Sign in Subscribe
11 min read Newsletters

this week in security — february 1 2026 edition

ShinyHunters' new hacking campaign targets 100 companies, AI app and toy spilled users' data, a pig-butchering scammer blows the whistle, Salt Typhoon hacked U.K. politicians' phones for years, and more.
~ ~

ShinyHunters target 100 organizations with new phishing attack
Cyberscoop: The ShinyHunters kids are back with a new hacking campaign targeting companies who rely on single sign-on (SSO) providers, like Okta and Microsoft. The hackers, who are known for their social engineering skills, are calling up helpdesks and employees with the aim of tricking them into entering their credentials and two-factor codes into a real-time phishing page — so that the hackers can log-in on the victim company's real SSO page to pilfer all of the company's data. Look, it doesn't have to be "sophisticated" or use a zero-day for it to be effective. These hackers are extremely good at this; it's literally their full-time job — and it's working. Silent Push sounded the alarm, finding dozens of domains used by the hackers to spoof the real domains of corporate giants. So far it looks like several companies have been hacked this way, including Match Group (owner of OKCupid, Hinge, and others), Bumble, Crunchbase, Panera Bread, and others. ShinyHunters are known for their extortion efforts, but the stolen data of late has been a mixed bag of sensitivity of late — so we'll see. 
More: The Register | 404 Media ($) | Bleeping Computer | Mandiant

a screenshot from Mandiant's blog, showing how the hackers gain initial access by voice-phishing, then sends them a link to a real-time phishing page, then they gain access to their SSO account usually by way of Okta, then they exfiltrate as much data as possible.

AI toy and AI chat app leaked users' chat logs and conversations
404 Media ($): Two AI slop disasters this week as 404 Media reports that the wildly popular AI app, Chat & Ask AI, which claims to have 50 million users, spilled hundreds of millions of chat logs exposed to the internet, in some cases highly revealing inputs from users. The misconfiguration allowed anyone to make themselves an authenticated user capable of accessing the app's Firebase database. Meanwhile: Wired ($) reports an AI toy called Bondu similarly exposed thousands of chat logs of children to anyone with a Gmail account. The researcher, Joseph Thacker, wrote up how the AI toy company exposed its web-facing console, including the personal information of children.
More: PCMag | @josephcox | @hypervisible

Salt Typhoon hacked phones of top U.K. officials for years
The Telegraph ($): It looks like the Salt Typhoon hacks (think China hacking telcos and internet providers) has found its way into the highest ranks of the British government. China's hacking unit reportedly targeted the phones of U.K. officials for years (though unclear if the hacks targeted any of the 15,000* prime ministers that the U.K.'s had over the past five years). The breaches date back to 2021 but were only discovered in 2024. Presumably, as they did in the United States, the hackers targeted unspecified telcos to get access to metadata and call recordings "at will," but this wasn't specified in the story. This comes as the U.K. cozies up to China, because when your biggest ally acts like an authoritarian, the logical step is to... find another authoritarian?! (*Slight exaggeration.)
More: LBC | Associated Press | The Register | @argvee

Heather Adkins tweet: "I have a few regrets in my career. Not being able to complete an investigation into Salt Typhoon as part of the USG’s Cyber Safety Review Board is creeping to the top of that list. Unfortunately I’m not surprised to see this news emerging in the UK, as I suspect the intelligence gathering is pervasive across many countries. And unfortunately I’m not surprised to see legally mandated backdoors (lawful intercept systems) exploited for adversarial gain."

How 'Red Bull' leaked the secrets of a scam compound, then escaped
Wired ($): Genuinely breathtaking reporting here from @agreenberg. Pig-butchering scams are huge, huge business, in some cases running on entire compounds across parts of Myanmar, Cambodia, and Laos, and capable of ensnaring thousands of unsuspecting victims around the world using romance lures. It's these compounds where the scammers — themselves often victims of trafficking and slavery — aim to steal as much money from their victims as possible, sometimes so that they can escape. One scammer was lured to a compound to work — but secretly contacted Greenberg to blow the whistle, leading to his daring escape. My words here won't do this story justice. It's just one of those stories you need to sit, read, and digest. Wired's security desk worked on a whole separate post detailing the scam from materials leaked by their whistleblower. Just absolutely brilliant work here: chef's kiss, no notes.
More: Wired ($) | @agreenberg thread | @couts

Hackers exploiting bugs in Microsoft, Fortinet, Ivanti, and WinRAR
Zero-day Roundup: Buckle up for a wild ride through zero-day city… we've got a bunch of vulnerabilities under exploitation to note, including… this emergency Microsoft Office bug under attack, which triggers when someone opens a malicious file... and… Fortinet patched a bug in its FortiCloud SSO that hackers are exploiting to create new admin accounts and steal data. Not to be outdone… WinRAR for Windows got hammered by multiple government-backed hackers exploiting a path traversal bug. And lastly: Ivanti confirmed that some customers were hacked thanks to not one, but two zero-day bugs in its Endpoint Mobile Manager (EPMM). Just throw it all in the trash and start again.
More: Bleeping Computer | SecurityWeek | Fortinet | PCWorld | Google

~ ~

PLEASE SUPPORT THIS NEWSLETTER!

