Cybersecurity News and Headlines

Experian Says 40% of the 5,000 Data Breaches It Serviced in 2025 Were AI-Powered, and Predicts Agentic AI Will Be...
News, May 10, 2026

Experian reported that out of roughly 5,000 data breaches it investigated in 2025, 40% involved AI‑generated attack methods. The firm warns that “agentic AI,” autonomous systems capable of independent decision‑making, will become the leading cause of breaches in 2026. The...

By Techmeme

Hacker Group Targeted Companies in South Africa Using Fake SARS Notifications
News, May 10, 2026

SilverFox launched a sophisticated phishing campaign in South Africa, sending over 1,600 fake SARS tax audit emails between January and February 2026. The messages lured recipients into downloading malicious archives that installed the new Python‑based backdoor ABCDoor, an evolution of...

By MyBroadband (South Africa)

GM To Pay $12.75 Million To Settle California Privacy Case Over Driver Data Sales
News, May 10, 2026

General Motors agreed to a $12.75 million settlement with California’s Attorney General after the state alleged the automaker retained and sold precise location and driving‑behavior data of millions of residents without proper consent. The case hinges on the California Consumer Privacy...

By Benzinga – Markets/News

China TV Variety Show Exposes Scam Linking ‘Peace’ Sign Selfies to Privacy Risks
News, May 10, 2026

A Chinese workplace reality show revealed that fingerprints can be extracted from peace‑sign selfies taken within 1.5 metres, and up to half of the ridge detail remains recoverable at three metres after AI enhancement. The program demonstrated image‑editing tools making finger...

By South China Morning Post — Economy

Scientists Just Sent Unhackable Quantum Keys Across 120 Kilometers
News, May 9, 2026

An international team from Germany and China demonstrated the first true time‑bin quantum key distribution (QKD) system powered by an on‑demand telecom‑band semiconductor quantum dot. The setup transmitted single‑photon qubits over more than 120 km of optical fiber and operated continuously...

By ScienceDaily (Quantum Computing News)

JD Vance Holds AI Wake-Up Call With Tech CEOs Elon Musk, Sam Altman and More After Anthropic Shows Hacking Superpowers
News, May 9, 2026

JD Vance convened an ad‑hoc AI safety summit after Anthropic’s Mythos model demonstrated the ability to autonomously locate and exploit vulnerabilities in critical cybersecurity systems. The April conference call brought together top tech leaders—Elon Musk, OpenAI’s Sam Altman, Google’s Sundar...

By The Wrap

America Is About to Get Tougher on VPNs
News, May 9, 2026

Utah has enacted Senate Bill 73, which prohibits commercial websites that host material deemed harmful to minors from facilitating or encouraging the use of VPNs, proxies, or other tools to bypass age‑verification. The legislation also treats any user physically located...

By PCGamesN

Your Fire TV Collects More than Just Watch History, Here’s How to Stop It
News, May 9, 2026

Amazon’s Fire TV Stick 4K Max gathers more than viewing history, logging app interactions, usage duration, crashes, and even voice commands when Alexa is enabled. The article walks readers through the privacy menu to disable Device Usage Data, App Usage Data, and interest‑based...

By How-To Geek

It Might Be Too Late for Bitcoin’s Quantum Migration, Project Eleven Report Argues
News, May 9, 2026

Project Eleven’s 110‑page report warns that quantum computers could render elliptic‑curve cryptography obsolete as early as 2030, jeopardizing more than $3 trillion in digital assets and critical infrastructure. The analysis predicts a "Q‑Day" window between 2030 and 2033, after which attackers...

By CoinDesk

Why a 2017 Linux Bug Is Now a Major Concern for the Crypto Industry
News, May 9, 2026

A Linux kernel privilege‑escalation bug dubbed “Copy Fail,” present in kernels since 2017, lets a low‑privilege user obtain root with a short Python script. The Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog, indicating...

By Cointelegraph

Your Yarbo Lawnmower Is a Backdoor Into Your Wi-Fi Network
News, May 9, 2026

Security researcher Andreas Makris revealed that every Yarbo internet‑connected lawnmower ships with a hard‑coded root password and a persistent backdoor that transmits telemetry, GPS data and Wi‑Fi credentials to the manufacturer’s servers. By exploiting the flaw he accessed data from...

By TechSpot

FCC Reverses Course, Allows Software Updates for Foreign-Made Drones and Routers Until 2029 — Agency Says Blocking Security Patches Could...
News, May 9, 2026

The Federal Communications Commission has extended temporary waivers that let foreign‑made drones, drone components, and consumer routers continue receiving software and firmware updates through January 1, 2029. The original “Covered List” added in late 2025 barred post‑approval changes, risking security gaps for millions...

