ShinyHunters Just Hacked Rockstar Through A Supplier – Every Business Using Third-Party Software Should Pay Attention

Tue, 14 Apr 2026 12:30:51 +0000

If ShinyHunters sends you a ransom note, you’ve had a bad day. Rockstar Games is having one.

According to reporting from The Register, the hacking collective behind some of the most high-profile data breaches of recent years has claimed a successful attack on the studio behind Grand Theft Auto, with a ransom deadline set for 14 April 2026.

The attackers didn’t break into Rockstar’s own infrastructure to do it. They walked through a door left open by Anodot, a third-party cloud analytics vendor Rockstar used for monitoring cloud costs and performance data.

Rockstar has confirmed that a limited amount of non-material company information was accessed and that player data and live game services were unaffected. It hasn’t disclosed the exact nature of what was taken or whether any ransom demand has been met. What it has confirmed, however, is enough to make the point: one of the best-resourced studios in gaming had its data compromised because an attacker found a weaker door in the supply chain and used it.

That detail is the one every founder building on cloud services and third-party software stacks should contemplate.

 

Same Group, Same Playbook, Different Target

 

ShinyHunters has been making headlines for years, and the pattern is consistent.

The group has previously been linked to notable breaches at Ticketmaster, Santander and AT&T, among others. A recurring characteristic of their attacks is exploiting third-party cloud infrastructure rather than attacking targets directly. The Aura breach earlier this year, which exposed around 900,000 records, also involved ShinyHunters targeting a vendor relationship rather than the company’s core systems.

In the Rockstar case, the entry point was Anodot, a platform used for cloud analytics and cost monitoring. This matters for a specific reason: analytics and monitoring tools are often given wide read access to cloud environments precisely because they need visibility across multiple systems to do their job, and that makes them a valuable target. Compromise the analytics layer and you can potentially see a great deal of what the company sees, without ever touching the production systems themselves.

Rockstar isn’t the only business exposed to this. A 2021 PwC survey found that only around 40% of organisations comprehensively assess third-party and supply chain cyber risk, despite this being one of the most consistently exploited attack vectors.

The attack surface created by SaaS tools and cloud integrations is often larger than the one created by a company’s own code, and it receives far less scrutiny.

 

 

Your Vendors Are Part Of Your Attack Surface Whether You Like It Or Not

 

Third-party tools exist in a mental category, somewhere between ‘vendor problem’ and ‘not our responsibility’. Most startups think about security in terms of their own stack: their application code, their database, their infrastructure. The Rockstar breach illustrates why that framing is wrong.

When you give a SaaS vendor access to your cloud environment, even read-only access for monitoring purposes, you’re extending your security perimeter to include theirs. Their misconfiguration becomes your breach, their compromised credentials become your incident, and their incident response plan, or lack of one, becomes your problem to manage, including your obligations under UK GDPR and, for businesses operating in the EU, the NIS-2 Directive.

The challenge is that modern startups typically have dozens of third-party integrations touching their systems: analytics platforms, CRMs, payment processors, logging tools, CI/CD pipelines and identity providers. Each one is a potential entry point. Most are assessed at onboarding and then rarely revisited.

The space between ‘we checked them at onboarding’ and ‘we haven’t looked since’ is exactly where attackers look for opportunities.

 

The Practical Bit For Founders

 

Here are three areas to address before an incident makes them urgent.

The first is vendor inventory and access review. Maintain an up-to-date list of every third party with access to your data or systems, what level of access they have and when that access was last reviewed. Any vendor with broad cloud access, like an analytics platform or a monitoring tool, warrants particular scrutiny. Ask for evidence of SOC 2 or ISO 27001 certification, penetration test summaries and incident response procedures. If a vendor can’t provide these, that tells you something important.

The second is limiting what any single integration can see or do. Cloud-native controls, strict IAM policies, VPC segmentation and isolated build environments all help limit how far the damage can spread if a third-party tool is compromised. The goal is to ensure that if vendors fail, the damage stays contained rather than cascading across the rest of your infrastructure.

The third is making sure your incident response plan explicitly covers third-party-led breaches. Many incident response plans focus on direct attacks against company systems. Rockstar’s situation is a reminder that you can be breached even when your own infrastructure is secure. Your plan should cover how you’d detect a vendor-side compromise, how you’d respond, and what your legal and communications obligations are under UK GDPR when the breach originates outside your own systems.

 

Don’t Pay The Ransom

 

On the ransom demand specifically: law enforcement and security authorities consistently advise against paying. Payment neither guarantees the deletion of stolen data nor prevents the group from attacking again or selling the data regardless.

ShinyHunters has a history of multiple monetisation attempts on the same data. The calculus for UK businesses is clear: engage your incident response team, notify the ICO within 72 hours where required under UK GDPR, and work with cybersecurity specialists, not the attackers.

The Rockstar breach is a reminder, although a frustrating one, that supply chain security is no longer a problem only large enterprises need to worry about. Attackers follow the path of least resistance. For growing businesses building on complex third-party stacks, that path largely runs through the tools they’ve integrated and forgotten about rather than the systems they actively protect.