~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.

Subscribe to support this newsletter

~ ~

Marquis blames hack at firewall provider SonicWall for its data breach
TechCrunch: Marquis, a company that allows banks and credit unions to visualize their customers' data, was hit by ransomware in September, affecting at least hundreds of thousands of people. According to a Marquis message to its customers that I've seen, Marquis blamed SonicWall for their breach, which exposed Marquis' firewall configuration file to hackers, which is how Marquis now says the hackers got in to steal data from its systems. Now Marquis wants SonicWall to pay —  literally. (Disclosure: I wrote this story!) Bleeping also has some good yarn on this story, too.

Booz Allen contractor took IRS job to leak Trump tax records
Zero Day: The U.S. Treasury said it's canceling all of its contracts with consulting giant Booz Allen Hamilton, years after a contractor leaked Trump's tax returns, which revealed the president showed almost no income tax over the course of a decade. This is likely the first time a major federal agency has cancelled significant government contracts over an infosec leak. The leaker was jailed in 2024, but @kimzetter dug into his case and found prosecutors alleged he took the job specifically to leak Trump's taxes. On top of that, Trump is now as a result suing the IRS, currently under his own control, for $10 billion of our money to further enrich himself.

Trump's cyber chief uploaded sensitive gov't documents to ChatGPT
Politico ($): CISA's acting head Madhu Gottumukkala sparked a Homeland Security review after he uploaded sensitive-marked government contracting documents ("for official use only") to the public version of ChatGPT. The department's info-leak sensors flagged the uploads but wouldn't say if there was any harm to U.S. security as a result. This is the same CISA head who failed a counterintelligence polygraph and won't release an unclassified report revealing how insecure the phone networks are. Normal stuff!

NSA chief pick champions FISA 702 spying law, weeks before its expiry
The Record: Section 702 of FISA, the surveillance law that lets the NSA and FBI spy on Americans without a warrant, is expiring in about *checks calendar* 12 weeks and the Trump administration has said nothing about saving it or seeking reform. Trump's pick to lead the NSA, Army Lt. Gen. Joshua Rudd, backs the law, saying it's vital to national security; while critics continue to demand that the law is reformed so the feds have to get a warrant before searching through Americans' comms. More via @jakelaperruque.

Secret cyber ops shielded 2024 election from trolls. Not for 2026
CNN ($): CNN has a deep-dive story on how the U.S. government launched several cyber operations against Russian and Iranian disinformation groups aimed at minimizing their influence on the 2024 election. After taking office, Trump gutted these election protections, leaving the U.S. facing an onslaught of propaganda ahead of the midterms this year. This comes as the U.S.' top spy was inexplicably at the scene of an FBI raid of an elections office in a Georgia county where Trump lost in 2020, and will just not shut up about it.

Spam sent from real Microsoft email, as Windows PCs get botched update
Ars Technica: Microsoft has disabled a Power BI feature that threat actors were abusing to send an avalanche of spam coming from a real Microsoft email address, which makes it look like a legitimate message. Meanwhile: Some Windows 11 users had a rough week after a botched Patch Tuesday security update left some users unable to boot their PCs. The good folks at AskWoody have been keeping track of the ongoing shituation. At least on the bright side, Windows 11 is such trash that it's pushing Windows users to Linux. 

Apple publishes new edition of its platform security guide
Apple: Geeks, rejoice! Apple's latest edition of its platform security guide [PDF] is out, detailing all the ways the company tries to keep your devices safe. New additions include how Apple is using quantum-secure cryptography, its automatic device restart feature (which helps to block police unlocking devices, detailed for the first time in 2024), and its new background security improvements feature.

Google takes legal action to knock out residential proxy network
Google Threat Intelligence: After securing a federal court order, Google took control of a series of domains used in a massive residential proxy network (aka botnet) made up of at least 9 million hijacked devices. These residential networks allow hackers to hide their malicious traffic to make it look like it's coming from a regular residential home, making it more difficult to spot. The Wall Street Journal ($) digs in, but to call this a "massive cyber weapon" is a push. (Dear WSJ's headline writers, please calm down.)

~ ~

Saudi hacked satirist, court rules: Justice for Ghanem Al-Masarir, a Saudi satirist and government critic, whose was awarded damages this week after the U.K. High Court ruled his phones were hacked with Pegasus spyware in 2018, likely by Saudi Arabia, and beaten up in London by Saudi agents. Al-Masarir said no amount of money would repair the harm. His story is harrowing and worth your time to read. "I am not the same Ghanem I used to be." (via BBC News ($), Reuters ($), The Guardian)

London cyberattack ongoing: A November hack on at least two London boroughs that rely on shared infrastructure continues to cause havoc, including the selling of homes, because local authorities provide information about properties and their surrounding areas, like flood risks. (via Bloomberg ($), @lukaszolejnik)

