EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Canva among ~100 targets of ShinyHunters Okta identity-theft campaign
The identity-theft operation set its sights on more than 100 Okta SSO accounts across "high-value enterprises." The cyber threat hunters also listed all of the companies across which they have "detected active targeting or infrastructure preparation directed at your domain" in the last 30 days.
Head over to the Silent Push blog to check out the organizations, which span multiple industries - but the technology and software firms include Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral, and ZoomInfo.
[rG: Healthcare: Bayshore Healthcare, Globus Medical, GoodRx, ResMed, Surgery Partners, UCHealth.]
To be clear: this doesn't mean any of these companies have been breached. While these identity attacks are not caused by a security flaw in the products or infrastructure, Mandiant "strongly" recommends organizations use phishing-resistant multi-factor authentication (MFA), such as FIDO2 security keys (like YubiKeys) or passkeys.
ShinyHunters said it had gained access to Crunchbase and Betterment by voice-phishing their Okta single sign-on codes. The criminals also leaked what they claimed to be more than 20 million records belonging to Betterment and 2 million belonging to Crunchbase.

Let them eat sourdough: ShinyHunters claims Panera Bread, CarMax, and Edmunds as stolen credentials victim
The criminals' claims allege that they stole more than 14 million records from casual bakery-cafe chain Panera Bread, including names, email and home addresses, phone numbers and account details totaling 760 MB of compressed data. They allegedly stole similar types of personally identifiable information (PII) from used-car-buying platform CarMax (over 500,000 records totaling 1.7 GB compressed), and vehicle-review site Edmunds ("millions" of records totaling 12 GB compressed).
ShinyHunters claim it gained access to Panera via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches were from earlier, unrelated intrusions.

Thousands more Oregon residents learn their health data was stolen in Cognizant owned TriZetto breach
The breach occurred back in November 2024, with intruders snooping through protected health information (PHI) and other sensitive personal information belonging to 700,000 patients and insurance policy holders. TriZetto Provider Solutions (TPS) did not discover the digital thieves on their network until almost a year later.
Cognizant, which owns TriZetto, has been hit with multiple class action lawsuits as a result of the compromise.

Security flaw at AI toy company exposed over 50,000 chat logs of kids
Bondu, a company that makes AI toys, had left over 50,000 chat logs of kids unprotected on its web portal. Researchers, claim that the toys may be using Google’s Gemini and OpenAI’s GPT-5 models, and therefore, sharing the data with those companies.
Anyone with a Gmail account could log in to Bondu’s web portal, which is meant for parents to check their kids’ conversations and for company staff to monitor the product's performance. Once logged in, they could see transcripts of nearly every conversation the children had with their Bondu toys. Details included kids’ names, birth dates, family members’ names, and other sensitive information. These kinds of details are a kidnapper’s dream.
The issue was fixed within hours, company CEO stated, adding that they “found no evidence of access beyond the researchers involved.”
[rG SSDLC: An example of insecure design and lack of pre-production attack simulation testing. Nothing that would have been prevented through use of automated vulnerability scanners or pen testing.]

Massive Chat & Ask AI App Leaked Millions of Users Private Conversations
Chat & Ask AI is a “wrapper” that plugs into various large language models from bigger companies users can choose from, Including OpenAI’s ChatGPT, Anthropic's Claude, and Google’s Gemini.
The issue is a misconfiguration in the app’s usage of the mobile app development platform Google Firebase, which by default makes it easy for anyone to make themselves an “authenticated” user who can access the app’s backend storage where in many instances user data is stored. Security researcher said that he had access to 300 million messages from more than 25 million users in the exposed database, and that he extracted and analyzed a sample of 60,000 users and a million messages. The database contained user files with a complete history of their chats with the AI, timestamps of those chats, the name they gave the app’s chatbot, how they configured the model, and which specific model they used.

Have I Been Pwned: SoundCloud data breach impacts 29.8 million accounts
In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users.
The impacted data included unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user's country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month."

Insider Threat: CISA chief uploaded sensitive government files to public ChatGPT
The acting director of the US Cybersecurity and Infrastructure Security Agency Madhu Gottumukkala uploaded multiple “for official use only” contracting documents to OpenAI’s public platform, bypassing DHS-approved AI tools and triggering automated cyber alerts. The documents contained contracting information not intended for public release. Unlike DHS-approved AI tools with controls preventing inputs from leaving federal networks, the public ChatGPT retains uploaded information on OpenAI servers.
The pattern mirrors early enterprise incidents where employees pasted confidential material into ChatGPT. The critical difference is that controls reportedly existed at CISA, and the breach occurred through an exception pathway. That highlights a core governance failure. Exceptions and senior access are often where AI controls break down.

