this week in security — july 12 2026 edition
THIS WEEK, TL;DR
What happens if China cyberattacks the U.S.? Wired went to a cyberwar simulation to find out
Wired ($): Let's start this week's newsletter in New York's Times Square… *picks up microphone* …"We're all here to simulate and play-out a massive Chinese cyberattack on thousands of water facilities across the U.S., and you, the insurance companies holding the purse strings to most of America, get to decide who receives money in the immediate aftermath, and ultimately who lives and dies. Oh — and the U.S. military is breathing down your neck… and, don't mind that eminent cyber reporter Andy Greenberg is also in the room. Start the clock and… go!" This was excellent fly-on-the-wall reporting looking at how America would respond to a massive anticipated mass-hack on vital real-world systems, such as from the China-backed hacking group Volt Typhoon. The two-day cyberwar simulation was designed to "overwhelm" the responders, similar to how an attack would play out in real-time, not least to "surface and shatter assumptions" about how hacks happen. The hairs on my neck are still raised from reading this story.
More: @agreenberg | @MarkCMontgomery
U.S. fraudsters say they're buying exploits and hacking tools
Krebs on Security: Two American far-right conspiracy theorists and convicted fraudsters Jack Burkman and Jacob Wohl claim(!) to be dangling millions of dollars to buy zero-day exploits and details of security flaws in popular software, allegedly through a cybersecurity company they operate that allegedly started out as a pen-testing company. @briankrebs has the details of the operation, and hedges accordingly with deep skepticism given their backgrounds. Zero-day brokers are big business and growing worldwide as governments seek access to hacking tools that can break into suspects' devices, but neither Burkman nor Wohl appear to have any discernible cyber experience. I'm not sure if it's a damning indictment of how much the exploit brokering industry has proliferated, or that any idiot (or two, in this case) can set up an ostensible cyber shop.
Archive: Citation Needed | More: Washingtonian | @joemenn
Accenture confirms incident as hacker claims massive data breach
Cybersecurity Dive: Professional outsourcing giant Accenture had another data breach, according to a hacker taking credit for swiping 35 gigabytes of private RSA and SSH keys, Azure tokens and storage access keys, and configuration files, which may have allowed the hackers to go on a data-grabbing spree of Accenture's customers. The proof itself is still a bit thin; the hacker posted a screenshot and Accenture confirmed a breach but didn't comment further. HelpNetSecurity notes Accenture has been breached a lot in recent years, and this is just the latest incident. Also this week: Insurance firm AssuranceAmerica had a massive data breach affecting close to 7 million driver's license numbers, the largest known breach of drivers' personal information this year (disclosure: I wrote this!). And: ProPublica reports a Puerto Rico government official blatantly tried (and failed) to cover up a data exposure of about a million Social Security numbers.
More: SecurityWeek | The Register | TechCrunch ($) | CRN | SOCRadar
European lawmakers call for investigation after then-MEP's phone hacked with Pegasus
Common Dreams: Members of the European Parliament are furious that one of their (former) own, Stelios Kouloglou, had his phone hacked with the Pegasus spyware while he was investigating Pegasus as an elected representative. In an hour-long fury fest, EU lawmakers called on Brussels to investigate, while the EU Commission said any investigation was a matter for national governments — essentially, "it's not my problem." The hacking of a former lawmaker's phone is a big deal, with critics saying it's a strike against democracy itself. It's still not clear who hacked Kouloglou, but it's possible that he's not the only lawmaker who fell victim. Citizen Lab's @jsrailton has words about the lawmakers' speeches in an X thread, with most of them expressing anger and dismay about the affair. Meanwhile: The same European Parliament voted to extend legislation, dubbed "Chat Control," which is the bloc-wide effort to scan everyone's private messages for child abuse content. This is despite more members voting against the effort, it was still short of a majority, per The Register. Make it make sense...
More: Euractiv ($) | Wired ($) | Fight Chat Control | Patrick Breyer
~ ~
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.
Or, you can submit a one-time tip to show your support!
Recent stories include: Reframing smart glasses as 'pervert glasses' | Dozens of America's largest companies have no simple way to report security flaws | Will Oura say how many government demands it gets for user data? | A beginner's guide to analyzing the network traffic of apps and websites
~ ~
THE STUFF YOU MIGHT'VE MISSED
Hackers said to be exploiting bug in Progress ShareFile to steal data
Bleeping Computer: Software house Progress notified customers of its enterprise file sharing product ShareFile that it pulled their storage offline — and that self-hosted customers should "manually shut down their own servers — after a "credible" threat to customers' data. Per cyber soothsayer @GossiTheDog, the company may know more than it's letting on. The Clop extortion gang has been behind hacks of corporate file sharing systems in the past… Keep an eye on Progress' status page.

