Archive for Cybernews

Hacker group Lapsus$ claims to have stolen 180GB of internal data from IKEA franchisee

Posted in Commentary on June 2, 2026 by itnerd

The threat actor known as Lapsus$ claims to be selling 180GB of internal data allegedly stolen from Ingka Group, the largest franchisee of the IKEA brand, operating hundreds of stores and digital channels across 32 countries.

Cybernews took a look at the claims. Here are the key findings:

  • In the data sample, Cybernews researchers found roughly 6,300 directory names referencing internal tools, CMS platforms, and the IKEA Android app, but the actual contents of those directories remain unverified.
  • IKEA has not officially confirmed the breach.
  • The allegedly stolen data relates to source code, not customer records. The listing references internal source code repositories, e-commerce architecture maps, supply chain logistics systems, cloud infrastructure, and AI/MLOps repositories.
  • Even without customer data, the leak poses serious security risks. Exposed source code could reveal unpatched vulnerabilities, internal system architecture, and communication patterns between applications, giving attackers a detailed roadmap for more targeted future attacks.
  • The Lapsus$ gang has previously claimed breaches at Adidas, AstraZeneca, Microsoft, Uber and Vodafone.

For more information, here’s the full report: https://cybernews.com/security/ikea-source-code-data-sale-lapsus

Hackers claim OnlyFans leaked 340 million user records

Posted in Commentary on May 27, 2026 by itnerd

On a popular data leak forum, hackers claim to be selling 340 million OnlyFans user records, including emails, usernames, and account activity metrics. According to Hackread, the attackers claim they built the database using data from previous OnlyFans leaks, public sources, and other data breaches.

The Cybernews research team has investigated the data sample and here’s what they found:

  • There were only 10 sample records attached to the post.
  • The listed data included user IDs, usernames, email addresses, and registration profiles. The sample also contained fields for phone numbers, account flags, and linked accounts, but they were empty.
  • The team noted that samples in the account appear to come from around August 2025, which could indicate the attacker collected older data.

For more information, here’s the full report: https://cybernews.com/security/onlyfans-mega-data-leak-hackers-claim/ 

Major arcade game maker leaks nearly 19 million user records, ranging from full names to unique IDs

Posted in Commentary on May 20, 2026 by itnerd

On March 19th, the Cybernews team discovered three exposed servers containing data for Wahlap users. Wahlap is a China-based arcade maker, one of the largest in the world, partnering with gaming giants such as Sega, Warehouse of Games, Timezone, and others. 

Here are the key findings:

  • In total, 18.9 million records were left exposed online, covering Wahlap members’ identifiers, gaming behavior data, asset information, customer snapshots, and application logs. 
  • According to our team, the data most likely leaked via Wahlap’s WeChat mini programs. WeChat mini programs are lightweight applications that run inside the WeChat ecosystem. 
  • The exposed information can be broadly put into five index categories: Wahlap members data, members’ gaming behavior data, Wahlap asset data, consumer snapshot data, and other indices.

We have reached out to Wahlap and will update this article once we receive a reply. Several days after the discovery, the team noticed that the exposed cluster was no longer publicly accessible.

For more information, here’s the full report: https://cybernews.com/security/wahlap-arcade-game-maker-data-leak-wechat

Age verification laws drive 460% surge in bypass discussions on Reddit, VPN downloads increase

Posted in Commentary on May 18, 2026 by itnerd

Cybernews analyzed Reddit discussions related to age verification bypassing between May 2025 and April 2026, as well as VPN download trends in countries where online age verification laws have come into effect. The study found that users are increasingly looking for age verification bypass techniques as laws take effect.

Here are the key findings:

  • Reddit posts about age verification bypassing rose from 1 thread in May 2025 to 65 threads in April 2026, with 241 total discussions identified.
  • After the UK’s age verification measures came into effect on July 25, 2025, comments on Reddit discussions about bypass techniques surged by 460%, while VPN downloads in the UK hit 2 million.
  • VPN downloads nearly tripled in Australia after the country introduced age restrictions for adult content in March 2026. Reddit comments about bypass techniques also increased by 47%.