AV vendor eScan lawyers up after Morphisec claimed 'critical supply-chain compromise'
An unauthorized user gained access to configuration on an update server, resulting in a rogue file appearing in the update path. eScan detected suspicious activity through their internal monitoring systems on January 20, 2026, and issued a preliminary security advisory to customers on January 21, 2026, along with a remediation patch.
The advisory instructs many customers to manually download and run a remediation tool on individual machines, often with support assistance, to restore update functionality. In other words, the fix existed, but in many cases it still required hands-on work.
eScan also pulled its update infrastructure offline for checks, rebuilt the affected systems, rotated credentials, and tightened monitoring before bringing everything back online.

There’s a rash of scam spam coming from a real Microsoft address
There are reports that a legitimate Microsoft email address—which Microsoft explicitly says customers should add to their allow list—is delivering scam spam.
Scammers are abusing a Power Bi function that allows external email addresses to be added as subscribers for the Power Bi reports.
The emails originate from no-reply-powerbi[@]microsoft[.]com, an address tied to Power BI, and Microsoft documentation says that the address is used to send subscription emails to mail-enabled security groups. To prevent spam filters from blocking the address, the company advises users to add it to allow lists.

Why has Microsoft been routing example.com traffic to a company in Japan?
This appears to be a simple misconfiguration. The result is that anyone who tries to set up an Outlook account on an example[.]com domain might accidentally send test credentials to those sei[.]co[.]jp subdomains.
Under the RFC2606—an official standard maintained by the Internet Engineering Task Force—example[.]com resolves to IP addresses assigned to Internet Assiged Names Authority. The designation is intended to prevent third parties from being bombarded with traffic when developers, penetration testers, and others need a domain for testing or discussing technical issues. Instead of naming an Internet-routable domain, they are to choose example[.]com or two others, example[.]net and example[.]org.
Output from the terminal command cURL shows that devices inside Azure and other Microsoft networks have been routing some traffic to subdomains of sei[.]co[.]jp, a domain belonging to Sumitomo Electric.
Subsequent to being reported, Microsoft “updated the service to no longer provide suggested server information for example[.]com.” The new JSON response suggested that Microsoft hadn’t fixed the endpoint routing traffic to the Sumitomo Electric servers. Instead, the JSON response no longer occurs. Where the output was occurring on Friday, the command now simply sits and hangs for 10 or 20 seconds and then terminates with a not found error. It looks like they may have outright removed the endpoint that validates the email.
There doesn’t appear to be anything nefarious about the improper routing, and as long as people inside Microsoft’s network weren’t sending live credentials in tests, there was no danger posed.

When Zoom Phishes You: Unmasking a Novel TOAD Attack Hidden in Legitimate Infrastructure
The specific danger here is the erosion of trust. Users are trained to look for legitimate senders. When they see an email that is genuinely from Zoom (or forwarded from a genuine source), their guard drops.
The email is technically safe—it contains no malicious links or malware—but the text itself is a social engineering trap designed to panic the user into calling the fraudulent support number.

By identifying the discrepancy between the sender (Zoom) and the content (PayPal financial urgency), Prophet AI successfully identified the trap as a real attack before it could result in financial loss.
[rG: The Zoom design security failure is not validating the input allowed for display names which leads to the application abuse.]

Office zero-day exploited in the wild forces Microsoft OOB patch
The flaw, tracked as CVE-2026-21509, and slapped with a CVSS score of 7.8, falls into Microsoft's "security feature bypass" bucket. In practice, this means attackers can dodge protections that are supposed to stop unsafe legacy components from running. Those components include COM and OLE – old Windows plumbing that's been at the heart of document-based attacks for years and clearly hasn't earned its retirement yet.
According to Microsoft, exploitation doesn't hinge on the Office preview pane – often a red flag in past campaigns – but still requires little effort once a victim is persuaded to open a booby-trapped file. "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," Microsoft said. "An attacker must send a user a malicious Office file and convince them to open it."
 

