Archive for Suzu Labs

The Company Reviewing Meta Glasses Footage Has a Security Problem

Posted in Commentary on March 6, 2026 by itnerd

Mike Bell, Founder and CEO of Suzu Labs, has just published the research blog post “The Company Reviewing Your Meta Glasses Footage Has a Security Problem.”

“Last week, Swedish journalists revealed that Meta sends video footage from Meta Ray-Ban smart glasses to human data annotators at Sama, a San Francisco-based outsourcing company that runs its annotation workforce out of Nairobi, Kenya. Workers described seeing footage of people in bathrooms, bedrooms, and intimate situations. The UK’s Information Commissioner opened a probe. The story dominated privacy news for days,” Bell said.

“Nobody asked the obvious follow-up question. How secure is Sama? We did. And the answer isn’t reassuring.”

Sama Credential Exposure on the Dark Web: Suzu Labs ran dark web intelligence queries against Sama’s corporate domain (sama.com) using its threat intelligence platform. In the last 90 days alone, Suzu Labs identified 118 credential entries tied to sama.com circulating across Telegram channels, underground forums, and breach databases. The results were alarming: eighty-three of the entries included plaintext passwords.

Suzu Labs’ research reveals just how shaky Sama’s current (December 2025 to February 2026) security posture is. “Most of these credentials didn’t come from some third-party breach where Sama employees happened to have accounts. Roughly 87% came from info-stealer malware logs. That means malware was running on machines used by people with sama.com email addresses, pulling credentials and session tokens directly off the endpoint. The stealer takes everything on the machine. It doesn’t filter by importance.”

The research also evaluates risks to AI training data and other Sama clients, and offers recommendations – for Meta, for Sama, and for every organization.

The Company Reviewing Your Meta Glasses Footage Has a Security Problem: https://suzulabs.com/suzu-labs-blog/the-company-reviewing-your-meta-glasses-footage-has-a-security-problem

Brightspeed breach: New data, context & analysis from Suzu Labs

Posted in Commentary on January 19, 2026 by itnerd

Daily Dark Web and others have been covering claims, first surfaced earlier this month, that Brightspeed has been pwned. The latest news is that there are aspects of this incident that have not yet been explored in public reporting. Suzu Labs’ independent analysis suggests the risk profile may extend beyond a simple customer-record exposure.

Dark web monitoring shows Brightspeed customer credentials circulating in infostealer markets before the breach claims surfaced publicly.

That sequencing matters.

When credential compromise predates an alleged breach, attackers can correlate datasets in ways that accelerate fraud, phishing, and account takeover, even absent confirmed exfiltration.

There is also unexamined context around the threat actor involved. Prior activity attributed to this group shows a focus on cloud and development environments, not just consumer databases, raising questions about investigative scope and why confirmation timelines in cases like this are rarely straightforward.

Suzu Labs CEO Michael Bell offers this analysis.

Additional context examined:

  • The actor behind the claims has previously targeted cloud and development environments, suggesting potential exposure beyond customer records.
  • Infostealer-derived customer credentials linked to Brightspeed were circulating prior to the breach claims, increasing the likelihood of correlated fraud.
  • The timing of litigation and public pressure may be influencing disclosure pace more than investigative readiness.

Additional intelligence:

1. Crimson Collective’s Track Record: Brightspeed isn’t Crimson Collective’s first high-profile target. Dark web monitoring shows this group has also claimed:

  • Red Hat (October 2025): 570 GB compressed data from 28,000+ internal GitLab repositories, including Customer Engagement Reports with infrastructure designs, authentication tokens, and database connection strings
  • Nintendo: Production assets, developer files, and backups
  • Nissan: Similar repository-focused attack

This pattern matters. Crimson Collective targets cloud-hosted environments and development infrastructure, not just customer databases. If the Brightspeed claims are legitimate, the attack surface may extend beyond customer PII.

2. Infostealer Logs Already Circulating: Multiple Vidar infostealer logs containing Brightspeed customer credentials are already being sold on Russian Market and similar platforms. These logs predate the breach claims and show compromised credentials for:

  • Discord, Spotify, Roblox accounts
  • Verizon Wireless logins
  • Netflix, Peacock streaming services
  • Various gaming platforms

This creates a compounding problem where customers whose credentials were already compromised through infostealers now face potential exposure of their billing and account data from the alleged breach. Cross-referencing these datasets gives attackers a more complete picture for identity theft and account takeover.

3. Brightspeed IPs in SOCKS Proxy Lists: Brightspeed IP addresses appear in active SOCKS proxy lists being sold on dark web forums. This could indicate:

  • Compromised customer devices being used as proxy nodes
  • Broader infrastructure compromise beyond customer data
  • Residential proxy networks leveraging Brightspeed’s network

Thoughts from Michael re the above:

On the breach claims themselves: “Crimson Collective has a track record. They hit Red Hat’s GitLab instance in October and claimed 570 GB from 28,000 repositories. They’ve gone after Nintendo and Nissan. This group targets cloud environments and development infrastructure, not just customer databases. If the Brightspeed claims are legitimate, the exposure may go deeper than customer PII.”

On the infostealer: “The timing here is worth noting. Vidar infostealer logs containing Brightspeed customer credentials were already circulating on Russian Market before this breach was announced. Now those same customers potentially have their billing addresses and payment history exposed. Cross-reference the two datasets and you have everything needed for convincing phishing campaigns or identity theft.”

Re the class action timing: “A class action lawsuit filed three days after unverified breach claims is aggressive. Brightspeed hasn’t confirmed data exfiltration. The plaintiffs are betting the claims are legitimate, or they’re positioning early to lead the litigation if confirmation comes later. Either way, it puts pressure on Brightspeed to disclose faster than they might want to.”

Investigation challenges: “Brightspeed is in a difficult position. They can’t confirm or deny without completing forensics, but every day of silence lets the narrative build. Crimson Collective knows this. The Telegram posts and data samples are designed to create pressure. The company has to balance thorough investigation against reputational damage from appearing unresponsive.”

Broader telecom risk: “Telecom providers are high-value targets for a reason. They have billing relationships with millions of customers, which means names, addresses, payment methods, and service records all in one place. The data is valuable for fraud, and the customer base is large enough that even unverified breach claims generate headlines.”

Summary: “Crimson Collective has a track record. They hit Red Hat’s GitLab in October, claimed 570 GB from 28,000 repositories. They’ve targeted Nintendo and Nissan. This group goes after cloud environments and development infrastructure, not just customer databases. If the Brightspeed claims are legitimate, the exposure may extend beyond customer PII. The other angle: Vidar infostealer logs with Brightspeed customer credentials were already circulating before this breach was announced. Cross-reference those with billing data and you have everything needed for targeted phishing or identity theft.”

On 12-29-25 we see Brightspeed credentials being listed for sale. Then, a little over a week later, we see big breach news.

When Grid Data Goes Dark Web: New research on critical infrastructure targeting, published by Suzu Labs

Posted in Commentary on January 16, 2026 by itnerd

Suzu Labs has just published “When Grid Data Goes Dark Web,” new research detailing the January 2026 dark web listing of 139 gigabytes of valuable data from a U.S. power infrastructure company. The data lets an adversary identify vulnerable transmission corridors, understand redundancy patterns, and/or map critical interconnection points.

The asking price? 6.5 bitcoin (~$600K US).

The seller explicitly noted the data was “suitable for infrastructure analysis, modeling, risk assessment, or specialized research.”

What the Data Contains

The breach targeted an engineering firm that provides surveying and design services to electric utilities. The stolen files include:

  • 800+ LiDAR point cloud files mapping transmission corridors
  • High-resolution orthophotos of substations
  • MicroStation design files with line configurations
  • Vegetation analysis along rights-of-way

Suzu Labs CEO Michael Bell notes:

“For a utility or engineering firm, this is operational data. For an adversary, this is reconnaissance gold. The files map exactly where power lines run, how they’re configured, what vegetation threatens them, and where substations connect to the grid.

“This wasn’t a sophisticated attack on industrial control systems. It wasn’t a supply chain compromise or zero-day exploit. According to public reporting on the same threat actor, the likely access method was testing infostealer-harvested credentials against cloud file-sharing platforms.

“Someone at the company had their browser credentials stolen by commodity malware. Those credentials weren’t protected by MFA. This actor has listed data from 50+ organizations across 15 countries. Aviation. Healthcare. Government. Construction. Critical infrastructure is one target category among many. The common thread is opportunistic access via stolen credentials and absent MFA.”
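The access path described above (stealer-harvested browser credentials tried against a cloud file-sharing platform, with no MFA in the way) leaves two signals in the platform’s authentication log: a successful login without an MFA factor for an account that already appears in an exposure feed, and one source address cycling through many distinct accounts. The script below is an added detection example, not code from Suzu Labs or from the reporting it cites; the log line format, the accounts and the addresses (RFC 5737 documentation ranges) are constructed for the demonstration, and a real deployment would parse the provider’s own audit-log schema instead.

```python
"""Correlate an exposed-credential list with cloud file-share auth logs.

Added example, not from Suzu Labs or the reporting it cites. The log format,
accounts and IP addresses are constructed; adapt LINE_RE to the real schema.
"""
import re
from collections import defaultdict

# One event per line: timestamp, source IP, account, outcome, MFA factor used ("none" if absent).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)

# Constructed audit-log excerpt: one address walks several accounts, one succeeds without MFA.
SAMPLE_LOG = """
2026-01-10T03:12:45Z ip=203.0.113.7 user=alice@example.com result=fail mfa=none
2026-01-10T03:12:51Z ip=203.0.113.7 user=bob@example.com result=fail mfa=none
2026-01-10T03:12:58Z ip=203.0.113.7 user=carol@example.com result=success mfa=none
2026-01-10T03:13:04Z ip=203.0.113.7 user=dave@example.com result=fail mfa=none
2026-01-10T08:45:10Z ip=198.51.100.20 user=alice@example.com result=success mfa=totp
2026-01-10T09:02:33Z ip=198.51.100.21 user=erin@example.com result=success mfa=none
""".strip().splitlines()

# Accounts reported by a credential-exposure feed (constructed for the example).
EXPOSED_ACCOUNTS = {"alice@example.com", "carol@example.com", "dave@example.com"}


def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_risky_logins(lines, exposed, spray_threshold=3):
    """Flag no-MFA successes, those on exposed accounts, and addresses trying many accounts."""
    events = [e for e in map(parse_line, lines) if e]
    accounts_by_ip = defaultdict(set)
    no_mfa_success, exposed_no_mfa = [], []
    for e in events:
        accounts_by_ip[e["ip"]].add(e["user"])
        if e["result"] == "success" and e["mfa"] == "none":
            rec = (e["ts"], e["user"], e["ip"])
            no_mfa_success.append(rec)
            if e["user"] in exposed:
                # Known-exposed secret, accepted with nothing but the password: top priority.
                exposed_no_mfa.append(rec)
    # A single address attempting many distinct accounts is the stuffing pattern,
    # whether or not any attempt succeeded.
    spray_sources = {
        ip: len(users) for ip, users in accounts_by_ip.items() if len(users) >= spray_threshold
    }
    return {
        "exposed_no_mfa": exposed_no_mfa,
        "no_mfa_success": no_mfa_success,
        "spray_sources": spray_sources,
    }


def run_sample():
    return find_risky_logins(SAMPLE_LOG, EXPOSED_ACCOUNTS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The account that logged in with a TOTP factor is deliberately left out of the findings even though it is on the exposed list: that is the case MFA exists to cover. The no-MFA success for an account not yet on the feed is still reported, because feeds lag the stealer logs they are built from.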

You can read the research here: https://suzulabs.com/suzu-labs-blog/when-grid-data-goes-dark-web?hs_preview=YduZZtdF-295534203578