Archive for Cybernews

Guest Post: Mythos access by Discord group reveals real danger of AI-powered hacking

Posted in Commentary with tags on April 22, 2026 by itnerd

By Stefanie Schappert

A Discord group’s unauthorized access to Anthropic AI’s powerful Mythos model on Tuesday is doing more than raising questions about the guardrails around powerful AI cybersecurity tools.

It’s exposing a bigger problem for the cybersecurity industry: AI can now find flaws and exploit them so quickly that defenders may be the ones left truly exposed.

A group of AI-fueled Discord info-seekers – one of them linked to a third-party vendor of the AI startup – managed to access the highly gatekept cybersecurity defense system in February, on the same day as its debut.

The group used a mixed bag of insider access, web-scouring bots, and some raw ingenuity, and the breach is triggering a fresh wave of alarm across an already spooked industry.

Ironically, as the Discord incident was unfolding, the Cloud Security Alliance – in a rapid-response briefing published days after Mythos was unveiled – warned that AI was accelerating vulnerability discovery faster than organizations could keep up, creating the perfect storm for defenders.

By finding thousands of flaws and zero days across hundreds of software systems, Mythos has effectively shrunk the patch window defenders have relied on for years – from days to just a few hours.

If it is released in the wild and adopted by hackers, security teams will inevitably be tasked with building an entirely new playbook to help decide how to prioritize and fix what matters – and there’s still no guarantee they can stem the cyber bleeding.

More than 250 security leaders helped shape the briefing, which argues the challenge is no longer just finding flaws, but deciding which ones actually pose real risk – and fixing them before they can be turned into working exploits.

It’s a shift some security experts say the industry is still underestimating. The problem is no longer discovery alone. It is remediation, accountability, and whether defenders can keep up as AI moves from identifying vulnerabilities to showing how they can be exploited in the real world.

The Mythos moment may ultimately be less about a single powerful cybersecurity model and more about what happens in the shrinking window between finding a flaw and weaponizing it.

Anthropic’s answer, for now, is Project Glasswing – a tightly controlled effort to use Mythos to help secure critical software before comparable models become more widely available.

But even that highlights the larger issue at hand: the industry knows what is coming and is still scrambling to build that much-needed playbook in time to defend against larger threats, such as nation-state or ransomware attackers.

If a group of AI nerds could get into Mythos – allegedly without malicious intent – imagine the fallout if the next ones to slide through that door were actual criminals.

ABOUT THE EXPERT

Stefanie Schappert, a senior journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019. She has a decade-plus experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News. With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. She earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google. She is a member of the Women’s Society of Cyberjutsu (WSC) and of Upsilon Pi Epsilon (UPE), the International Honor Society for Computing and Information Disciplines.

Hacker Claims To Have Pwned Lacoste, Ralph Lauren, Canada Goose, and Carter’s

Posted in Commentary with tags on April 16, 2026 by itnerd

A threat actor surfaced on a popular hacker forum, claiming to possess data belonging to Lacoste, Ralph Lauren, Canada Goose, and Carter’s.

The threat actor shared a small batch of sample images, roughly three to four per brand. The Cybernews research team has gone through the files provided.

These screenshots appear to include employee details such as full names and work email addresses. Others hint at possible customer data, though those portions were partially redacted by the actor before being posted. The full extent of the alleged breach remains under wraps, but Cybernews has reached out to the brands for confirmation.

Data that was allegedly stolen:

  • Full names and work email addresses of company staff;
  • Screenshots showing email addresses and home addresses of customers;
  • Internal metadata in the form of various numerical values and system-specific data points.

The attacker states in the post that it is “supply chain data.” Cybernews researchers analyzed the technical fingerprints left behind in the samples.

“Generally, the format of this data repeats across different brands mentioned and their samples,” our researchers noted. This points toward a supply chain attack, where a third-party service provider, likely one specializing in data management or retail logistics, was the true entry point. “The data itself looks like it came from SQL server DBMS, because photo samples included specific SQL server-related metadata, such as row version numbers,” our research team explained.

“The company may have had some compromised employee accounts. It could’ve also had some system misconfigurations that led to unauthorized access to internal data without necessarily having any account credentials,” our researchers added.

For more information, here’s the full report: https://cybernews.com/security/lacoste-ralph-lauren-supply-chain-data-breach/

Iran-linked attacks on U.S. infrastructure surfaced by the U.S.

Posted in Commentary with tags on April 8, 2026 by itnerd

Just before the Iran-U.S. ceasefire deal hit the news, the U.S. announced that Iran-affiliated threat actors attacked critical U.S. infrastructure through internet-facing Operational Technology (OT) systems, which are used to control physical processes such as water systems and energy grids.

Cybernews’ Senior Information Security Researcher Aras Nazarovas provided some extensive commentary on this. He explains what made these attacks possible and what protective measures should be taken with Operational Technology (OT) systems.

This is not just a one-off campaign – it’s a repeatable attack model

“Attackers didn’t rely on anything particularly advanced. They took advantage of OT systems that were supposed to be isolated but ended up exposed to the internet. This is a very common issue in OT systems, and the same kind of attack can be repeated again and again, until the systems are properly secured.”

OT environments often lack the standard security features that IT environments have

“OT environments often don’t have the same security controls as IT systems. Instead, they rely much more on physical security and isolation. These systems are built to stay active 24/7, so a lot of standard protections like encryption or strong authentication aren’t always in place. In some cases, traffic is unencrypted for simplicity, and default passwords are still used.

That’s why isolation is so important. OT systems are supposed to be air-gapped and kept completely separate from IT networks and the internet. In the Iranian attacks on U.S. critical infrastructure, that basic rule wasn’t followed – systems that should have been isolated were exposed online. To avoid this kind of situation, the first step is simple: don’t connect them to the internet in the first place.”

Global VPN downloads fell in 2025, but adoption in some European and Gulf countries keeps climbing 

Posted in Commentary with tags on March 25, 2026 by itnerd

Global VPN downloads hit an all-time high of 487 million in 2022 — and have been falling ever since. Downloads dropped to 404 million in 2023, partially recovered to 464 million in 2024, and fell again to 412.5 million in 2025, according to the latest iteration of the Cybernews VPN Adoption Report.

The report analyzed download data for the 50 most popular VPN apps from the Google Play Store and Apple App Store across 126 countries, compared against each country’s population to calculate adoption rates.

The Gulf states dominate the top 10

The countries where VPN adoption remains highest are overwhelmingly in the Persian Gulf. The UAE leads the world at 85.5%. The driving forces are state-level content restrictions and VoIP service blocks, as large expatriate populations need to communicate internationally.

Europe is showing consistent growth

Europe is the one region still showing consistent growth in 2025, while adoption rates in most other regions slowed down significantly. Three European countries sit in the global top 10 — the United Kingdom at #7, the Netherlands at #8, and France at #10. France saw the biggest climb of any G7 nation, rising 12 positions since the previous report. Seven of the global top 20 are now European, with the Nordics and Baltics also posting steady gains.

Adoption in G7 countries varies widely

Among G7 nations, the picture is uneven. The UK and France are both in the global top 10, while Italy and Japan remain far behind their peers.

The United States, despite producing the largest absolute download volumes, ranks only #21 — with downloads falling from 63.4 million in 2024 to 54.1 million in 2025.

Where VPN adoption is falling fastest

The steepest single-year declines were concentrated in countries with volatile political or regulatory environments. Myanmar dropped 19.4 percentage points in a single year, Nauru fell 17.1 pp, and Russia declined 12.3 pp.

The countries where almost no one uses a VPN

The lowest adoption rates are concentrated in Africa — 8 of the bottom 10 countries are African.

Full report here: https://cybernews.com/best-vpn/vpn-usage-by-country/

Guest Post: How Meta and TikTok Turn User Rage into Revenue, While Pretending to Keep You Safe

Posted in Commentary with tags on March 16, 2026 by itnerd

By Jurgita Lapienytė, Editor-in-Chief at Cybernews 

A new BBC report revealed what we suspected all along – big tech platforms turn a blind eye to harmful content for the sake of profit. Platforms allow so-called borderline content – misogynistic, sexist, racist, conspiracy-driven – that is harmful yet legal.

According to the report, based on accounts from a dozen whistleblowers and insiders, Meta engineers were instructed to allow more borderline content to compete with TikTok. Meanwhile, TikTok is said to have prioritized several user complaints involving politicians to “avoid threats of regulation or bans.”

Unsurprisingly, big tech platforms denied any wrongdoing, insisting that they do not amplify harmful content.

Algorithms are allegedly designed to better understand user interests and needs, and cater to them accordingly. Unfortunately, most of what a user “wants” turns out to be conspiracy theories, AI slop, deepfakes, and pro-Nazi content. Or at least the algorithm seems to think so – because most of this is so-called ragebait content, designed to provoke a strong response from the user.

And since users engage with it, the algorithm is tricked into “thinking” this is what people want. Humans behind the algorithm must clearly understand this is not the case, but clicks translate to cash. So why would Big Tech cut the branch it’s sitting on?

In 2024, Meta earned $16 billion, or 10% of its annual revenue, from scam ads and banned goods. The information comes not from a third-party analytics firm but from Meta’s own documents, proving that the tech giant is well aware of how much harm it can spread – and how much money it can make along the way.

While platforms and lawmakers take their sweet time debating what borderline content is, people are left to deal with the psychological fallout of social media addiction. From the inability to tell right from wrong or fake from real, loss of concentration, sleep, and even sense of self, to radicalization, depression, and self-harm – the consequences of companies toying with their algorithms to meet business goals are dire for humanity.

It’s not only our mental health that’s at stake. Adversaries, well aware of algorithmic logic, abuse it to spread misinformation and straightforward lies, sowing division to influence elections all over the world – making us wonder just how much harm performative compliance has already done to democracy.

ABOUT THE AUTHOR 

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts dedicated to uncovering cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. Recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity, she is a thought leader shaping the conversation around cybersecurity. Jurgita has been quoted internationally.

ABOUT CYBERNEWS

Cybernews is a globally recognized independent media outlet where journalists and security experts debunk cyber by research, testing, and data. Founded in 2019 in response to rising concerns about online security, the site covers breaking news, conducts original investigations, and offers unique perspectives on the evolving digital security landscape. Through white-hat investigative techniques, the Cybernews research team identifies and safely discloses cybersecurity threats and vulnerabilities, while the editorial team provides cybersecurity-related news, analysis, and opinions by industry insiders with complete independence. For more, visit www.cybernews.com.

Guest Post: Pro-Iranian Hackers Are Ramping Up Attacks – and Cyberwar Is Spilling into Everyday Life

Posted in Commentary with tags on March 12, 2026 by itnerd

By Stefanie Schappert

From hospital supply chains to payment networks, the latest Iran-linked cyber threats show how geopolitical retaliation can disrupt the companies and services people depend on every day.

Verifone and Stryker Bring Cyberwar Closer to Home

Verifone and Stryker are the clearest signs yet that cyberwar is no longer confined to government agencies or military systems.

In less than a day on Wednesday, the Iran-linked hacktivist group Handala claimed attacks on both companies – Verifone, a major payments provider with strong ties to Israel, and Stryker, one of the biggest medical technology firms in the US.

In Stryker’s case, the fallout appeared far bigger than ordinary corporate IT downtime.

The group claimed it wiped more than 200,000 systems, servers, and mobile devices and stole 50TB of data. It also said the attack forced shutdowns across Stryker offices in 79 countries, though Stryker says it operates in 61 countries and impacts more than 150 million patients annually.

What’s more, more than 5,000 workers at Stryker’s Ireland hub were reportedly sent home, while healthcare providers in the US struggled to order surgical supplies through the company, according to KrebsOnSecurity. 

AOL reported that the disruption also affected Lifenet, a platform used by emergency responders to send patient data to hospitals.

That is what makes this story more than another burst of geopolitical cyber noise – it shows how retaliation abroad can hit the companies and systems ordinary people rely on every day.

Iran-Linked Threats Are Already Multiplying Online

The threat is not limited to one or two headline-grabbing incidents. In an early March advisory, Sophos warned that likely tactics could include website defacements, DDoS attacks, ransomware, destructive wipers, hack-and-leak operations, phishing, and password spraying.

Researchers also say the infrastructure for the next wave may already be in place. ThreatLabz identified more than 8,000 newly registered domains tied to the Middle East conflict, warning that many may still be “weaponized or used in threat campaigns in the near future.”

The lures include fake news blogs, conflict-themed malware files, and other content designed to exploit panic and curiosity while tensions remain high.

At the same time, more sophisticated Iranian-linked operators do not appear to be starting from scratch.

In my recent Cybernews reporting on Seedworm, the Iran-backed espionage group was found maintaining access to multiple organizations since early February – before the current escalation became front-page news – with targets spanning banking, aviation, technology, and nonprofit organizations.

The Easiest Way in Is Still Human Error

Cyberwar is no longer a niche story about espionage and classified systems, but has moved into the mainstream.

US cyber agencies warned last June (after the US bombed Iran’s nuclear facilities) that Iranian cyber actors often exploit familiar weaknesses – including unpatched software, known vulnerabilities, and default or commonly used passwords on internet-connected accounts and devices.

Those risks are also getting easier to scale. 

CrowdStrike’s latest threat reporting says AI is “scaling attacks and lowering barriers to entry,” turning it into both a force multiplier for cyberattacks and a new attack surface.

AI is allowing threat groups to move faster, generate more convincing phishing lures, and automate more of the attack chain than many defenders are prepared for.

We have seen this playbook before. Russia’s GRU-linked Sandworm hackers were blamed for disruptive attacks on Ukraine’s power grid, including a 2022 incident that researchers said coincided with missile strikes and triggered power cuts.

And after the October 7 attacks, US agencies warned that Iran-linked actors had targeted US water and wastewater facilities by exploiting Unitronics PLCs used in industrial control systems.

All because the PLCs were Israeli-made – once again, proving how quickly geopolitical cyber retaliation can move from symbolism to systems that touch everyday life.

For organizations, that means patching faster, locking down internet-facing devices, turning on MFA, and training employees on the latest phishing lures.

For everyone else, it is a reminder that human error is still one of the easiest ways in – and that the next disruption may hit not a government target, but the companies people depend on without thinking twice.


Pentagon picks Grok AI… Which Likely Isn’t A Good Thing

Posted in Commentary with tags on March 3, 2026 by itnerd

The US Pentagon recently approved Elon Musk’s Grok AI for classified military operations while threatening Anthropic with penalties for refusing to remove ethical safeguards from its Claude AI.

Jurgita Lapienytė, chief editor at Cybernews, had this to say:

Safety rules are being thrown out.

“For the fear of its Claude being used for the surveillance of American citizens or used to develop mass weapons, the US leading AI company has backed out of the deal with the Pentagon, and is now facing penalties for standing its ground. Yes, the government shouldn’t allow any company to dictate the terms for defence operations. But should AI companies be punished for having safety rules? If the biggest market players are forced onto their knees, smaller companies will stop having safety rules, too. Will being ‘safe’ become bad for business?”

Machines making kill decisions.

“Currently, AI is not only untrustworthy but also very dangerous when unsupervised. In military operations, it can also be used to dehumanize operations by offering gamified experiences for officers and soldiers, and shifting personal responsibility.”

Approval based on politics, not security.

“You’d expect your government to pick the best technology and go to great lengths to discuss the best possible solutions for American citizens and defense goals. What seems to have happened here is that, in the heat of public discussion, another company got fast-tracked, while at the same time it’s facing hefty fines and even bans in other countries.”

This might be a security issue for other countries, too.

“When the world’s most powerful military starts using AI without being transparent about exactly how, one can begin to wonder just how much US operations overseas are influenced by the algorithm. Every country in conflict with the US should keep a close eye on this development.”

Hacker reveals 6.8 billion emails online and warns victims “your data is public”

Posted in Commentary with tags on February 11, 2026 by itnerd

A user of a popular data leak forum posted a database, claiming it contains 6.8 billion unique email addresses collected from various data sources online. The user claims to have spent several months digging through various online sources, which often contain illegally obtained data.

“Two years ago, I obtained more than 3.3 billion unique email addresses. After a long break, I started this again and spent about 2 months extracting emails from various combos, ULP collections, logs, and databases and extracted 6,839,584,670 unique email addresses,” the post’s author, going by the moniker Adkka72424, said.

The Cybernews research team investigated the 150GB-strong dataset and here’s what they found:

• The dataset did include over 6.8 billion lines of information, exactly as the post’s author said.
• However, our team noted numerous invalid email addresses, which makes the database a lot more difficult to use for amateur attackers. For one, the database requires time and effort to fix and make usable for large-scale attacks.
• The team believes that after eliminating unusable emails and removing duplicates, the actual number of email addresses included in the database could be significantly smaller, hovering around 3 billion unique emails.

While less than half the size initially claimed, several billion email addresses in a single database is still a massive number of ready-to-use targets for cybercriminals.

For more information, here’s the full report: https://cybernews.com/security/massive-email-database-leak-billions-records/

Cybernews researchers analyze leaked Bumble data and find sensitive company documents and user-related identifiers

Posted in Commentary with tags on February 2, 2026 by itnerd

Cybernews researchers analyzed a data sample allegedly stolen from dating app Bumble after the ShinyHunters cybercrime group claimed responsibility for a breach involving internal company systems.

ShinyHunters added Bumble to its dark web leak site on January 29, claiming it exfiltrated approximately 30GB of data from the company’s Google Drive and Slack channels. According to the attackers, the data was obtained by compromising a contractor’s account through phishing. The gang claims to possess “thousands of internal documents” belonging to the company.

Bumble confirmed to Cybernews that a contractor’s account with limited privileges was compromised in a phishing incident. The company stated that the intrusion was detected and contained quickly.

“Our InfoSec team rapidly eliminated the access, and the incident is contained. We have engaged external cybersecurity experts and notified law enforcement. Importantly, there was no access to our member database, member accounts, the Bumble application, or member direct messages or profiles,” a Bumble spokesperson told Cybernews.

Bumble is a widely used dating platform with over 40 million active users and hundreds of millions of downloads globally. The app is operated by Bumble Inc., which also owns Badoo and Bumble For Friends (BFF).

Following the attackers’ claims, the Cybernews research team analyzed the data sample attached to the ShinyHunters dark web post. Researchers say the exposed files appear legitimate, but the dataset shared by the attackers is limited, making it unclear whether it represents the full scope of the allegedly stolen data or only a partial sample.

Based on the analysis, the majority of the exposed material consists of internal corporate information rather than user-facing data. The files include internal company documents such as contracts with partner companies, invoices, policy reviews, onboarding guides, internal reports, and CVs containing candidate employment history and personally identifiable information (PII).

While Bumble stated that no user accounts or messages were accessed, the Cybernews team noted that the sample contains some technical data, including user IDs, session IDs, and authentication cookies. In theory, such data could be abused by sophisticated attackers to attempt account takeover via session hijacking, although no evidence suggests this has occurred.

The dataset also includes information related to a limited number of Bumble in-app groups, known as Hives. While no group members were exposed, some group names, descriptions, welcome messages, rules, and change logs were present in the sample.

ShinyHunters is currently running a broader campaign targeting dating platforms and technology companies. Last week, Cybernews researchers analyzed a leaked Hinge data sample and found it contains user dating profile information, such as names and bios, as well as Hinge subscription data, including transaction IDs and amounts paid.

Cybernews continues to monitor the situation and analyze new information as it becomes available.

You can find a full technical breakdown of the Bumble data sample, the attackers’ claims, and expert analysis on potential risks in the complete investigation published on the Cybernews website here.

Android AI apps leak Google secrets the most with hundreds already breached

Posted in Commentary with tags on January 29, 2026 by itnerd

The Cybernews research team has analyzed 1.8 million Android apps on the Google Play Store and found that most AI apps leak an average of five secrets. Analyzed apps are leaking hardcoded secrets and cloud endpoints, putting users at risk or, in some cases, even potentially allowing attackers to empty their digital wallets.

Key research takeaways:

• 72% of analyzed Android AI apps contained at least one hardcoded secret.
• On average, an AI app leaks 5.1 secrets, and 81.14% of the detected secrets were related to Google Cloud Project identifiers, endpoints, and API keys.
• 68% of the hardcoded secrets pertained to Google Cloud Project Identifiers and API Keys.
• LLM API Keys were mostly secured, with mainly low-risk LLM API Keys found hardcoded.
• An investigation found that hundreds of AI apps had already been breached.
• Leaky instances of Firebase and Google Cloud Storage have already exposed over 200 million files, totaling nearly 730TB of user data.
• Android AI apps exhibit similar dangerous tendencies to hardcoded secrets found in iOS apps, as Cybernews investigated in 2025.

Secrets already exploited

Cybernews researchers identified 285 Firebase instances missing authentication entirely, leaving them openly accessible to anyone. Collectively, these databases leaked 1.1GB of user data.

The team is sure that the instances were already compromised. In 42% of cases, the researchers found a table explicitly named “poc,” shorthand for “proof of concept.”
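A pre-release check an app team could run against its own build, covering the two findings above: hardcoded Google/Firebase identifiers in the decoded strings.xml, and a Firebase Realtime Database whose rules grant unauthenticated access or whose export already carries the “poc” node. This is an added example, not Cybernews’ research tooling; the strings.xml, rules and export below are constructed, and the Firebase/Cloud Storage host patterns and the Facebook SDK resource names are assumptions about the usual naming.

```python
"""Pre-release triage for an Android build (example code, not Cybernews'
tooling): flag hardcoded Google/Firebase identifiers in res/values/strings.xml,
check Realtime Database rules for unauthenticated access, and look for the
"poc" node the researchers treated as a sign of prior compromise."""
import json
import re
import xml.etree.ElementTree as ET

# Google API keys start with "AIza" and are 39 characters long. The Firebase
# and Cloud Storage host patterns are assumptions based on the usual naming.
VALUE_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "firebase_rtdb_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"),
    "gcs_bucket": re.compile(r"\b[a-z0-9-]+\.appspot\.com\b"),
}
# The Facebook SDK reads its app id / client token from these resource names
# (assumed convention), so the resource name itself is the indicator.
NAME_PATTERNS = {
    "facebook_app_id": re.compile(r"^facebook_app_id$"),
    "facebook_client_token": re.compile(r"^facebook_client_token$"),
}


def mask(value: str) -> str:
    """Keep enough of a secret to triage it without re-leaking it in a report."""
    return value if len(value) <= 8 else f"{value[:4]}…{value[-4:]}"


def scan_strings_xml(xml_text: str) -> list[dict]:
    """Return one finding per hardcoded secret found in a strings.xml file."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        for category, pattern in VALUE_PATTERNS.items():
            for match in pattern.finditer(value):
                findings.append({"name": name, "category": category,
                                 "value": mask(match.group(0))})
        for category, pattern in NAME_PATTERNS.items():
            if pattern.match(name) and value:
                findings.append({"name": name, "category": category,
                                 "value": mask(value)})
    return findings


def rtdb_rules_open(rules_json: str) -> list[str]:
    """Return the root permissions (".read" / ".write") granted to everyone.

    Realtime Database rules look like {"rules": {".read": ..., ".write": ...}};
    a literal true at the root is the "missing authentication entirely" case,
    while the string "auth != null" requires a signed-in user."""
    root = json.loads(rules_json).get("rules", {})
    return [perm for perm in (".read", ".write") if root.get(perm) is True]


def has_poc_marker(export_json: str) -> bool:
    """True if a database export has a top-level node named "poc", the
    proof-of-concept marker found in 42% of the compromised instances."""
    data = json.loads(export_json)
    return isinstance(data, dict) and any(k.lower() == "poc" for k in data)


# Constructed sample inputs: a decoded strings.xml, a weak rules file beside
# its corrected form, and a database export carrying the "poc" marker.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">ChatBuddy</string>
    <string name="google_api_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLEKEY01</string>
    <string name="firebase_database_url">https://chatbuddy-example.firebaseio.com</string>
    <string name="google_storage_bucket">chatbuddy-example.appspot.com</string>
    <string name="facebook_app_id">123456789012345</string>
</resources>"""
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
FIXED_RULES = '{"rules": {".read": "auth != null", ".write": "auth != null"}}'
RTDB_EXPORT = '{"users": {"u1": {"name": "A"}}, "poc": {"visited": "2025-01-01"}}'

if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{f['category']:22} {f['name']:24} {f['value']}")
    print("open root permissions (weak rules):", rtdb_rules_open(OPEN_RULES))
    print("open root permissions (fixed rules):", rtdb_rules_open(FIXED_RULES))
    print("poc marker present:", has_poc_marker(RTDB_EXPORT))
```

Run it against the decoded output of your own APK (strings.xml from apktool or a resource dump) and an export of your own database; an empty list from rtdb_rules_open and no findings from scan_strings_xml is the state a release should be in.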

Google secrets were leaked the most

More than 81% of all detected secrets were related to Google Cloud projects. In total, researchers identified 197,092 unique secrets, averaging 5.1 per app, of which just 0.96 were not connected to Google.

The second most common category of embedded identifiers belonged to Facebook, primarily app IDs and client tokens, which are frequently hardcoded for analytics, login, and advertising integrations.

Please find the full Cybernews research article here.