By Tom's Hardware

Fake OpenAI Repository on Hugging Face Pushes Infostealer Malware
News, May 9, 2026

A malicious repository on Hugging Face impersonated OpenAI’s Privacy Filter, briefly topping the platform’s trending list and amassing roughly 244,000 downloads before being removed. The repo contained a loader.py script that disabled SSL verification, fetched a PowerShell command, and installed...

By BleepingComputer

A Manual Pentest Costs 50,000 Dollars. Intruder Built an AI that Does It in Minutes.
News, May 9, 2026

Intruder, a UK cybersecurity startup backed by GCHQ, has launched AI‑driven penetration‑testing agents that mimic manual pen‑test methodology and deliver results in minutes. A traditional pen test costs $10,000‑$50,000, takes weeks to schedule and days to execute, and often becomes...

By The Next Web (TNW)

Hackable Robot Lawn Mower Unlocks a New Nightmare
News, May 9, 2026

Security researchers exposed critical flaws in Yarbo’s $5,000 robot lawn mower, allowing remote hijacking, camera access, and extraction of owners’ Wi‑Fi credentials and home locations. At the same time, Meta abruptly discontinued end‑to‑end encryption for Instagram Direct Messages, sparking privacy‑rights...

By WIRED AI

Apple Made It Easy for Others to Record Your iPhone Calls, without You Even Knowing It
News, May 9, 2026

Apple’s iOS 18.1 added a built‑in call‑recording function that lets anyone using the Phone app capture a conversation. The feature plays a brief audible cue for both parties, but only the initiator receives a persistent on‑screen notification and can stop the...

By Fast Company

The Threat Every South African Bank Should Be Worried About
News, May 9, 2026

Anthropic's Claude model Mythos, an AI designed to pinpoint software flaws, has emerged as a looming cyber threat for South African banks. Unauthorized access to the model demonstrates that even heavily restricted AI can be leaked and weaponized. Local financial...

By MyBroadband (South Africa)

Fiber Optic Cables Can Eavesdrop On Nearby Conversations
News, May 9, 2026

Researchers at the European Geosciences Union demonstrated that distributed acoustic sensing (DAS) on fiber‑optic cables can capture nearby speech, which can then be transcribed in real time using AI. By firing laser pulses and analyzing reflected light, the system detected tones, music...

By Slashdot

Vidar Infostealer Campaign Steals Passwords, Cookies, Crypto Wallets, and Device Data
News, May 9, 2026

A new campaign distributing the Vidar infostealer, first seen in 2018, uses the MicrosoftToolkit.exe hack‑tool to gain initial access and then stages a multi‑stage payload built with AutoIt. The malware disguises payload files as .dot documents, renames them to .bat, and employs...

By GBHackers On Security

Biometric Update Podcast Explores Identification at Scale Using Browser Fingerprinting
News, May 9, 2026

In the latest Biometric Update Podcast, Fingerprint CTO Valentin Vasilyev explains how the company’s layered device‑signal approach creates a persistent browser fingerprint that can uniquely identify browsers and mobile devices. By aggregating data such as screen resolution, installed fonts, and OS...

By Biometric Update

International Cyber Attack Disrupts Swathe of Universities and Schools
News, May 9, 2026

A coordinated ransomware attack by the ShinyHunters group crippled Canvas, the learning management system used by roughly 9,000 universities and schools across the United States, Canada and Australia. The breach forced institutions such as Mississippi State, University of Sydney and...

By BBC – Technology

LayerZero Admits Mistake in 1/1 DVN Setup Tied to $292M Kelp Hack
News, May 9, 2026

LayerZero Labs issued an apology after a Lazarus Group attack compromised its internal RPC nodes, enabling a 1/1 Decentralized Verifier Network (DVN) to authorize a high‑value transaction that drained roughly $292 million from Kelp DAO’s rsETH bridge. The breach affected about...

By The Defiant

OCC Recommends Banks Sharpen AI Defense Tactics
News, May 8, 2026

The Office of the Comptroller of the Currency (OCC) released its Spring 2026 Semiannual Risk Perspective, flagging artificial intelligence as both a cyber‑risk and an innovation driver for banks. It urges institutions to tighten AI‑related defenses with multifactor authentication, rapid...

By PYMNTS

ShinyHunters Extorts Universities in New Instructure Canvas Hack
News, May 8, 2026

AWS open‑sourced Trusted Remote Execution (Rex) on May 4, 2026, providing an open‑source runtime that intercepts every system call from AI‑generated scripts and evaluates it against host‑defined Cedar policies. The framework is designed to block three common agentic AI failure modes—hallucinated code,...

