Krebs on Security
Nov 20, 2025
Security
Mozilla will discontinue its partnership with Onerep in December 2025 after ongoing issues related to the founder's involvement in multiple data broker services. Current Monitor Plus subscribers will receive prorated refunds for unused portions of their subscriptions.
In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later, however, Mozilla is still promoting Onerep. This week, Mozilla announced its partnership with Onerep will officially end next month.
In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep. “We will continue to offer our free Monitor data breach service, which is integrated into Firefox’s credential manager, and we are focused on integrating more of our privacy and security experiences in Firefox, including our VPN, for free,” the advisory reads.
Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025. After that, those subscribers will automatically receive a prorated refund for the unused portion of their subscription.
“We explored several options to keep Monitor Plus going, but our high standards for vendors, and the realities of the data broker ecosystem made it challenging to consistently deliver the level of value and reliability we expect for our users,” Mozilla’s statement reads.
On March 14, 2024, KrebsOnSecurity published an investigation showing that Onerep’s Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.
FDIC Financial Institution Letters
Nov 19, 2025
Security
The FDIC Board of Directors will hold an open session meeting on Tuesday, November 25, 2025, at 10:00 a.m. ET; the meeting will be webcast and media can attend in person by contacting the Office of Communications.
SUNSHINE ACT MEETING NOTICE
The FDIC Board of Directors will meet in an open session:
Date and Time: Tuesday, November 25, 2025, at 10:00 a.m. ET
Place: The Board meeting will be open to public observation by webcast. Members of the media should contact the Office of Communications by Monday, November 24, to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC.
The FDIC does not send unsolicited email.
Krebs on Security
Nov 19, 2025
Security
- Security experts recommend organizations review their web application firewall logs during the Cloudflare outage as it may have exposed vulnerabilities.
- The outage provides a real-world test of how organizations handle security when primary defenses are bypassed.
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on Cloudflare to block many types of abusive and malicious traffic.
At around 6:30 EST/11:30 UTC on Nov. 18, Cloudflare’s status page acknowledged the company was experiencing “an internal service degradation.” After several hours of Cloudflare services coming back up and failing again, many websites behind Cloudflare found they could not migrate away from using the company’s services because the Cloudflare portal was unreachable and/or because they also were getting their domain name system (DNS) services from Cloudflare.
However, some customers did manage to pivot their domains away from Cloudflare during the outage. And many of those organizations probably need to take a closer look at their web application firewall (WAF) logs during that time, said Aaron Turner, a faculty member at IANS Research.
Turner said Cloudflare’s WAF does a good job filtering out malicious traffic that matches any one of the top ten types of application-layer attacks, including credential stuffing, cross-site scripting, SQL injection, bot attacks and API abuse. But he said this outage might be a good opportunity for Cloudflare customers to better understand how their own app and website defenses may be failing without Cloudflare’s help.
“Your developers could have been lazy in the past for SQL injection because Cloudflare stopped that stuff at the edge,” Turner said. “Maybe you didn’t have the best security QA [quality assurance] for certain things because Cloudflare was the control layer to compensate for that.”
Turner said one company he’s working with saw a huge increase in log volume and they are still trying to figure out what was “legit malicious” versus just noise.
“It looks like there was about an eight hour window when several high-profile sites decided to bypass Cloudflare for the sake of availability,” Turner said. “Many companies have essentially relied on Cloudflare for the OWASP Top Ten [web application vulnerabilities] and a whole range of bot blocking. How much badness could have happened in that window? Any organization that made that decision needs to look closely at any exposed infrastructure to see if they have someone persisting after they’ve switched back to Cloudflare protections.”
Turner said some cybercrime groups likely noticed when an online merchant they normally stalk stopped using Cloudflare’s services during the outage.
“Let’s say you were an attacker, trying to grind your way into a target, but you felt that Cloudflare was in the way in the past,” he said. “Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage. You’re now going to launch a whole bunch of new attacks because the protective layer is no longer in place.”
Nicole Scott, senior product marketing manager at the McLean, Va. based Replica Cyber, called yesterday’s outage “a free tabletop exercise, whether you meant to run one or not.”
“That few-hour window was a live stress test of how your organization routes around its own control plane and shadow IT blossoms under the sunlamp of time pressure,” Scott said in a post on LinkedIn. “Yes, look at the traffic that hit you while protections were weakened. But also look hard at the behavior inside your org.”
Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:
1. What was turned off or bypassed (WAF, bot protections, geo blocks), and for how long?
2. What emergency DNS or routing changes were made, and who approved them?
3. Did people shift work to personal devices, home Wi-Fi, or unsanctioned Software-as-a-Service providers to get around the outage?
4. Did anyone stand up new services, tunnels, or vendor accounts “just for now”?
5. Is there a plan to unwind those changes, or are they now permanent workarounds?
6. For the next incident, what’s the intentional fallback plan, instead of decentralized improvisation?
In a postmortem published Tuesday evening, Cloudflare said the disruption was not caused, directly or indirectly, by a cyberattack or malicious activity of any kind.
“Instead, it was triggered by a change to one of our database systems’ permissions which caused the database to output multiple entries into a ‘feature file’ used by our Bot Management system,” Cloudflare CEO Matthew Prince wrote. “That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.”
Cloudflare estimates that roughly 20 percent of websites use its services, and with much of the modern web relying heavily on a handful of other cloud providers including AWS and Azure, even a brief outage at one of these platforms can create a single point of failure for many organizations.
Martin Greenfield, CEO at the IT consultancy Quod Orbis, said Tuesday’s outage was another reminder that many organizations may be putting too many of their eggs in one basket.
“There are several practical and overdue fixes,” Greenfield advised. “Split your estate. Spread WAF and DDoS protection across multiple zones. Use multi-vendor DNS. Segment applications so a single provider outage doesn’t cascade. And continuously monitor controls to detect single-vendor dependency.”
Fed Supervision & Regulation
Nov 18, 2025
Guidance
- The Federal Reserve Board has announced enhancements to bank supervision processes.
- These changes aim to improve the effectiveness and efficiency of supervisory activities.
Federal Reserve Board releases information regarding enhancements to bank supervision
Fed Enforcement Actions
Nov 13, 2025
Enforcement
- Federal Reserve Board issues enforcement action against a former employee of Commerce Bank.
- Enforcement actions with Société Générale S.A. and Industrial and Commercial Bank of China Ltd. are terminated.
Federal Reserve Board issues enforcement action with former employee of Commerce Bank and announces termination of enforcement actions with Société Générale S.A. and Industrial and Commercial Bank of China Ltd.
CFPB Final Rules
Nov 13, 2025
Rules
• Compliance dates for small business lending under Regulation B have been extended until June 2025.
• The CFPB finalized an interim final rule that amends Regulation B, making other adjustments.
CFPB finalizes its June 2025 interim final rule amending Regulation B, extending compliance dates in its 2023 small business lending rule and making other adjustments.
CFPB Newsroom
Nov 11, 2025
Enforcement
• The CFPB informed the court it cannot legally request funds from the Federal Reserve under Dodd-Frank.
• This decision affects how the CFPB can access funding, potentially impacting its operations and regulatory activities.
Washington, D.C.—Today, the Consumer Financial Protection Bureau (CFPB) filed a notice informing the court in NTEU v. Vought that the Department of Justice’s Office of Legal Counsel (OLC) has determined that the Bureau may not legally request funds at this time from the Federal Reserve under Dodd-Frank.
Fed Enforcement Actions
Nov 06, 2025
Enforcement
The Federal Reserve Board issued enforcement actions against Belt Valley Bank and The Halstead Bank. These actions are part of the ongoing regulatory oversight to ensure financial institutions meet compliance standards.
Federal Reserve Board issues enforcement actions with Belt Valley Bank and The Halstead Bank
Fed Supervision & Regulation
Nov 05, 2025
Rules
- The Federal Reserve Board has finalized changes to its supervisory rating framework for large bank holding companies.
- These changes will affect how the Fed evaluates and rates these institutions.
Federal Reserve Board finalizes changes to its supervisory rating framework for large bank holding companies
Fed Enforcement Actions
Nov 04, 2025
Enforcement
The Federal Reserve Board has terminated enforcement actions with Riverbend Financial Corporation, Northwest Bancorporation of Illinois, Inc., and First Citizens Bank of Butte.
Federal Reserve Board announces termination of enforcement actions with Riverbend Financial Corporation, Northwest Bancorporation of Illinois, Inc., and First Citizens Bank of Butte
Fed Enforcement Actions
Oct 30, 2025
Enforcement
The Federal Reserve Board has issued enforcement actions against a former employee of First Horizon Bank and a former employee of NobleBank & Trust. No specific details about the violations or actions taken are provided.
