this week in security — june 21 2026 edition
THIS WEEK, TL;DR
U.S. government's Anthropic ban wasn't really about an AI jailbreak
Axios ($), TechCrunch ($): Well that blew up… More than a week after the Trump administration used its export control powers to effectively ban Anthropic from offering its cybersecurity-focused Mythos and Fable models, they're still largely offline. What initially erupted over cybersecurity fears after the White House took umbrage at an alleged Amazon-discovered jailbreak in Anthropic's latest AI models quickly turned out to be largely "personality clashes" between Trump and Anthropic, per Axios ($). The White House also seems to want a resolution to the jailbreak issue, which experts say isn't possible to fully remediate. Dozens of security researchers and experts have since called on the government to pull its export restrictions to allow Anthropic to offer its models again. So far, no dice. Anthropic has since dispatched a team to Washington, D.C. to negotiate with Trump officials, but we're not likely to see any change in positions for the time being amid the impasse, and it's not known how long this might drag on. Tech Policy Press said the quiet part out loud, that the "climate is one of a cloud of suspicion that senior officials are picking favorites based on personal and political factors." Infosec legend Bruce Schneier also has thoughts.
More: Luta Security | TechCrunch ($) | Axios ($) | The New York Times ($) | Wired ($) | The New Stack
'FortiBleed' bug affects thousands of Fortinet firewalls, hackers reportedly cracked admin passwords
DoublePulsar: Security researcher Kevin Beaumont is filling in the knowledge gaps because Fortinet's response to its customers getting hacked has been (predictably) crap. Meet FortiBleed, a new mass-hacking campaign targeting Fortinet firewalls belonging to big corporations around the world. There are at least 1,000 known compromised organizations so far out of a suspected 75,000 total internet-facing firewalls. A hacking crew appears to have scanned the internet for these firewalls, somehow logged in (it's unclear exactly how), exported the firewall configs, and later cracked the hashed admin passwords offline. With working admin credentials, the hackers can log back into the firewalls and pivot into the victim's networks. CloudSEK also has a really good report on this campaign. Beaumont has IOCs, and the excellent folks at GAYINT have a list of affected Fortinet devices, so check if your organization is a victim. If your firewall is on that list, treat every credential and secret in the exported config as burned: rotate the admin passwords and any keys stored in the config, not just patch. CISA also has a hardening guide for Fortinet customers. Expect more from this ongoing (albeit rumbled) campaign.
More: The Register | Ars Technica | @IFIN | @GossiTheDog | @ransomwaresommelier | @shadowserver