By TechRepublic – Articles

New Linux 'Dirty Frag' Zero-Day Gives Root On All Major Distros
News, May 8, 2026

Security researcher Hyunwoo Kim disclosed a new Linux zero‑day dubbed "Dirty Frag" that combines two page‑cache write bugs—xfrm‑ESP (CVE‑2026‑43284) and RxRPC (CVE‑2026‑43500)—to achieve deterministic root access on all major distributions. The exploit does not rely on timing windows, making its success...

By Slashdot

5,000 Vibe-Coded Apps Just Proved Shadow AI Is the New S3 Bucket Crisis
News, May 8, 2026

RedAccess, an Israeli cyber‑security firm, identified 380,000 publicly accessible apps built with low‑code AI platforms such as Lovable, Replit, Base44 and Netlify, and found roughly 5,000 (1.3%) containing sensitive corporate data. The exposures span shipping schedules, clinical trial details, bank...

By VentureBeat

Defense Watch: Mythos, DARC, DARPA Plane, New SWO Boss, Startup Raises
News, May 8, 2026

Pentagon chief technology officer Emil Michael announced that the department is evaluating Anthropic’s new Mythos AI‑driven cyber‑security model, signaling renewed interest in AI tools after a Trump‑era halt on Anthropic products. The service is also scaling production of the low‑cost...

By Defense Daily

Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam
News, May 8, 2026

Microsoft Defender researchers uncovered a new ClickFix campaign that lures Mac users with fake troubleshooting articles on platforms like Medium, Craft, and Squarespace. The pages urge victims to copy‑paste a terminal command, which silently downloads macOS stealer families such as...

By HackRead

Tech Bills of the Week: Limiting Data Harvesting; AI for Financial Fraud Prevention; and More
News, May 8, 2026

Congress introduced four bills targeting emerging technology risks. The YODA Act would bar companies from forcing users to surrender data or accept tracking cookies without explicit permission and lets the FTC and state attorneys general sue firms with $50 million+ revenue...

By FCW (GovExec Technology)

Some Canvas Users Receive Ransomware Threat After Data Breach
News, May 8, 2026

A ransomware threat surfaced on Thursday when students and staff in North Carolina logged into the Canvas learning management system and were shown a pop‑up allegedly from the ShinyHunters group. The extortion message gave users until May 12, 2026 to contact the hackers...

By GovTech — Education (K-12)

GM to Pay over $12 Million in California Privacy Settlement Involving Driver Data
News, May 8, 2026

General Motors agreed to pay $12.75 million to settle California's accusations that it collected and sold OnStar driving data without consumer consent, marking the largest fine ever under the California Consumer Privacy Act. The settlement bans GM from selling such data...

By The Record by Recorded Future

What Does the FCC Have to Do with Cyber Security?
News, May 8, 2026

The Federal Communications Commission (FCC) is intensifying its role in cybersecurity by hosting two workshops on May 14‑15 aimed at small and medium‑sized telecom and broadcast providers. Chief Zenji Nakazawa highlighted the growing threat from nation‑state actors and ransomware, which can...

By Federal News Network

Here Is Yarbo’s Promise to Fix the Robot Mower that Ran Me Over
News, May 8, 2026

Yarbo acknowledged critical security flaws in its robot lawn‑mowers after a researcher remotely commandeered a unit, exposing GPS data, Wi‑Fi passwords and other personal information. The company issued a 1,200‑word response, temporarily disabling remote diagnostic tunnels, resetting shared root passwords...

By The Verge Transportation

Google Play Scam Apps Hit 7.3M Downloads with Fake Call Logs
News, May 8, 2026

ESET Research uncovered a network of 28 fraudulent Android apps dubbed CallPhantom that promised to reveal anyone's call, SMS, and WhatsApp histories. The apps generated fake records, luring users into paying for nonexistent data, and collectively amassed more than 7.3 million...

By TechRepublic – Articles

Unleashing AI Across the US Government: The Data Security Challenge Holding Back Decision Advantage
News, May 8, 2026

Former DoD CIO Terry Halvorsen warns that while federal agencies are rapidly deploying AI, most of their most valuable data remains locked away because current security architectures require decryption during processing. This "decrypt‑to‑use" vulnerability especially hampers Retrieval‑Augmented Generation (RAG) models,...

By FCW (GovExec Technology)

DDoS Attacks Surge During Milano Cortina 2026 Winter Games
News, May 8, 2026

The Milano Cortina 2026 Winter Games triggered a dramatic spike in distributed denial‑of‑service attacks, with Italian networks seeing a 181% increase over the previous year. From February 6 to February 23, daily attack volumes were six‑to‑ten times higher than historic averages, peaking at more...

By SC Media

Brussels Takes Seven Member States To Court Over CER, And The Consequences Land On You
News, May 8, 2026

On May 7, 2026 the European Commission referred Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain and Sweden to the EU Court of Justice for failing to transpose the Critical Entities Resilience (CER) Directive more than 18 months after the deadline....

