
this week in security — july 5 2026 edition

Supreme Court rules on geofence warrants, Oracle customers hacked (again), DHS confirms intel-sharing breach, six ISPs had email logins stolen, Apple bug exposes private emails, politician probing spyware hacked with Pegasus, and more.
~ ~

Supreme Court says search warrants are needed for accessing a person's location data
SCOTUSblog: It's good to be back online after a long weekend away with some actual good news (quelle surprise!) from the U.S. top court: Geofence warrants are search warrants, and must be treated as such, per Chatrie v. U.S. [PDF]. The ruling means Americans' geolocation data is legally protected, despite the controversial way that geofence warrants are used to reverse-engineer who was at the scene of a crime by searching a company's entire bank of location data. It's a complex ruling in part because the Supreme Court decided the case without really saying much more, instead bouncing the "figuring it out" part back to the Fourth Circuit to decide whether the search warrant itself was "reasonable" under the law. Legal analysts and lawyers on Bluesky (aka Lawsky) had all the analysis you could possibly need to parse the ruling.
More: Cyberscoop | Bloomberg ($) | The Guardian | The Washington Post ($) | @eff.org | @profferguson | @elizabethjoh | @mjsdc | @chrisgeidner | @paulohm 

Paul Ohm post on Bluesky: "First, and most significantly, the Court in Chatrie got it right! Geofence warrants are searches subject to the protection of the Fourth Amendment. Privacy wins!"

Oracle customers report PeopleSoft-related data breaches
Bleeping Computer: Carmaker Nissan and insurance group NAIC are the latest to report data breaches linked to a ShinyHunters hacking campaign from last month that targeted a bug (CVE-2026-35273) in Oracle PeopleSoft software, which companies use for human resources, payroll, and the like. More than 100 organizations have been hacked to date, so expect this hacking campaign to remain in the news as extortion demands continue. Unknown hackers are also said to be exploiting a new bug (CVE-2026-46817) in Oracle E-Business, a suite of business tools targeted by the Clop extortion gang last year.
More: The Register | Cybersecurity Dive | Infosecurity Magazine | IT Pro

Senator says hackers who breached DHS intel-sharing platform may have risked national security
Nextgov: The Dept. of Homeland Security confirmed an unclassified intelligence platform used for sharing information between federal, state and local authorities was breached and its contents accessed. The system, dubbed HSIN, is designed for coordinating big events and responding to major incidents, like the World Cup that's currently under way. It's not clear what kind of data was accessed, but HSIN previously had a security lapse that exposed information about Americans under surveillance, per Wired ($)… so that's not great. Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee (read: has access to actual classified information), said the breach may still be a risk to national security and called for answers. This is the latest in a series of breaches over the past year, not least DOGE's massive data swipe from federal databases, plus Signalgate, and CISA's security fustercluck.
More: TechCrunch ($) | Mark Warner | Hoodline

European lawmaker who investigated spyware abuses was hacked with Pegasus
Citizen Lab: Researchers with the University of Toronto's digital rights unit Citizen Lab found evidence that a former Member of the European Parliament (MEP), who served on the committee investigating government abuses of Pegasus spyware, was himself hacked with the Pegasus spyware back in 2022 and 2023. This was during a period when the committee was engaged in an intense back-and-forth to try to rein in spyware makers like NSO Group, whose spyware has been used to snoop on the phones of ordinary people with no connection to major or serious crimes (which governments say they need spyware for). It might not be a surprise that an EU lawmaker investigating Pegasus was himself hacked with Pegasus, but the actual implications are huge. EU parliamentarians said the phone hack was an attack on democracy and the law itself. To actively spy on a committee investigating the very tools used in the hacks is brazen; it almost sends a message of intimidation. The former MEP, Stelios Kouloglou, told me that the hacking was "reckless" and that he planned to sue NSO Group, though it's unclear which government customer actively used the spyware to snoop on Kouloglou.
More: Wired ($) | Reuters ($) | The Record | GovInfoSecurity | Politico EU

Breaches expose logins of 14 million ISP email customers
Bleeping Computer: KDDI, the largest internet provider in Japan, confirmed a data breach [PDF] affecting its email system that's used by five other internet providers, including STNet, JCom, and Nifty. The breach was discovered on June 17 and was blocked immediately, but not before the hacker stole some 14 million email usernames and passwords for accessing people's email. 