Ozempic maker Novo Nordisk hit twice by separate hacking campaigns
DataBreaches.net: Journalist Dissent Doe reports that not one but two hacking campaigns have hit Danish pharmaceutical giant and Ozempic maker Novo Nordisk of late. One gang stole a ton of pseudonymized health data of clinical trial patients; pseudonymized data only stays private for as long as the key that maps the pseudonyms back to real patients does, so if that key ever leaks, so do the patients' identities. An entirely separate group, about two weeks later, stole gigabytes of AI-related data, source code, credentials, and more. The groups demanded $50M and $25M respectively, but neither got paid. Novo's negotiator allegedly strung the hackers along to give the firm time to prepare for a public disclosure. (I bet the negotiator got paid pretty well, though.) Dissent Doe has a great run-through in both stories of the state of Novo's security, in some cases as told by the hackers themselves, who were critical of the company's posture. Meanwhile: Cardiac equipment firm iRhythm said this week that it was hacked, with patient data stolen. The company didn't say how many people are affected.
More: DataBreaches.net | Reuters ($) | HelpNetSecurity | MedTech Dive | The Register
U.K. social media law announced, denounced, and potentially trounced amid possible change in U.K. government
The Guardian: Governments generally only roll out disastrous policies when they're in extreme distress or when their politicians are on a hideous losing streak. The U.K. is there, and is attempting to roll out a social media ban for kids under 16, following Australia's semi-unsuccessful effort to roll out its own law late last year. Even the kids are like, "this makes no sense." (But of course they'd say that; many of them are evidently smarter than our politicians these days.) This may also include bans on VPNs, per the U.K. tech minister. It's a staggeringly bad idea, but the BBC News ($) tries to make sense of it all. As you can imagine, much of it will rely on scanning your driver's license or passport for access. And yet none of this might matter if newly minted MP Andy Burnham becomes U.K. prime minister after an anticipated upcoming leadership battle among the ruling Labour Party. This is because the U.K. is a parliamentary system that allows leaders to change with relative ease (unlike other places 😑), which is why the U.K. is about to have its fifth prime minister in four years. Make that make sense, kids. More thoughts by @tjheffernan and Signal's Meredith Whittaker via Bloomberg ($).
More: GOV.UK | Wired ($) | EFF | Politico EU | NPR | @hypervisible
~ ~
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for access to exclusive articles, analysis, and more.
Or, you can submit a one-time tip to show your support!
~ ~
THE STUFF YOU MIGHT'VE MISSED
Spy agencies using bulk data to snoop on targets
Financial Times ($): Advertising intelligence, aka "Adint," is now one of the major sources of government surveillance, according to a survey of European spy agencies. Buying access to huge datasets containing people's browsing and location data is sometimes far easier for the spy agencies than tapping undersea cables and sifting through ungodly amounts of intercept traffic. Using an ad blocker (and denying apps location access they don't need) cuts down on how much of your data ends up in those datasets in the first place.
Some health providers are recording your mental health care visits
The Markup: A horror story from The Markup investigating how medical providers, like Kaiser, are recording patient interactions — including mental health sessions — using "ambient listening," which is code for "listen to everything and feed it into an AI model for processing." You can (and should be able to) opt out of this recording, but as The Markup notes, it's increasingly making patients feel uncomfortable and want to change doctors.
An elite secret society is exposed after a data leak spilled its members
Straight Arrow News: A Peter Thiel-founded secret society of elite members that allegedly exists for fostering off-the-record discussions *pinches bridge of nose and sighs relentlessly* can't even seem to keep its members' information secret, because its website exposed dozens of their email addresses and phone numbers. The list includes celebrities, politicians, journos, and more, per @crimew.gay. More via Wired ($).

Apple is about to kneecap its Hide My Email privacy service
Arseniy Shestakov: For no good (or obvious) reason, Apple is about to make its email-hiding feature, Hide My Email, less effective by moving users' masked email addresses from the @icloud.com domain (which every regular iCloud user also has, so masked addresses were indistinguishable from ordinary ones) to @private.icloud.com, making it far easier for websites and apps to spot and block anonymous users from signing up. I asked Apple why it changed this, but it didn't get back to me. (*makes chicken clucking noises*)
How residential proxy networks power hacker and crime groups
Wall Street Journal ($): Want to know more about how hackers hide in your router (and also apps and cracked video games) and hijack that access as a funnel for cybercrims' bad activity? Here's your primer on residential proxy networks, the backdoor software that powers them, and why they're a risk to confidential information. Plus! Brian Krebs digs into one major residential proxy provider and the botnet it allegedly (heavy wink) runs, thanks to millions of hijacked Android TV boxes.
~ ~
OTHER NEWSY NUGGETS
Knicks data nicked: The ShinyHunters hacking group leaked some 45GB of stolen data relating to the Knicks and Madison Square Garden, where the team just played, including "risk" score data about high-profile attendees, per 404 Media ($). Meanwhile, Have I Been Pwned reports retail giant JCPenney and fashion outlet Ralph Lauren also didn't pay the hackers after they had data stolen by the same group, nor did Kodak or the Council of Europe. (via HigherEd Dive, GovTech)
Not so sweet sugar cyberattack: Queensland-based Mackay Sugar, Australia's second largest sugar producer, was hacked, forcing the shutdown of at least two mills. The hack prompted the company to ask farmers to keep crops in the ground for longer. It's unclear if that'll affect the collective harvest. A hacking group called The Gentlemen (narrator voice: they are not) took credit. (via ABC.net.au, The Register)
Joomla bug sparks alarm: Joomla, the content management system used by an estimated 1% of the web, has patched a maximum-severity 10/10 bug that hackers are actively exploiting, per the software maker. The bug allows unauthenticated access and execution of PHP code, so that's… not great. Update today. (via Widget Factory, CISA, @IntCyberDigest)
Trump's Pulte takes spy agency reins: Another political mess is bubbling over in the U.S. capital as President Trump decided to dig in on Bill Pulte as his administration's part-U.S. spy chief, part-federal housing boss, and part-Trump's personal attack dog (but actually though). As such, Pulte took office as the acting U.S. director of national intelligence, much to the chagrin of both parties. Meanwhile, Trump said he won't pass the FISA renewal bill (even though it's nowhere near close to being resolved) because lawmakers won't pass his absolutely insane voter ID bill under the guise of Trump trying to steal another election. It's all very messy, but our neighborhood natsec cyberscribe @dustinvolz explains the s...hituation at The New York Times ($). (via @atrupar.com)
Time is a flat circle, spyware edition: Human Rights Watch found Bulgaria-based surveillance vendor Circles sold its spyware to countries with atrocious records of human rights, like Bahrain and the UAE. Circles sells Pixcell (for tracking calls, messages, and data) and Landmark (tracks location). The EU just can't seem to stop its countries exporting spyware to the world. If only it actually tried to begin with! (via Bloomberg ($), The Record)
Canada gets legal anti-botnet kibosh order: Canadian spy agency CSIS was granted approval by a court to take down botnets… two years ago, following a request by the agency to "remove the compromised devices from Canada." The ruling was made public this week in a barebones filing, but as Risky.biz notes, it's probably China-related. The FBI has used similar court orders in the past to take down botnets, too, and to remove the malware from infected routers and servers. (via The Canadian Press, CityNews)
Klue app compromised: Klue, a market intelligence company that makes the Battlecards integration for Salesforce customers, was compromised (Klue noindex'd its blog post, hiding it from search engines). This breach allowed hackers to hijack those integrations and steal customer data. A new extortion gang called Icarus took credit for the hack. A bunch of customers are affected, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. (via Dark Reading, Bleeping Computer, DataBreachToday)
~ ~
THE HAPPY CORNER
It's a corner, it's got happy stuff, it's the happy corner. And it's got all that we need to relax after a busy week of news.
To the kids facing a social media ban today, well… at least you didn't have to rely on using an Excel spreadsheet on a Nokia 9210 to send text messages to your boo. (I fear nobody under the age of 30 will get this reference and if that's the case, I'm gonna go find a nice quiet corner to just crumble into dust.)