By Forrester Blogs

Katalyst, E4n Partner To Build AI-Enabled Cybersecurity, Infrastructure MSP Platform
News, May 8, 2026

Midmarket MSP Katalyst has partnered with New York‑based e4n to launch an AI‑enabled cybersecurity and infrastructure platform. The deal makes Katalyst the founding company of e4n’s managed services platform, combining Katalyst’s service base with e4n’s AI engineering and acquisition expertise....

By CRN (US)

Canvas Outage Delays College Finals Across the Country
News, May 8, 2026

A cyberattack on Instructure’s Canvas learning platform caused a nationwide outage, forcing universities such as Penn State, Boise State and Mississippi State to cancel, postpone, or reschedule final exams. The breach exposed student names, email addresses, IDs and messages, and...

By Axios – General

AI & Data Exchange 2026: PRAC’s Ken Dieffenbach on Using AI Tools to Stay a Step Ahead of Fraudsters
News, May 8, 2026

The Pandemic Response Accountability Committee (PRAC) has extended its mandate through 2034 and is now leveraging artificial‑intelligence tools to oversee more than $5 trillion in pandemic‑era spending. Executive Director Ken Dieffenbach highlighted a new AI‑enabled fraud‑prevention engine that can scan 20,000...

By Federal News Network

Poland Says Hackers Breached Water Treatment Plants, and the US Is Facing the Same Threat
News, May 8, 2026

Poland’s Internal Security Agency disclosed that hackers breached five water‑treatment plants, potentially gaining control of industrial equipment and endangering water safety. The agency linked the attacks to Russian intelligence activity, though it did not confirm the perpetrators. Similar incidents have...

By TechCrunch (Main)

Sen. Schumer Seeks DHS Plan on AI Cyber Coordination with State, Local Governments
News, May 8, 2026

Senate Minority Leader Chuck Schumer wrote to DHS Secretary Markwayne Mullin demanding a coordinated plan to protect state, local, tribal and territorial (SLTT) governments from AI‑enhanced cyber attacks. He set a July 1 deadline for a strategy covering talent identification, rapid...

By CyberScoop

1 Campaign, 2 Targets: China’s Cyber Operations Hit Asian Governments and Dissidents Abroad
News, May 8, 2026

Trend Micro disclosed a China‑aligned espionage operation, Shadow‑Earth‑053, active since late 2024. The campaign compromised ministries and defense contractors in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and Poland, while running parallel phishing attacks against Uyghur, Tibetan, Taiwanese and Hong Kong critics....

By The Diplomat – Asia-Pacific

Disgraced US Gov Software Contractor Found Guilty of Database Destruction
News, May 8, 2026

A Virginia contractor, Sohaib Akhter, and his twin brother Muneeb were convicted of a coordinated attack that erased roughly 96 government databases within an hour after their termination from a software supplier serving 45 federal agencies. The deletions targeted Freedom...

By The Register

Meta Can See Your Instagram Messages Now, and It's Time to Stop Using It
News, May 8, 2026

Meta has removed end‑to‑end encryption from Instagram direct messages as of May 8, 2026, allowing the company to read and analyze message content. The change is justified by low adoption of encrypted chats and Meta’s desire to improve moderation of harmful activity....

By Android Central

Is 2026 the End of iMessage Work Group Chats?
News, May 8, 2026

Businesses relying on iMessage for internal communication face three critical risks: departing employees walk away with years of client data, legal disputes lack a retrievable audit trail, and disgruntled staff can retain access to confidential chats. iMessage was designed for...

By Entrepreneur » Sales

US Defense Contractor Who Sold Hacking Tools to Russian Broker Ordered to Pay $10M to Former Employers
News, May 8, 2026

Former L3Harris executive Peter Williams was ordered to pay $10 million in restitution, on top of a prior $1.3 million judgment, after stealing and selling advanced hacking tools to Russian broker Operation Zero. Williams, an Australian‑born former intelligence officer, exploited his full access to...

By TechCrunch (Main)

Platform Breach Downs Nearly 9,000 Colleges, Universities in the U.S.
News, May 8, 2026

Nearly 9,000 U.S. colleges and universities experienced a Canvas outage after the criminal group ShinyHunters claimed to have stolen user data. The attackers demanded a ransom by May 12, threatening to publish the information if unpaid. The disruption struck during a...

By Carrier Management

Turn Off Direct Send in Microsoft Exchange to Protect Yourself From Phishing
News, May 8, 2026

Microsoft Exchange’s Direct Send feature allows legacy devices to transmit email without authenticating, a convenience that can be weaponized by cybercriminals. Attackers harvest public staff content, use AI to mimic writing styles, and send phishing messages that appear legitimate, bypassing...

By TechSoup