
this week in security — may 31 2026 edition

Microsoft sparks backlash after threatening security researchers, two major botnets taken offline, U.S. troops targeted using commercial location data, a slew of data breaches affect millions, 23andMe sued again, and more.
~ ~

Microsoft sparks widespread condemnation after threatening security researcher with criminal investigation
DoublePulsar ($): We start this week with Microsoft royally messing up after publishing a blog post threatening a security researcher with a criminal investigation. In short, a disgruntled bug hunter called "Nightmare Eclipse" published several Windows-related zero-days online in recent weeks, including on GitHub, apparently frustrated with Microsoft's bug reporting process, which got them banned from GitHub altogether. Microsoft's veiled threat landed soon after, prompting a massive backlash from the infosec community, which flooded socials with stories of alleged mistreatment by Microsoft in response to bug report submissions. By taking this approach, Microsoft is likely disincentivizing people from submitting bug reports, especially if the company might get legal. The logic goes: Why bother engaging with a bully at all? Microsoft thought it had the power by bullying researchers into submission (literally). Actually, it was the security community that had the power all along. My TechCrunch colleague @lorenzofb has some stellar words as well.
More: Microsoft | Cybernews | TechCrunch ($) | DataBreaches.net | @wdormann | @mbrg0 | @k8em0 

Chompie post on X, saying: "Security research reporting is kinda the only situation where an individual has any power over a corporation. What goes unsaid: the researcher could easily sell exploits on the grey market and get rich. Most report out of morals, lowk a refusal to contribute to cyberwarfare. Vendors relying on those morals to bully are happily prodding good people until they crack," followed by a quote tweet from Katie Moussouris: "Not that 'responsible' disclosure shit again 🙄 No vendor uses that term unless they want to call someone irresponsible. Even if someone drops 0day, patch & move on. Going after a researcher is a great way to turn 1 bad relationship into many terrible relationships."

Dutch authorities take down botnet that ensnared 17 million devices
The Register: Dutch cyber authorities took control of and forcibly took offline 200 servers associated with a massive botnet made up of 17 million devices. (As botnets go, 17 million is quite sizable.) The Dutch said the botnet was used for a litany of crimes, but wouldn't say exactly what kind of devices were hijacked into the botnet, making remediation a bit of a challenge for affected end-users with compromised devices. This is the latest so-called residential proxy network that relies on hijacked home networks, like routers and other poorly secured devices (thanks to things like default passwords), which hackers use to shield their malicious activity from the outside world. More from Risky.biz, whose (very good!) newsletter leads with this story. Separately: Dutch authorities were also busy this week after targeting a sanctioned web host, seizing more than 800 servers, phones, and laptops associated with the operation, which is thought to support Russian hacks.
More: NCSC | Ars Technica | FIOD | Bloomberg ($)

CrowdStrike and Google disrupt Glassworm botnet targeting open-source devs
CrowdStrike: Cyber coalition CrowdStrike, Google, and the Shadowserver Foundation (which tracks online threats) collaborated in the takedown of the Glassworm botnet, which targeted open-source developers with the aim of poisoning their projects with malware that spreads to other developers — rinse and repeat. The companies "struck all four of Glassworm's [command] channels simultaneously." How, exactly, they didn't say… When asked, CrowdStrike declined to say what legal authority (if any) it used in this operation, since companies usually have to obtain a court order first. A little suss! The news is a net good for the open source world, which has faced a barrage of hacks and malware of late, on top of the usual slew of North Koreans getting up to no good. Also: Microsoft nuked a malware signing-as-a-service that allowed malware to look like legitimate software (...credit where it's due).
More: Nextgov | The Register | SecurityWeek | Bleeping Computer | Microsoft | CSO Online

John Hultquist post on X: "As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users."