Is Vibe Coding Safe Or A Cybersecurity Disaster Waiting To Happen?

Wed, 08 Apr 2026 14:20:21 +0000

Vibe coding, the fast-growing trend of building apps using AI prompts rather than traditional software development, is changing how software gets made. Startups are shipping products in mere days, solo founders are launching full platforms all on their own and non-technical teams are suddenly able to build their own tools.

But as speed increases, so do concerns. If developers are generating code they don’t fully understand, skipping manual reviews and relying on AI-suggested dependencies, is vibe coding introducing a new wave of security risks? Are we compromising quality for quantity?

The question for startups isn’t just whether vibe coding works. Rather, the question is whether it’s safe enough for real-world use.

 

The Speed Advantage Versus the Security Trade Off

 

Vibe coding dramatically lowers the barrier to entry in a way we’ve never seen before. With nothing more than a few prompts, developers can generate authentication systems, databases, APIs and front-end interfaces that previously required incredibly experienced experts. For startups, that means faster MVPs, lower costs and less reliance on large engineering teams. In theory, an absolute win.

But security experts warn that this speed often comes at the expense of proper safeguards. AI-generated code may appear flashy and functional on the surface, but it can include insecure defaults, weak validation or outdated dependencies. When developers copy, paste and deploy without fully understanding the logic, vulnerabilities can slip into production unnoticed, and these vulnerabilities can be incredibly problematic.

In many cases, vibe-coded applications are also built without traditional development processes like threat modelling, security reviews or penetration testing – steps that normally catch problems before release.

 

 

Common Security Risks In Vibe-Coded Apps

 

One of the biggest concerns is authentication. AI tools can generate login systems quickly, but these may lack protections like rate limiting, proper session handling or multi-factor authentication. This leaves applications vulnerable to brute-force attacks or account takeovers.

Another issue is exposed secrets. Developers sometimes include API keys, tokens or database credentials directly in prompts. These values can then appear in generated code, logs or version control systems, creating serious security exposure.

Dependency risks are also growing. AI tools frequently pull in libraries automatically, and developers may not check whether those packages are maintained, secure or even necessary. This can introduce supply chain vulnerabilities without anyone noticing.

There’s also the problem of over-permissioned systems. Vibe-coded apps often use broad access controls simply because they are easier to implement. Without careful review, this can allow users to access data or functions they shouldn’t.

Finally, there’s the human factor – often the most significant risk. Vibe coding encourages experimentation and rapid iteration, which is great for innovation but highly risky when code moves straight from prompt to production.

 

Why Are Startups Particularly Exposed?

 

Understandably, startups are especially likely to embrace vibe coding because of what it has to offer. Smaller teams, tighter budgets and pressure to move fast make AI-generated development appealing. But the same factors that make vibe coding so attractive also mean that security can become an afterthought.

Unlike larger organisations, startups may not have dedicated security engineers or formal review processes. That increases the risk of vulnerabilities making it into live products, especially when founders are focused on product-market fit rather than infrastructure hardening.

Of course, another big thing to contemplate here is reputational risk. A security breach early in a startup’s lifecycle can damage trust with customers and investors, and in some cases, stall growth entirely. For many startups, it may in fact be the end of the road.

 

But That Doesn’t Mean Vibe Coding Isn’t Usable

 

Despite the risks, vibe coding isn’t inherently unsafe – that’s not what we’re saying. In fact, many experts argue that the real issue isn’t AI-generated code itself, but how it’s used. When treated as a starting point rather than a finished product, vibe coding can still be secure. It’s not a fix-all, complete solution, and it shouldn’t be used for instant gratification.

Indeed, the key is to introduce safeguards. Human review remains critical, particularly for authentication, data handling and permissions. Automated scanning tools can also help detect vulnerabilities, exposed secrets and risky dependencies before deployment.

Another common recommendation is separating prototype and production workflows. Vibe coding can be used to build MVPs quickly, but code should be refactored and hardened before going live.

Startups should also adopt basic security hygiene, including environment variables for secrets, dependency auditing, input validation and proper access controls. These steps don’t remove the speed advantage but significantly reduce risk.

 

Tossing Up Speed and Security

 

Vibe coding is unlikely to disappear – it’s just too effective and useful – nor should it. If anything, it’s becoming a core part of modern development workflows, especially for startups trying to move quickly. The bigger question is whether teams can balance speed with responsibility and use the technology effectively and safely.

Used carelessly, vibe coding could introduce a new generation of vulnerable applications. Used thoughtfully, it could democratise software development without sacrificing security.

For startups embracing AI-generated development, the safest approach may be simple: move fast, but don’t skip the security review.

Anthropic Is Taking On Cybersecurity With AI, And It Has Brought Apple and Amazon Along For The Ride

Wed, 08 Apr 2026 12:35:07 +0000

Anthropic has just pointed one of the most powerful AI models in existence directly at the internet’s most critical security problems, and it’s brought half of Silicon Valley along for the ride.

Project Glasswing is a cybersecurity initiative using Anthropic’s unreleased Claude Mythos Preview model to proactively find and patch critical vulnerabilities across widely used operating systems, browsers and open-source projects. The coalition behind it includes Amazon Web Services, Apple, Broadcom, Cisco, Google, Microsoft, CrowdStrike, JPMorganChase, the Linux Foundation, NVIDIA and Palo Alto Networks, among more than 40 other organisations.