Federal Reserve Board issues enforcement actions with former employee of First Horizon Bank and former employee of NobleBank & Trust
FDIC Financial Institution Letters
Oct 07, 2025
Proposals
The FDIC Board of Directors met on October 7, 2025, addressing two Notices of Proposed Rulemaking: one regarding unsafe or unsound practices and matters requiring attention, and another prohibiting the use of reputation risk by regulators. A full webcast recording is available.
BOARD MEETING | OCTOBER 7, 2025
FDIC Board of Directors Meeting
Today, the Federal Deposit Insurance Corporation's Board of Directors met in open and closed sessions. Materials and information relative to the open Board actions are available on the Board Matters webpage.
Items Addressed in Open Session:
- Notice of Proposed Rulemaking regarding Unsafe or Unsound Practices, Matters Requiring Attention (Press Release; Statement by Acting Chairman Hill; Financial Institution Letter)
- Notice of Proposed Rulemaking regarding Prohibition on Use of Reputation Risk by Regulators (Press Release; Statement by Acting Chairman Hill)
A recording of the full webcast of the open session is available.
FDIC Financial Institution Letters
Oct 02, 2025
Security
The FDIC Board of Directors will meet in an open session on Tuesday, October 7, 2025, at 10:00 a.m. ET; media can attend in person from the FDIC Headquarters or via webcast.
SUNSHINE ACT MEETING NOTICE
The FDIC Board of Directors will meet in an open session:
Date and Time: Tuesday, October 7, 2025, at 10:00 a.m. ET
Place: The Board meeting will be open to public observation by webcast. Members of the media should contact the Office of Communications by Monday, October 6, to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC.
Fed Enforcement Actions
Sep 25, 2025
Enforcement
The Federal Reserve Board has issued an enforcement action against a former employee of Dacotah Bank. No specific details about the nature of the violation or the actions taken are provided.
Federal Reserve Board issues enforcement action with former employee of Dacotah Bank
Fed Enforcement Actions
Sep 18, 2025
Enforcement
The Federal Reserve Board has issued enforcement actions against former employees of First Horizon Bank and Manufacturers and Traders Trust Company. No specific details on the nature of the violations or actions are provided.
Federal Reserve Board issues enforcement actions with former employee of First Horizon Bank and former employee of Manufacturers and Traders Trust Company
FDIC Financial Institution Letters
Aug 19, 2025
Proposals
The FDIC Board approved a proposal to amend official signs and advertising requirements. The changes will be detailed in a Notice of Proposed Rulemaking available on the FDIC's webpage.
BOARD MATTERS | AUGUST 19, 2025
FDIC Board Approves Proposal to Amend Official Signs and Advertising Requirements
By notational vote, the Federal Deposit Insurance Corporation's Board of Directors today unanimously approved the following matter. Materials and information related to this Board action are available on the Board Matters webpage.
- Notice of Proposed Rulemaking: FDIC Official Signs, Advertisement of Membership, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo (Press Release; Financial Institution Letter)
FDIC Financial Institution Letters
Jul 15, 2025
Proposals
The FDIC Board of Directors met on July 15, 2025, discussing several proposed rulemakings and notices. Key items included proposed amendments to FDIC guidelines for appeals of material supervisory determinations, adjusting regulatory thresholds, community reinvestment act regulations, and establishing branch offices. A recording of the open session is available.
BOARD MEETING | JULY 15, 2025
FDIC Board of Directors Meeting
Today, the Federal Deposit Insurance Corporation's Board of Directors met in open and closed sessions. Materials and information relative to the open Board actions are available on the Board Matters webpage.
Items addressed in Open Session:
- Notice regarding Proposed Amendments to FDIC Guidelines for Appeals of Material Supervisory Determinations (Press Release; Statement by Acting Chairman Hill; Financial Institution Letter)
- Notice of Proposed Rulemaking regarding Adjusting and Indexing Part 363 and Certain Other FDIC Regulatory Thresholds (Press Release; Statement by Acting Chairman Hill; Financial Institution Letter)
- Request for Information regarding Industrial Banks and Industrial Loan Companies and Their Parent Companies; and Notice regarding Parent Companies of Industrial Banks and Industrial Loan Companies; Withdrawal of Proposed Rule (Press Release; Statement by Acting Chairman Hill; Financial Institution Letter)
- Notice of Proposed Rulemaking regarding Community Reinvestment Act Regulations
- Notice of Proposed Rulemaking regarding Establishment and Relocation of Branches and Offices (Press Release; Statement by Acting Chairman Hill; Financial Institution Letter)
- Notice regarding Regulatory Publication and Review Under the Economic Growth and Regulatory Paperwork Reduction Act of 1996
A recording of the full webcast of the open session is available.