“It looks like age verification laws are not stopping determined users from accessing restricted content. And it’s not just kids – many privacy-conscious users simply do not want to share sensitive personal data online, as age verification often requires uploading an ID or doing a facial scan. As long as these methods remain so privacy-invasive while bypass techniques remain widely accessible, these laws are unlikely to achieve their intended effect”, says Aras Nazarovas, Senior Information Security Researcher at Cybernews.

In the US, various states enforced age verification laws throughout late 2025 and early 2026, which may have also contributed to the elevated Reddit activity about age verification bypass techniques.

For more information and visuals, here’s the full report:

https://cybernews.com/security/age-verification-laws-drive-surge-in-bypass-discussions-and-vpn-downloads

Guest Post: Canvas paid hackers – but the student data questions are just beginning

Posted in Commentary on May 13, 2026 by itnerd

By Stefanie Schappert

The Canvas attack shows how educational platforms have become critical infrastructure – and how paying off hackers still leaves major questions about whether student data is ever truly safe. 

Last week’s Canvas cyberattack led to a finals-week nightmare for thousands of students across North America, locking them out of exams, assignments, and coursework – all while putting them face-to-face with the notorious ShinyHunters ransomware gang – something most students would never have expected. 

With threats to release stolen data belonging to 275 million students and teachers tied to the e-learning platform, Canvas by Instructure announced over the weekend it paid off the seasoned hackers, alongside a “digital confirmation of data destruction” from ShinyHunters themselves. 

The undisclosed ransom demand was reportedly paid to ShinyHunters as part of an agreement intended to prevent an imminent leak affecting schools, from kindergarten classrooms to universities worldwide. 

But now the breach is becoming something much bigger: a test of whether the more than 8,000 schools caught up in the hack can trust a hacker group’s word that stolen student data was actually destroyed.


Paying hackers does not erase the risk 

While it may have been enough to stop an immediate leak, it does not erase the larger problem – once student data is stolen, control is gone.

If we look back to the December 2024 breach of edtech software provider PowerSchool, the lesson apparently has not been learned.

After PowerSchool allegedly forked over a $60 million ransom demand, the 19-year-old attacker later turned to extorting the 15,000 North American school districts using the platform – despite earlier promises to delete the stolen data. 

Fast forward to the Canvas breach. The company says there is no evidence the stolen information was publicly leaked or retained after the payment agreement. 

Canvas revealed compromised data included full names, email addresses, student IDs, course and enrollment data, plus “billions of private messages” exchanged on the platform. 

And while passwords, Social Security numbers, financial information, grades, coursework submissions, and student files were not exposed, cyber experts say once student data falls into the hands of criminal actors, “the implications for identity theft, targeted social engineering, and even safeguarding are serious and long-lasting.”

Despite historical evidence that ransomware groups lie, students, parents, and schools are still being asked to accept that these cybercriminals will honor their end of the deal.

Criminal promises are still promises from criminals 

To be fair, there is a reason extortion groups sometimes do. ShinyHunters and groups like it operate for profit. Their entire business model depends on victims believing that payment can reduce damage, prevent leaks, or stop further extortion. 

If hackers routinely take the money and leak the data anyway, future victims have less incentive to pay.

In that sense, even criminal groups have a reputation to protect.

But that does not make their promises trustworthy. Data can be copied. Affiliates can retain files. Archives can resurface months later.

The PowerSchool breach already showed how difficult it is for schools and families to know whether stolen student information has truly disappeared after a cyber extortion incident.

That is why the Canvas case matters beyond a company apology and a single ransom agreement.

One platform, millions of students 

The attack also exposed how dependent modern schools have become on centralized cloud platforms to function at all. 

Canvas is no longer just a homework portal. For many schools, it is the classroom, gradebook, assignment tracker, messaging hub, exam platform, and student records pipeline all rolled into one.

When initial negotiations failed, ShinyHunters upped the ante, defacing Canvas login pages with threats and turning to target individual schools for extortion.

With the system down, frustrated students and teachers lost access to key classroom tools, while school officials scrambled to contain the damage, with some schools forced to cancel final exams altogether.

It is the same uncomfortable lesson seen in the infamous AWS and CrowdStrike disruptions from years past: when one widely used platform fails, entire industries can grind to a halt all at once.