The scale of the partner list deserves a closer look. This isn’t a research collaboration between a handful of security firms. The organisations involved collectively ship or depend on the core operating systems, cloud stacks, networking hardware, chips and open-source foundations that most of the world’s digital infrastructure runs on. Patches generated through Project Glasswing will flow into software updates used by most enterprises and consumers. That makes this less a product announcement and more an infrastructure play.

The reason this is happening now is important. Anthropic has stated publicly that similar AI-driven offensive capabilities, tools that can systematically find and exploit software vulnerabilities across large codebases at speed, will likely emerge in the hands of malicious actors soon. Project Glasswing is a direct attempt to harden the world’s software before that window closes.

Anthropic has committed up to $100 million in usage credits for Claude Mythos Preview across the coalition, plus $4 million in direct donations to open-source security organisations.

 

Meet The AI That’s Been Finding 27-Year-Old Bugs

 

Claude Mythos Preview isn’t being released publicly. Access is tightly restricted to defensive security partners, a deliberate design choice given that the model can do something that most AI systems can’t: systematically discover zero-day vulnerabilities and, in some test cases, auto-generate working exploits. Keeping that capability out of general circulation while deploying it defensively is the core logic of the initiative.

Early runs have reportedly uncovered thousands of serious vulnerabilities, including bugs in widely used software that had survived between 16 and 27 years of human and automated review without being caught. The specific examples cited include OpenBSD and FFmpeg, software components used in critical infrastructure and consumer devices worldwide.

Finding vulnerabilities that have been dormant for decades in systems that have been reviewed by thousands of people over many years is a signal of what AI-assisted security analysis can do that years of human review could not.

The mechanism is simple in principle, if technically formidable in practice. Claude Mythos Preview scans codebases systematically for high-severity bugs, identifies the vulnerability and in many cases produces a patch. The patch then flows through the relevant partner’s normal update and distribution process.

Anthropic’s role is to provide the model capability and the coordination layer; the partners own the software and control the deployment.

 

 

Rising Tide Or Big Tech Moving In On Your Market?

 

The question that matters for cybersecurity startups and founders operating in this space is straightforward: does Project Glasswing make the market bigger, or does it compress the opportunity for independent players? The answer is probably both, depending on where you’re positioned.

The rising-tide argument has substance. Glasswing addresses a systemic problem: mass-scale latent vulnerabilities across shared infrastructure that no individual company can fix alone and that creates background noise for every security product in the market. Closing thousands of long-standing bugs in widely used operating systems and browsers raises the baseline security of the entire digital environment. That should reduce the volume of commodity exploits that smaller vendors have to help their customers defend against, freeing up capacity for higher-order work.

That said, the less comfortable reading deserves airtime too. The coalition includes most of the platforms that host, chip and network the world’s software. If AI-driven vulnerability discovery becomes embedded in the standard update process for major cloud providers, chip manufacturers and OS vendors, the market for independent tools that do similar things at the infrastructure layer becomes more crowded. Large enterprise customers who already rely on AWS, Azure or Cisco for core infrastructure may not need a separate vendor offering AI-assisted scanning of the same stack.

 

Don’t Compete With The Coalition – Build Around It

 

For cybersecurity startups, the strategic response to something like Project Glasswing isn’t to compete directly on vulnerability discovery at infrastructure scale. That race is now being run by a coalition with $100 million in committed AI credits and the most advanced security model currently in existence.

The more durable position is in the areas that large platform players are structurally unlikely to prioritise: vertical-specific compliance workflows, incident response tooling, identity-centric defences, and the integration work that turns AI-generated findings into action within specific enterprise environments.

This pattern has played out before in security. Big Tech has consistently absorbed the most horizontally applicable layers of security, from antivirus to endpoint protection to cloud-native firewalls, while specialist startups continued to build valuable businesses in the more specific, workflow-adjacent, compliance-heavy work that doesn’t lend itself to platform-scale automation. AI-native security startups asking whether this changes their market are asking the wrong question. The better one is: which part of it doesn’t it reach?

Project Glasswing is a serious initiative from a serious coalition, and it addresses a real and underappreciated problem in global software infrastructure. The window for patching decades-old vulnerabilities before offensive AI tools arrive is narrow, and the argument for moving fast is sound.

Whether it ultimately benefits the security industry or concentrates value upward depends less on the initiative itself and more on whether the partners treat it as a foundation to build on or a moat to defend.

External Attack Surface Management And Why It Matters For Startups

Thu, 26 Mar 2026 11:33:30 +0000

Startups face heightened cyber risks as they scale quickly, adopt cloud technologies and often overlook what is exposed to the internet. Without visibility into all public-facing assets, vulnerabilities can go undetected and be exploited. Implementing external attack surface management helps startups understand and reduce these risks before attackers can take advantage of them.

As digital strategies expand, many startups lack a clear view of what is visible and accessible online. For companies with lean IT teams and rapid change, there is a need for tools and processes that map and monitor this evolving perimeter, including platforms such as . Understanding external attack surface management equips businesses to support growth while maintaining good security hygiene.

