A proposed class action lawsuit alleges MSG failed to protect the data of over 26 million guests. It comes just days after 404 Media reported that hackers claimed to have published data stolen from MSG, which is known for its extensive surveillance system.
Security
Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
The Cybersecurity and Infrastructure Security Agency (CISA) gained access to the limited-release, cybersecurity-focused model last week, Nextgov/FCW reports. It’s just a little late, since the rest of the world has mostly moved on to the drama around the Trump administration’s block of the safeguarded public version of the model, Fable.
The group behind Matter has released the next version of its Product Security Certification Program, a cybersecurity standard designed to provide a single security label for consumer IoT devices.
The update extends certification beyond devices to include apps, gateways, and remote processes, allowing companies to certify entire ecosystems. It also adds independent validation through physical test labs and is now integrated into the Matter spec, with companies seeking Matter certification encouraged to complete the security certification as well.


“Outsider Enterprise” allegedly distributes phishing templates that have scammed people out of millions of dollars. Google says over a million fraudulent URLs are linked to the group, and that over just two weeks, it sent 2.5 million messages to Android users with links to fraudulent websites.
According to The New York Times:
Still, Meta decided not to make major changes to its A.I. plans after the Instagram hacks, according to the internal documents. “We agreed to leave all products on and to pause one ongoing experiment (IG Forgot Password Chat),” the documents said. “All other entrypoints will remain available.”
[The New York Times]
Despite last year’s $167 million verdict against NSO Group for its Pegasus software hacking some 1,400 WhatsApp users, Meta says it has detected new spear phishing attacks on its platform from the spyware maker, in violation of the court’s permanent injunction:
We successfully disrupted NSO-linked social engineering attempts, after investigating user reports. They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO. We also caught them creating test accounts and groups on WhatsApp, which we took down.

The YouTube star has gone from reviewing synths to taking on the surveillance state.
The smart ring company says on March 27th hackers used an internal analytics tool to access users’ contact and account details, transaction history, and “some fitness related data.” According to TechCrunch, the breach impacted 0.1 percent of Ultrahuman users, or an estimated 700 people.
[Ultrahuman]
With this expansion of Anthropic’s Project Glasswing initiative, organizations in “several industries that weren’t well represented” in the initial cohort, like power, water, and healthcare, will get access to the model so they can use it to find security vulnerabilities.
[Anthropic]
The @obamawhitehouse account briefly showed images of Iranian propaganda, which have since been taken down, as spotted earlier by TMZ. The account belonging to the US Space Force Chief Master Sergeant was also hijacked.


Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co. — formerly 23andMe — claiming that the company failed to protect user information, leading to the massive 2023 breach that included data belonging to 6.9 million users. In 2024, 23andMe agreed to pay $30 million to settle a class action lawsuit related to the breach.
[California Office of the Attorney General]
The Aqara U500 lineup includes three separate models. There’s a “Rim Lock” for standard entrance and interior doors that doesn’t require a mortise, a “Gate Lock” for metal grille-style doors, and even a lock that’s designed for glass doors. They’re only available in Europe for now though.

AI can’t feel, but the best hackers pretend it can.
Upon request, “qualifying” customers can use things like skills, a Claude harness, and a threat model builder, Anthropic says as part of a bigger update about Project Glasswing.
Anthropic also plans to expand Project Glasswing to “additional partners” and has published a dashboard of open source vulnerabilities disclosed by Mythos Preview.
[Anthropic]
YouTuber Coffeezilla first reported the leak of customer details, now apparently fixed. Trump Mobile CEO Pat O’Brien has now confirmed to The Verge there was a breach, which he blames on “a third-party platform provider.”
“The impacted information appears to be limited to certain customer details, including names, email addresses, mailing addresses, order identifiers and mobile phone numbers.
Out of an abundance of caution, our third-party platform provider has implemented additional safeguards and enhanced monitoring measures while the matter continues to be investigated.”
Update: Added comment from Trump Mobile’s CEO.
A security bulletin from Nvidia breaks down new vulnerabilities found in some of its GPU drivers for Windows and Linux and vGPU software. As Digital Foundry and Club386 point out, they affect drivers prior to 596.36 on the current branch, so if you’re running the most recently released update (596.49, which was released on May 12th), you don’t have anything to do.
The company traced the incident to a “poisoned” VS Code extension on an employee’s device. While the hacking group TeamPCP has claimed responsibility for the breach, GitHub says it has since removed the malicious extension and that the exfiltration was limited to internal data, as reported by Bleeping Computer.
[BleepingComputer]


Researchers at the security firm Calif say they used Anthropic’s cybersecurity AI to create a privilege escalation exploit, the Wall Street Journal reports:
Last September, Apple said it leveraged its hardware and operating system expertise into a technology called Memory Integrity Enforcement (MIE), which it described as “the culmination of an unprecedented design and engineering effort, spanning half a decade.” With Claude, building the code that exploited the two MacOS bugs took five days, Calif says.
On Wednesday, the AISI, which evaluates AI models for the British government, said both Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 showed progress well above previous trends on cybersecurity testing. Separately, XBOW released data suggesting “frontier models have taken a major step forward in vulnerability discovery.”
Meanwhile, Microsoft said its multi-model agentic setup, MDASH, was used to discover 16 CVEs in this week’s Patch Tuesday updates and is the leader on the CyberGym security evaluation framework.



They should be fixed now. Hopefully.
Similar to the “Copy Fail” exploit revealed a week ago, the two “Dirty Frag” exploits (CVE-2026-43284) also allow a local user to give themselves root privileges on nearly any Linux distribution. The researcher who found it says that, “Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities.”
Ubuntu developer Canonical has detailed mitigations, and Red Hat says it will provide guidance “soon.”
Sean Hollister let a hacked robot lawnmower run him over in the name of journalism, but it took a Verge commenter to find the right language that really sets the stakes.
MattMaher_M7Innovations:
There’s investigative journalism, and then there’s ‘get-run-over-by-a-lawnmower-to-prove-a-point’ journalism. Thank you Sean, for almost chopping off your chicken nuggets to give us the gif of the century.
Ordinarily we keep detailed bug reports private for several months after shipping fixes and issuing security advisories, largely as a precaution to protect any users who, for whatever reason, were slow to update to the latest version of Firefox. Given the extraordinary level of interest in this topic and the urgency of action needed throughout the software ecosystem, we’ve made the calculated decision to unhide a small sample of the reports behind the fixes we recently shipped.
[Mozilla Hacks – the Web developer blog]