FACT: A single credential-harvesting campaign called FortiBleed has compromised more than 110 million credentials across 430,000+ FortiGate firewalls since February, and researchers just confirmed the stolen logins are being handed directly to two active ransomware operations. (SecurityWeek / SOCRadar, July 2026)
The Signal
 
This week the Supreme Court told law enforcement your phone's location history needs a warrant, and ATF canceled a location-tracking contract before Congress finished asking about it. Meanwhile, an AI agent ran a full ransomware attack with no human anywhere near the keyboard. Privacy won two rounds this week, and patching lost one. Here's what changed, what's still exposed, and one patch you need to make today.

PS: Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🏛️ Privacy, Power & Policy
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
Federal breach
DHS's Intel-Sharing Platform Just Became Breach Number Four
Intro
The agency responsible for securing the rest of the federal government just admitted its own information-sharing network got hacked, and this is starting to feel less like an incident and more like a pattern.
What Happened
DHS confirmed hackers breached the Homeland Security Information Network (HSIN), an unclassified platform agencies use to coordinate emergency response and share intelligence, between late May and early June. Sen. Mark Warner, vice chair of the Senate Intelligence Committee, warned the exposed data "risks national security" despite being technically unclassified. DHS has not disclosed what was taken.
Why It Matters
HSIN isn't a side project. It's currently supporting World Cup security coordination and was used to manage the response to January's fatal DC air collision, so a breach here carries real operational risk, not just embarrassment.
The Other Side
DHS calls the affected system a "specific, unclassified legacy information sharing environment," language doing a lot of work to make this sound smaller than the fourth major federal breach in roughly a year.
 
👉 Takeaway
If your organization coordinates with federal agencies through shared platforms like HSIN, treat any data submitted there as needing a fresh risk review now, not later.
TL;DR: Hackers breached DHS's own intel-sharing platform, the fourth major federal breach in about a year.
Further reading: TechCrunch
🚨 Can't Miss
 
 
Data breach
Hackers accessed Aflac Life Insurance Japan's policyholder portal repeatedly between June 15 and June 25 before anyone noticed, taking names, addresses, phone numbers, dates of birth, and insurance account details on 4.38 million customers and agents. About 230,000 people also had premium transfer account details exposed; no credit card data was taken.
Ten days of unnoticed access on a portal serving millions means detection, not just prevention, needs a hard look.
 
Ransomware
Researchers tracking FortiBleed, which has harvested 110 million+ credentials from 430,000+ FortiGate firewalls since February, found one operator logged into both the INC Ransom and Lynx negotiation panels using FortiBleed infrastructure. Twelve of 354 fully compromised targets have already been hit with ransomware.
If your FortiGate was ever exposed in this campaign, rotate every credential it touched: the access is now being resold into ransomware ops.
 
Cybercrime
Peter Stokes, 19, was extradited from Finland to Chicago on charges tied to a 2025 jewelry retailer breach and a US insurance company attack, part of a group that's extorted over $100 million from 100+ businesses since 2022. He was caught boarding a flight to Japan with two hard drives of evidence, after posting photos of a diamond-encrusted "Hack the Planet" chain.
Scattered Spider keeps getting caught partly because its members can't resist documenting the lifestyle their crimes buy.

One brand shipped 30+ landing pages last week. No developers.

A DTC brand briefed Viktor inside Slack: one landing page per Meta ad group, mapped to a different headline variant. He wrote the code, deployed each page to their subdomain, posted the URLs back in #marketing, and now monitors performance across the set.

Their content team uses him to draft email flows, generate creative variants, and audit Klaviyo segments every Friday. Their growth lead uses him to catch spend anomalies before the day starts.

20,000+ teams now have the same setup: one AI employee across every marketing tool. A teammate who ships work in Slack and Microsoft Teams.

🤖 AI in Cyber
 
 
AI security
LayerX built a BioShock-inspired puzzle that convinces agentic AI browsers, including ChatGPT Atlas, Comet, and Claude Chrome, that losing is winning, tricking them into dropping safety guardrails and exfiltrating credentials from other tabs. OpenAI patched the issue; Anthropic's fix failed; three other vendors never responded.
Treat every authenticated session inside an agentic browser as something the agent could be manipulated into exposing.
 
AI offense
Sysdig documented what it calls the first fully autonomous ransomware attack: an LLM agent exploited a Langflow flaw, harvested cloud credentials, pivoted to a production database, and encrypted 1,342 configuration items with no human directing a single step. When an admin login failed, the agent diagnosed and fixed the problem itself in 31 seconds.
The skill required to run ransomware just dropped to whatever it costs to run an agent on stolen compute, which is close to zero.
🏛️ Privacy, Power & Policy
 
 
Privacy law
In a 6-3 ruling in Chatrie v. United States, the Supreme Court held that police collection of geofence location data is a Fourth Amendment search, extending 2018's Carpenter decision to a new category of surveillance. Justice Alito's dissent warned the ruling will send "seismic waves" through Fourth Amendment law.
Courts are done letting "we bought it from a data broker" substitute for a warrant.
 
Surveillance
After lawmakers pressed ATF's director in a hearing about an "ad-tech type thing" the agency used to buy Americans' geolocation data, ATF quietly canceled the Penlink contract, despite having already run 340+ searches, 222 tied to active cases. A prosecutor and judge had already balked at the warrantless data in one arson case.
One good hearing question ended a surveillance contract faster than any lawsuit has this year.
🛠️ Tools & Tactics
 
 
Practical play
CISA confirmed active exploitation of CVE-2026-45659, a SharePoint flaw that lets any authenticated attacker with basic Site Member permissions run code remotely, no elevated access needed. Microsoft patched it in May, but over 10,000 SharePoint servers remain exposed online, and CISA wants federal agencies fixed by Saturday. If you run on-prem SharePoint 2016, 2019, or Subscription Edition, patch now and audit logs for Site Member accounts behaving oddly. Seven of the eleven SharePoint flaws CISA has flagged since 2021 also turned up in ransomware attacks, so "needs authentication" is not a reason to deprioritize this one.
Patch SharePoint now if you run it on-prem, and audit Site Member accounts for unusual activity.
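The audit step above is easy to say and hard to do without a starting point, so here is an added example of the kind of triage a defender would run over exported audit records. This is not code from the newsletter, CISA or Microsoft: the comma-separated log format, the sample records, the action names and the thresholds are all constructed for illustration and do not match SharePoint's real audit schema. The logic is the part that transfers: take only accounts holding the low-privilege Site Member role and flag the ones that succeed at actions a member should never need, spread across more sites than a member normally touches, or act at hours nobody is working.

```python
"""Flag Site Member accounts whose activity looks nothing like a Site Member's.

Added example, not the newsletter's or Microsoft's code. The log format and
action names below are constructed for illustration; map them onto whatever
your real SharePoint audit export looks like before using this for real.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: timestamp, account, role, site, action.
SAMPLE_LOG = """\
2026-07-13T09:02:11Z,alice@corp.example,Site Member,/sites/finance,ViewItem
2026-07-13T09:05:40Z,alice@corp.example,Site Member,/sites/finance,EditItem
2026-07-13T02:14:03Z,svc-intern@corp.example,Site Member,/sites/finance,ViewItem
2026-07-13T02:14:09Z,svc-intern@corp.example,Site Member,/sites/hr,ViewItem
2026-07-13T02:14:15Z,svc-intern@corp.example,Site Member,/sites/legal,ViewItem
2026-07-13T02:14:22Z,svc-intern@corp.example,Site Member,/sites/eng,ViewItem
2026-07-13T02:15:01Z,svc-intern@corp.example,Site Member,/sites/eng,UploadSolution
2026-07-13T10:30:00Z,bob@corp.example,Site Owner,/sites/eng,UploadSolution
2026-07-13T11:00:00Z,carol@corp.example,Site Member,/sites/hr,AddWebPart
"""

# Actions a Site Member has no business succeeding at. A member pulling one of
# these off is worth a ticket even on a patched server. (Constructed labels,
# not SharePoint's exact event names.)
PRIVILEGED_ACTIONS = {"UploadSolution", "AddWebPart", "ChangePermissions"}

MAX_SITES_PER_MEMBER = 3       # more distinct sites than this in one window is unusual
BUSINESS_HOURS = range(7, 20)  # UTC hours treated as normal working time


def parse_log(text):
    """Turn the constructed CSV export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, site, action = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "role": role,
            "site": site,
            "action": action,
        })
    return records


def find_suspicious_members(records):
    """Return {account: sorted list of reasons} for flagged Site Member accounts."""
    findings = defaultdict(set)
    sites_seen = defaultdict(set)
    for r in records:
        if r["role"] != "Site Member":
            continue  # only low-privilege accounts are in scope for this check
        acct = r["account"]
        sites_seen[acct].add(r["site"])
        if r["action"] in PRIVILEGED_ACTIONS:
            findings[acct].add(f"privileged action {r['action']} on {r['site']}")
        if r["time"].hour not in BUSINESS_HOURS:
            findings[acct].add("activity outside business hours")
    for acct, sites in sites_seen.items():
        if len(sites) > MAX_SITES_PER_MEMBER:
            findings[acct].add(f"touched {len(sites)} distinct sites")
    return {acct: sorted(reasons) for acct, reasons in findings.items()}


if __name__ == "__main__":
    for acct, reasons in find_suspicious_members(parse_log(SAMPLE_LOG)).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

On the sample data, `alice` is quiet and `bob` is a Site Owner doing owner things, so neither is reported; `svc-intern` is flagged three times over (off-hours, four sites, a privileged action) and `carol` once for the privileged action alone. The thresholds are deliberately simple so the output is explainable to whoever has to chase the ticket; tune them against your own baseline before trusting the quiet accounts.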

Wall Street is shifting billions into a select group of stocks, and MarketBeat’s updated 10 Best Stocks to Own in 2026 report reveals exactly which ones. Get the 10 names attracting fresh capital before the crowd catches on. Send My Free Report

🧪 Strange Cyber
 
Strange but real
The Hackers Who Shoveled Their Way Into Network Admin Access
Intro
Forget phishing emails and zero-days: the newest social engineering trick is just being helpful.
What Happened
According to The Register, attackers gained network admin access to a company by posing as workers who showed up and shoveled its snow, then were rewarded with the kind of trusted access that usually takes a fake IT ticket.
Why It Matters
It's a reminder that access controls built around digital identity checks miss the oldest attack vector: a person showing up, doing something helpful, and getting handed trust nobody verified.
The Other Side
Physical-proximity social engineering isn't new, and any organization with basic contractor vetting and least-privilege access should be immune to this particular flavor of it.
 
👉 Takeaway
If your process for contractors or "the nice person who helped in the parking lot" includes handing out admin credentials without a formal request and approval, that's the real vulnerability here.
TL;DR: Hackers got network admin access to a company by shoveling its snow, not by hacking anything.
Further reading: The Register

Claude vs Gemini. OpenAI vs Anthropic. Which lab ships next? Real money on all of it. Kalshi is the CFTC-regulated prediction market for tech readers. Trade what you know.