The consequences of missing even a single exposed asset can have significant implications for operations and reputation.

 

Startups And The Challenge Of Rapid Exposure

 

When your business grows quickly, taking advantage of the latest technologies and relying on external providers is often essential. However, scaling at pace means new assets and services regularly appear on the public internet, making it difficult to track exactly what is exposed.

Startups are frequently targeted by attackers who see opportunity in fast-moving organisations that may not prioritise robust security early on. A lack of visibility into the digital footprint increases the likelihood that critical assets go unnoticed and unprotected. This can leave a company open to attacks exploiting forgotten domains, misconfigured cloud storage, or unsecured admin interfaces.

External attack surface management supports identifying these weak points before they attract unwanted attention. By mapping internet-facing assets and alerting your team to new and changed exposures, you can spot risky gaps far sooner.

This proactive approach is particularly important since attackers routinely scan for new targets and many incidents stem from assets you might not even remember exist. Maintaining continuous awareness is the only way to keep pace with a dynamic threat landscape, especially in environments driven by constant innovation.

 

The Fundamentals Of External Attack Surface Management

 

External attack surface management involves a set of processes and tools that help organisations discover, inventory, and monitor digital assets accessible from the public internet.

The term “external attack surface” refers to systems, domains, web apps, APIs and services that can be reached without internal access, contrasting with internal assets, which are protected behind network controls or authentication. In practice, external attack surface management gives a view into an online presence by cataloguing what is visible and providing frequent updates as things change.

With external attack surface management in place, a team can prioritise which assets require the most attention by risk and business impact. Automation and ongoing discovery are central features, as cloud-based development and third-party SaaS tools often lead to assets being deployed outside traditional IT oversight.

The ability to spot deviations from policy, detect new third-party integrations, and identify forgotten test environments is essential for reducing exposure. This approach helps teams stay ahead of attackers by knowing what assets exist before they do.

Risks And Reasons For Prioritising Visibility

 

For most startups, the external attack surface includes a mix of domains and subdomains, web applications, public APIs, cloud assets and authentication endpoints. As the company grows, legacy test sites, misconfigured storage platforms, and shadow IT can add to the exposure. You may also encounter lookalike domains or services pretending to represent your brand. These elements combine to create a sprawling digital perimeter that, if left unmanaged, can become difficult to secure.

Many common cyber risks can be mitigated by effective external attack surface management. This includes identifying exposed administration panels, detecting leaked credentials, and finding outdated software that presents vulnerabilities. Attackers search for these weaknesses around the clock, so regular monitoring and change tracking are crucial.

Startups benefit from rapid notifications when internet-facing assets or settings change unexpectedly, so action can be taken before damage occurs. Standardising this process can help meet expectations from investors, partners, and enterprise customers, who increasingly look for evidence of sound risk management during due diligence.

 

Building Effective Practices For Startup Environments

 

Implementing external attack surface management starts with ensuring clear ownership and accurate inventories of every digital asset. By assigning responsibility for different parts of the external footprint and cleaning up unused or deprecated resources, unnecessary exposure is reduced.

Monitoring for new exposures and enforcing remediation when issues are detected is achievable by integrating these practices into existing ticketing and incident response workflows. Establishing priorities based on whether an asset is accessible from the internet, holds sensitive data, or impacts core business helps focus efforts where they are most needed.

If you invest in external attack surface management tools, look for those that deliver comprehensive coverage and scan frequently enough to capture rapid startup changes. Good solutions minimise false positives through validation and provide reporting that supports collaboration across engineering, product, and leadership. Compatibility with cloud services and transparent risk scoring can help translate technical findings into business-relevant decisions.

For modern startups, this approach establishes a practical baseline for digital risk reduction, not just an enterprise standard. Continuous vigilance as a business scales helps it grow confidently without sacrificing security.

SpyCloud’s 2026 Identity Exposure Report Reveals Explosion Of Non-Human Identity Theft

Thu, 19 Mar 2026 14:18:59 +0000

-Content by CyberNewswire-

SpyCloud, the leader in identity threat protection, today released its annual 2026 Identity Exposure Report, one of the most comprehensive analyses of stolen credentials and identity exposure data circulating in the criminal underground, highlighting a sharp expansion in non-human identity (NHI) exposure.

Last year, SpyCloud saw a 23% increase in its recaptured identity datalake, which now totals 65.7B distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII).

“We’re witnessing a structural shift in how identity is exploited,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “Attackers are no longer just targeting credentials. They’re stealing authenticated access, including API keys, session tokens and automation credentials, and using this access to move faster, stay persistent and scale attacks across cloud and enterprise environments.”

 

Key Findings From The 2026 Identity Exposure Report

 

Non-Human Identities Are Now a Core Attack Surface

 

SpyCloud recaptured 18.1 million exposed API keys and tokens in 2025, spanning payment platforms, cloud infrastructure providers, developer ecosystems, collaboration tools and AI services.

The report also identified 6.2 million credentials or authentication cookies tied to AI tools, reflecting rapid enterprise adoption of AI platforms and the associated expansion of machine-based access paths.