CFPB Newsroom
Jul 11, 2025
Enforcement
• FirstCash, Inc., and its nineteen subsidiaries agreed to a settlement with the CFPB for Military Lending Act violations.
• The stipulated final judgment and proposed order will resolve the lawsuit if approved by the court.
Today, in the Consumer Financial Protection Bureau’s (CFPB) November 12, 2021 lawsuit against FirstCash, Inc., and nineteen subsidiaries alleging violations of the Military Lending Act (MLA), the parties reached a settlement and jointly filed a stipulated final judgment and proposed order, which if entered by the court, would resolve the lawsuit.
FDIC Financial Institution Letters
Jul 09, 2025
Security
The FDIC Board of Directors will hold an open meeting on Tuesday, July 15, 2025, at 10:00 a.m. ET, which can be observed via webcast; media should contact the Office of Communications by Monday, July 14, to attend in person.
SUNSHINE ACT NOTICE
The FDIC Board of Directors will meet in an open session:
Date and Time: Tuesday, July 15, 2025, at 10:00 a.m. ET
Place: The Board meeting will be open to public observation by webcast. Members of the media should contact the Office of Communications by Monday, July 14, to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC.
FDIC Financial Institution Letters
Jun 27, 2025
Rules|guidance
The FDIC Board of Directors approved modifications to the Enhanced Supplementary Leverage Ratio Standards and issued an exemption order for the Customer Identification Program Rule. These actions are available on the Board Matters webpage.
BOARD MATTERS | JUNE 27, 2025
FDIC Board of Directors Approve New Actions
Today, the Federal Deposit Insurance Corporation's Board of Directors unanimously approved the following matters. Materials and information related to these Board actions are available on the Board Matters webpage.
- Regulatory Capital Rule: Modifications to the Enhanced Supplementary Leverage Ratio Standards (Press Release; Financial Institutions Letter; Statement by Acting Chairman Hill)
- Customer Identification Program Rule Exemption Order (Press Release; Financial Institutions Letter)
FDIC Financial Institution Letters
Jun 26, 2025
Guidance
The FDIC Board of Directors decided to handle today's matters notationally. Related materials will be available on the Board Matters webpage.
BOARD MEETING | JUNE 26, 2025
FDIC Board of Directors Meeting
After consultation among Board members, the Federal Deposit Insurance Corporation decided to handle today's Board matters notationally. Related materials will be available on the Board Matters webpage.
FDIC Financial Institution Letters
Jun 18, 2025
Security
The FDIC Board of Directors will meet in open session on June 26, 2025, at 10:00 a.m. The meeting will be webcast and media can attend in person by contacting the Office of Communications.
SUNSHINE ACT NOTICE
The FDIC Board of Directors will meet in open session:
Date and Time: Thursday, June 26, 2025, at 10:00 a.m.
Place: The Board meeting will be open to public observation by webcast. Members of the media should contact the Office of Communications by Tuesday, June 24, to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC.
CFPB Final Rules
Jun 18, 2025
Rules
The Equal Credit Opportunity Act (Regulation B) compliance dates for small business lending have been extended until 2025. This extension applies to all credit unions, including those in Texas.
Small business lending rule extension of compliance dates 2025
FDIC Financial Institution Letters
May 20, 2025
Guidance
Key points: The FDIC Board of Directors met on May 20, 2025, with a semiannual update on the Deposit Insurance Fund Restoration Plan. A press release and Acting Chairman Hill's statement were also provided. A recording of the open session is available.
BOARD MEETING | MAY 20, 2025
FDIC Board of Directors Meeting
Today, the Federal Deposit Insurance Corporation's Board of Directors met in open and closed sessions. Materials and information relative to the open Board actions are available on the Board Matters webpage.
Items addressed in Open Session:
- Deposit Insurance Fund Restoration Plan Semiannual Update (Press Release; Statement by Acting Chairman Hill)
- Rescission of the 2024 FDIC Statement of Policy on Bank Merger Transactions and Reinstatement of Prior FDIC Statement of Policy (Financial Institutions Letter)
A recording of the full webcast of the open session is available.
CFPB Newsroom
May 15, 2025
Enforcement
• The CFPB amended a January 30, 2025 consent order with Wise regarding inaccurate fee advertising and improper disclosure of exchange rates.
• This amendment addresses issues related to remittance practices.
The CFPB amended its January 30, 2025 consent order with the international remittance company Wise resolving claims including advertising inaccurate fees and failing to properly disclose exchange rates and other costs.