A prolific threat actor has claimed to have breached tech giants AMD and Apple, stealing source code for internal tools, employees’ personally identifiable information (PII) and more.
IntelBroker posted news of the alleged AMD breach on dark web forum BreachForums on Monday, and of the Apple leak a day later.
According to a screenshot posted on X (formerly Twitter) by Dark Web Informer, the malicious actor said they are “releasing the source code to three of Apple’s commonly used tools for their internal site,” following a June 2024 breach.
These are listed as: AppleConnect-SSO; Apple-HWE-Confluence-Advanced; and AppleMacroPlugin.
AppleConnect is apparently a single sign-on authentication system that allows internal employees to access certain applications; the significance of the other two tools is unclear.
The authenticity of the leaked code has not been verified.
The same threat actor said they are selling data stolen from AMD in June.
According to screenshots again posted by Dark Web Informer, IntelBroker claimed to have compromised data on “future AMD products, spec sheets, employee databases, customer databases, property files, ROMs, source code, firmware and finances.”
They said that the employee database included “user IDs, first and last names, job functions, business phone numbers, email addresses, and employment status.”
Exposure of PII in this way could invite the scrutiny of data protection regulators.
AMD claimed in a brief statement sent to Reuters that it is “working closely with law enforcement officials and a third-party hosting partner to investigate the claim and the significance of the data.” There’s no news thus far from Apple.
However, IntelBroker has previously claimed to have stolen “DARPA-related military information” from General Electric, data from the Europol Platform for Experts (EPE), and classified documents from the Five Eyes intelligence group.
In March 2023, the actor also claimed to have obtained insurance and PII belonging to House of Representatives members, after breaching health insurance marketplace DC Health Link.
Alex Lanstein, chief evangelist at StrikeReady, argued that the alleged breaches highlight the importance of continuous dark web monitoring.
“When 165 Snowflake customers were breached due to a lack of multi-factor authentication, the culprit was re-used credentials, some of which were available on the dark web,” he said.
“Every day, access to thousands of organizations is offered for sale, and the vast majority do not make the news cycle. If you can plug the hole before your organization’s access is sold, you may be able to prevent a bad day.”