This hacking toolkit helps attackers launch email takeover scams
Cyberscoop: New research by Cisco's Talos found a new hacking toolkit that allows hackers to automate (to a degree) business email compromise (BEC) attacks. These attacks aim to trick company staff into redirecting payments or funds to attacker-linked bank accounts, oftentimes by hacking into email accounts and impersonating their owners mid-way through a conversation. BEC scams are big business for hackers and scammers and can net a ton of money. These toolkits can make these attacks easier to carry out.

U.S. House passes national age verification law, but Senate passing unlikely
The Record: The U.S. House of Representatives has overwhelmingly passed the KIDS Act, another online "child safety" bill (heavy air quotes) aimed at introducing nationwide online age checks. (Critics say age checks can be abused for surveillance and censorship.) However, the Senate wants stronger safeguards, including putting provisions on big tech directly, so the bill is unlikely to pass.

Apple's Hide My Email bug exposes people's real email addresses
404 Media ($): Apple's "Hide My Email" feature… doesn't, according to a startup founder who found a bug that exposes the real email addresses behind Apple's private email masking service. @josephcox verified the bug, but Apple hasn't fixed the issue after more than a year and won't say why, so specific details of the bug have been withheld from publication so it can't be abused.

FBI's FYI on TeamPCP after rash of hacks hitting code supply chains
IC3: What do Trivy, Aqua Security, Checkmarx, LiteLLM, and GitHub have in common? They've all been compromised by the cybercrime group TeamPCP, which has been on a hacking spree of late. The FBI issued a flash warning [PDF] about the hackers, who target developers and security tools, with the aim of using their hijacked access to break into a large number of people's computers that run affected software. (via @briankrebs)

Canadian spies use cyberattacks to counter cyber-crims
Communications Security Establishment: Canada's top spy agency disclosed in its annual report that over the past year, it combated espionage from China, "disrupted and diminished" the ability of fentanyl traffickers to broker and buy chemicals used for making drugs, and also launched an operation against a ransomware gang aimed at undermining the group's efforts to recruit new members. The full report is worth the read, but try searching the page for "active cyber operation" for some interesting notes on CSE's own cyberattacks, including one defensive operation aimed at protecting Canada's systems. Meanwhile: In Germany, the government is seeking new powers for its spy agencies to proactively go after and disrupt cyber-attackers, notably Russians.
More: Government of Canada | The Globe and Mail ($) | Reuters ($)

EY staffer nicked Aussie PM's bank deets: A junior EY (aka Ernst & Young) employee was fired and faces federal charges in Australia for accessing the prime minister's bank details. Another person was charged, too. Sky News has more. It seems like little prevented the access, except for a dialog box pinky-promising that the employee was allowed to see the data. It's not the first time that the Aussie PM had his data swiped during a security incident. (via Financial Times ($))

Hackers hit Aflac Japan: Hackers stole about 4.4 million people's data during a 10-day breach of Aflac Japan's systems, according to its incident page. (via SEC, SecurityWeek) This breach comes a year after its parent company, Aflac, was hacked to the tune of 22 million people as part of a Scattered Spider attack. Which… speaking of…

More like Splattered Spider: Peter Stokes, 19, has been extradited to the U.S. to face charges related to alleged hacking and extortion attacks as part of the Scattered Spider group. The Justice Dept. announced the charges, which included an accusation that Stokes and others hacked over 100 companies and demanded millions in cryptocurrency. The indictment [PDF] is worth a read, not least to discover how the feds caught Stokes — by tracking the use of his Windows computer. Stokes was also caught because he took photos of his crimes. (via BBC News ($), The Verge)

a photo from Peter Stokes' indictment, showing Stokes (allegedly) holding a fan of cash in front of his face while in a hotel room in Bangkok in 2024.

