Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
Ubuntu’s web infrastructure remains unavailable after going offline Thursday morning, blocking updates and other access at a time when Linux admins really need to apply a patch.
“Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it. We will provide more information in our official channels as soon as we are able to.”
Claude Security uses the Opus 4.7 model to scan a business’s codebase for vulnerabilities and issue a fix. This tool is rolling out to enterprise customers globally and isn’t to be confused with Anthropic’s Mythos, a powerful AI model that can identify and exploit vulnerabilities across operating systems and web browsers.
The group is accused of using stolen cookies to hijack accounts, targeting profiles with high amounts of in-game currency and items, according to a press release spotted by Bleeping Computer. The hackers allegedly earned around $225,000 after selling the accounts on a Russian website.
[BleepingComputer]
In the aftermath of Mythos, AI-assisted amateur hackers are waiting to strike.
The prolific ShinyHunters group is claiming responsibility and threatening to leak the stolen data unless a ransom is paid. ADT has said that the info was mostly limited to names, phone numbers, and addresses, and that credit card or bank account information was not compromised.
The investigation confirmed that the information involved was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.
The hosting platform provided a new update on the recent compromise. It named Context.AI as the vector for the attack, found more customer data that had been stolen, and said it discovered that some accounts had been broken into during an earlier incident.
First, we have identified a small number of additional accounts that were compromised as part of this incident. Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods.
Sources told Axios that the agency was among the roughly 40 organizations granted access. This, despite the Pentagon arguing that Anthropic is a threat to national security. The NSA has reportedly been using it primarily to identify vulnerabilities in its own network, but considering its track record, it’s understandable if you’re wary.
A new Wired investigation details the lengths Jim Dolan, owner of the New York Knicks and venues like MSG and the Las Vegas Sphere, goes to to spy on perceived enemies, fans, and critics. The vast surveillance apparatus includes dossiers, social media posts, and facial recognition tech.
Last year I wrote about one fan who believes a t-shirt design he had made resulted in a lifetime ban from Dolan’s venues — and that facial recognition picked him out of the crowd.
Despite Anthropic’s ongoing battle with the Pentagon, Bloomberg reports that the White House Office of Management and Budget’s CIO told government officials that it is preparing for their agencies to use Anthropic’s cybersecurity-focused AI model.
When hackers got access to an account belonging to the maintainer of Axios, they inserted a script that granted remote access to users’ Windows, macOS, and Linux devices. This malicious version potentially compromised ChatGPT’s macOS apps, so OpenAI is issuing an update and new certificates to mitigate any risks.
Starting this week, enterprise users will be able to send encrypted messages from Gmail’s Android and iOS apps if their organization has the feature enabled. Gmail’s version of E2EE, which uses client-side encryption, has been available since last year, but is still limited to users with enterprise accounts.
[Google Workspace Updates Blog]
Google is officially rolling out Device Bound Session Credentials (DBSC) to Windows users in Chrome 146. The new security feature cryptographically binds your login cookies to your device’s hardware. So, even if malware steals your browser cookies, they should be useless to remote hackers. MacOS support is coming soon.
The AI-powered compliance startup is no longer listed on YC’s directory after an anonymous report alleged Delve “fakes compliance” and leaked audit reports, as reported by TechCrunch. Delve responded by claiming a bad actor “maliciously exfiltrated data” as part of a “coordinated, targeted cyberattack.”
Meta has paused work with the company, Mercor (which The Verge has profiled), while OpenAI is investigating the security incident, Wired reports.
The update adds protections against DarkSword, a security vulnerability that can steal information from your phone if you visit an infected link. Apple previously released iOS 18.7.7 to the iPhone XS and XR, but if you have a newer phone and don’t want to download iOS 26, now you can install the patch without worrying about getting Liquid Glass.
A disclosure spotted by TechCrunch says the incident prompted the toymaker to activate “its security response protocols.” Hasbro says it’s currently working to determine the impact of the breach, but it will continue to “take orders, ship product and conduct other key operations.”
iOS 26 devices are already protected against the hacking tool that targets iPhones when visiting malicious links, and today Apple is pushing out a new security update for older, vulnerable versions of iOS. That means iOS 18 users can protect their phones and avoid the Liquid Glass design update.
A hacker took over an account belonging to the lead maintainer of the JavaScript library, Axios, which is used to handle HTTP requests, as reported by Cybernews. Security researchers found that versions 1.14.1 and 0.30.4 contained the script for a remote access trojan capable of giving hackers access to a user’s Windows, macOS, or Linux device.
If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.
The bundle, Proton Workspace, includes a new end-to-end encrypted video chat service called Proton Meet. But even encryption can’t guarantee the company will keep your payment info private from government requests.
According to “I Decompiled the White House’s New App,” the Android version has some odd choices for a government app that mostly shows content from the White House website.
That includes enabling location tracking and other monitoring via OneSignal’s analytics (which the company says are opt-in at the OS level), JavaScript loaded from some guy’s GitHub, an injected script to hide things like consent dialogs on pages users open in the app, and other hooks to non-government third-party services.
[Thereallo]
Why Todd McKinnon thinks it’s ‘naive’ not to prepare for the SaaSpocalypse
An Iran-linked group claimed responsibility for the breach and posted documents stolen from Patel’s inbox online, according to Reuters.
The DOJ has reportedly confirmed the breach, with a preliminary review by CNN finding emails from around 2011 to 2022 that “appear to include personal, business and travel correspondence that Patel had with various contacts.”
A newer version of the DarkSword exploit that targets devices running iOS 18.4 to 18.6.2 has appeared on GitHub. About 34 percent of iPhone and 43 percent of iPad users are still running iOS 18 or earlier, according to Apple, which issued an emergency patch on March 11th. Update your devices, folks!
Some Lloyds Bank, Halifax, and Bank of Scotland app users reported they were briefly able to view charges and payments made by other people on their accounts. Lloyds Banking Group, which owns all three banks, says the issue was “quickly identified and resolved,” and that it’s “reviewing what happened to ensure this cannot occur again.”
”The hacker expressed disgust at the presence of child abuse images on the device and left a message threatening to turn its owner over to the FBI, the person said.” Apparently they didn’t realize they were on an FBI server.
While end-to-end encryption can keep an account’s data private and hidden even from a service provider, the name of who paid for the account and other metadata is harder to hide.
LeakBase had more than 142,000 members and a database containing “hundreds of millions” of stolen account credentials, according to the DOJ. US law enforcement worked with Europol to seize LeakBase’s data and take over two of its domains.
