reports. It pulls data from sources like Google BigQuery, Sheets, and other SQL databases. This deep integration with Google’s cloud infrastructure, however, exposed an unexpectedly large target for attackers: because the platform holds live connections to backend data stores, a single compromised report could have far-reaching consequences.

Two Paths to Exploitation: Zero-Click and One-Click Attacks

Tenable’s investigation pinpointed weaknesses in the platform’s authentication and data connector systems. The core issue? Looker Studio can run queries using either the report creator’s credentials or the viewer’s credentials. This design flaw opened up two distinct avenues for malicious activity.

The first path required no user interaction. In a ‘0-click’ attack, a threat actor could craft server-side requests that triggered SQL queries executed with the report owner’s high-level permissions. No button click needed; the damage could be done remotely.

The second method was a ‘1-click’ attack. Here, a victim only needed to open a manipulated report or a malicious link. Upon viewing it, malicious SQL queries would run using the viewer’s own database credentials, potentially compromising their data.

Underlying Flaws That Enabled the Attacks

These attack techniques were powered by several critical underlying issues. Researchers found SQL injection flaws in the platform’s database connectors. Sensitive data could also leak through seemingly benign report elements like hyperlinks or embedded images. A particularly concerning flaw, dubbed a ‘denial-of-wallet’ issue, could have allowed attackers to run up massive bills on a victim’s BigQuery resources.
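To make the connector design flaw concrete, here is an added illustration (not Looker Studio’s code and not the specific queries Tenable reported) of a hypothetical report connector that pastes a viewer-supplied filter straight into SQL executed on the report owner’s connection, beside the parameterized and allowlisted version. The `sales` table, its columns and the in-memory sqlite3 database are constructed stand-ins for a connected data source.

```python
import sqlite3

ALLOWED_COLUMNS = {"region", "amount"}  # identifiers a report is allowed to filter on


def build_sample_db():
    """Constructed in-memory data source standing in for a connected database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sales(region TEXT, amount INTEGER);
        INSERT INTO sales VALUES ('emea', 100), ('apac', 250), ('amer', 400);
        """
    )
    return conn


def vulnerable_report_query(owner_conn, region_filter):
    """Hypothetical connector: the viewer-supplied filter is concatenated into
    SQL and run on the report owner's connection, so whatever the viewer types
    executes with the owner's privileges, not the viewer's."""
    sql = f"SELECT region, amount FROM sales WHERE region = '{region_filter}'"
    return owner_conn.execute(sql).fetchall()


def hardened_report_query(owner_conn, column, value):
    """Same connector hardened: the filter value is bound as a parameter so it
    can only ever be data, and the column name (which cannot be bound) is
    checked against an allowlist before it reaches the query text."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted in report filter: {column!r}")
    sql = f"SELECT region, amount FROM sales WHERE {column} = ?"
    return owner_conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    tainted = "x' OR '1'='1"  # a filter value that is SQL text, not a region name
    print(vulnerable_report_query(db, tainted))          # every row, not one region
    print(hardened_report_query(db, "region", tainted))  # [] : treated as a literal
```

The hardened version still runs on the owner’s connection; what changes is that viewer input can no longer alter the query’s shape, which is the separation a connector must enforce whenever owner credentials are reused for viewers.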

Potential Impact and the Path to Remediation

The scope was significant. Connectors for BigQuery, Cloud Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage were all affected. An attacker could have scoured the web for publicly shared Looker reports. These reports could then serve as a launchpad to steal data, insert false records, or even delete entire tables in connected databases.

One subtle but dangerous feature was the report copy function. When a viewer duplicated a report, it sometimes preserved the original database credentials. The new owner of the copied report could then run custom SQL queries against the original database, all without ever knowing the password.

Tenable responsibly disclosed all nine vulnerabilities to Google. The tech giant collaborated with the researchers to investigate and roll out fixes. Since Looker Studio is a fully managed service, Google deployed the patches globally. Customers did not need to take any action to be protected.

Securing Your Business Intelligence Front

This episode serves as a crucial reminder. Analytics and business intelligence platforms are often overlooked in security assessments. They are powerful tools that connect directly to crown-jewel data stores, making them attractive targets.

Organizations should proactively manage this risk. Regularly audit report-sharing settings and ensure only necessary individuals have access. Limit or remove unused data connectors to shrink the attack surface. Most importantly, treat BI and analytics integrations as a core component of your cloud security strategy, not an afterthought. The line between data visualization and data vulnerability can be thinner than it appears.

Russian Hackers Target WhatsApp and Signal in Global Espionage Campaign

A sophisticated Russian espionage operation is systematically hijacking accounts on encrypted messaging platforms. Dutch intelligence services have exposed a global campaign where state-backed hackers are targeting government employees, military personnel, and journalists.

The goal is simple: bypass the end-to-end encryption of Signal and WhatsApp by stealing the accounts themselves. Once inside, attackers can read private conversations and impersonate trusted contacts.

How the Russian Account Hijacking Works

The attacks are clever and multi-pronged. One primary method involves impersonation. Hackers send messages pretending to be a ‘Signal Support’ chatbot. The message claims suspicious activity on the user’s account and urgently requests their SMS verification code or Signal PIN.

Signal has been unequivocal in its warning. “Signal Support will *never* initiate contact to ask for your verification code or PIN,” the company stated. If anyone asks for these codes, it is definitively a scam.

Another technique exploits the ‘linked devices’ feature. Attackers trick victims into scanning a malicious QR code or clicking a link, which grants the hacker access to the messaging account from their own device. This method was previously used against Ukrainian officials.

Why Encrypted Apps Are Still Vulnerable

End-to-end encryption protects message content in transit, but it cannot protect against account takeover. If a hacker gains control of your account, they effectively become you within the app. They see all your messages and can communicate with your contacts.

“Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information,” warned Vice-Admiral Peter Reesink, director of the Dutch Military Intelligence and Security Service (MIVD).

Security experts note a fundamental mismatch. “Third party consumer-oriented platforms like Signal and WhatsApp are ultimately not developed with state-level usage in mind,” explained Ben Clarke, SOC manager at CybaVerse. They lack the stringent protocols of bespoke government systems, making them attractive targets for well-resourced nation-state actors.

How to Spot and Stop an Account Takeover

Dutch intelligence (AIVD and MIVD) has published clear guidance for high-risk users. Vigilance within group chats is critical. Check if any contact appears twice in your group member list—this duplication could signal a malicious actor has cloned an account.

If you see this, contact the group administrator. They should remove both identical-looking accounts, allowing the legitimate user to request re-entry. Also, watch for sudden display name changes, like a contact’s name switching to ‘Deleted Account.’ A notification of such a change is a major red flag.

The core defense is simple: never, under any circumstances, share your SMS verification code or app-specific PIN with anyone. No legitimate support service will ever ask for them.

This campaign is a stark reminder. The strongest lock is useless if someone steals your key. For sensitive communications, the platform’s trustworthiness is just as important as its encryption.

Ericsson Data Breach: 15,000+ Employee and Customer Records Exposed

A significant data breach has impacted the US subsidiary of telecommunications giant Ericsson. The incident, stemming from a compromised third-party service provider, exposed the personal information of 15,661 employees and customers. This serves as a stark reminder of the risks that lurk within complex supply chains, even for industry leaders.

How the Ericsson Breach Unfolded

The breach didn’t originate within Ericsson’s own digital walls. Instead, attackers targeted a vendor responsible for storing sensitive data on the company’s behalf. The service provider first detected suspicious activity on its systems on April 28, 2025. A subsequent investigation traced the unauthorized access back to a window between April 17 and April 22 of that year.

Ericsson Inc. quickly engaged external cybersecurity experts and alerted the FBI. A meticulous review of the potentially affected files was completed months later, on February 23, confirming the exposure of personal data. The company has chosen not to publicly name the third-party provider at the center of the incident.

What Personal Information Was Compromised?

The scope of the data involved is extensive and deeply personal. For the thousands of affected individuals, the exposed information creates a substantial risk of identity theft and fraud. The compromised files contained a range of sensitive identifiers.

Types of Data Exposed

Names and home addresses were part of the haul, providing a basic profile for each victim. Far more concerning is the exposure of key government-issued identification numbers, including Social Security Numbers and driver’s license details.

The breach also reached into financial and medical privacy. Bank account or payment card numbers were accessible, alongside medical information and dates of birth. This combination of data points is a goldmine for cybercriminals looking to commit synthetic identity fraud.

Response and Protection for Victims

In filings with state authorities, including the Texas Attorney General, Ericsson stated that investigators have found no evidence the stolen data has been misused. The notification to over 4,300 Texas residents is part of a broader effort to inform all impacted parties.

Who is behind the attack? As of now, no cybercrime group has stepped forward to claim responsibility. The silence leaves questions about the attackers’ motives—was this a targeted theft for financial gain, or something else?

To mitigate the potential harm, Ericsson is offering complimentary identity protection services through IDX. Affected individuals who enroll by June 9 will receive credit monitoring, dark web surveillance, and identity theft recovery assistance. The offering includes a significant safety net: a $1 million identity fraud reimbursement policy.

“Please note that our service provider has represented to us that they have no evidence of the misuse of any potentially impacted information since the time of the incident,” Ericsson assured in its notification letter. For the 15,661 people involved, enrolling in those protective services is a crucial next step.
