index@this.weekinsecurity.com

Posts

  • this week in security — may 24 2026 edition
    index@this.weekinsecurity.com
    ~ ~

    THIS WEEK, TL;DR

    GitHub says hackers stole data from thousands of internal repos after a staffer's plugin was compromised
    Bleeping Computer: GitHub was hacked and some 3,800 of its internal repos breached after hackers compromised an employee's VS Code extension that they used for writing and editing source code. The poisoned extension, Nx Console, was itself hacked by an earlier attack on open source web stack Tanstack, allowing the hackers to steal sensitive private keys and tokens, and hop from one hacked company to another. Nx Console also has indicators of compromise for affected customers beyond GitHub. If this seems like a trend, it's because it is, per Wired ($). Lock down your developer pipelines, people! GitHub said no customer information was taken, but it's a bruising incident for an already degraded GitHub. TeamPCP took credit for this latest breach (as it did with Tanstack), saying it was selling the stolen data, rather than extorting GitHub. Meanwhile: Grafana's post-breach report is out, which blamed last week's hack on one token that wasn't rotated after Tanstack's breach. Grafana decided not to pay the hackers' ransom.
    More: The Record | ThreatLocker | Wiz | IFIN | Nx Console | @jeffbcross | Grafana

    Google publishes exploit code affecting millions of Chromium users
    Ars Technica: Come for the interesting Chromium bug writeup, stay for the "oh f—k" moment when the researcher realizes Google thought it fixed the bug but hadn't. As a result, Google released the proof-of-concept code that allowed anyone to use it. The code was subsequently pulled. The bug in Chromium browsers (think Chrome, Edge, Brave, and any other browser that relies on the core Chromium engine) meant attackers could create a persistent connection to the user's browser as a way to proxy data through their internet connection, or use it for denial-of-service attacks. This is similar to how botnet hosts use residential home networks to funnel their malicious traffic, so while this Chromium bug won't let hackers read your emails or see what websites you're browsing, this is still not good. The bug has been unfixed for ~3.5 years.
    More: Bleeping Computer | @rebane2001 thread | @lukOlejnik

    Rebane post on Mastodon: "OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS 💀💀," followed by a screenshot showing the attacker's view in their browser showing that the attack still functions.

    CISA admin exposed AWS GovCloud keys and credentials on GitHub
    Krebs on Security: Embarrassing moment for U.S. cyber agency CISA after a contractor admin with access to government cloud credentials left them exposed to the internet in a public GitHub repo — including spreadsheets full of passwords and one plaintext file that simply read: "Important AWS Tokens." While a rookie mistake, it's ultimately not a good look for the agency that's charged with …*checks notes*... federal cybersecurity! Krebs had the scoop, and by the end of the week, lawmakers were clamoring for answers. CISA has faced cuts, furloughs, and layoffs throughout the past year-plus under Trump, and still doesn't have a permanent Senate-approved director leading the place.
    More: Krebs on Security | Cyberscoop | TechCrunch ($) | @briankrebs

    a screenshot showing several files, including "AWS-Workspace"-named files, containing passwords, tokens, and configuration files.

    ~ ~

    PLEASE SUPPORT THIS NEWSLETTER!

    ~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for access to exclusive articles, analysis, and more.

    Or, you can submit a one-time tip to show your support!

    Subscribe to support this newsletter

    ~ ~

    THE STUFF YOU MIGHT'VE MISSED

    Kash Patel's apparel website down after serving ClickFix attacks
    PCMag: FBI director Kash Patel has pulled down his side hustle clothing business (which, admittedly, I didn't know was a thing) after the website was served with a ClickFix attack. This is where websites are hacked and trick visitors into thinking they're facing a Captcha-style screen, but are prompted to copy and paste malicious code into their computer, which plants malware. For subscribers: My deep-dive read on ClickFix.

    a screenshot from Kash Patel's Based Apparel website, showing a Cloudflare-style captcha box that actually presents users with a lure to install malware on their computers.

    HIPAA security rule is expected to be overhauled
    Shostack + Associates: HIPAA, the decades-old complicated healthcare law that actually doesn't do half the things people think, is set to have its security rules overhauled. The Department of Health & Human Services has until the end of May to finalize the rule, which will matter a great deal to HIPAA-covered entities. Shostack's team explores some of the changes, as does BankInfoSecurity. Expect more to come soon.

    Fears of unfettered hacking sprees 'looking overstated' after Mythos release
    Reuters ($): Good stuff here from @ajvicens examining the security fallout (or lack of, frankly) following last month's restricted release of Anthropic's Mythos. Cyber experts say the AI model's abilities are largely overstated, and the reactions were measured. This was an important read and a good leveler for anyone needing a splash of cold water to the face on all-things AI security. Meanwhile: The White House scrapped an anticipated AI executive order, slated to allow federal agencies to get pre-release access to frontier AI models to test for flaws and dangerous capabilities. But tech executives didn't like it, per the Washington Post ($), even though their invites had already gone out.

    David DiMolfetta post on Bluesky: "WH AI EO signing delayed, people familiar tell me. Appears that enough tech CEOs couldn't turn out for the signing."

    Microsoft fixes Defender zero-day; Cisco fixes new 10/10 bug
    Bleeping Computer, The Register: Microsoft fixed two zero-day bugs under attack in its Defender anti-malware engine that allowed malware to gain system-level privileges on a target's computer. The company also said it's released mitigations for a BitLocker bug (*cough* backdoor *cough*) dubbed YellowKey, which was published online as a zero-day and allows access to data on protected drives. Meanwhile: Not to be outdone, Cisco struck yet another 10/10 max-severity bug, this time in Cisco Secure Workload; though, on the bright side, no evidence of exploitation just yet… but give it time. Patch today! Last up: Trend Micro warned of a zero-day under attack in its Apex One product.

    Verizon reports surge of exploited security vulnerabilities
    Cyberscoop: Verizon's annual data breach report is out. According to the data, 31% of intrusions (up from 20%) exploited security flaws in software code, like zero day bugs. The issue was blamed on too many bugs and not enough time to patch. Financially motivated crims made up most of the attacks, and ransomware is still a big deal, so doing the security basics will help you a lot. Verizon always deserves the flak that it gets, but I will say, props for not putting the report behind a paywall; the direct PDF is readable here.

    Scammers are abusing an internal Microsoft email to send spam
    TechCrunch ($): An internal email address that Microsoft uses for sending actual account notifications to users, such as two-factor codes, is being abused to send spam emails. Microsoft said (belatedly) that it was aware of the issue, but anti-spam nonprofit Spamhaus said this has been going on for months already. (Disclosure: I wrote this story!)

    ~ ~

    OTHER NEWSY NUGGETS

    Crypto 'wrench' attacks on the rise: Physical attacks on crypto holders are rising, with at least 72 confirmed incidents during 2025, allowing the theft of $41 million in crypto. These are called wrench attacks because bad people use violence (hence the wrench) to force crypto owners to give up their passwords. Many of the attacks have been in France. (via Bloomberg ($), Cointelegraph)

    How many government demands does Oura get? Health wearable gadget maker Oura says it receives government demands for users' data. The big question is how many. (via this week in security) 

    KimWolf botnet boss busted: A Canadian man has been nicked and is set to be extradited across the border to the U.S. for allegedly running the notorious KimWolf botnet, used for launching DDoS-for-hire attacks. Some attacks were measured at 30 terabits per second, which the DOJ says was a "record" in known DDoS attacks at the time. (via Justice Department, Krebs on Security, GovInfoSecurity)

    New gov app, who dis? The White House plans to auto-install its official app on all federal phones in the executive branch. Notwithstanding the weirdness of it all, the app is known to have some security bugs, but it's unclear if those bugs are fixed or if the app is the same version in the public app stores. (via Government Executive, NASA Watch)

    Trump Mobile exposed customer order details: Trump Mobile, the hilariously bad Trump-themed cell provider and phone maker, exposed 10,000 unique customer order details. Two YouTubers disclosed the leak after hearing nothing from Trump Mobile, which later confirmed it had publicly spilled customers' data. (via PCMag, TechCrunch ($))

    SMS blaster at Eurovision: Incredible headline… a Chinese scammer was caught with an SMS blaster outside the Eurovision Song Contest in Vienna, which was likely used to send several million SMS phishing text messages. Commsrisk has high-resolution photos of the device for your viewing. Although, I will say, it's extremely bad form for this guy to have his 6-year-old son in the car. That's far too young to be handling cellular equipment.

    Hackers' favorite VPN is no more: Authorities have dismantled First VPN, a VPN provider that was allegedly used by ransomware gangs to hide their malicious traffic. French and Dutch authorities took down dozens of servers, and notified those who used the service "who mistakenly believed themselves to be safe." Savage. (via Help Net Security, Operation Saffron, @ransomwaresommelier)

    ~ ~

    THE HAPPY CORNER

    Welcome to another happy corner, where everything is ~chill~.

    A new bipartisan(!) amendment, if passed, would effectively ban automatic license plate readers across the United States, per Wired ($). This would be very good if it passes, and strikes at the heart of surveillance companies like Flock.

    Congrats to those kids young adults, vx-underground, the world-renowned group of friendly malware collectors, who marked their 7-year anniversary this week. If you're ever in the mood to research or rip apart some malware, vx has everything you need. Plus, their tweets always make me smile, and much like this newsletter, it also features cats.

    Excellent news from Discord, which switched on end-to-end encryption across its entire platform, meaning anyone who makes voice and video calls can now chat in privacy — not even Discord can access your content. No action is needed by users.

    And lastly, this week: How many of us feel at the best of times:

    Mike tweet: "NO AI!" followed by two screenshots of Ava Daniels in 'Hacks', showing her speaking into her phone, saying: "Siri, google, how to sink a superyacht — no AI!"

    Got good news to share? Get in touch! this@weekinsecurity.com.

    ~ ~

    CYBER CATS & FRIENDS

    This week's cyber pup is Ginger, who we're very fortunate to have featured in a newsletter a couple of years ago. Ginger recently passed over the rainbow bridge, and though I know we're all really sad to see her go, she was deeply loved, and lived a happy and wonderful life. Thanks to Jason T. for the photo, and we're sending all our love and support.

    Ginger is a brown and dark-orange pupper who can be seen here looking beautiful and zen, lying cuddled up on a bedspread.

    🐈 Send in your cyber cats! 🐈‍⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

    ~ ~

    SUGGESTION BOX

    That's all there is for this week's edition. Thank you so much for reading! I won't keep you for another moment. I hope you have a good rest of your long weekend (if you're here in the United States) and a great rest of your week wherever you are in the world.

    Please email me if you want to see anything in next week's newsletter that you think would be a good fit. If you like what you read, please share this newsletter!

    Peace, my friends,
    @zackwhittaker

    Reading this online? Get ~this week in security~ by email

    a weekly cybersecurity newsletter by Zack Whittaker, plus analysis and blogs.


  • this week in security — may 17 2026 edition
    index@this.weekinsecurity.com
    ~ ~

    THIS WEEK, TL;DR

    Instructure paid and 'reached an agreement' with hackers who breached it twice; ShinyHunters says it won't extort victims
    BBC News ($): Canvas school system maker Instructure paid the hackers that breached the company (twice) and stole gobs of student data. Instructure CEO Steve Daly said the company "reached an agreement" with the hackers (heavy wink, of course) to not release the data, without saying how many millions it paid the hackers or estimating how many future hacks its ransom payment may have contributed to funding. The ShinyHunters gang told TechCrunch and DataBreaches.net that the data is "deleted, gone," and that victims will "not further be targeted or contacted for payment by us." But that still leaves open the possibility — as has happened before — that another hacker group might extort them, à la the massive breach at ed-tech giant PowerSchool; or that the hackers might not stick to their word. Lawmakers now want answers over Instructure's catastrophish (the hackers' main modus operandi). Instructure can't guarantee jack about any of the hackers' claims, so lawmakers should press them on it — and who, if anyone(!) — is ultimately responsible for cybersecurity at the company.
    More: TechCrunch ($) | Reuters ($) | Associated Press | Inside Higher Ed | Harlem World | CalMatters | @mzinshteyn | @briankrebs

    On state visit to Beijing, Trump discussed AI, cyberattacks, sanctions, and spying with China's Xi Jinping
    The New York Times ($): Trump and his entourage of senior staffers, emotional support tech executives, and family members (for some bizarre reason?), went to China and all they got was this lousy T-shirt were several gifts probably laden with bugs that they weren't even allowed to bring aboard Air Force One. As part of the state visit to Beijing, Trump and China's Xi Jinping talked spies, sanctions, AI, and cyberattacks, among other things, per @dustinvolz (new byline!), who runs down the gist of the trip's aims as the long-running frenemies met over a largely conciliatory tone. China remains a major adversary ($) in cyberspace as it continues to eye Taiwan for its own, and will keep hacking and spying its way around the world to meet its objectives. That also came up, with Trump telling reporters: “They’re talking about the spying. Well, we do it too.” But whether or not anything actionable came of this visit remains to be seen. Slightly worried that Trump didn't seem to follow when a reporter asked about Volt Typhoon, the Chinese hacking group planting malware around the world so it can distract American forces during an invasion, responding: "You don’t know that," and that he would "like to see it."
    More: TechCrunch ($) | Nextgov | Associated Press | The Hill | NPR | For subscribers: this week in security ($)

    Tanstack among many hacked in latest worm attack targeting developers; OpenAI says two staffers affected
    SecurityWeek: Another worm-like campaign mass-targeted developers this week by stealing their credentials and self-propagating, using stolen tokens to publish malicious versions of the packages that victims have access to. Hacking gang TeamPCP, which has been on a tear stealing developer tokens and backdooring popular open-source packages, is behind this latest campaign, according to Wiz. Tanstack, an open-source tech stack for web developers, was one of the bigger projects hacked, allowing the hackers to pivot from there to gain access to two OpenAI staffers' devices. OpenAI said the hackers accessed code repositories containing developer signing keys, so the ChatGPT maker had to revoke those certificates and ask Mac users to update their apps.
    More: OpenAI | SecurityWeek | Bleeping Computer | The Register | Wiz | @MsftSecIntel 

    A hotel check-in system exposed a million passports, driver's licenses, and selfies to the open web
    TechCrunch ($): Yes, it's the year 2026 and I'm still banging the "stop leaving your cloud storage buckets exposed to the web" drum. Anurag Sen found a publicly exposed AWS S3 bucket belonging to Reqrea, a Japanese maker of hotel check-in tech, storing a million identity documents and selfies that guests used to check in to their reservations. This is yet another major spill of identity documents at a time when ID verification is on the rise around the world. I wrote this story (disclosure alert!) because it was a perfect example of how a dead-simple data exposure can result in major harm, even while there's a lot of buzz and hype about the threat from AI models finding and exploiting security flaws. AI has helped to find bugs, even though many of them aren't much of a threat. Daniel Stenberg, who maintains the curl library (which is used in everything), has a great blog on this worth a read, if not least to manage your general AI expectations. In reality, I'm more concerned about someone setting an AWS S3 bucket full of people's data to "public" than somehow using AI to take down the entire Social Security database, or something daft like that. Also this week: Best Western Hotels emailed customers to say hackers had access to their systems for six months before being evicted (via Reddit). It's not clear how many people's data is affected.
    More: SecurityWeek | The Register | @zackwhittaker

    Kevin Beaumont post on Bluesky: "I've dealt with several thousand cyber incidents over the past 5 years, and currently lead a global emerging threat team. Amount of those being GenAI incidents: zero. Amount being foundational causes: every single one."

    ~ ~

    THE STUFF YOU MIGHT'VE MISSED

    Medical imagery is still(!) spilling to the open web
    HIPAA Journal: PACS servers, which doctor's offices and hospitals use to store, share, and view patients' medical imagery, are often unsecured and, in some cases, accessible from the internet. This has been a chronic problem for years, and is happening again. (I wrote about this back in 2020… 🫠) Trend Micro has more on the technicals. If you work in healthcare, check your PACS servers for exposures before the regulators find you!

    A million video baby monitors and security cameras were easily viewable by hackers
    The Verge ($): Hardcoded keys and public passwords found shipped in an Android app exposed over a million Meari internet-connected baby cameras to anyone who knew where to look. Thankfully a security researcher found the security lapse, as detailed by The Verge ($), which did a solid job on explaining the flaws.

    a screenshot from The Verge's story, showing a dashboard created by the security researcher showing locations around the world where affected video cameras can be accessed.

    Now-published zero-day can defeat default Windows 11 BitLocker protections
    Ars Technica: A zero-day dubbed YellowKey, released by disgruntled researcher Nightmare-Eclipse (who was behind the BlueHammer exploit release), allows people with physical access to a Windows 11 system to bypass default BitLocker's encryption protections and gain complete access to an encrypted hard drive within seconds. @GossiTheDog called this "essentially… a backdoor." 

    Mayo Clinic is using AI to listen to emergency room visits
    404 Media ($): Hospital network giant Mayo Clinic has been collecting ambient audio from emergency rooms to record patient interactions, and feeding the data into AI. The audio collection is opt-out, and not opt-in. Relatedly: The Ontario government recently found in examining its use of AI transcription in healthcare that it was largely, well, crap, given that healthcare is too important for AI to get things wrong. "If the notes in the chart are wrong, the whole thing falls apart," per @mttaggart. Also, ICYMI: Professor extraordinaire @emilymbender on why you should refuse to let your doctor record you.

    Taggart post on Mastodon: "This entire report from the Ontario government on genAI systems is worth a read, but the review of healthcare scribe accuracy is pretty devastating, imo. This has to work for the tech to be worth anything. If the notes in the chart are wrong, the whole thing falls apart," followed by a screenshot from the Ontario report, which reveals the Types of Inaccuracies Found in Notes Generated by AI Scribe for 20 Approved Vendors, including: Hallucinations, Incorrect Information, and Incomplete Information.

    Ransomware gang The Gentlemen hacked and dissected by researchers
    BankInfoSecurity: A prominent and rising ransomware gang called The Gentlemen was hacked earlier in May and its database leaked. Check Point has a blog with more details, including more about how the gang operates, how they hack, and what defenders can look out for. Ransom-ISAC also has a solid blog. (via @campuscodi)

    Fast16 malware from the mid-2000s likely sabotaged Iran's nuclear weapons tests
    Zero Day: Belter reporting by @kimzetter this weekend… A malware called Fast16, which was discovered years ago but recently analyzed, actually dates back to the mid-2000s when it was secretly fed to Iranian systems with the aim of altering nuclear weapons simulation data. The aim was to undermine those tests and slow the progress of a nuclear program. Amazing reporting here, and with many similarities to Stuxnet, the other famed malware that aimed to set back Iranian efforts to build a nuclear weapon. Symantec has more in its blog, and Zetter's sidebar timeline ($) is a handy chronological guide.

    ~ ~

    OTHER NEWSY NUGGETS

    Europe exporting electronic exfiltrators: Six EU member states, including Denmark, have sold surveillance tech to dozens of countries known for human rights violations. The EU's top body keeps complaining about spyware abuses across Europe but does nothing about spyware makers selling to abusive governments from its own turf. (via Bloomberg ($), Human Rights Watch)

    an animated GIF of a Simpsons clip, of alternate-reality Ned & Maude Flanders in this scene, saying, "We've tried nothing and we're all out of ideas," with the EU flag overlaid on Maude's head.

    Cisco layoffs amid 'record revenue': In the same blog post, Cisco CEO Chuck Robbins announced record revenue and double-digit growth while also laying off 4,000 people, or 5% of the company, to spend more on AI. Robbins, meanwhile, had a total compensation package of ~$53 million last year. When I asked if Robbins planned on taking a pay cut, a spokesperson wouldn't comment. (via TechCrunch ($); I wrote this story!)

    Cisco's security woes hit again: Oh look, another top-severity Cisco zero-day exploited in the wild; what a surprise, it's a day ending in "y." The bug was found in Cisco's SD-WAN products, aka CVE-2026-20127. Cisco's research arm Talos — still doing good work — found exploitation dating back to at least 2023 (woooof). Per Talos, the hackers sought to "establish persistent footholds into high value organizations including critical infrastructure sectors," which… sounds a lot like Volt Typhoon again, no? (via Cisco, TechCrunch ($), @stephenfewer)

    Iranian hackers targeting gas stations: U.S. officials suspect Iranian hackers are accessing unprotected automatic tank gauge systems, used by gas and petrol stations to monitor the amounts of fuel in storage tanks. (Experts say this could allow gas leaks to go undetected, for example.) This was much to the chagrin of security researchers, who've been warning about this for literally years. (via CNN ($), IFIN, @neurovagrant)

    Signal, Windscribe plan to bounce from Canada: Canada is preparing to vote on Bill C-22, a new surveillance bill that would require tech companies to collect customer metadata and store it for up to a year. E2EE messaging app Signal and VPN provider Windscribe said they'd leave Canada if the bill passes rather than give up data about their customers. (via Globe and Mail ($), Juno News, @privacylawyer)

    DOJ seeks to unmask app users: According to Forbes ($), the Justice Department wants Amazon, Apple, and Google to turn over the identities, addresses, and purchase histories of at least 100,000 users who downloaded the EZ Lynk app, which prosecutors accused of breaking federal emissions laws. It's a rare case of authorities trying to unmask app users, but looks like a major overreach.

    Grand jury subpoena demands healthcare data: This is really f-ed up: The DOJ secured grand jury subpoenas for several U.S. hospitals, such as NYU Langone in New York, demanding a ton of medical records of children who received gender affirming care since 2020. This is a huge privacy risk for potentially anyone who seeks healthcare of any kind. This may start by targeting trans people, but it will not stop there. The Handbasket reports on some of those affected. More from Erin Reed.

    Grafana extorted over stolen source code: Observability software Grafana says hackers (known for using credentials stolen from infostealers) broke in, stole its source code, and tried to extort the company into paying. Grafana said no, and went public instead, and blamed the breach on hackers stealing an authentication token. (via @grafana)

    Two posts by Grafana on Bluesky, which reads: "The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. Based on our operational experience and the published stance of the FBI, which notes that "paying a ransom doesn't guarantee you or your organization will get any data back" and only "offers an incentive for others to get involved in this type of illegal activity"."

    ~ ~

    THE HAPPY CORNER

    Ding dong! What's that sound…? Hell yeah, it's the happy corner gong!

    an animated GIF of a radio show presenter in front of a microphone, hitting a gong with a mallet.

    Trust me, you'll want to read this fictional but brilliantly written "incident" report. The only remediation you need is to laugh and enjoy — and maybe hide your Yubikeys from the office dog. CVE-2024-YIKES, indeed!

    A smidge of good news for Android users (running the latest Pixel phones) who will get a new Intrusion Logging feature aimed at helping to identify spyware and surveillance attacks. More words from Amnesty, which helped Google develop the feature. Plus: iOS and Android devices can now send and receive end-to-end encrypted RCS messages!

    Meanwhile: It looks like the U.K. is making good on its earlier promise to shield security researchers from its decades-old hacking laws. It's a great step in the right direction (finally). 

    A fab offer here from threat analysis sensei @JohnHultquist: CYBERWARCON is an absolute hoot, and I've heard SLEUTHCON is also a must-go event. 

    John Hultquist tweet: "If you've been laid off from a cyber threat intel position and would like to come to @SLEUTHCON  this year, please reach out."

    And lastly, this week. Since vx-underground and VirusTotal have some of the world's largest repositories of malware, I wondered (disclosure alert!): What would this look like, visualized stacked as hard drives, one on top of another? Guess no more…

    a partial screenshot featuring a stack of hard drives from left-to-right in descending order, starting with: Burj Khalifa (2,722 feet); VirusTotal (2,645 feet); One World Trade Center (1,792 feet); the Eiffel Tower (1,083 feet); Zack Whittaker, who is 6 feet tall; and vx-underground's malware repository is about 2.5 feet worth of hard drives.

    Got good news to share? Get in touch! this@weekinsecurity.com.

    ~ ~

    CYBER CATS & FRIENDS

    This week's returning cyber cat is Murphy, basking in a beautiful stream of sunlight, knowing full well that his online accounts are protected with long, unique passphrases stored in his human's password manager and multi-factored; or better yet, protected with passkeys. Many thanks again to Matt S. for sending in!

    Murphy is a very handsome brown and dark orange tabby who can be seen here resting and snoozing on a blue blanket, in a stream of sunlight.

    🐈 Send in your cyber cats! 🐈‍⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

    ~ ~

    SUGGESTION BOX

    That's it for now! Thank you so much for reading. I won't keep you for another moment! I'm off to my local pottery studio to throw some clay. Cyber is important, but so is making stuff and being creative. Whether you're reading at home or doing something outdoors, coding for fun, or something even more adventurous, I hope you enjoy and that you have a great rest of your day, weekend, and your week.

    I'll catch you next Sunday with everything you need to know from the world of cyber. Please do get in touch if you have anything to share!

    Ta-ra!
    @zackwhittaker


  • Why every organization should make it easy to report security flaws
    index@this.weekinsecurity.com

    Last year, I had dinner with a friend who works in the cybersecurity field. They recounted a recent conversation they had with a corporate executive where I came up by name, and the executive apparently visibly shuddered, as if in revulsion. The executive told my friend that one of their fears is someday getting an email from me. 

    The implication, my friend told me, was that the executive had "f—ed up somehow if he's reaching out."

    As a cybersecurity journalist, it's not uncommon for folks to contact me after discovering a security bug or an active data leak. At TechCrunch, where I oversee our cybersecurity coverage, I have a triage-like system that allows us to attempt to resolve flaws when there is a likely chance that we will end up covering it as a story. To meet that bar for coverage, there has to be a public interest in the issue, such as in a significant or well-known product or service; the bug has to be of such simplicity or severity that it could be exploited with ease or at scale; or, that the issue affects a lot of people or is critical to national security.

    Over the last year or so, I've noticed that the outreach has gone up, as well as our need to intervene in efforts to resolve glaring flaws or security lapses.

    A common scenario is this: A customer, patient, or user of a website or service finds a security bug exposing their private data, or the data of someone else, but they have no way to alert the company or vendor to the issue. Oftentimes, the bug is simple to find or exploit, enough so that the person feels compelled in good faith to try to alert someone to the problem. 

    But customer support agents are not typically trained to handle security issues, and companies have retaliated in the past against people who find security bugs, which might understandably deter some from drawing attention to themselves.

    That's why people who find these issues go to the media, usually when they feel they have no other option. 

    And so, the reporter contacts the company's public relations department, they realize that word is starting to get out about the thing they tried to ignore, the company fixes the problem (or not), and issues a statement (...or not). The reporter publishes a story about the lapse and the company gets a reputational bruising.

    On the other hand, some people have no means to contact a reporter, leaving the issue unresolved and potentially maliciously exploited down the line. The company eventually gets hacked or breached, and then even more media end up writing about it. 

    Not having a dedicated security email address on a company or organization's website makes it far more difficult for people to report security issues in their products, website, or infrastructure.

    I hear this gripe consistently from security researchers and almost anyone else who has discovered a security bug. Most of the time, people just want to be able to alert the right person to the problem, maybe get a "thank you" in return, and be on their way.

    Here are a few examples of companies that did not handle a security report well:

    • Fashion retail giant Express publicly exposed the order details of every customer who made a purchase, including their personal information, home address, and what they bought. A customer found the bug but found no way to alert the company, so he flagged it with me for help. The bug was easily scriptable, so it was plausible that someone could have mass-scraped people's order details. Express fixed the bug, but wouldn't commit to notifying affected customers.
    • Security researcher Eaton Zveare found cargo shipping tech firm Bluspark was exposing the admin passwords of its shipping systems to the web in plaintext, but had no way to contact the company. Zveare asked me to reach out. I finally heard back… from the company's lawyers. The issue was fixed in the end, but I dread to think how anyone else might have handled receiving an email from a lawyer just for trying to do the right thing.
    • Big box retailer Home Depot left sensitive private keys to its internal systems publicly exposed for a year. But when security researcher Ben Zimmermann found them online and tried to alert the company, including its top cybersecurity official, Home Depot did not respond. The retailer eventually nuked the keys, but said nothing else of the incident. 
    • A couple of notable security bugs in a payment system used across North American public transit systems remain unfixed after the tech company behind the payment system ignored multiple emails from both me and a customer. I also asked city officials at one of the affected transit systems to reach out, and they said they hadn't heard back from them either.

    Though, it's not all doom and gloom. There are some rare wins:

    • Laundry servicing giant CSC ServiceWorks implemented a vulnerability disclosure policy after two college students uncovered a security bug that allowed anyone to do their laundry for free, the on-campus equivalent of hitting the jackpot. The duo tried to alert the company but got nowhere — and neither did I — until after my story was published and the company realized it had made a mistake.
    • And, recently: The maker of a dental practice management system, Practice by Numbers, used in thousands of dentists' offices around the U.S., vowed to update its website to allow reports of future security issues. This comes after one patient, Joseph R. Cox, found his private medical records were exposed to other users of the company's patient portal.

    A plea from me: Please make it easier for hackers, security researchers, but frankly anyone to contact your company or organization about security issues. 

    A contact form is not enough. A general email address is also not enough. Instead, consider a dedicated security email address on your website as a great place to start, as this actively signals to the outside world that you are open to feedback. (Tech company Ghost, which hosts the backend for this website, has a security page if you ever find a security bug on mine, for example.)

    Another easy and effective way to let people find your dedicated security email address is to use security.txt, a simple concept that consists of putting a small text file in a known location on your website so that security researchers know where to look for the dedicated security email. The idea for security.txt originated from security researchers who wanted to make it easier to identify an email address of someone at the organization capable of handling bug reports.

    Take a look at the BBC's version of security.txt, which is a great example of how the broadcaster guides people on where to report security flaws across the BBC's domain.

    The BBC's security.txt file, available at bbc.com/security.txt, which includes lines such as: "Please report any security vulnerabilities to us via the contact method(s) below, only after reading our disclosure policy," and "Our disclosure policy. By submitting a potential security incident to us, you are implicitly accepting these terms - please read this before submitting."
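    As an added example (not code from the newsletter, the BBC, or any project), here is a small Python checker for the format security.txt uses, which is standardized as RFC 9116. It parses a file, confirms the two fields the RFC makes mandatory (Contact and Expires) are present and sensible, flags contact values that are not URIs, and lists the two locations a reporter would look in (/.well-known/security.txt first, then /security.txt as the older fallback). The sample file, the host example.com, and the fixed "today" date are all constructed for illustration and are not any real organization's file.

```python
"""Minimal RFC 9116 (security.txt) parser and checker.

Added example for this post, not the newsletter's or any project's code.
The sample file below is constructed for illustration (hypothetical host
example.com); it is not the BBC's real file.
"""
from datetime import datetime, timedelta, timezone

# Locations defined by RFC 9116, in order of preference: the well-known
# path first, the legacy top-level path as a fallback.
WELL_KNOWN_PATH = "/.well-known/security.txt"
LEGACY_PATH = "/security.txt"

# Constructed "today" so the demo is deterministic (assumption, not real time).
SAMPLE_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

# Constructed sample file for a hypothetical organization.
SAMPLE_SECURITY_TXT = """\
# Please report vulnerabilities to the contacts below after reading our policy.
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""


def parse_security_txt(text):
    """Return {field-name (lowercased): [values...]}, ignoring comments and blank lines.

    Fields may repeat (several Contact lines are common), so every value is
    kept in a list, in file order.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; skip it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value):
    """Parse an RFC 3339 timestamp such as 2026-12-31T23:59:59Z to an aware UTC datetime."""
    v = value.strip()
    if v.endswith(("Z", "z")):
        v = v[:-1] + "+00:00"  # older Pythons reject the literal Z suffix
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing mandatory Contact field")
    for c in contacts:
        # Contact values must be URIs; a bare e-mail address is not valid.
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing mandatory Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_expires(expires[0])
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp <= now:
                problems.append("file has expired; its contacts may be stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")

    # These link fields must be https:// URLs under RFC 9116.
    for field in ("canonical", "policy", "acknowledgments", "hiring"):
        for v in fields.get(field, []):
            if not v.lower().startswith("https://"):
                problems.append(f"{field.capitalize()} should be an https:// URL: {v}")
    return problems


def candidate_urls(host):
    """URLs a reporter (or an automated checker) should try, in RFC 9116 order."""
    return [f"https://{host}{WELL_KNOWN_PATH}", f"https://{host}{LEGACY_PATH}"]


if __name__ == "__main__":
    print("Would look at:", ", ".join(candidate_urls("example.com")))
    for p in check_security_txt(SAMPLE_SECURITY_TXT, now=SAMPLE_NOW) or ["no problems found"]:
        print(p)
```

    The Expires check matters more than it looks: a security.txt that nobody rotates becomes a dead mailbox, which is exactly the unanswered-email failure described above, so running a checker like this on a schedule (against your own domain) is a cheap way to keep the reporting channel alive.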

    Your company's decision to take this approach ultimately rests with leadership. If you're in executive management or able to effect change at your company, please make the case for this. As I sometimes say, share this blog post with them if it's more time-efficient — as this issue goes to the core of how a company operates and publicly presents itself. 

    Yes, it's more work. And yes, you have to fix bugs that you might otherwise not be aware of. Having a dedicated security email address is a strong start for reactively fixing issues, and it can open the door for greater collaboration with the security research community down the line. This could include things like establishing a proper vulnerability disclosure program, where you publicly outline the scope in which you want people outside your organization to prod and poke at your front-facing systems to find bugs. And, having a bug bounty program in place can financially reward people for finding these flaws, which is another way to give back to the community.

    As one person (whose social account is private) shared with me recently regarding this issue, simply having a dedicated channel for folks to report issues to a person capable of handling security requests "is a force multiplier in reputational and risk hygiene."

    PLEASE SUPPORT THIS NEWSLETTER!

    ~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more, like:

    • Security precautions to consider while traveling through airports
    • Age verification laws threaten everyone's online security and privacy
    • Why your doctor's AI recorder can be bad for your health (and privacy)
    • How hackers are helping criminal gangs hijack truck deliveries
    • That company's big hack probably wasn't an employee's fault


    Here's another way to look at it. 

    If, as a corporate executive, your fear is that one day you're going to hear from me (or any other journalist for that matter), the irony is that you might never hear from me about whatever bug, flaw, or lapse you had — if you have a dedicated security email address on your website.

    That's because if you make it easy for people to reach out to you, people will! It might not stop every hack or data breach, but at least you are giving people the opportunity to alert you first.

    You might also not prevent the news from ever getting out, but this can be a net-positive experience, and it doesn't have to be a PR disaster. You should be proud of taking on this challenge and that you care about your company and customers enough to protect their information.

    Sharing in the now-safe aftermath of an incident can be helpful for anyone to learn from. It's not the security lapse or the vulnerability that's the issue; how it's handled matters most from a reputational point of view. Once the issue is fixed, actively sharing what you learned can be enormously helpful and a powerful thing — especially to help others identify similar issues. 

    As the saying goes, "it takes a village," and that's especially true in cybersecurity, where everyone is fighting the same battle.

    ~ ~

    Thank you so much for reading ~this week in security~. If you liked this article, please share it! Feel free to reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.