Senator says adtech industry is a 'national security threat' after U.S. troops targeted using location data
Reuters ($): The U.S. Department of Defense confirmed that adversaries have targeted and surveilled U.S. troops on the battlefield using commercial location data, a marked escalation in the use of data purchased from data brokers, who often source their data from ads and people's smartphone apps. The Pentagon offered no further details, but Sen. Ron Wyden obtained and shared the Pentagon's letter, and warned that the information could be used to determine troop locations. The spicy senator didn't hold back in his remarks, saying that it was time to start "treating the adtech industry as a national security threat." Yes, preach! Adblockers are a big part of our front-line defenses, but at some point lawmakers have to step up and solve this by burning the entire data broker industry to the ground with legislation.
More: Wired ($) | Techdirt | Military Times

ShinyHunters hackers steal millions of records from Charter and Carnival; new data lapses expose more government IDs online
Alright, let's blast through a few of these real quick… *breathes in*... The ShinyHunters hackers breached internet provider Charter, stealing ~40 million records including customer accounts and support data… Cruise operator Carnival was hacked again to the tune of 6 million customer account records, including addresses and government-issued IDs… And, grocery store chain 7-Eleven confirmed its recent breach affects 185,000 people… As for security lapses: UK Visa Portal spilled thousands of applicants' passports and selfies online, then things got really weird when they called the lawyers on me (lol)... and prison payphone service Pay Tel also exposed around 300,000 driver's licenses. (Disclosure: I wrote the last two stories!)
More: Bleeping Computer | HelpNetSecurity | Reuters ($) | UpGuard

Australian MP and staff targeted in successful WhatsApp hack
Sydney Morning Herald: A lawmaker in the Australian Parliament and three staffers had their WhatsApp accounts hacked and hijacked by a "foreign state actor." The attacks were part of an ongoing phishing campaign that involved someone masquerading as a "trusted source." Be careful out there. Also: Signal users were targeted with a new attack that aims to trick would-be victims into handing over their recovery key for accessing their message backups.

Iranian hackers blamed for Los Angeles transit breach
Reuters ($): New findings from Gambit Security suggest Iranian hackers were likely behind the breach of Los Angeles' transit systems earlier this year. Researchers found a cache of the stolen data hosted on a server previously linked to Iranian hackers. While Iran is known for espionage-driven breaches and hack-and-leak operations, the country's hackers have gone ballistic with destructive attacks since the start of the U.S.-Israeli-led war, targeting anything they can and in many cases causing disruption.

Cyberscammers are bypassing banks’ security with illicit tools sold on Telegram
MIT Technology Review: There is a burgeoning underground economy that helps people bypass "know your customer" (KYC) checks online, allowing scammers to launder money through real bank and crypto accounts. During a two-month investigation, reporters found close to two-dozen Chinese-, Vietnamese-, and English-language public Telegram channels and groups advertising "bypass kits and stolen biometric data," capable of skirting KYC checks by using virtual cameras and deepfakes.

Zapier fixes chain of bugs that allowed widespread account takeover
Cyberscoop: Interesting findings from Token Security, which found five separate bugs in Zapier's automation platform that, when chained together using only a free Zapier account, could be exploited to allow widespread account takeovers. Zapier fixed the bugs and found no evidence of past exploitation, but the research shows how a company's own systems can be used against it.

FBI says hackers are being sent to hack companies in person
Becker's Health IT: In an FBI alert this week, the feds warned that a ransomware gang known for targeting law firms by posing as IT staff in social engineering attacks has also allegedly been sending people "in-person to the victim company's location to gain physical access to computers." While real-world attacks do happen in conjunction with cyberattacks — think truck hijackings and wrench attacks — the FBI left very little information for network defenders to rely on here. I'm skeptical of this without evidence, akin to juicejacking. That said, securing your digital and physical perimeter doesn't hurt.

