Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Automotive marketplace Edmunds added to Have I Been Pwned with 177,860 breached accounts; expect car-buying-themed phishing

Have I Been Pwned has added the US automotive marketplace Edmunds to its breach corpus with 177,860 unique email addresses. Edmunds is a widely used car-research and shopping platform offering pricing, reviews, and dealer listings. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected users should anticipate car-buying-themed phishing such as financing offers, dealer-contact lures, or vehicle-quote follow-ups, and should rotate any reused passwords. The addition continues a steady run of mid-size US consumer-platform breaches surfacing in HIBP.

Check
Check whether your @company emails appear in HIBP's Edmunds corpus. Warn affected staff about car-buying-themed phishing (financing offers, dealer contacts) over the next 30-60 days.
Affected
177,860 unique email addresses tied to Edmunds accounts. Reused passwords are the primary downstream risk; expect automotive-themed phishing and credential-stuffing against other services.
Fix
Affected individuals: rotate Edmunds passwords and any reused elsewhere, enable MFA. Organizations: add Edmunds to breach-monitoring watchlists and brief staff on car-shopping-themed social engineering.

WP Maps Pro CVE-2026-8732 actively exploited to create unauthenticated admin accounts on WordPress sites - 'temporary access' AJAX endpoint flaw

Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.

Check
Inventory WordPress sites for the WP Maps Pro plugin and confirm version. Audit the WordPress users table for unexpected administrator accounts created recently. Review AJAX endpoint access logs.
Affected
WP Maps Pro versions 6.1.0 and older on WordPress. The unauthenticated AJAX 'temporary access' endpoint lets anyone create an admin account and receive a passwordless login URL.
Fix
Update WP Maps Pro to the patched version immediately. Remove any unauthorized administrator accounts. Rotate all admin credentials and audit for backdoors, web shells, or plugin/theme tampering.

CIFSwitch Linux LPE: forged cifs.spnego key descriptions trick cifs.upcall into running as root - cifs-utils 6.14+ across multiple distros

SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux kernel local privilege escalation in the CIFS subsystem that lets an unprivileged user forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) mounts and accesses files across a network; when a share uses Kerberos, the kernel asks the user-space cifs-utils helper to authenticate. The CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's CIFS client, so a local attacker can supply a forged key and gain root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.

Check
Inventory Linux hosts with cifs-utils 6.14+ that mount Kerberos-authenticated CIFS shares. Identify multi-user systems where untrusted local users have shell access. Check distribution advisories for patched cifs-utils.
Affected
Linux distributions shipping cifs-utils 6.14 and higher (some older variants also affected) where the kernel CIFS subsystem fails to verify cifs.spnego key-request origin. Local shell access required.
Fix
Apply distribution kernel and cifs-utils updates as they ship. Where patches lag, restrict local user access on systems mounting Kerberos CIFS shares. Monitor request-key and cifs.upcall invocations.

ShinyHunters publishes Charter Communications data after failed extortion - up to 5 million customer records now leaked, not just claimed

The ShinyHunters extortion group has now published the Charter Communications data it stole, after the telecom giant apparently refused to pay. Earlier reporting put the breach at 4.9 million HIBP-confirmed unique accounts; ShinyHunters' leak is described as potentially impacting up to 5 million customers. Charter is one of the largest US telecoms, providing internet, cable, mobile, and phone services to residential and business customers under the Spectrum brand. The data was originally exfiltrated via voice-phishing of a Microsoft Entra account on April 1 and a Salesforce export. With the data now public rather than merely claimed, the phishing and identity-theft risk to affected customers rises sharply.

Check
If you are a Charter/Spectrum customer or vendor, treat the leaked dataset as public now. Watch for Spectrum-themed phishing and account-recovery fraud over the next 60-90 days.
Affected
Up to 5 million Charter/Spectrum customers whose records are now publicly leaked, not just claimed. Names, contact details, and plan information enable targeted phishing and impersonation.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter contacts. Organizations: refresh breach-monitoring watchlists and brief help desks against Charter-themed social engineering.

Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently

Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.

Check
Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
Affected
PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
Fix
Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.