U.S. cyber agency CISA reveals lessons learned after password leak
CISA: Earlier this year, an employee at a CISA contractor left reams of passwords and credentials exposed in a public GitHub for all to see. Thanks to Krebs on Security, CISA was alerted and sprung into action. In its incident post-mortem out this week, CISA said it didn't have a specific playbook for handling a GitHub/cloud leak and had to build one from scratch. Some good lessons here from the U.S.' own federal cybersecurity agency.
Hacktivists deface U.S. Army websites with Trump insults
Cyberscoop: Two U.S. Army websites had their error pages defaced by hacktivists this week. The sites, which were modified to show insults about Trump, are run on WordPress and separate from Army systems.
Meta faces flak over rollout and abuse of its 'pervert' smart glasses
Vogue Business: Opposition to smart pervert glasses made by companies like Meta and Snap are intensifying, with celebrities like Lorde and Tyler, The Creator (who called for a ban) joining the criticism against these wearable internet-connected camera glasses. Vogue dug into the surveillance problem that these glasses have brought, and why they're technically legal but clearly grossing people out. This landed in the same week that Meta faced considerable backlash from users after launching… and then almost immediately removing Muse Image, which let people generate AI images from people's public Instagram accounts.
Russian hackers are breaching doorbell cameras to spy on NATO bases
The Telegraph ($): Speaking of creepy surveillance… Dutch spies say Russian-speaking hackers are hacking into consumers' video doorbells that point towards military transport routes in the hope of identifying which weapons are going to Ukraine. This camera-hacking playbook has been seen in Ukraine, as well as recently in Iran. Relatedly: The New York Times ($) exposed a secretive Russian intelligence unit tasked with stealing chips and transmitters for weapons, whose office is in the heart of... Tokyo.
A profile of Thalha Jubair, the Scattered Spider member behind London's transit network hack, set to be sentenced
London Centric: Top reporting from Jim Waterson's team on the ground in London profiling the downfall of Thalha Jubair, a millionaire teenage hacker who crippled London's transit network for months, forcing the entire staff to reset their passwords in person. Jubair, who pleaded guilty, is set to be sentenced next week, after police nabbed him by tracing a food delivery paid using a gift card from his hacking crypto wallet.
~ ~
OTHER NEWSY NUGGETS
FortiBleed bug hit U.K. gov: The ongoing FortiBleed attack targeting buggy Fortinet firewalls allowed Russian hackers to break into British government systems, allowing access to critical infrastructure. (via The Telegraph ($), NCSC)
CISA using Mythos to find flaws: CISA is now using Anthropic's cyber AI model Mythos to audit government software for security flaws, with the aim of securing them before they can be exploited. Sources say a large number of bugs have been found so far, though not clear how many could be actively exploited or were fixed through cleaning up code. (via Reuters ($), SecurityWeek)
Bonk bonked for $20M: Hackers stole $20 million in cryptocurrency from a decentralized finance organization called Bonk, a dog-themed memecoin. The hackers exploited a governance bug that allowed them to "approve" the fraudulent transaction. No word on who the attackers are, but North Korea has been stealing crypto for years. (via @bonk_inu, The Record, Decrypt)
Nayax probing potential monster breach: Israeli fintech firm Nayax confirmed a cyberattack in an SEC filing, with a hacker claiming (as yet without evidence) to have stolen a billion payment card details. Definitely a breach to watch, as if true, this could be sizable. (via Calcalistech, DataBreaches.net)
Flock cameras got auto journo stopped: Joel Feder, a journalist car reviewer for The Drive was tracked, boxed-in, and detained by police after Flock cameras incorrectly identified the company issued review car he was driving as stolen because of a data input error. Add Feder to the list of motorists who've been pulled over (and worse) because of Flock errors. In good news: Los Angeles is letting its contract with Flock expire, with cops saying the license plate tracking cameras pose "serious concerns around civil liberties and civil rights issues." (via ABC7, @kevincollier)
Ransomware negotiator helped ransomware gang: Angelo Martino is the third cybersecurity professional to be jailed for a scheme in which he and two others conspired with a ransomware gang to carry out hacks. Martino exploited insider information while working as a ransomware negotiator, no less. (via Cyberscoop, Justice Department)
Apple sues OpenAI, reveals security lapse: Apple is suing ChatGPT maker OpenAI for alleged trade secrets theft. The complaint makes for spicy reading. One thing stood out: Apple said one of its former employees named in the suit "could access the Apple’s network repository after leaving Apple, the result of a then-unknown authentication vulnerability." Details are light, but it reads like someone at Apple might have forgotten to fully decommission his network access after he left. Whoops! (via TechCrunch ($))

~ ~
THE HAPPY CORNER
That's all the cyber news you need to know for the week. Let's cool off and chill out in the happy corner.
I loved this long-read with security extraordinaire Tarah Wheeler, not least for the British slang (it reminds me of growing up there!), but critically for sage words on burnout and what it means to be a good leader. Plus, Wheeler dishes advice on how to get ahead, and who and what helped her on the journey to success.
If you're a security researcher who's experienced a cease-and-desist or demand letter (and we know there are plenty who have), the Security Research Legal Defense Fund is a non-profit that can help provide grants to those to fund legal defense. It's run by known and trusted folks in the community, so keep this in your back pocket. (via @KimZetter)
From @Em0nM4stodon, this is a much-needed reminder, especially when folks say that tech (especially bad tech) is "inevitable" — it's really not. From AI, surveillance, and creepy wearables and more, we have far more power than we realize to say "no."

And finally. I'm sorry, did someone put a base64-encoded bash script on a t-shirt? Yes, yes they did, and for a good cause! I won't spoil the surprise, but Tris Sherliker decoded it.

Got good news to share? Get in touch! this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This is Sophie, who can be seen here not wanting to take any chances with their human's cybersecurity: "No more snacks for you until you switch over to passkeys!" Thanks so much to Nina J. for sending in!

🐈 Please send in your cyber cats! The cyber cat bank is low! 🐈⬛ Have a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in an upcoming newsletter!
~ ~
SUGGESTION BOX
And that's all there is for this week's busy, busy edition. Thanks so much for reading, supporting, and subscribing to ~this week in security~!
Please do get in touch if you have anything you want to share, or if you've seen something for next week's newsletter. It's great hearing from you, especially if you flag something I might have missed! If you like this newsletter, please share it with a friend or colleague! And if you really want to make my day, consider a paying subscription for full access to the site of blogs and much more to come.
I am off to grab a bagel and enjoy some of the delightful weather in the NY/NJ area. I hope you enjoy the rest of your weekend and week, wherever you are, and I'll catch you this time next Sunday.
'til then,
@zackwhittaker