We now have {{active_subscriber_count}} active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.
This week’s signal from the trenches: attackers aren’t “hacking in” — they’re logging in.
According to the latest annual incident response report from Palo Alto Networks Unit 42, identity-based techniques accounted for nearly two-thirds of all initial network intrusions last year. Not zero-days. Not sophisticated malware chains. Credentials. Tokens. Sessions. Trust relationships. The perimeter keeps getting better — and increasingly irrelevant — while identity becomes the primary attack surface.
For defenders, that statistic reframes the priority stack. If identity is the new ingress vector, then IAM hygiene, MFA resilience, privileged access governance, and session monitoring aren’t supporting controls — they’re frontline defenses. This week’s mashup makes one thing clear: compromise doesn’t start with exploitation. It starts with authentication.
Oh, and the infosec-events community repository got some nice upgrades this week. The site now offers a subscribable ICS calendar feed — paste the URL into Google Calendar, Apple Calendar, or Outlook and get all upcoming events synced automatically. A Mastodon bot (@[email protected]) now posts weekly digests of upcoming events and alerts when new ones are added. On the site itself, a new filter and search bar lets you narrow down the upcoming events by continent, city, or name, and toggle free-only events — making it much easier to find what's relevant to you. Contributions welcome as always via GitHub.
Let’s now dive into this week’s top insights! 🚀
🔓 BREACHES & SECURITY INCIDENTS
🅿 PayPal says a software error exposed customers' personal data, including Social Security numbers, from July to December 2025. The company fixed the code, reset affected passwords, and is offering two years of free credit monitoring. Some customers saw unauthorized transactions and received refunds.
🇫🇷 🏦 France’s Ministry of Economy disclosed a breach of the national bank account registry FICOBA that exposed 1.2 million accounts — an attacker used stolen official credentials to access names, addresses, IBANs and some tax IDs; access is now blocked and affected people are being notified. Security experts warned that broad access tied to single identities makes such large exposures easier and that companies should limit privileges by need.
🇩🇪 🚂 💥 Germany’s rail operator Deutsche Bahn was hit by a large DDoS attack that disrupted ticketing and some IT systems. The attack began Feb 17, came in waves, and briefly made websites and the DB Navigator app intermittently inaccessible. No culprit has been named, though similar attacks on German infrastructure have been linked to pro‑Russian hacktivist groups.
🇺🇸 Hackers breached Figure Technology Solutions and stole personal data from about 967,200 accounts. The stolen files included names, emails, phone numbers, addresses, and dates of birth. The ShinyHunters group claimed responsibility and leaked the data after a social-engineering attack.
🇳🇱 🚂 Hackers stole customer data from Eurail and are offering it for sale online — The leaked files may include names, contact details, passport copies, travel reservations, and bank info for millions of customers. Eurail says it is investigating while hackers threaten to publish all stolen data if no buyer is found.
🇨🇦 🐻 Hackers claiming to be ShinyHunters leaked a 1.67 GB dataset of over 600,000 Canada Goose customer records. Canada Goose says the data appears to be historical, it has found no breach of its systems, and no full payment card numbers were exposed. The leaked details could still enable phishing, fraud, and customer profiling.
🔗 Partners and Affiliates
With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.
Special Offer: get up to 73% off with a 2-year plan!
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
🇺🇸 🇮🇷 Three former Google engineers and one husband were indicted for stealing trade secrets from Google and other tech firms and sending them to unauthorized locations, including Iran. The defendants allegedly copied files about processor security and cryptography, hid their actions, and photographed screens after access was revoked. If convicted, each faces up to 10 years for trade secret theft and up to 20 years for obstruction.
🇺🇦 🇰🇵 A Ukrainian, Oleksandr Didenko, was sentenced to five years for running a scheme that helped North Korea hire remote IT workers at U.S. companies. He stole identities, created over 2,500 fake accounts, and sold them to North Korean operatives. Authorities say the payments supported North Korea’s regime and posed national security risks.
🌍 African police arrested 651 suspects in a coordinated INTERPOL operation against investment fraud, mobile money scams, and fake loan apps. Authorities across 16 countries seized devices, shut down 1,442 malicious sites, and recovered over $4.3 million while identifying 1,247 victims. The operation highlights cross-border collaboration to disrupt large cybercriminal networks.
🇳🇬 🇺🇸 ⚖ A Nigerian man, Matthew Akande, was sentenced to eight years for running a five-year scheme that filed over 1,000 fraudulent U.S. tax returns. He and co-conspirators stole client data, used phishing and malware, and obtained more than $1.3 million in false refunds. Akande was arrested in 2024, extradited to the U.S., pleaded guilty, and must pay about $1.4 million in restitution.
🇪🇸 🏨 Spanish police arrested a 20-year-old who hacked a hotel booking site to pay as little as one cent for luxury rooms. He altered the payment validation so bookings looked fully paid while only one cent was charged. Hotels lost over €20,000 and he was caught staying in a Madrid hotel with a €4,000 reservation.
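The hotel-booking case above is the classic "trust the client's payment status" failure: the booking is marked paid because the browser said so, not because the provider settled the full amount. The snippet below is an added example (not code from the article, the booking site, or any payment provider) showing the weak check beside a server-side one that only trusts a signed provider event and compares the settled amount against the booking total held on the server. The webhook format, the HMAC-SHA256 signing scheme, and the secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed shared secret between the booking site and its (hypothetical) payment
# provider. A real deployment loads this from a secret store, never from source.
WEBHOOK_SECRET = b"example-webhook-secret-do-not-use"


@dataclass(frozen=True)
class Booking:
    booking_id: str
    total_minor: int   # amount owed in the smallest currency unit (cents)
    currency: str


def confirm_booking_trusting_client(booking: Booking, client_form: dict) -> str:
    """Weak pattern: the client-submitted form decides whether the room is paid.
    Anyone who can edit the request can mark a 4,000 EUR booking as paid."""
    if client_form.get("paid") == "true":
        return "paid"
    return "unpaid"


def provider_sign(raw_body: bytes) -> str:
    """Simulates the provider signing a webhook body (assumed scheme: HMAC-SHA256 hex)."""
    return hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_hex: str) -> bool:
    """Constant-time comparison of the provider signature over the raw body."""
    expected = provider_sign(raw_body)
    return hmac.compare_digest(expected, signature_hex)


def settle_booking(booking: Booking, raw_body: bytes, signature_hex: str) -> str:
    """Hardened pattern: only a signed provider event can settle a booking, and the
    settled amount/currency is compared against the server-side booking total."""
    if not verify_signature(raw_body, signature_hex):
        return "rejected: bad signature"
    event = json.loads(raw_body)
    if event.get("booking_id") != booking.booking_id:
        return "rejected: booking mismatch"
    if event.get("status") != "succeeded":
        return "rejected: payment not settled"
    if event.get("currency") != booking.currency:
        return "rejected: currency mismatch"
    # The amount comes from the signed event, never from the browser session.
    if int(event.get("amount_minor", 0)) < booking.total_minor:
        return "underpaid"
    return "paid"


def make_event(booking_id: str, amount_minor: int, currency: str, status: str = "succeeded") -> bytes:
    """Builds a constructed webhook body for demonstration."""
    return json.dumps({
        "booking_id": booking_id,
        "amount_minor": amount_minor,
        "currency": currency,
        "status": status,
    }, sort_keys=True).encode()


if __name__ == "__main__":
    room = Booking("bk-0001", 400_000, "EUR")   # constructed 4,000 EUR reservation
    # Weak check accepts whatever the form claims.
    print(confirm_booking_trusting_client(room, {"paid": "true"}))          # paid
    # Hardened check: a one-cent settlement is flagged, full amount is accepted.
    one_cent = make_event("bk-0001", 1, "EUR")
    print(settle_booking(room, one_cent, provider_sign(one_cent)))           # underpaid
    full = make_event("bk-0001", 400_000, "EUR")
    print(settle_booking(room, full, provider_sign(full)))                   # paid
    # A forged body without the provider's key is rejected outright.
    print(settle_booking(room, full, "00" * 32))                             # rejected: bad signature
```

The design point is that payment state is derived from an authenticated message the client cannot mint, and the amount is reconciled against the server's own record; a mismatch is a reconciliation case to investigate, not a paid booking.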
🇵🇱 Polish police arrested a 47-year-old suspect linked to the Phobos ransomware group and seized computers and phones with stolen credentials and server data. The arrest was part of Operation Aether, an international effort coordinated by Europol targeting Phobos infrastructure and affiliates. The suspect faces charges for creating and distributing hacking tools and could get up to five years in prison.
🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!
👨🏻⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🇵🇱 🇨🇳 Poland’s army now bars Chinese-made cars from entering protected military sites over information security risks. The ban targets vehicle systems that can record or transmit location, images, or sound. The rule is preventive, follows NATO practices, and does not affect public use of these cars.
🇺🇸 🧑⚖ A judge scolded members of Mark Zuckerberg’s team for wearing Ray-Ban Meta AI glasses with a camera as they entered a Los Angeles courtroom — The judge ordered the glasses removed and warned anyone who recorded must dispose of footage or face contempt. The incident occurred during a trial over whether Meta and YouTube design platforms that harm children.
🇺🇸 🇨🇳 Texas sued TP-Link, accusing it of hiding that its routers are built from Chinese parts and are vulnerable to state-backed Chinese hackers. The suit says TP-Link misled consumers about security and that its devices were used in large botnets and credential-theft attacks. Texas seeks fines and orders forcing disclosure of Chinese origins and an end to collecting user data without consent.
🇪🇸 ⚽ A Spanish court ordered NordVPN and ProtonVPN to block 16 websites and related IPs that stream LaLiga matches illegally. The ruling was made without the VPNs being heard, and the companies say they were not notified. LaLiga says VPNs enable piracy and must help stop it, while VPNs argue the order is procedurally invalid and ineffective.
👀 🇦🇴 Amnesty International says Intellexa’s Predator spyware was used to hack an Angolan journalist’s iPhone via a WhatsApp link. The hack shows governments are using commercial spyware to target journalists and others. Researchers found forensic links to Intellexa but could not identify the exact customer.
🇮🇪 Ireland's Data Protection Commission has opened a formal probe into X over its Grok AI creating non-consensual sexual images, including of children. The investigation will check if X complied with GDPR rules like lawful processing and data protection by design. This adds to multiple international probes into Grok, which could lead to big fines across the EU.
🔕 👀 Amazon’s Ring ended plans to integrate with surveillance firm Flock Safety after announcing the joint project would take more time and resources than expected. The cancellation came amid backlash to a Super Bowl ad showing a camera network finding a lost dog, which sparked fears about intrusive tracking and face recognition. Privacy advocates and a U.S. senator warned Ring’s features could erode civil liberties.
🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.
🦠 MALWARE & THREATS
🏧 🤑 The FBI warns of a rise in ATM jackpotting, with over 700 attacks in 2025 and losses above $20 million. Attackers install malware like Ploutus to make ATMs spit out cash quickly. Authorities are prosecuting suspects and sharing detection tips.
📺 Researchers found a new Android trojan called Massiv that hides in fake IPTV apps to steal banking data. It uses overlays, keylogging, SMS interception, and remote control to take over devices and commit fraud. Massiv spreads via SMS droppers and targets users in Spain, Portugal, France, and Turkey.
🤖 Researchers at ESET found PromptSpy, an Android malware that uses Google’s Gemini AI during runtime to guide taps and swipes for persistence. It uses a VNC module and Accessibility Services to steal PINs, capture screens, block uninstallation, and lock itself in recent apps. ESET says it may be a proof of concept with possible links to Chinese developers and a delivery domain aimed at Argentina.
🔙 🚪 📲 Kaspersky found a new Android backdoor called Keenadu preinstalled on many devices and pushed via firmware updates or fake apps. The malware gives attackers full remote control but is mainly used for ad fraud like hijacking searches and clicking ads. Infections were seen on about 13,000 devices worldwide and researchers link Keenadu to large botnets with likely Chinese origins.
🤖 Researchers found Microsoft Copilot and xAI Grok can be abused as stealthy malware command-and-control (C2) relays by using their web-browsing and URL-fetch features. This lets compromised machines fetch attacker commands and send data back through the AI without needing API keys or accounts. The technique could enable AI-driven malware that adapts and evades detection.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🔎 Anthropic launched Claude Code Security, an AI tool that scans code for vulnerabilities and suggests fixes. It will roll out first to select enterprise and team testers after extensive internal and lab testing. The company says the tool speeds up finding bugs but human experts are still needed for higher-level threats.
👀 📧 Microsoft confirmed a bug let Copilot Chat read and summarize customers’ confidential emails without permission — The issue affected emails labeled confidential since January, even when data-loss-prevention rules were in place. Microsoft says it started rolling out a fix in February.
🚫 DEF CON has banned three people—Pablos Holman, Vincenzo Iozzo, and Joichi Ito—after they appeared in DOJ files and emails connected to Jeffrey Epstein. The bans follow reporting linking them to Epstein and similar moves by other cybersecurity events. The three have disputed wrongdoing, saying interactions were business-related or minimal.
🍎 💬 🔐 Apple is testing end-to-end encrypted RCS messaging in the iOS and iPadOS 26.4 developer beta. The feature is limited to Apple devices and not all carriers or devices yet. The beta also adds stronger memory safety protections and stolen device safeguards.
📱 🤖 Google released the first Android 17 beta with new privacy and security defaults — It blocks unencrypted cleartext traffic by default for new apps and adds HPKE support for stronger encryption. Other changes include default certificate transparency, a new install-time localhost permission, and a push toward “secure-by-default” app behavior.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
➝ From the Patching Department:
💥 A critical pre-auth RCE in BeyondTrust remote support (CVE-2026-1731) lets attackers run OS commands and fully compromise systems. Unit 42 observed active exploitation using webshells, SparkRAT, VShell, lateral movement, and data exfiltration across multiple sectors and countries. Patches and mitigations exist, and many instances remain exposed, so urgent patching and monitoring are needed.
🇨🇳 🫥 Chinese-linked hackers used a Dell RecoverPoint zero-day (CVE-2026-22769) to get root access and stay hidden for about 18 months. Researchers say the group replaced older malware with a harder-to-detect backdoor and likely compromised dozens of organizations. Dell has released a patch and agencies are sharing detection guidance.
🔓 ☁ Researchers at ETH Zurich found that popular cloud password managers (Bitwarden, LastPass, Dashlane, 1Password) can have vaults compromised if the provider’s servers are fully malicious. They exploited recovery, SSO, sharing, and compatibility features to read and sometimes modify users’ stored credentials. Vendors say fixes and mitigations are being rolled out, but some issues are design trade-offs or hard to fully eliminate.
🛰️ ICS, OT & IoT
🎥 🐛 CISA warns a critical Honeywell CCTV flaw (CVE-2026-1670) lets attackers change recovery emails and take over accounts. The bug scores 9.8 and affects several mid‑level Honeywell camera models. Users should isolate devices, use secure remote access, and contact Honeywell for patch guidance.
🏠 A security researcher found that DJI Romo robovacs and some power stations leaked lots of data to public servers he could read. He could see live video and control devices before DJI partially fixed the issue. The incident shows weak security and raises concerns about who can access people’s home cameras and data.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague—it’s one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.