Unlike human credentials, these NHIs often lack MFA enforcement, rotate infrequently and operate with broad permissions. When exposed, they can provide attackers with persistent access to production systems, software supply chains, and cloud infrastructure.

 

Phishing Is An Enterprise Threat

 

SpyCloud recaptured 28.6 million phished identity records in 2025. Notably, nearly half of those identities were corporate users, reinforcing that phishing remains a persistent enterprise threat.

This trend aligns with SpyCloud research showing that successful phishing attacks have surged 400% YoY. The result is a clear warning to enterprises: their workforce is now 3x more likely to be targeted with phishing attacks than infostealer malware.

Modern phishing datasets increasingly contain more than credentials. Many include session cookies, authentication tokens and MFA workflow data, allowing attackers to assume authenticated sessions without triggering traditional alerts. With an influx of bad actors leveraging AI to craft more realistic lures and automate campaigns, this problem is not going away anytime soon, and enterprise security teams must go beyond employee training for a truly preventative approach.

Session Theft And MFA Bypass Continue At Scale

 

SpyCloud recaptured 8.6 billion stolen cookies and session artifacts exposed through malware infections, demonstrating continued attacker focus on session hijacking techniques that bypass traditional authentication safeguards. In parallel, SpyCloud analysis of underground combolists found that 51% of records overlapped with previously observed infostealer logs, indicating that criminals are increasingly repackaging malware-exfiltrated data rather than relying solely on fresh breach disclosures.

Public reporting throughout the past year has documented multiple MFA bypass campaigns leveraging adversary-in-the-middle (AitM) phishing kits and session replay techniques, including activity targeting Microsoft 365 environments through stolen authentication tokens.

On March 4, 2026, Europol announced, in partnership with Microsoft and other private organisations, that it had executed a coordinated seizure of Tycoon 2FA, a major phishing-as-a-service infrastructure and service that enabled widespread MFA bypass through AitM techniques, significantly disrupting its operational capabilities.

SpyCloud supported the global disruption effort by contributing victim identity intelligence and operational analysis drawn from criminal underground sources. The recent operation highlights the industrialisation of phishing and the growing value of session artifacts in attacker workflows. 

 

Malware Continues to Exfiltrate Identity Data

 

Despite the rise of phishing, infostealer malware remains a significant contributor to identity exposure, enabling attackers to harvest credentials, cookies and authentication tokens from infected devices.

SpyCloud recaptured over 642.4 million exposed credentials from 13.2 million infostealer malware infections in 2025. That’s an average of 50 exposed user credentials per malware infection, further expanding the number of entry points available to bad actors.

A notable portion of infections occurred on endpoints with EDR or antivirus tools installed, reinforcing that endpoint controls alone are not sufficient to prevent identity theft.

 

Credential Exposure Remains High With Weak Password Hygiene

 

SpyCloud recaptured 5.3 billion credential pairs: stolen credentials consisting of usernames or email addresses and passwords.

Among exposed corporate credentials, 80% contained plaintext passwords, significantly lowering the barrier to immediate account takeover attacks. Once again, predictable patterns tied to pop culture, sports, and short numeric strings continue to be used broadly. Top trendy passwords include:

  • 67 / sixseven: 140.4M
  • sweet / cookie / candy / cake / pie: 5.7M
  • chiefs / kansas city chiefs: 5M
  • 2025: 4.1M
  • apple / banana / orange / strawberry / fruit: 2.6M

Password reuse remains widespread and the report also identified 1.1 million password manager master passwords circulating in underground sources, raising concerns about vault-level compromise when master credentials are weak.

 

The Expanding Identity Exposure Surface

 

The 2026 report highlights a central shift in identity threats and underscores the need for continuous identity threat protection across both human and machine identities.

Attackers are combining breach data, phishing captures, malware logs, session tokens, and machine credentials to construct composite identity profiles that fuel everything from session hijacking and ransomware to supply chain compromise.

As organisations accelerate cloud adoption and embed AI tools across workflows, machine identities are becoming deeply integrated into critical systems. The theft of these credentials and authentication tokens can create downstream ripple effects far beyond a single compromised account.

“The challenge isn’t just stopping phishing or malware,” Hilligoss added. “It’s understanding how exposed identities connect across systems, vendors, and automation workflows.”

He continues, “SpyCloud has recaptured nearly one trillion stolen identity assets in our 10 years of disrupting cybercrime. It’s the basis of our insights on the evolution of identity sprawl and the ways in which bad actors aim to weaponize data against individuals and businesses. But there is good news for defenders. When organisations continuously monitor exposure and build in automated remediation workflows, we’ve seen how that can significantly shrink the attacker’s window of opportunity, and that’s a win worth fighting for.”

-This is a paid press release published via CyberNewswire-

The Aura Data Breach Exposed 900,000 Users – Here Is What Every Business Needs To Know /cybersecurity/the-aura-data-breach-here-is-what-every-business-needs-to-know/ Thu, 19 Mar 2026 13:35:42 +0000

Here’s a fun fact about data breaches: they almost never start the way you’d imagine.