HACKING

Nobel Committee says Peace Prize winner likely revealed early by digital spying
Bets on Venezuelan opposition leader Maria ⁠Corina Machado winning the prize ‌spiked, hours before the name of the 2025 laureate was due to be announced. An initial bet was placed on Machado's name to win the prize, rising quickly to some $2.2 million as others followed.
One of Norway's three intelligence agencies was involved in the ensuing investigation of whether there was an internal leak or whether it was the result of spying, either by a criminal actor or a state entity, but it remains unclear who was behind the ⁠leak and how it unfolded. And while financial bets were placed, it was not known whether the ultimate purpose was to profit from the incident or to inflict damage to the credibility ‍of the prize.

China-linked group accused of spying on phones of UK prime ministers' aides – for years
The activity focused on phones used by senior aides around former prime ministers Boris Johnson, Liz Truss, and Rishi Sunak, with the suspected access stretching back to 2021. Salt Typhoon, the Chinese-linked group previously blamed for telecom intrusions overseas, has been named as a likely culprit in the reported snooping. The espionage outfit is known for breaking into telecoms providers, enabling them to skim metadata and communications without ever needing to install anything on a handset.
The breaches were reportedly discovered only in 2024, after the US disclosed that Chinese-linked hacking groups had gained deep access to telecommunications providers worldwide. US officials have since acknowledged that attackers could, in some cases, record calls "at will," underlining concerns that state-backed groups had embedded themselves deep inside communications networks.

Former Google engineer found guilty of stealing AI secrets for Chinese firms
Leon Ding stole more than 2,000 pages of confidential information containing Google AI trade secrets between May 2022 and April 2023. He uploaded the information to his personal Google Cloud account. Google uncovered the uploads after finding out that Ding presented himself as CEO of one of the companies during an Beijing investor conference. Around the same time, Ding told his manager he was leaving the company and booked a one-way flight to Beijing.
He faces a maximum sentence of 10 years in prison for each count of theft of trade secrets and 15 years for each count of economic espionage.

WorldLeaks Extortion Group Claims It Stole 1.4TB of Nike Data
The ransomware group World Leaks said on its website that it had ⁠published 1.4 terabytes of data ‌from Nike. Reuters could not download the data or verify the claim. An attempt to locate contact ‍information for the hackers was not immediately successful. Nike said in a statement. "We are investigating a potential cyber security incident and are actively assessing the situation." Nike declined to comment on the specifics of its investigation or on whether any ransom was paid. 

APPSEC, DEVSECOPS, DEV

Patch or perish: Vulnerability exploits now dominate intrusions
Exploited flaws were behind nearly 40% of all intrusions in Q4 2025, and the speed at which attackers were harnessing those weaknesses should serve as a wake-up call for defenders. This marks the second quarter in a row that exploits led the charge for initial access, but represented a drop from Q3's rate of 62%, which was driven largely by widespread ToolShell attacks.
More recently, the team pointed to the Oracle EBS and React2Shell vulnerabilities as examples of two high-profile vectors that continued to fuel the trend, both of which were taken up by attackers within hours of disclosure.
A functional proof-of-concept exploit for React2Shell began circulating online within 30 hours of disclosure.
Whether organizations heed this warning is another matter, however. Patching systems, especially in large organizations, can be a painful process, with private sector admins taking months, not hours, to patch the most serious flaws.
[rG SSDLC: Highlighting the importance of running SCA daily vulnerability scans on production released, active code repositories, with automated alerting and prioritized remediation. Refer to vendor advisories from React and Next.js.]

NIST IR 8446: Bridging the Gap Between Standards on Random Number Generation
Compares Germany’s BSI AIS 20/31 and NIST’s SP 800-90 series to help clarify similarities and differences in terminology, assumptions, and requirements. 

VENDORS & PLATFORMS

Top 10 AI security tools for enterprises in 2026

Qualys: Top 10 Cloud Compliance Tools for Enterprise Security and Audit Readiness in 2026

IBM says AI is insane in the mainframe as z17 sales surge
Sovereignty was a key issue, and "more and more clients have woken up to that for certain workloads, the mainframe is actually the lowest unit cost economics platform, and that is really important."
At the same time, GenAI made mainframes easier to leverage and modernize. "The GenAI tools we have provided with the Watson Code Assistant for Z really takes that onus away. It can refactor COBOL into Java... It can help you refactor that code if you want to keep it exactly as it is."
"I'm incredibly excited by our ability to do AI right in line. If you can do it right in line with the transactions, that's a milliseconds delay as opposed to multiple seconds if you take it off platform, which is how people have been doing it so far."
Asked if AI/HBM-fueled DRAM price hikes were a problem, Krishna said: "I personally believe, as long as that dynamic is there, those pricing issues are going to be there through the year. There is no AI server without a bunch of CPUs right next to it. So the reality becomes that the AI demand also drives demand for normal servers that in turn feed and load up those servers."