AI haters, unite! AI is taking people's jobs, ruining people's water and their ways of life, and yet the U.S. feds seem to think "anti-technology extremists" (heavy air-quotes here) who hate AI are the problem and should be surveilled as such. Hundreds of documents from the feds reveal this new shift in their investigative focus. That's most of us, dear readers, now on a list. At least we're in good company. (via Wired ($))

Dare Obasanjo post on Bluesky: "Wired reports that the FBI and DHS are now monitoring a new class of threats described as "anti-tech violent extremism" resulting from the backlash against AI and data centers. It's unclear if this is a real threat or a political move by the White House to target opponents of AI."

IRS wants its ID checker to store data for years: An IRS proposal would allow ID.me, the identity checking service used by the tax authority, to keep taxpayers' biometric data for years. Currently, face scans are deleted straight away (allegedly) but federal officials want the data to be held for at least 36 months. Using ID.me is the only way to sign into the IRS' website. (via Politico, ID Tech) 

Nationwide license plate scanning law killed: A federal bipartisan amendment that would have effectively killed license plate scanning tech across the U.S., like Flock (boooo, we're booing), was killed by two House lawmakers. In other news: A company called BusPatrol put tens of thousands of AI-powered cameras in school buses to serve as roaming license plate scanners. Using access to kids for surveillance is… bleak. (via Wired ($), 404 Media ($), IPVM)

23andMe hit with fresh breach lawsuit: California just slapped genetics testing giant 23andMe with a fresh lawsuit over its 2023 data breach, which exposed close to 7 million people's sensitive data. 23andMe was acquired last March after previously filing for bankruptcy. This new lawsuit doesn't seek to let the new corporate owner off the hook. (via California AG, Associated Press)

PostHog reveals security incident: Ridiculously named analytics platform PostHog said late Friday that it received word of a security lapse involving an "exploit in one of our AWS environments," referring to Amazon Web Services. The company rotated its keys, and said everything is fine now, without saying exactly what happened or committing to saying so. (via PostHog, @AlesandroOrtiz)

We're back in the happy corner, where we have a handful of good things to see out the rest of the week. 

Friend-of-the-newsletter and investigative tech reporter @yaelwrites walks us through her privacy and security stack. This is a great look at some of the best tech you can use for keeping your opsec intact and your privacy protected. Using any of these will improve your security and privacy posture. Your posture doesn't have to be perfect (it never will be!) as it's largely about minimizing your exposures and harms as best as possible.

The Pope dropped his first Magnifica Humanitas(.html), in which the Catholic leader's encyclical uses AI as the hook (including quoting Gandalf) while highlighting today's mass inequality, war, and the concentration of wealth. In the same week, The Ringer published its top 40 most infuriating things about technology and the internet, which I think the Pope was basically trying to get at, but less in list-form. I laughed my way through this entire list, and even though you didn't ask, my favorites were 18, 26, 33, and of course, 37-39. 

And, since we're talking about bug disclosure this week… Go big or go home, this is surely one way to get a big company's attention:

Neils tweet: "Fun fact. Apple did this to me in 2019 over a messages 0-click bug. So I did some magic and got myself added to their daily bug bounty standup call, which was just a FaceTime group call. I submitted another vuln with a screenshot of their call and got a threatening letter," followed by a screenshot of an internal Apple FaceTime call, with Neils in the call, on his couch, with an Apple employee on the screen looking really pissed off.

Got good news to share? Get in touch! this@weekinsecurity.com.

This week's cyber cat is Sushi, who can be seen here being served up as a snug little hand roll. When Sushi isn't comfortably napping, Sushi is a world-class password stealer and online treat orderer. Thank you so much to Dawood for sending in!

Sushi is a grey tabby who can be seen here snuggled in their fluffy cat bed.

🐈 Send in your cyber cats! 🐈‍⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

And that's all there is for this week's newsletter, thank you so much for joining and reading! I hope you have a great rest of your weekend and week. I'll be back next Sunday with your usual roundup of all the cyber news you need to know.

If you like this newsletter, please share it! And if you have anything you want to share for next week, please get in touch — it's really nice hearing from you, and your cybercats! (If you haven't sent in before, drop me a photo!)

Gone phishin',
@zackwhittaker