No sophisticated zero-day exploit. No team of hoodie-clad hackers in a darkened server room. The Aura breach, confirmed on March 17, 2026, and affecting roughly 900,000 users, started with a phone call. Someone called an Aura employee, pretended to be someone they weren’t, and talked their way into access. One hour of unauthorised access. 900,000 records. Names, email addresses and, for a smaller group of active and former customers, home addresses, phone numbers and IP addresses.

No passwords. No financial data. But plenty of ammunition for what comes next: targeted phishing, social engineering and follow-on attacks on the people whose details were just handed over.

If you’re a founder or operator using Salesforce for your CRM or marketing stack, this one’s for you, and it’s a story about more than just Aura.

 

This Is Bigger Than One Breach

 

The Aura incident doesn’t exist in isolation. It’s part of a broader hacking campaign by a group called ShinyHunters, which has been targeting Salesforce Marketing Cloud and Experience Cloud customers since September 2025. According to security researchers, between 300 and 400 organisations have been affected – including around 100 high-profile ones.

The attack method is worth understanding, because it’s clever. The hackers used a modified version of a legitimate security tool called AuraInspector – originally developed by Mandiant – to scan public-facing Salesforce sites for misconfigured guest user permissions. Where those misconfigurations existed, they could extract data through an API endpoint without needing to break anything. They just walked through a door someone had accidentally left open.

Salesforce has been clear that there’s no vulnerability in the platform itself. The issue is configuration: specifically, the way some businesses have set up guest user access. That’s both reassuring and slightly uncomfortable, because it means the responsibility sits with the businesses using the platform, not Salesforce.

Which brings us to the practical part.

 

Is Your Salesforce Instance Actually Secure?

 

If your business uses Salesforce – and a huge number of startups and scaleups do, given how dominant it is in the CRM space – there are specific steps you should be taking right now, not next quarter.

Salesforce has issued its own guidance, and the headline recommendation is this: disable “API Enabled” in your guest user profiles. This blocks unauthenticated queries to the Aura endpoint that ShinyHunters exploited. It’s a single setting change, and if you haven’t done it, now is the time to do so.

Beyond that, the checklist looks like this:

  • Set your org-wide sharing defaults to Private rather than Public
  • Enable Secure guest user record access
  • Strip guest profiles back to the minimum objects and fields they actually need – if a guest user doesn’t need access to something, remove it
  • Disable self-registration if you’re not actively using it
  • Uncheck Portal and Site User Visibility settings
  • Review your Aura event logs for any suspicious activity over the past few months

If you have an Experience Cloud site, audit it immediately. Run AuraInspector on your own instance to check what a potential attacker would see from the outside.

 

The Vishing Problem Nobody Talks About Enough

 

Let’s go back to that phone call for a moment, because it’s the part of this story that gets glossed over in most coverage.

Voice phishing – aka vishing – is one of the most effective and underestimated attack vectors in cybersecurity right now. It doesn’t require any technical sophistication. It requires confidence, a convincing story and a target who hasn’t been trained to be sceptical. The Aura employee who took that call presumably wasn’t being careless – they were merely doing their job and someone exploited that.

For startups and growing businesses, this is where the real vulnerability often lies. You can have the most secure Salesforce configuration in the world, but if someone can phone your customer support team and talk their way into a system reset, the dangers in your workplace may be more human than technical. Staff training on social engineering, clear internal verification protocols and a culture where it’s acceptable to say “let me call you back on your registered number” are not optional extras. They’re basic hygiene.

 

What To Do If You Think You’ve Been Affected

 

If you’re a business whose customer data sits in Salesforce Marketing Cloud, treat this as a prompt to audit rather than panic. The steps above will significantly reduce your exposure. But there are a few additional things worth doing.

Monitor for phishing attempts that reference the Aura breach specifically – attackers often use breach news to add credibility to follow-on scams. Brief your team. Consider a targeted communication to customers if you believe their data may have been involved. And if you don’t already have anti-malware and endpoint protection across your business devices, now is a very good time to sort that out.

Data breaches are rarely the catastrophic, cinematic events they’re portrayed as. More often, they’re the result of a small configuration error, a moment of misplaced trust, or a door that was left ajar. The good news is that those are exactly the kinds of problems that are fixable – if you’re paying attention.

Start paying attention.

How AI And Hacking Professionalism Are Overwhelming Endpoint Security /cybersecurity/ai-hacking-professionalism-overwhelming-endpoint-security/ Wed, 18 Mar 2026 13:50:54 +0000

The digital battlefield is shifting. For decades, the fight between security software and malicious code was a game of cat-and-mouse played by hobbyists. Today, it has evolved into a high-stakes arms race driven by artificial intelligence and corporate-level professionalism as cybercrime has become one of the pillars of organised crime, just behind drug trafficking.

To understand the current crisis, we must define the threats. Malware is the broad umbrella term for any “malicious software” designed to exploit or damage a device. Within this category, a virus is a specific type of malware that attaches to clean files and spreads by replicating itself. Depending on their intent, they can be called browser hijackers, password stealers, Trojans, botnet malware or ransomware just to name a few.

