
UK Visa Portal Spilled Thousands of Applicants’ Passports and Selfies Online — and Hasn’t Fixed the Leak
TechCrunch discovered that the private UK Visa Portal website has publicly exposed the passports and selfie photos of at least 100,000 visa applicants. The breach stems from a security lapse that remains unfixed, and the company, which is not affiliated with the UK government, has not responded to remediation requests. Affected users were misled into paying fees to the third‑party service instead of the official GOV.UK portal. The site also lacks a mechanism for reporting security issues, leaving data vulnerable.

Hackers Have Compromised Dozens of Popular Open Source Packages in an Ongoing Supply-Chain Attack
Hackers have launched a new supply‑chain assault, hijacking a developer account to publish over 630 malicious versions across 317 open‑source packages in just 20 minutes. Cybersecurity firms StepSecurity and SafeDep flagged the rapid rollout, which targets credential‑stealing code embedded in...

US Cyber Agency CISA Exposed Reams of Passwords and Cloud Keys to the Open Web
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) discovered that a contractor employee inadvertently published spreadsheets on GitHub containing plaintext passwords, cloud access tokens, and other credentials for CISA and Department of Homeland Security systems. Security researcher Guillaume Valadon identified the exposure,...

NYC Health + Hospitals Says Hackers Stole Medical Data and Fingerprints During Breach Affecting at Least 1.8 Million People
NYC Health + Hospitals disclosed a breach that exposed personal, medical and biometric data for at least 1.8 million patients. Hackers infiltrated the network through a third‑party vendor and remained undetected from November 2025 until February 2026, copying files that included health records,...

Google Launches New Android Security Feature to Help Uncover Spyware Attacks
Google has begun rolling out an opt‑in feature called Intrusion Logging to Android devices running the December 16 update or later. The tool, part of Advanced Protection Mode, creates encrypted daily logs of system events—unlock attempts, app installs, ADB connections,...

Exaforce Raises $125M Series B to Build AI for Catching and Stopping Cyberattacks as They Happen
Exaforce announced a $125 million Series B round, valuing the three‑year‑old AI cybersecurity startup at $725 million and bringing total funding to $200 million. The company’s AI agents, called “Exabots,” automate security operations, reportedly cutting manual analyst work by up to 90 percent. Its product,...

Hackers Hack Victims Hacked by Other Hackers
SentinelOne discovered a new hacking campaign, dubbed PCPJack, that targets systems already compromised by the cyber‑crime group TeamPCP. The attackers evict TeamPCP, remove its tools, and deploy a self‑spreading worm to steal credentials and exfiltrate data. PCPJack scans for exposed...

AI Evaluation Startup Braintrust Confirms Breach, Tells Every Customer to Rotate Sensitive Keys
AI evaluation startup Braintrust disclosed an unauthorized access incident in one of its AWS accounts that exposed customer API keys. The company sent an email urging every client to revoke and rotate those keys, noting that only one customer has...

Some Kids Are Bypassing Age-Verification Checks with a Fake Mustache
Governments in the U.S. and U.K. are tightening age‑verification laws to keep minors off adult sites, forcing platforms to adopt document uploads or biometric checks. A survey by Internet Matters found half of 1,000 children could easily bypass these controls,...

Paragon Is Not Collaborating with Italian Authorities Probing Spyware Attacks, Report Says
Paragon Solutions, the Israeli‑American maker of Graphite spyware, has failed to answer a formal information request from Italian prosecutors investigating a 2024 hacking campaign that targeted journalists and activists. The company previously promised to assist the probe but instead cancelled...

Vercel Says Some of Its Customers’ Data Was Stolen Prior to Its Recent Hack
Vercel disclosed that hackers accessed a small number of customer accounts before its widely reported April breach, indicating a longer‑running intrusion. The company traced the initial entry to a Context AI app that infected an employee’s workstation with infostealer malware,...

Surveillance Vendors Caught Abusing Access to Telcos to Track People’s Phone Locations, Researchers Say
Security researchers at the Citizen Lab disclosed two distinct spying campaigns that exploited long‑standing weaknesses in global telecom signaling protocols to locate individuals’ phones. The attackers masqueraded as legitimate carriers—using 019Mobile, Tango Networks U.K., and Airtel Jersey—to piggyback on SS7...

UK Government Says 100 Countries Have Spyware that Can Hack People’s Phones
The UK National Cyber Security Centre disclosed that 100 countries now have access to commercial spyware, up from 80 last year, lowering the barrier for state‑backed surveillance. Tools such as NSO Group’s Pegasus and Paragon’s Graphite can infiltrate phones and...

Man Who Hacked US Supreme Court Filing System Sentenced to Probation
Nicholas Moore pleaded guilty to infiltrating the U.S. Supreme Court’s electronic filing system, as well as the networks of AmeriCorps and the Department of Veterans Affairs, using stolen credentials. He publicly bragged about the breaches on an Instagram account, posting...

Fashion Retailer Express Left Customers’ Personal Data and Order Details Exposed to the Internet
Express, a major U.S. fashion retailer, patched a website flaw that let anyone view other shoppers’ order confirmations. The vulnerability exposed names, contact details, addresses, purchase items and partial credit‑card data for at least a dozen customers, all accessible by...