The answer is not for schools to abandon cloud platforms altogether. That’s unrealistic. But cyber insiders have long warned that institutions need real backup plans before outages happen – not improvised workarounds after the systems have already been disabled.

Because when the world’s classrooms run on a single platform, a cyberattack is no longer just an IT problem – it becomes an education crisis. 

ABOUT THE EXPERT

Stefanie Schappert, a senior journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019. She has a decade-plus of experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News. With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. She earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google. She is a member of the Women’s Society of Cyberjutsu (WSC) and the Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines.

Messaging app leaks details of 1.2M profiles online including names and phone numbers

Posted in Commentary on May 12, 2026 by itnerd

Cybernews researchers have found that Tokee, a video and text messaging app, has leaked the details of 1.2 million user profiles, which represents the vast majority of the app’s user base. The exposed data was stored in a MongoDB database, a popular service businesses use to store and process large volumes of data.

Here’s the data that was leaked:

  • User display names;
  • Phone numbers (stored as numeric values);
  • Profile avatars (hosted on Firebase Storage);
  • Device tokens used for push notifications;
  • User IDs;
  • Account creation and update timestamps;
  • “Last seen” activity indicators;
  • Account status flags (e.g., premium/non-premium).

The exposed database appears to have stored Tokee’s chat messages, but our researchers say the messages were encrypted.

After the Cybernews team contacted the company and the responsible authorities, the exposed database was taken offline. 

Attackers could exploit the data to track and profile user activity and use leaked tokens for targeted phishing and spam campaigns, increasing cybersecurity risks for app users. 

For more information, here’s the full report:

https://cybernews.com/security/tokee-messaging-app-data-leak

Guest Post: Your Privacy Shield Is Paper-Thin. You’ll Need to Save Yourself

Posted in Commentary on May 11, 2026 by itnerd

By Jurgita Lapienytė, Chief Editor at Cybernews

Under the excuse of keeping United States Immigration and Customs Enforcement (ICE) employees safe, the Department of Homeland Security (DHS) invades your privacy.

Maybe it hasn’t happened to you — or you’re unaware it has — but if you’ve been critical of ICE on social media, DHS has likely requested your personal data from platforms like Meta or Google, including your contact details and physical location.

Reportedly, the DHS has issued hundreds of administrative subpoenas to Google, Reddit, Discord, and Meta, all seeking identification of people who have publicly criticized ICE. Wired recently reported on a case involving a Canadian man who came under the spotlight after Google revealed that the DHS had requested his location, activity logs, and other information.

The DHS issued a customs summons request, which is used to investigate issues related to illegal imports, and asked Google not to disclose it. Notably, the man hasn’t been to the US for over a decade, and has been criticizing the Trump administration after federal agents killed Renee Good and Alex Pretti.

Now, if Google were to be trusted, insisting that their “processes for handling law enforcement requests are designed to protect users’ privacy while meeting our legal obligations,” we might all sleep soundly. But we shouldn’t.

But the scary part is that Google and other platforms HAVE all that information that the government could use against its people: email addresses, phone numbers, home addresses, activity logs, and whereabouts, among other sensitive data. Remember when ProtonMail, the European tech company praised for its privacy focus, shared an IP address of an activist with authorities, claiming it had no legal grounds to resist the request? This disclosure led to the activist’s arrest on criminal charges by French police and tarnished the reputation of the Swiss tech company. Unfortunately, it wasn’t an isolated incident for Proton.

We may choose to trust that companies will do their best to protect our data, since their reputation and profits depend on it. But we cannot always trust governments to protect us. It seems that federal agencies have been issuing customs summonses with increasing frequency, raising suspicion about why they need data such as surveillance video from an abortion provider in Illinois or information from a Lutheran organization that provides refugees with humanitarian and housing support.

Don’t rely on corporate promises. The government can make sure they fail to deliver. Instead, take back control of your data and your safety.

How?