Dutch police dismantle 17-million-device botnet linked to Asocks proxy service, seize 200+ servers at local hosting provider

Dutch authorities have taken offline a botnet of at least 17 million infected computers, tablets, and smartphones, seizing more than 200 servers at a Netherlands-based hosting provider. The action was led by the National Police with the National Cyber Security Centre (NCSC). Local media link the infrastructure to Asocks, a service that advertises itself as a universal residential-proxy provider - the kind of proxy network used to launder malicious traffic, run credential-stuffing and ad fraud, and anonymize attacks. The hosting provider took the botnet offline once it was confirmed to be supporting criminal activity. Authorities have not formally named the botnet or announced arrests.

Check
Check whether your network egress or fraud logs show traffic to or from Asocks residential-proxy exit nodes. Review IoT and endpoint fleets for proxyware infections feeding such services.
Affected
17 million compromised devices (computers, tablets, smartphones) conscripted into the proxy botnet. Organizations targeted via proxied credential-stuffing, ad fraud, and anonymized attacks routed through residential IPs.
Fix
Block known Asocks infrastructure once IoCs are published. Hunt for proxyware and residential-proxy SDKs on managed devices. Add residential-proxy ASNs to fraud-scoring and bot-detection rules.

ChatGPhish: ChatGPT auto-renders attacker Markdown links, images, and QR codes from summarized web pages as trusted clickable phishing

Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.

Check
Warn staff that ChatGPT summaries of untrusted pages can render attacker links, fake alerts, and QR codes. Treat clickable elements in AI summaries with the same caution as email links.
Affected
Any organization using ChatGPT for research or summarization of third-party web content. The trusted-UI rendering of attacker Markdown bypasses normal phishing-awareness instincts and desktop URL filters.
Fix
Apply OpenAI's fix once available. Train users not to scan QR codes or click links surfaced inside AI summaries without verification. Restrict enterprise ChatGPT connectors that auto-summarize untrusted URLs.

WithSecure: Russia-linked GREYVIBE targets Ukraine with AI-assisted malware via PhantomMail, PhantomRelay RAT, and ClickFix fake-CAPTCHA chains

WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.

Check
Hunt for PhantomRelay PowerShell RAT activity and JavaScript loaders from Google Drive or 4sync links. Block known GREYVIBE ClickFix domains impersonating Zoom. Apply WithSecure IoCs.
Affected
Ukrainian military, government, civilian, and business organizations and Ukraine-related entities. Delivery via spear-phishing, fake CAPTCHA pages, and fraudulent adult-club websites since August 2025.
Fix
Block GREYVIBE C2 and loader-hosting domains per WithSecure. Restrict PowerShell for standard users. Train staff against ClickFix fake-CAPTCHA 'paste this command' prompts. Monitor Google Drive/4sync archive downloads.

Google Chrome rolls out Device Bound Session Credentials to all users, binding cookies to TPM/Secure Enclave against theft

Google has made Device Bound Session Credentials (DBSC) generally available in Chrome, rolling it out to all users to blunt session-cookie theft. First announced in 2024 and in beta since April, DBSC cryptographically binds session cookies to a specific device using the hardware security chip - the TPM on Windows or the Secure Enclave on macOS. Because the public/private keys are generated inside the security chip and never leave it, stolen cookies become useless on any other machine, defeating the infostealer-to-account-takeover pipeline that bypasses MFA. Google frames it as a shift from reactive detection to proactive prevention. The protection is most effective where sites adopt the DBSC server-side protocol.

Check
Confirm managed Chrome fleets are updated to the DBSC-capable release. For your own web properties, evaluate adopting the server-side DBSC protocol to bind user sessions to device hardware.
Affected
Organizations relying on session cookies without device binding remain exposed to infostealer-driven account takeover that bypasses MFA. DBSC only protects sessions where both browser and server support it.
Fix
Roll out DBSC-capable Chrome via policy. Implement the DBSC server-side protocol on high-value web apps. Pair with phishing-resistant MFA and short session lifetimes for defense in depth.

Signal phishing campaign impersonates Support to steal backup recovery keys from journalists and activists, enabling full message decryption

Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.

Check
Brief journalists, activists, and high-risk staff that Signal never requests backup recovery keys. Treat any 'Signal Support' text asking for keys or codes as a phishing attempt and report it.
Affected
Signal users - particularly journalists and activists targeted by surveillance-motivated actors. The attack is pure social engineering; Signal's encryption is not broken, but a handed-over recovery key decrypts all backups.
Fix
Never share Signal recovery keys or codes with anyone. Enable registration lock. For high-risk users, store recovery keys offline and verify any support contact through official Signal channels only.