Have I Been Pwned has added the US automotive marketplace Edmunds to its breach corpus with 177,860 unique email addresses. Edmunds is a widely used car-research and shopping platform offering pricing, reviews, and dealer listings. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected users should anticipate car-buying-themed phishing such as financing offers, dealer-contact lures, or vehicle-quote follow-ups, and should rotate any reused passwords. The addition continues a steady run of mid-size US consumer-platform breaches surfacing in HIBP.
Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.
SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux kernel local privilege escalation in the CIFS subsystem that lets an unprivileged user forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) mounts and accesses files across a network; when a share uses Kerberos, the kernel asks the user-space cifs-utils helper to authenticate. The CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's CIFS client, so a local attacker can supply a forged key and gain root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.
The ShinyHunters extortion group has now published the Charter Communications data it stole, after the telecom giant apparently refused to pay. Earlier reporting put the breach at 4.9 million HIBP-confirmed unique accounts; ShinyHunters' leak is described as potentially impacting up to 5 million customers. Charter is one of the largest US telecoms, providing internet, cable, mobile, and phone services to residential and business customers under the Spectrum brand. The data was originally exfiltrated via voice-phishing of a Microsoft Entra account on April 1 and a Salesforce export. With the data now public rather than merely claimed, the phishing and identity-theft risk to affected customers rises sharply.
Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.
Dutch authorities have taken offline a botnet of at least 17 million infected computers, tablets, and smartphones, seizing more than 200 servers at a Netherlands-based hosting provider. The action was led by the National Police with the National Cyber Security Centre (NCSC). Local media link the infrastructure to Asocks, a service that advertises itself as a universal residential-proxy provider - the kind of proxy network used to launder malicious traffic, run credential-stuffing and ad fraud, and anonymize attacks. The hosting provider took the botnet offline once it was confirmed to be supporting criminal activity. Authorities have not formally named the botnet or announced arrests.
Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.
WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.
Google has made Device Bound Session Credentials (DBSC) generally available in Chrome, rolling it out to all users to blunt session-cookie theft. First announced in 2024 and in beta since April, DBSC cryptographically binds session cookies to a specific device using the hardware security chip - the TPM on Windows or the Secure Enclave on macOS. Because the public/private keys are generated inside the security chip and never leave it, stolen cookies become useless on any other machine, defeating the infostealer-to-account-takeover pipeline that bypasses MFA. Google frames it as a shift from reactive detection to proactive prevention. The protection is most effective where sites adopt the DBSC server-side protocol.
Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.