Ransomware, malicious code that encrypts a user’s data and demands payment (usually in cryptocurrency) for the decryption key, has become the king of threats and a very lucrative business.

 

How Traditional Antivirus Works

 

For years, Endpoint Protection Platforms (EPP) relied on three primary pillars:

  • Signature-based Detection: like a digital fingerprint, the software compares files against a database of known malware “signatures”
  • Heuristic Analysis: this looks for suspicious code structures or commands that look similar to known threats, even if an exact signature is not found
  • Behaviour Monitoring: this watches what a program actually does. If a file suddenly starts encrypting hundreds of documents or trying to disable system logs, the antivirus steps in to kill the process

It is important to understand that while signature-based detection is very accurate (i.e., a piece of malware is either on the blacklist of known “signatures” or it is not), the other two approaches are not, suffering from both false positives and false negatives (see Can Antivirus Software Detect And Remove Ransomware?). False positives occur when legitimate activities are incorrectly flagged as threats, leading to “alert fatigue” and unnecessary disruptions for users. Conversely, false negatives happen when actual malicious attacks go undetected, leaving the system vulnerable to security breaches.

 

A Resources Arms Race: From Hobbyists To Professionals

 

In the early days, viruses were often written by individuals for notoriety or “fun”. Today, hacking is a professional industry. “Ransomware-as-a-Service” (RaaS) providers operate like tech startups, complete with help desks, marketing teams, and sophisticated R&D departments. This professionalism has turned a simple contest into an expensive, fast-moving arms race.

Looking back in time, it can be argued there have been two major shifts in how cybersecurity is approached:

 

Polymorphism And Scale Break The Blacklist Defence

 

The first major shift occurred when hackers began using polymorphism, code that automatically changes its own appearance or signature every time it replicates. When a single piece of malware can generate millions of unique variants in minutes, signature-based “blacklists” become obsolete.

You cannot block a file based on its “fingerprint” if the fingerprint changes every five seconds. Further, in the case of ransomware, because most of its damage is done at the beginning of the infection, this is particularly problematic.

AI Is Breaking The Behavioural Defence

 

We are now entering a more dangerous era. Hackers are using AI and Machine Learning (ML) to bypass behavioural monitoring. Modern malware can now sense when it is being watched in a “sandbox” or by a heuristic engine.

It can adjust its behaviour in real-time, executing benign tasks to “blend in” or slowing down its encryption process to fly under the radar of traditional sensors.

 

New Defence Approaches Are Required

 

As traditional barriers crumble, the market is pivoting toward new approaches:

  • Endpoint Detection and Response (EDR) is a foundational monitoring tool for endpoint security, which continuously records activity on devices (laptops, desktops, servers, mobile devices) to uncover incidents that traditional antivirus might miss. When a threat is detected, the endpoint will typically be isolated and the offending process killed
  • Extended Detection and Response (XDR) is considered an evolution of EDR, which unifies siloed security tools, such as firewalls, email gateways, and cloud security platforms into a single console. It correlates data across domains (endpoints, network, cloud, email, identity) to identify complex “kill chains”

It is worth noting that both EDR and XDR assume that a breach will happen and focus on monitoring for intruders already inside in order to hunt them down. While this may be fine for most types of malware, it is problematic with ransomware because, by the time the threat is detected and the endpoint isolated, highly valuable data may already be encrypted and therefore lost.

Further, this approach is complex and involves significant resources, often requiring a SOC (Security Operations Centre) to manage alerts. As such, it is neither suitable for consumers nor usually economically feasible for small businesses. And ultimately, because it often mitigates by stopping an attack early rather than fully preventing it, XDR often does not remove the need to report a cyber breach under the applicable regulation, such as EU / UK GDPR, NIS2 Directive (Directive (EU) 2022/2555), Digital Operational Resilience Act (DORA), and soon the Cyber Resilience Act (CRA).

Leading EDR/XDR vendors include CrowdStrike, SentinelOne, Microsoft, Palo Alto Networks, Trend Micro and Sophos. Leading SOC vendors include Huntress and Blackpoint Cyber.

Zero trust endpoint security is a framework that removes the concept of an “internal” trusted network, treating every access attempt, whether from a personal laptop at home or a server in the office, as potentially hostile. It moves security from the network perimeter directly to the individual device, user, and application.

This framework is typically implemented by integrating several key technologies, such as the aforementioned EDR/XDR solutions, Identity and Access Management (IAM), Unified Endpoint Management (UEM) and Data Loss Prevention (DLP). Leading security vendors offer various point solutions to support this security model, such as , CrowdStrike Falcon, SentinelOne Singularity, Palo Alto Networks Prisma Access, Zscaler Private Access, Okta, Palo Alto Networks/CyberArk and ProofPoint.

While most of these solutions are relatively expensive and complex targeting enterprise customers rather than consumers, there are emerging start-ups offering zero trust solutions for consumers and/or small business such as Island, , Tailscale and Zero Networks.

FinalAV Security is particularly interesting as a zero-trust endpoint security provider. Unlike traditional tools that focus on black lists of “virus signatures” and “detecting” bad behaviour, it uses . Following zero‑trust principles, any software that is not digitally signed is not blocked but is instead forced to run in a highly granular, real-time sandbox at the OS kernel API level.