Mythos models are back online: Anthropic's cyber models Mythos and Fable are back online after apparently satisfying the Trump administration's alleged concerns about their cybersecurity guardrails. The models were forced offline for weeks following a White House intervention ostensibly about AI security but probably more about personality clashes. (via CNBC, @k8em0)

FBI cracks NetNut, seizes domain: The feds have seized NetNut… kind of. At least one domain is down but its main domain remains up (as of the time of sending). Google's security researchers say NetNut is a massive residential proxy network (aka: botnet) made up of at least two million hijacked internet-connected devices. (via Krebs on Security, Google Cloud, @m_chael)

Medtronic breach hits millions: An earlier breach at medical device maker Medtronic in April allowed hackers to steal data belonging to at least 3.8 million people, according to Indiana's attorney general's website. (via Medtronic, SecurityWeek)

ALPR cameras are error-prone: Automatic license plate readers have gotten dozens of motorists pulled over, detained at gunpoint by police, and jailed because of technical faults and failures. The IoJ lists a number of known cases, and outlines the dangers of this pervasive car-tracking technology. (via Institute of Justice, Wired ($))

Welcome back to the calm and tranquil space of the happy corner. And indeed, welcome back to the newsletter after my week away. This newsletter is now in its eighth(!) year, and I couldn't be prouder. 

A very happy U.S. Independence Day to all those who celebrated yesterday. My ears have just about stopped ringing from the hour-long sky explosion of fireworks in the New York area. I must remember for next year that one of the best places to see the fireworks is by taking the Q train that goes over the Manhattan Bridge — but really!

an animated GIF of a view from a moving subway train, going over the Manhattan Bridge between Brooklyn and Manhattan in New York, with fireworks exploding in the sky in the distance.

Onto some fun tech stuff. Here's a great web resource for choosing a public DNS resolver for your devices that can filter out malware, ads, and more with minimal configuration.

I cracked up seeing this discovery by @alice, which feels like the padlock equivalent of the classic "admin/pass" username/password combo. A key with a single notch is not very secure at all!

an animated GIF of Alice opening a padlock with a key that only has a single notch in it, showing that the padlock is not very secure at all.

Congrats to Rhode Island for passing a new genetic data privacy law that protects consumers with new rights over their genetic information. Law firm Covington has an explainer (via PogoWasRight).

Thanks to @runasand for flagging this four-day open source intelligence summit that's coming up. This course looks incredible, from investigating drug cartels and bombings to potential war crimes, while verifying data and filtering out AI and disinformation. It's $99 for access, which seems like an extremely good price.

And finally, I'll admit, I laughed at this week's closing thought. It certainly put my own problems in perspective!

Lazarou Monkey Terror post on Mastodon: "Today, the Voyager 1 spacecraft is 25.50 billion kilometres away from your bullshit. 🚀"

Got good news to share? Get in touch! this@weekinsecurity.com.

This week's cyber cat is Toast, who attempted but did not succeed in preventing her human from studying for and passing the CISSP exam (congrats, by the way!). Kitty sabotage and subterfuge come in many forms, but can be no match for chin scritches. Thank you so much to Shanni P. for sending in!

Toast is a black and white cat who can be seen sprawled out half-asleep over a computer textbook.

🐈 Haven't sent in a cybercat in a while? Send one in today! 🐈‍⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter! (If you've sent in before, drop me an update!)

And on that note, it's time to sign off for this week's newsletter. Thanks so much for tuning in again and reading. If you want to reach out to me about anything for the newsletter, please do — I'm just an email away. And if you liked this newsletter, feel free to share it on your socials, feeds, Slacks and whatnots. It's really appreciated!

Catch you next,
@zackwhittaker