I will admit, I got a little hooked on this secrets-finding game. Find the exposed tokens, credentials, and other exposed sensitive data in this data leak simulator.
Be careful out there, folks. Things are getting desperate among AI-fueled CEOs. Please, please use our sh*tty AI products, they beg. Will someone think of the executives?

And lastly this week. Thank you so much to everyone who contributed to last week's shout-out to a special cause, Project Sunshine, a nonprofit that my partner Jordan and I are involved with that helps to raise funds so that kids with medical challenges can enjoy much-needed playtime. We were just blown away by the support and love from you. We raised our goal and then some! If you're reading this on the weekend, there's still a few more hours before the Play-A-Thon closes for this season, but if you can spare a few bucks to donate, it will make all the difference to the kids that you help to support. Thank you again, really; it means so much.
Got good news to share? Get in touch! this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Meech, who can be seen h… Zzzz…. Z..z zz… zzz… Zz… *shhh* sleeping softly with his head on a… keyboard?! …Zzz…. Z.. Zz…zz.. must be exhausted after a busy day hacking. Z.. zz…. z….. back to snoozing for you… *psssts quietly* Thanks so much to Mike B. for sending in…!

🐈 Keep sending in your cyber cats! 🐈⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter! I always appreciate an update if you've sent in before!
~ ~
SUGGESTION BOX
And that's all there is for this week. Thank you so much for reading, subscribing, and supporting this newsletter (and blog!). That was... a bit of a busy one. I hope this edition gave you everything you needed to catch up.
If you like this newsletter, please do share it on your socials and whatnot! I really appreciate getting new readers in and word-of-mouth is one of the best ways to do that.
And, if you have anything you want to share for the newsletter, including suggestions and feedback, please drop me a note any time.
As a short programming note from me, there will be no newsletter next week! I'll be away in New England for a few days with Jordan; she's always wanted to go up to Maine, so we're going to drive north and disconnect from the world. I'm back the week after for July 5, with the latest edition of ~this week in security~ to mark a special milestone.
Logging off for now... take care, and catch you soon.
Back in a fortnight,
@zackwhittaker