Hirewall
Weekly Threat Roundup March 3, 2026 8-12 min read

Weekly Threat Roundup: Feb 24 - Mar 2

The Conduent breach balloons to 25 million victims across the US, Congress reveals data brokers have cost Americans $20 billion, and Google API keys that were supposed to be harmless can now unlock your Gemini AI data.


The Big Story: Conduent Breach Balloons to 25 Million Victims

A ransomware attack on a company most people have never heard of just became one of the largest data breaches in US history, and you might be in it without knowing.

Conduent, a New Jersey-based tech contractor that processes data for state governments, healthcare programs, and major corporations, is now sending notifications to over 25 million Americans whose personal data was stolen. That number started at 10 million a few months ago. Texas alone revised its count from 4 million affected residents to 15.4 million, roughly half the state’s population. Oregon confirmed another 10.5 million.

The SafePay ransomware group carried out the attack, spending about three months inside Conduent’s systems starting in October 2024 before anyone noticed. They reportedly exfiltrated around 8 terabytes of data before being discovered in January 2025.

What makes this particularly bad is what was stolen: full legal names, addresses, dates of birth, Social Security numbers, medical information, and health insurance details. That’s the full identity theft starter kit.

Here’s the part that matters for everyone reading this. Conduent operates behind the scenes for Medicaid, SNAP benefits, child support systems, and corporate payroll/HR across more than 30 states. You don’t have to have ever heard of Conduent to be affected. If you’ve received state benefits, used certain healthcare programs, or worked for a company that outsources HR to a third party, your data may have flowed through their systems. Multiple class-action lawsuits have already been consolidated in federal court, and the Texas Attorney General has launched an investigation.

What to do right now: If you get a letter from Conduent in the mail, it’s real. Freeze your credit at all three bureaus (Equifax, Experian, TransUnion). It’s free and takes about 10 minutes. You should do this even if you haven’t gotten a letter yet, because the notification process is still ongoing and your data may have been exposed without your knowledge.

Also This Week

Congress: Data Brokers Have Cost Americans $20 Billion

A congressional investigation by the Joint Economic Committee put a dollar figure on the data broker problem, and it’s staggering. Just four major data broker breaches in the last decade have cost US consumers an estimated $20.8 billion in identity theft losses.

The four breaches: Equifax in 2017 (147 million people), Exactis in 2018 (230 million), National Public in 2023 (270 million), and TransUnion in 2025 (4.4 million). The investigation was led by Senator Maggie Hassan and triggered by CalMatters and The Markup’s reporting that found data brokers were actively hiding their legally mandated opt-out pages from search engines.

Good news: after the investigation launched, several major brokers committed to making their opt-out processes easier to find and use. If you’re in California, there’s now a state website that lets you remove your personal information from hundreds of brokers at once.

Google API Keys Now Unlock Your Gemini AI Data

Security researchers at Truffle Security disclosed a vulnerability that reads like a cautionary tale about how fast AI is changing the security landscape.

For years, Google told developers that API keys for services like Maps and YouTube were safe to embed in public-facing website code. They were just billing identifiers, not secrets. Then Google launched Gemini AI and enabled it on existing projects. Suddenly, those same public API keys could authenticate to Gemini, access uploaded files and cached content, and run up thousands of dollars in AI usage charges.

Truffle Security found nearly 3,000 live API keys sitting in public website code that could access Gemini, including keys belonging to major financial institutions, security companies, and even Google itself. One Reddit user reported $82,000 in charges over two days from a stolen key.

Google initially dismissed the report as “intended behavior” before reclassifying it as a tier 1 vulnerability. They’ve since started blocking known leaked keys and will default new AI Studio keys to Gemini-only scope. But legacy projects remain at risk.

France’s National Bank Registry Breached Via Single Stolen Password

A hacker used stolen credentials from one French government official to access FICOBA, France’s national bank account registry, and view data tied to 1.2 million accounts. FICOBA holds records on roughly 300 million accounts belonging to 80 million individuals.

The exposed information includes IBANs (international bank account numbers), account holder names, addresses, and in some cases tax identification numbers. While the attacker couldn’t access balances or move money, the stolen data is ideal fuel for targeted phishing and fraudulent direct debit mandates.

What stands out here is how simple the attack was. No sophisticated exploit, no zero-day vulnerability. Just one compromised credential with no multi-factor authentication. As one French cybersecurity professional put it on X, France’s digital infrastructure currently feels “like a sieve.” This follows a separate December 2025 breach of the French Interior Ministry where employees were found sharing passwords in plaintext emails.

Phishing Reports Jump 14% as Data Breaches Fuel Targeting

Netsafe reported that daily phishing reports were 14% higher in February compared to January, and warned that recent data breaches are directly feeding more sophisticated phishing campaigns.

This connects directly to the Conduent and FICOBA stories above. When attackers have your real name, address, SSN, or bank account number, they can craft phishing emails that reference real details about your life. These aren’t the generic “Dear Customer” emails from five years ago. They’re messages that know your name, your employer, your health insurer, and maybe your account number.

The trend line is clear: massive breaches create the raw material, and phishing campaigns use that material to build convincing attacks.

By the Numbers

  • 25 million+ Americans affected by the Conduent breach, up from 10 million just months ago (Malwarebytes)
  • $20.8 billion in estimated consumer losses from just four data broker breaches over the last decade (Joint Economic Committee)
  • 2,863 Google API keys found publicly exposed that could authenticate to Gemini AI (Truffle Security)
  • 1.2 million French bank accounts exposed through a single stolen government credential (Help Net Security)
  • 8 terabytes of data exfiltrated from Conduent’s systems during the three-month intrusion (TechRepublic)
  • 14% increase in daily phishing reports in February vs. January (Netsafe)

What to Watch This Week

Tax season phishing is ramping up. With April approaching, expect IRS impersonation emails and texts to spike. The IRS never initiates contact via email, text, or social media to ask for personal or financial information. If you get one, it’s a scam.

Conduent notification letters are still rolling out. More states will likely revise their numbers upward. If you’ve ever used state benefit programs, now is a good time to freeze your credit even if you haven’t received a notification yet.

The Gemini API key issue isn’t fully resolved. Google has started blocking known leaked keys, but if your organization uses Google Cloud and has enabled Gemini, you should audit your API keys immediately. Check whether the Generative Language API is enabled on any project with publicly exposed keys.
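One way to run that audit, as an added example that is not from Truffle Security or Google: it finds Google-style API keys in public page source and flags those whose project has the Generative Language API enabled and whose key is not restricted away from it. The inventory layout, project names, URLs and keys are all constructed assumptions; in practice the inventory would come from your own cloud project records.

```python
import hashlib
import re

# Google API keys have a recognisable shape: "AIza" plus 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")
GEMINI = "generativelanguage.googleapis.com"  # Generative Language API

def make_key(n):
    # Constructed placeholder keys, not real credentials.
    return "AIza" + f"CONSTRUCTED-KEY-{n}".ljust(35, "0")

# Hypothetical inventory: enabled services and key API restrictions per project.
INVENTORY = {
    "maps-site": {"enabled": ["maps-backend.googleapis.com", GEMINI],
                  "keys": [{"key": make_key(1), "api_targets": []}]},
    "video-site": {"enabled": ["youtube.googleapis.com", GEMINI],
                   "keys": [{"key": make_key(2), "api_targets": ["youtube.googleapis.com"]}]},
    "legacy-app": {"enabled": ["maps-backend.googleapis.com"],
                   "keys": [{"key": make_key(3), "api_targets": []}]},
}
# Constructed public page sources (what anyone can fetch and read).
SOURCES = {
    "https://www.example.com/": f'<script src="https://maps.googleapis.com/maps/api/js?key={make_key(1)}"></script>',
    "https://www.example.com/app.js": f'const YT="{make_key(2)}"; const MAPS="{make_key(3)}"; const OLD="{make_key(4)}";',
}

def audit(sources, inventory):
    owners = {k["key"]: (proj, info, k) for proj, info in inventory.items() for k in info["keys"]}
    findings = []
    for url, body in sources.items():
        for key in sorted(set(KEY_RE.findall(body))):
            # Report a fingerprint, never the key itself.
            fp = hashlib.sha256(key.encode()).hexdigest()[:12]
            if key not in owners:
                findings.append({"url": url, "key_fp": fp, "project": None, "status": "unknown-owner"})
                continue
            proj, info, meta = owners[key]
            targets = meta["api_targets"]
            # An unrestricted key can call every API enabled on its project.
            reachable = GEMINI in info["enabled"] and (not targets or GEMINI in targets)
            findings.append({"url": url, "key_fp": fp, "project": proj,
                             "status": "gemini-reachable" if reachable else "not-gemini-capable"})
    return findings

if __name__ == "__main__":
    for f in audit(SOURCES, INVENTORY):
        print(f)
```

Keys reported as `gemini-reachable` are the ones to rotate or restrict first; `unknown-owner` keys need tracing to a project before they can be assessed.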