  • Switch to privacy-focused tech options. Ditch Google, TikTok, and Meta apps, and forget data-harvesting and simply malicious browser extensions. May I suggest even exploring some European tech alternatives built with privacy in mind?
  • Go analogue sometimes. Consider going on some adventures without any device. If you have your phone with you, your location is traceable, and you aren’t also mute.
  • Opt out of personalization. Decline cookies, block ads, hide your location. That hyperpersonalization isn’t created for you — it’s designed so advertisers can know you better.
  • Above all, be polite online. Exercising your free speech should not mean hate speech, doxxing and endangering federal agents or any other human beings.

ABOUT THE AUTHOR 

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts dedicated to uncovering cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. Recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity, she is a thought leader shaping the conversation around cybersecurity. Jurgita has been quoted internationally – by Metro UK,  The Epoch Times, Extra Bladet, Computer Bild, and more. Her team reports on proprietary research highlighted in such outlets as the BBC, Forbes, TechRadar, Daily Mail, Fox News, Yahoo, and much more.

Built-in security overtakes traditional antivirus in the US, and trust in AI threat detection falls sharply, a new survey finds

Posted in Commentary on May 4, 2026 by itnerd

The way Americans protect their devices is undergoing a quiet shift. According to the second annual Antivirus Market Report 2026 from cybersecurity news portal Cybernews, built-in operating system tools have overtaken traditional third-party antivirus software as the primary line of defense for the majority of US internet users, while smartphones remain dangerously underprotected.

The study, based on a survey of 1,005 US adults conducted between March 30 and April 10, 2026, also shows a sharp drop in consumer enthusiasm for AI-powered security and a measurable rise in cybercrime.

Key findings:

  • 53% of US PC users and 51% of mobile users rely on built-in OS security (such as Microsoft Defender or Apple’s native tools) as their primary protection, which is roughly 139 million and 134 million Americans, respectively.
  • Only 18% of mobile users invest in third-party antivirus, compared with 41% on computers; 14% of mobile users use no cybersecurity tools at all.
  • Favorability toward AI-powered threat detection fell from 77% in 2025 to 47% in 2026.
  • The share of Americans who reported experiencing cybercrime grew by 14% year over year.
  • McAfee and Norton remain the leading third-party brands for the second year in a row; AVG dropped out of the rankings entirely.
  • Paid antivirus has overtaken free versions: 68% of PC and 66% of mobile antivirus users now hold a premium subscription.
  • Data breaches were named the single greatest personal cybersecurity threat by 36% of respondents.

Smartphones are severely underprotected

Smartphones are the most-used personal device as 85% of respondents use one outside of work, yet they receive the least investment in security. Beyond the 14% of mobile users who report no protection at all, another 16% are unsure what protection they have, leaving a substantial share of the US smartphone population effectively unguarded.

Compared with the 2025 report, third-party antivirus use on mobile devices fell by roughly 10 percentage points, while computer protection inched up by two.

AV market consolidates around two names

Among third-party antivirus users on computers, McAfee leads with 40% market share, followed by Norton (37%), Malwarebytes (19%), and Bitdefender (9%).

On smartphones the order flips: Norton takes 42%, McAfee 39%, Surfshark 16%, and Bitdefender 15%.

The strong showing of Surfshark and Bitdefender on mobile points to growing traction among multi-tool security users. AVG, which appeared in last year’s report, was not used by survey respondents at all in 2026.

Consumers are okay with paying more for protection

Among users who do choose third-party antivirus, paid subscriptions are now clearly preferred: 68% of PC antivirus users and 66% of mobile antivirus users hold a premium plan, a notable jump from the 32% in 2025.

The data suggests that the segment still actively purchasing antivirus is increasingly willing to spend more for stronger protection, while everyone else is migrating to whatever ships with their device.

Antivirus is becoming one tool among many

Americans are no longer relying on antivirus software in isolation. VPNs are now used by 62% of PC and laptop users and 65% of mobile users, ahead of ad blockers and password managers.

The AI hype in cybersecurity is fading

Enthusiasm for AI-based security has collapsed in just twelve months. Favorability toward AI-powered threat detection dropped from 77% in 2025 to 47% in 2026, and 9% of users said AI features would actively make them less likely to use a given antivirus product.

