Cybersecurity Consulting
October 30, 2025
7 minute read

The DOT Report is a monthly news series that covers the most pressing headlines in cybersecurity. Each story gives us a chance to examine the real-world impact of breaches, malware, and other digital threats.
This October, we’re highlighting the rise of sophisticated mobile malware, a critical vulnerability exposing top-tier racing drivers’ personal data, a massive spam campaign targeting WhatsApp Web users, and the Jingle Thief cloud-based gift card fraud operation.
Let’s dive into October’s biggest cybersecurity headlines.
Get your monthly dose of cybersecurity news by subscribing to The DOT Report.
Researchers discovered a critical vulnerability in the Fédération Internationale de l’Automobile (FIA) Driver Categorisation portal, a service used by competitive racing drivers worldwide, including top-tier names like Max Verstappen.
Security researcher Ian Carroll revealed that a mass-assignment bug let them elevate their own account to the “ADMIN” role and view password hashes, passport data, résumés, driver licences, and other sensitive personal information.
One of the most striking findings: the PUT request used to update a user profile accepted a “roles” field, an attribute that only the application itself was meant to set. The server bound whatever fields the client supplied straight onto the user record, so adding that one field to an otherwise ordinary profile update granted admin privileges instantly and opened access to thousands of driver profiles and internal comments. That is the textbook shape of mass assignment: any request field the server does not explicitly allow-list has to be treated as attacker-controlled.
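The pattern described above, as an added example that is not the portal's own code (the FIA portal's implementation is not public; only the “roles” field name comes from the write-up, and the user store, field names and handler functions below are constructed for illustration). The vulnerable handler merges every client-supplied key into the record; the hardened one binds only an allow-list and rejects the rest, so a probe for hidden fields shows up as an error rather than a silent escalation:

```python
"""Mass assignment: binding every field of a client-supplied update onto the
stored record versus binding only an allow-listed subset.

Added example. The FIA portal's real code and schema are not public; the
'roles' field name is taken from the disclosure, everything else is constructed.
"""

from copy import deepcopy

# Constructed in-memory user store standing in for the portal's database.
USERS = {
    "driver-1": {
        "id": "driver-1",
        "name": "A. Driver",
        "email": "a.driver@example.invalid",
        "roles": ["USER"],
    },
}

# Fields a user may legitimately change about their own profile.
PROFILE_ALLOWLIST = frozenset({"name", "email"})


def update_profile_vulnerable(store, user_id, body):
    """Vulnerable: merges every key from the request body into the record.
    A body containing {"roles": ["ADMIN"]} silently escalates privileges."""
    record = store[user_id]
    record.update(body)  # no allow-list: 'roles' lands in the record untouched
    return record


def update_profile_hardened(store, user_id, body):
    """Hardened: only allow-listed keys are bound. Unknown keys are rejected
    outright rather than dropped, so probing for hidden fields is visible."""
    unexpected = set(body) - PROFILE_ALLOWLIST
    if unexpected:
        raise ValueError(f"unexpected fields in update: {sorted(unexpected)}")
    record = store[user_id]
    record.update({k: body[k] for k in PROFILE_ALLOWLIST if k in body})
    return record


def is_admin(record):
    return "ADMIN" in record.get("roles", [])


def demo():
    """Run the same attacker request against both handlers and report the outcome."""
    # Constructed attacker request: an ordinary rename plus an injected 'roles' field.
    attack_body = {"name": "A. Driver", "roles": ["ADMIN"]}

    vulnerable_store = deepcopy(USERS)
    escalated = update_profile_vulnerable(vulnerable_store, "driver-1", attack_body)

    hardened_store = deepcopy(USERS)
    try:
        update_profile_hardened(hardened_store, "driver-1", attack_body)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_became_admin": is_admin(escalated),
        "hardened_rejected": rejected,
        "hardened_roles": hardened_store["driver-1"]["roles"],
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting unknown fields rather than silently discarding them is a deliberate choice: the error is cheap to log and turns an attacker's probing into an alert. The same allow-list discipline applies whatever the framework, since most ORMs and request binders will happily populate any attribute the client names unless told otherwise.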
The researchers stopped once they confirmed access to Verstappen’s Personally Identifiable Information (PII), including his passport and driver’s license, then responsibly disclosed the bug.
Beyond the headline driver, the real risk lies in what a flaw like this does to trust in athlete- and event-centric systems. The portal processed countless documents from aspiring and professional drivers globally: identity records, licences, medical reports, and more.
This single security lapse exposed individuals and entire datasets tied to global sporting infrastructure.
In late October 2025, researchers uncovered a new Android banking trojan named Herodotus that actively targets users in Italy and Brazil and raises the bar on mobile threat sophistication. Distributed through dropper apps masquerading as Google Chrome (package name “com.cd3.app”), the malware abuses Android’s Accessibility Services to take control of the compromised device, draws malicious overlays on top of legitimate apps, intercepts SMS one‑time passwords, and installs additional APKs: in short, full device takeover.
What distinguishes Herodotus is its human‑like behavior: when it types into fields on the victim’s screen, it inserts random delays (between 0.3 and 3 seconds) between individual text‑input events, a tactic designed to evade behavior‑based anti‑fraud systems that flag the evenly timed or instantaneous input typical of automation.
In effect, Herodotus illustrates that mobile malware is no longer just about gaining permissions or dropping payloads; it’s about behavioral mimicry and making malicious actions look like legitimate user behavior. That shift changes how organizations should approach mobile security.
For enterprises managing mobile fleets, especially under BYOD policies or with large user bases in banking and financial services, oversight must extend beyond the list of installed apps to device behavior, permission use (an app requesting Accessibility Service access is a strong signal on its own), and anomaly detection on the endpoints themselves. The age of “good enough” mobile protection is fading.
This month, researchers also uncovered a coordinated campaign in which 131 Google Chrome extensions for WhatsApp Web automation were used to send spam at scale, primarily targeting Brazilian users.
These extensions, with 20,905 active users between them, shared a common codebase and infrastructure, according to supply‑chain security firm Socket. What looked like legitimate tools for “turning WhatsApp into a sales funnel” were instead running hidden automation, blasting bulk messages without users being aware.
The campaign worked through a franchise model: a company called DBX Tecnologia offered white‑label versions of these extensions, allowing affiliates to distribute clones under various names while tapping the same backend platform.
Many of the extensions claimed to provide CRM or marketing functionality, but in practice they were spam bots, often pushing unsolicited offers, phishing links, or malware to contacts via WhatsApp.
What’s especially alarming is the dual risk this poses. From the user’s perspective, installing what seems like a productivity tool means unwittingly joining a spam network; from the enterprise and platform perspective, WhatsApp’s ecosystem is being exploited as a mass‑spam delivery system, eroding trust and increasing risk.
Because the extensions drove WhatsApp Web from inside the user’s own browser session, their traffic looked like the account holder’s ordinary activity, and by pacing the automation to mimic human behavior (the same evasion idea behind Herodotus’s input delays) they slipped past many of the platform’s anti‑spam protections.
Palo Alto Networks Unit 42 researchers documented a financially motivated cybercrime campaign dubbed “Jingle Thief” that targets cloud infrastructure in the retail and consumer‑services sectors to carry out large‑scale gift‑card fraud.
The attackers begin with phishing or smishing campaigns to harvest credentials, particularly for Microsoft 365 services. Once access is gained, they conduct deep reconnaissance of SharePoint, OneDrive, and Entra ID environments to locate gift‑card issuing workflows and internal documentation.
What makes this campaign particularly dangerous is how little it relies on malware or endpoint exploits. Instead, the threat actors operate almost entirely within legitimate cloud services, blending into normal user behavior.
In one observed intrusion, they maintained access for approximately ten months and compromised more than 60 user accounts in a single organization before executing unauthorized gift‑card issuance.
Gift cards make an attractive target as they’re easily monetized, hard to trace, and often treated as low‑risk assets within organizations. The Jingle Thief operation exploits that by quietly generating and redeeming gift cards through legitimate issuance systems, often timed to retail‑heavy holiday seasons when oversight is weaker.
Jingle Thief is a reminder that many modern intrusions are about identity abuse, internal workflow manipulation, and cloud‑native persistence rather than malware. Phishing‑resistant MFA for the credentials being harvested, conditional access policies that block sign‑ins from unexpected locations and devices, monitoring for unusual account behavior, and visibility into the gift‑card issuance process itself are now critical layers of defense.
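Three of those checks, as an added example that is not Unit 42’s detection logic or any vendor’s product: the sign‑in and issuance records below are constructed, loosely shaped like Entra ID sign‑in log entries and a generic issuance audit log, and the thresholds (a two‑hour window for a country switch, three accounts from one source IP) are illustrative values to be tuned against a real baseline. The rules look for one account appearing in two countries within a short window, one source IP authenticating as many distinct accounts (the shape of a crew working through a phished credential list), and gift‑card issuances tied to either:

```python
"""Spotting identity-driven, low-malware intrusions in sign-in telemetry.

Added example. Records are constructed and only loosely modelled on Entra ID
sign-in logs; thresholds are illustrative, and the rules are the author's own,
not Unit 42's or Microsoft's detection content.
"""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: time, account, sign-in country, source IP, application.
SIGNINS = [
    {"time": "2025-09-01T08:02:00Z", "user": "alice@corp.example", "country": "US", "ip": "203.0.113.10", "app": "SharePoint"},
    {"time": "2025-09-01T09:10:00Z", "user": "alice@corp.example", "country": "NG", "ip": "198.51.100.7", "app": "OneDrive"},
    {"time": "2025-09-01T09:15:00Z", "user": "bob@corp.example",   "country": "NG", "ip": "198.51.100.7", "app": "SharePoint"},
    {"time": "2025-09-01T09:21:00Z", "user": "carol@corp.example", "country": "NG", "ip": "198.51.100.7", "app": "OneDrive"},
    {"time": "2025-09-01T09:30:00Z", "user": "dave@corp.example",  "country": "NG", "ip": "198.51.100.7", "app": "SharePoint"},
    {"time": "2025-09-01T10:00:00Z", "user": "erin@corp.example",  "country": "US", "ip": "203.0.113.44", "app": "SharePoint"},
    {"time": "2025-09-01T17:45:00Z", "user": "erin@corp.example",  "country": "DE", "ip": "192.0.2.9",    "app": "OneDrive"},
]

# Constructed gift-card issuance events from an internal issuance workflow.
ISSUANCES = [
    {"time": "2025-09-01T09:40:00Z", "user": "carol@corp.example", "amount": 500, "ip": "198.51.100.7"},
    {"time": "2025-09-01T11:00:00Z", "user": "erin@corp.example",  "amount": 50,  "ip": "203.0.113.44"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_country_switches(signins, window=timedelta(hours=2)):
    """Rule 1: the same account signs in from two countries within `window`.
    Returns the set of flagged accounts."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_time(e["time"]))
        for earlier, later in zip(events, events[1:]):
            gap = parse_time(later["time"]) - parse_time(earlier["time"])
            if earlier["country"] != later["country"] and gap <= window:
                flagged.add(user)
    return flagged


def flag_shared_source(signins, min_accounts=3):
    """Rule 2: one source IP authenticating as many distinct accounts.
    Returns {ip: set_of_accounts} for every IP over the threshold."""
    users_by_ip = defaultdict(set)
    for s in signins:
        users_by_ip[s["ip"]].add(s["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def suspicious_issuances(signins, issuances):
    """Rule 3: gift-card issuances performed by an account, or from an IP,
    that rules 1 and 2 flagged. This is the event a fraud team must see."""
    bad_users = flag_country_switches(signins)
    shared = flag_shared_source(signins)
    bad_ips = set(shared)
    for users in shared.values():
        bad_users |= users
    return [i for i in issuances if i["user"] in bad_users or i["ip"] in bad_ips]


if __name__ == "__main__":
    print("country switches:", sorted(flag_country_switches(SIGNINS)))
    print("shared source IPs:", {ip: sorted(u) for ip, u in flag_shared_source(SIGNINS).items()})
    print("suspicious issuances:", suspicious_issuances(SIGNINS, ISSUANCES))
```

In the constructed data, alice’s jump from US to NG inside an hour trips rule 1, four accounts from 198.51.100.7 trip rule 2, and carol’s 500‑unit issuance is surfaced because her account came in through that IP; erin’s US‑then‑DE sign‑ins almost eight hours apart stay below the window, which is the kind of legitimate travel the threshold is meant to tolerate. In production the same rules belong in the SIEM or in Entra ID sign‑in alerting, with the issuance log correlated rather than polled from a list.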
From mobile devices to cloud platforms, October’s cybersecurity stories underscore that threats are evolving faster than ever.
Whether it’s malware mimicking human behavior, flaws exposing sensitive personal data, or fraud quietly executed inside cloud systems, vigilance, proactive defenses, and careful monitoring remain essential to staying secure.
Subscribe to The DOT Report to stay up to date on all the biggest headlines in cybersecurity every month.