Oracle AI sailed the world on Royal Navy flagship via cloud-at-the-edge kit
The UK Royal Navy deployed a so-called "sovereign AI capability" aboard the vessel during Operation Highmast, an eight-month mission in 2025 that saw it traverse the Mediterranean, Middle East, and Indo-Pacific. This was operated using Oracle's Roving Edge Infrastructure - a locally hosted version of its cloud platform, running on hardware inside a military-grade, ruggedized enclosure. Big Red launched a version of Roving Edge in 2021, saying it allows customers to run workloads, including machine learning and analytics, in the field.
Banker claims Oracle may slash up to 30,000 jobs, sell health unit to pay for AI build-out
Oracle could cut up to 30,000 jobs and sell health tech unit Cerner to ease its AI datacenter financing challenges, investment banker TD Cown has claimed, amid changing sentiment on Big Red's massive build-out plans.
The bank estimates the OpenAI deal alone is going to require $156 billion in capital spending. Last year, when Big Red raised its capex forecasts for 2026 by $15 billion to $50 billion, it spooked some investors.

How to encrypt your PC’s disk without giving the keys to Microsoft
Both the Home and Pro versions of Windows support disk encryption, but only the Pro versions give users full control over the process. The Home version of Windows only supports disk encryption when logged in with a Microsoft account and will only offer to store your encryption key on Microsoft’s servers.

I stopped Windows from searching the web and my Start menu is instant now.
Remember when you could hit the Windows key, type a few letters, and instantly launch an app? I don't. Those days feel like ancient history because, somewhere along the way, Microsoft decided that every search you perform on your own computer should also query Bing and the cloud. The result? A laggy, frustrating experience that makes even a high-end PC feel sluggish.
I stopped Windows from searching the web with a simple registry hack and my Start menu is much better now.

LEGAL & REGULATORY

County pays $600,000 to pen testers it arrested for assessing courthouse security
The case was brought two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct “red-team” exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars. The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail, until they were released on $100,000 bail. The charges were later reduced to misdemeanor trespassing charges, but even then, sheriff of Dallas County continued to allege publicly that the men had acted illegally and should be prosecuted. Five days before a trial was scheduled to begin in the case, Dallas County officials agreed to settle the case.

White House Scraps ‘Burdensome’ Software Security Rules
The US Office of Management and Budget (OMB) has issued Memorandum M-26-05, officially revoking the previous administration’s 2022 policy, ‘Enhancing the Security of the Software Supply Chain through Secure Software Development Practices’ (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16).
“Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency’s network. There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment.”
While agencies are no longer strictly required to do so, they may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18.
It’s worth noting that the US government and its allies recently released new guidance on the advantages of widespread SBOM adoption. M-26-05 also expands agency focus to include hardware supply chain threats, encouraging the use of Hardware Bill of Materials (HBOM) frameworks to ensure broader resilience against sophisticated threat actors.

Microsoft illegally installed cookies on schoolkid's tech
In 2024, Austria-based campaign group None of Your Business (noyb) asked the Austrian data protection authority to investigate Microsoft 365 Education to clarify if it breaches transparency provisions under GDPR. It said the tech giant pushed data protection obligations onto schools that use the system, and failed to comply with subjects' right to access data about them.
According to a ruling by the Austrian data protection authority, Microsoft acted unlawfully when it placed tracking cookies on the devices of a minor using Microsoft 365 Education. Microsoft's own documentation says these cookies analyze user behavior, collect browser data, and are used for advertising. Microsoft now has four weeks to comply.

France to ditch US platforms Microsoft Teams, Zoom for ‘sovereign platform’ citing security concerns
France will replace the American platforms Microsoft Teams and Zoom with its own domestically developed video conferencing platform, Visio, which will be used in all government departments by 2027