Cybercrime keeps climbing

The share of Americans reporting personal experience with cybercrime rose by 14% year over year. Among those affected, 74% said the experience directly influenced their decision to start or continue using antivirus protection, meaning that, for many US consumers, security upgrades still tend to follow a harmful experience instead of preventing it.

Trust is now a huge competitive differentiator

Forty percent of respondents had heard of antivirus-related controversies, including Kaspersky’s US ban over national security concerns and Avast’s case for selling user browsing data. Among those aware, 82% said the information influenced their trust or purchasing decisions. The effect was strongest among users aged 18–24.

Demographic differences persist

Women are less likely than men to fall victim to cybercrime and tend to rely more on built-in tools and free antivirus software. Men are more likely to invest in paid third-party antivirus and additional security tools. Among non-users, men also showed higher levels of distrust toward antivirus software overall.

Data breaches are the biggest cybersecurity fear 

When asked to identify their greatest cybersecurity concern, 36% of respondents named data breaches at companies that store personal information, followed by phishing (31%), accidentally downloading malware (24%), and being specifically targeted by hackers (24%).

Notably, AI-related threats such as deepfake scams entered the top five, ranking ahead of the long-standing concern of unsafe public Wi-Fi.

The full report is available at: https://cybernews.com/best-antivirus-software/antivirus-market-report

Methodology

The survey was conducted online via the Cint panel between March 30 and April 10, 2026, among 1,005 US respondents aged 18 to 74. Quotas were applied to ensure balanced representation across age, gender, and region. Margin of error: ±3.1% at the 95% confidence level. Population estimates referenced in the report are based on US Census Bureau 2026 data.

Scammers leak details of 345K credit cards by vibecoding a server used to verify stolen credit cards 

Posted in Commentary on April 29, 2026 by itnerd

On April 16th, the Cybernews research team discovered an exposed server owned by a threat actor. The exposed information is controlled by a carding market called Jerry’s Store.

Here are the key findings:

  • Jerry’s Store is a tool that provides credit card validity percentages. In other words, threat actors used this tool to check if stolen payment cards are still operational.
  • Jerry’s Store operators used Cursor, an AI-assisted development environment, to set up the leaking server and administrator-facing dashboards.
  • Researchers believe that relying on an AI assistant to set up the server was the main reason why it ended up exposed, and that the threat actor received flawed instructions for building the dashboards.
  • “While in this case it helped identify credit card fraud-related abuse, it’s also a lesson for developers using Cursor for legitimate uses, showing how it can lead to accidental data leaks,” researchers said. 

Researchers identified nearly 200K credit card details that the service deemed “invalid,” and over 145K counts of valid payment card information, including:

  • Credit card numbers;
  • Expiration dates;
  • Security codes;
  • Cardholder names;
  • Cardholder addresses.

For more information, here’s the full report: https://cybernews.com/security/jerrys-store-vibecode-exposes-stolen-credit-cards

156 deepfakes targeted U.S. officials in the past two years: Cybernews

Posted in Commentary on April 28, 2026 by itnerd

New research by Cybernews reveals that there have been 156 deepfake incidents targeting currently serving U.S. officials in the past two years. Most of them are of Donald Trump. The research analyzed deepfakes of the President, Vice President, Cabinet members, governors, and Congress members.

Here are the key findings:

  • 23 out of 602 currently serving U.S. officials were targeted at least once during the analyzed period.
  • In the past two years, there have been 156 deepfake instances of currently serving U.S. government officials. President Donald Trump alone accounts for 90 of the 156 instances recorded, or 58% of all deepfake incidents in the dataset.
  • The next most targeted figures are Marco Rubio (13 instances) and JD Vance (12 instances). Together, the top three account for 115 out of 156 instances, or 73.7% of all recorded cases.
  • 76% of deepfakes targeted Republicans – but without Trump, the distribution is more balanced.
  • The most-deepfaked Democrat is Alexandria Ocasio-Cortez, with 9 instances recorded.
  • The likelihood of being targeted by deepfakes drops sharply in larger groups, such as the House and Senate, where individual members are less visible and less recognized by the media.

For more information and visuals, here’s the full report: https://cybernews.com/ai-news/most-deepfaked-us-government-officials