Ransomware forum off-ramps the internet: Notorious hacker forum RAMP (aka Russian Anonymous Marketplace) is now offline after Florida prosecutors secured a court order to seize its web and dark web (.onion) sites. RAMP was the go-to forum when ransomware gangs were banned from other major crime sites over fears that heat from law enforcement would draw unwanted attention. Well, now look at what happened! (via DataBreaches.net)

a screenshot of a seizure notice splash screen on the RAMP forum, showing a red banner: "THIS SITE HAS BEEN SEIZED"

British bobbies expand face-scanning vans: U.K. politicians are allowing police to roll out more facial recognition vans and AI tools (heavy sigh) across the country. Critics have long said that facial recognition tech is deeply flawed and all too often identifies false positives. Yet, the U.K. is taking this extremely lazy approach to law enforcement and civil liberties be damned, apparently. (via Sky News, @mattburgess1)

U.S. probing government crypto hack: The U.S. Marshals has refused to comment beyond that it's investigating a suspected hack of seized crypto that the agency stores on behalf of the federal government. A top Trump crony said on toxic hellsite X that he's "on it," after crypto investigator @ZachXBT identified the possible source of the alleged theft of $40 million in crypto. (via Bloomberg ($), Coinbase)

Hacking the Nobel prize: The Nobel Committee says the name of the recent Peace Prize winner, Venezuelan opposition leader Maria Corina Machado, was revealed early, likely due to a hack. Norway's intelligence agency was called in to investigate, but the results were inconclusive. (via Reuters ($))

Berserk Bear blamed for Polish grid hack? Plot twist: Was it a Russian government hacking group Sandworm behind the recent failed attempt to knock out its power grid, or was it — as the Polish government suggests — a different Russian government hacking group dubbed Berserk Bear? That could, plausibly, explain why the hack seemed different from previous Sandworm energy blackouts. Thankfully, Zero Day has two stories this week further dissecting the failed Polish outage cyberattack. (via CERT-PL, Dragos)

DHS tried to unmask ICE trackers: Homeland Security has tried to unmask people behind anonymous online accounts sharing the locations of ICE agents (which is not unlawful) by filing subpoenas with Meta for their users' data. DHS withdrew the subpoenas, but not without drawing a ton of attention to itself. (via Bloomberg ($))

~ ~

And that's all the news you need to know from this calamitous week. Onto the happy corner, stat!

First off, a much-needed bonus security cat:

an animated GIF of someone's house window with a sign that reads: "WARNING: 24 hour security system" with a cartoon photo of a cat. And, the camera pans across the window to show a cat on the window ledge that looks exactly like the cat in the poster.

As for counterpoint, bonus social engineering cat:

da_667 post on Mastodon: "'It was a sophisticated attack we could not have prepared for'.jpg" followed by a photo of a cat, meowing in frustration, next to a sign that says: "THE CATS HAVE BEEN FED. DON'T LISTEN TO THEIR BULLSHIT."

Good news for Android users, who will get new anti-theft features that make it more difficult for phone-grabbers to steal your data or sell your phone. Meanwhile: WhatsApp rolled out "strict account settings" that aims to block spyware from abusing the messaging app to hack users' phones. And: Newer iPhones and iPads will allow users to limit the precise location data that devices share with cell carriers, which prevents law enforcement — or hackers and spies — from tapping phone networks to access a user's location (disclosure: I wrote this!)

*shouts loudly amid protests and a cloud of tear gas* Gas masks, anybody? Get your gas masks! Thanks to The Verge for this genuine service journalism.

And, lastly: Great news out of Iowa as two security researchers, who were back in 2019 employed to physically test the security of court house buildings but were caught and charged by what can only be described as a complete buffoon of a county sheriff, have been paid $600,000 to settle their lawsuit claiming wrongful arrest and defamation. Ars Technica has the story.

Got good news to share? Get in touch! this@weekinsecurity.com.

~ ~

This week's cyber cats are Méabh and Oisin, who can be seen here exhausted and relaxing by the fireplace after a hard day's work keeping their human occupied and entertained. With the weather here in the single-digits (Fahrenheit!), I would even turn to cybercrime if it meant being as snuggly and warm as these two. Thanks so much to Northwoods IT for sending in!

two ginger cyber cats on a bean-bag asleep, one of them belly up, in front of a wood-fire furnace. there's not much light, but it's a very cozy scene.

Send in your cyber cats! Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

~ ~

And that's..... it! Going once, going twice.... going... thrice? OK, we're done here! Thank you so much for reading. I hope you enjoyed this week's edition as much as I loved writing it.

As for me, look, I wasn't kidding when I said it was cold here on the east coast... the Hudson River is frozen and the air feels like tiny little razor blades on my face. Cue a live shot to me writing today's newsletter:

an animated GIF of Nick Offerman, playing Ron Swanson, sat at his computer desk layered up with jackets, gloves, and several hats, seemingly freezing cold.

If you want to get in touch, please do — it's lovely to hear from you (and especially your cyber-cats! Tell them pssp pssp psssp, they'll know what it means).

Ciao for now,
@zackwhittaker