
~8 MIN READ
Fact: The average cost of a data breach reached $4.88 million in 2024, the highest on record. For healthcare organizations, it was $9.77 million. (IBM Cost of a Data Breach Report, 2024)
The Signal
 

When disclosure arrives after exploitation starts, “affected organizations” is already past tense. This edition: what got hit before anyone knew to patch it, how AI tools became exfiltration infrastructure, and why the agency that issues your passport couldn’t stop a teenager.

PS — Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
  📌 Big Cyber News
  🚨 Can’t Miss
  🤖 AI in Cyber
  🏛️ Privacy, Power & Policy
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
Zero-day / Active Exploitation
Oracle PeopleSoft Has an Unpatched Zero-Day. ShinyHunters Has Been Using It Since May.
Intro
If you run Oracle PeopleSoft PeopleTools anywhere in your environment, stop reading and go check your exposure right now. We will still be here.
What Happened
CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools. Mandiant confirmed active exploitation starting May 27. Oracle disclosed it on June 12. There is no patch. ShinyHunters has breached more than 100 organizations, 68 percent of which are US higher-education institutions. They are naming victims publicly and demanding extortion payments. The University of Nottingham confirmed that student personal data was stolen. Mandiant’s CTO stated on June 12 that the campaign was “still active as of today.”
Why It Matters
Oracle went public after attackers were already inside most of these networks. A vendor disclosure that arrived more than two weeks after exploitation began means “affected organizations” was never a future state. The higher-ed concentration is particularly grim: lean security teams, large attack surfaces, and student data that cannot be unspilled.
The Other Side
Oracle’s position is that they disclosed once the vulnerability was confirmed and mitigation guidance was issued alongside the advisory. Whether three weeks of active exploitation before disclosure meets any reasonable standard of coordinated response is a question the industry has not finished asking.
 
👉 Takeaway
If PeopleSoft is in your stack, apply Oracle’s interim mitigations immediately. Review for indicators of compromise going back to May 27. Do not wait for a patch before acting on this.
TL;DR: ShinyHunters exploited an unpatched PeopleSoft RCE for two weeks before Oracle disclosed, and they were still in as of disclosure day.
Further reading: CyberScoop
🚨 Can’t Miss
 
Zero-day / Cybercrime
Operation Ghost Hook dismantled “Outsider,” a Chinese phishing-as-a-service network that sold Telegram bot subscriptions for $88 per week. Fake package delivery notices, fake toll violations, fake parking tickets. AI-generated custom lures per target. By shutdown: 3.9 million stolen credit cards, 55 countries, $1.9 billion in documented losses. FBI, Google, and Lumen seized domains, the Shopify storefront, and roughly $100K in crypto.
The $88/week price point is the detail to sit with. This was not sophisticated nation-state infrastructure. It was a franchise.
 
Vulnerability
CVE-2026-20253 lets an unauthenticated attacker overwrite a Python script via a PostgreSQL sidecar endpoint. Splunk then repeatedly executes that script as the service account. CVSS 9.8. Affected versions: Splunk Enterprise 10.0.0-10.0.6 and 10.2.0-10.2.3. No active exploitation confirmed yet, but the full exploit chain is public. Patched versions 10.0.7 and 10.2.4 are available now. Splunk Cloud is not affected.
“No active exploitation yet” and “full exploit details are public” rarely share a timeline for long. Patch now.
 
Espionage
Denis Nikolayevich Obrezko faces charges for conspiracy to commit unauthorized computer access as part of Void Blizzard (aka Laundry Bear), a Kremlin-linked group targeting US government agencies, defense contractors, and critical infrastructure. The method: stolen session tokens routed through US commercial proxy services to mask origin. The Dutch National Police confirmed their force was infiltrated by the group in September 2024.
Void Blizzard’s proxy routing through legitimate US services is a reminder that traffic origin is not a reliable indicator by itself.


🤖 AI in Cyber
 
AI misuse
Varonis researchers disclosed CVE-2026-42824, a chained exploit they named “SearchLeak” that converted Microsoft 365 Copilot into a silent exfiltration tool. Three links in the chain: parameter injection into Copilot prompts, an HTML rendering race condition, and a Bing SSRF CSP bypass. The victim clicks one crafted link. Copilot silently pulls their email, OneDrive files, and SharePoint documents and ships the contents to an attacker endpoint via Bing. The victim sees nothing. Patched in early June 2026.
Copilot is not the only example. Any AI assistant with document access and browser integration is a candidate for this attack class.
 
AI enforcement
CFAKE.com and SOCFAKE.com are down. The two sites had 14,000 identified victims, 300,000 images, 7,000 videos, 200,000 user accounts, and 4 million monthly views. French national Cyrille B., 47, was arrested in Nice and faces trial July 7 with potential penalties of 7 years and €500,000. This is the first major enforcement action under the TAKE IT DOWN Act, the new US federal law specifically criminalizing non-consensual deepfake pornography.
The law named the crime. Whether enforcement can scale to the volume is a different question.
🏛️ Privacy, Power & Policy
 
Surveillance
At a Madison County, NC Board of Commissioners meeting, Chairman Michael Garrison refused to allow individual residents opposing Flock Safety license plate readers to testify. They could send one spokesperson or nothing. The county sheriff had been running Flock since at least March, logging 1,200-plus database searches in 60 days. The board’s position on oversight: “We don’t control the sheriff’s budget. We give him X dollars.” Citizens had no formal avenue left.
The Flock contract playbook: sign first, hold the meeting after, answer questions never.
 
Data leak
Flock Safety’s system was inadvertently indexing law enforcement license plate search queries, including the officers’ stated reasons for each search, through public search engines. Joseph Cox at 404Media confirmed it is not a theoretical risk. Sensitive surveillance data in public search results is a chain-of-custody failure with real implications for ongoing investigations and officer safety.
Two Flock stories in one week is a pattern. Watch this company.
 
Regulation
California AB 2564 would prohibit businesses from offering different prices based on personal data surveillance. The EFF and Consumer Reports are co-sponsoring. The documented targets: Princeton Review’s racial pricing algorithm, Uber and Lyft neighborhood-based fares, Tinder’s age-based subscription tiers. The bill passed the California Assembly and is in the California State Senate. Enforcement via AG prosecution and private right of action.
California passing this would set de facto national standards the way CCPA did. Senate vote is the one to watch.
🛠️ Tools & Tactics
 
Practical play
CISA BOD 26-04: A Four-Factor Framework for Deciding Which Vulnerabilities Get Fixed in 3 Days
Most patch programs run on “CVSS score = urgency.” CISA’s Binding Operational Directive 26-04 gives defenders a more practical triage model. Four factors determine how fast you must act: (1) is the asset internet-facing, (2) is the CVE in the KEV catalog, (3) is it auto-exploitable without user interaction, (4) how much system control does exploitation grant. Vulnerabilities that hit all four factors get a 3-day remediation window. Supplementary signals: EPSS probability scores, Global CVE data, and NIST’s new LEV metric. One known gap: the framework is oriented around internet-facing assets, so internal network vulnerabilities are not in scope.
Start with KEV-listed CVEs on internet-facing systems. If a vuln hits all four factors, you have 3 days — not 30.
Further reading: HelpNetSecurity
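The four-factor triage above as a small decision helper. This is an added example, not code from CISA or this newsletter: the 3-day window for findings that hit all four factors follows the directive as summarised; the fallback windows, the EPSS-based ordering, and the sample findings' KEV status and EPSS values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve: str
    internet_facing: bool         # factor 1: asset reachable from the internet
    in_kev: bool                  # factor 2: listed in CISA's KEV catalog
    no_user_interaction: bool     # factor 3: auto-exploitable, no click or login needed
    full_control: bool            # factor 4: exploitation grants full system control
    epss: Optional[float] = None  # supplementary signal (0..1), used only for ordering

URGENT_DAYS = 3  # BOD 26-04 as summarised: all four factors -> 3-day window
# Assumed fallback windows for fewer factors; not from the directive, tune to your program.
FALLBACK_DAYS = {3: 14, 2: 30, 1: 60, 0: 90}

def factor_count(f: Finding) -> int:
    return sum([f.internet_facing, f.in_kev, f.no_user_interaction, f.full_control])

def triage(f: Finding) -> dict:
    """Map one finding to a remediation window, or mark it out of scope."""
    if not f.internet_facing:
        # Known gap: the directive is oriented around internet-facing assets.
        return {"cve": f.cve, "in_scope": False, "days": None,
                "reason": "internal asset: outside BOD 26-04 scope"}
    n = factor_count(f)
    if n == 4:
        return {"cve": f.cve, "in_scope": True, "days": URGENT_DAYS,
                "reason": "all four factors: internet-facing, KEV, no interaction, full control"}
    missing = [name for name, hit in (("KEV", f.in_kev), ("no-interaction", f.no_user_interaction),
                                      ("full-control", f.full_control)) if not hit]
    return {"cve": f.cve, "in_scope": True, "days": FALLBACK_DAYS[n],
            "reason": f"{n}/4 factors, missing: {', '.join(missing)}"}

def worklist(findings: list) -> list:
    """In-scope findings ordered by window, then by EPSS (highest first) within a tier."""
    rows = [triage(f) | {"epss": f.epss or 0.0} for f in findings]
    rows = [r for r in rows if r["in_scope"]]
    return sorted(rows, key=lambda r: (r["days"], -r["epss"]))

# Constructed sample findings. KEV status and EPSS values are assumed for illustration.
SAMPLE = [
    Finding("CVE-2026-35273", True, True, True, True, epss=0.9),      # PeopleSoft RCE, actively exploited
    Finding("CVE-2026-20253", True, False, True, True, epss=0.6),     # Splunk, public chain, not in KEV (assumed)
    Finding("CVE-0000-00001", True, False, False, False, epss=0.05),  # placeholder, low-factor web bug
    Finding("CVE-0000-00002", False, True, True, True, epss=0.8),     # placeholder, internal-only host
]

if __name__ == "__main__":
    for row in worklist(SAMPLE):
        print(f'{row["cve"]}: {row["days"]} days ({row["reason"]})')
```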


🧪 Strange Cyber
 
Strange but real
A 15-Year-Old Allegedly Hacked the Agency That Issues Every French Passport
Intro
The suspect goes by “breach3d.” They are 15 years old. French authorities are investigating them for hacking the national agency that issues passports, national IDs, and driver’s licenses for every person in France.
What Happened
The alleged attacker accessed between 12 and 18 million records from the French national identity agency. Charges are being pursued under French law: up to 7 years in prison and a 300,000 euro fine. The investigation was reported by The Record in April 2026.
Why It Matters
If the breach scale is confirmed, this is one of the largest single identity record exposures in French history. The agency whose job is to verify who you are did not catch who got in.
The Other Side
A 15-year-old pulling this off is not a mitigating factor for the victims. It is, if anything, a more pointed indictment of the security posture than a state-sponsored actor would be.
 
👉 Takeaway
Identity agencies are high-value targets precisely because their data is foundational. Compromise a passport agency and you have undermined the root of trust for everyone in the registry. Age is not a security control.
TL;DR: A French teenager allegedly accessed 18 million identity records from the agency that confirms who you are. The irony of that is doing a lot of work here.
Further reading: The Record