This means that if a developer (or a hacker) wants their software to perform “virus-like” actions, such as secretly installing executable files, encrypting files or extracting data, they must authenticate the product with a digital signature.

Because it prevents an attack rather than detecting and isolating it after it has started, as EDR/XDR solutions do, it is particularly effective as affordable ransomware protection.

The era of “set it and forget it” antivirus is over. As hackers weaponise AI and operate with the efficiency of Fortune 500 companies, our defences must be equally dynamic. Moving beyond simple detection to proactive isolation and resource-based security is no longer optional; it is a necessity for survival in the modern threat landscape.

Navigating The Hidden Dangers Of USB Devices In The Modern Workspace /cybersecurity/navigating-hidden-dangers-usb-devices-modern-workspace/ Fri, 06 Mar 2026 11:44:53 +0000

In today’s digital age, USB devices have become ubiquitous in professional environments, serving as essential tools for data transfer and storage. However, these seemingly innocuous devices harbour hidden dangers that can compromise the cybersecurity of organisations. Understanding the potential threats posed by USB devices and implementing robust security measures is crucial for safeguarding sensitive information.

 

Understanding USB Threats

 

USB devices, while convenient, can be vectors for a range of cybersecurity threats. One of the most common risks is malware infection. Malicious software can be easily transferred via USB devices, infiltrating a network and causing widespread damage. Malware can range from viruses and worms to ransomware, each capable of disrupting operations and leading to significant financial losses.

Another critical threat is data breaches. USB devices often store sensitive information, and if lost or stolen, this data can fall into the wrong hands. This risk is particularly pronounced in sectors handling confidential information, such as defence and government agencies. The implications of a data breach can be severe, including legal repercussions and damage to an organisation’s reputation.

 

Cyber Attacks And USB Devices

 

USB devices can also be used as tools for targeted cyber attacks. Cybercriminals may distribute infected USB sticks in public places, hoping unsuspecting individuals will plug them into their computers, thereby granting access to the network. This method, known as “USB drop attacks,” exploits human curiosity and can lead to significant security breaches.

Moreover, USB devices can be used to bypass network security measures. Once connected to a computer, a malicious USB device can execute scripts that compromise the system’s security settings, providing attackers with unauthorised access to the network. This highlights the importance of implementing stringent security protocols to mitigate such risks.

Data Protection Strategies

 

To combat these threats, organisations must adopt comprehensive data protection strategies. One effective measure is the implementation of endpoint security solutions. These solutions monitor and control USB ports, preventing unauthorised devices from connecting to the network. By restricting access to approved devices only, organisations can significantly reduce the risk of malware infections and data breaches.

Another crucial strategy is the use of encryption. Encrypting data stored on USB devices ensures that even if the device is lost or stolen, the information remains secure. Encryption converts data into a code that can only be accessed with the correct decryption key, providing an additional layer of security.

 

Practical Tips For USB Cybersecurity

 

Organisations can enhance their USB cybersecurity by implementing several practical measures. Firstly, conducting regular security audits can help identify vulnerabilities in the network and address them promptly. These audits should include a review of USB device usage and the implementation of security policies.

Secondly, educating employees about the risks associated with USB devices is crucial. Training sessions can raise awareness about the potential threats and teach employees how to handle USB devices securely. This includes advising against using unknown USB devices and encouraging the use of company-approved devices only.

Finally, organisations should consider investing in specialised solutions, such as USB decontamination tools. These tools can scan and clean USB devices before they are connected to the network, ensuring they are free from malware and other threats.

In conclusion, while USB devices are invaluable tools in the modern workspace, they pose significant cybersecurity risks that cannot be overlooked. By understanding the threats associated with USB devices and implementing robust security measures, organisations can protect their sensitive information and maintain the integrity of their networks.

From adopting endpoint security solutions to educating employees and investing in USB decontamination tools, there are numerous strategies available to enhance USB cybersecurity. As the digital landscape continues to evolve, staying vigilant and proactive in addressing these hidden dangers is essential for safeguarding the future of any organisation.

VCs Investing In Cybersecurity In 2026 /cybersecurity/vcs-investing-cybersecurity/ Wed, 25 Feb 2026 09:35:56 +0000

Venture capital money flowed steadily into cybersecurity last year as defence, AI and national resilience took priority. A Sifted report mentioned that much of the attention in European defence tech went mainly to drone makers such as Germany’s Helsing and Stark and the UK’s Cambridge Aerospace. Behind that noise, cyber gained ground.

Rocio Pillado, partner at Spanish deeptech VC Adara Ventures, told Sifted, “Cybersecurity doesn’t produce the same flashy hardware or imagery that defence investors often look for — it’s quieter, but that doesn’t make it less strategic.” She added, “Whether we’re talking about satellite systems, autonomous platforms or AI-driven intelligence, their effectiveness depends entirely on how secure, resilient and trusted their digital backbone is.”

Cyber attacks hit airports in Germany, the UK and Belgium in September, pushing resilience higher up the political and investment agenda. Software and data systems now sit inside almost everything from drones to power stations. Joshua Walter, partner at Osney Capital, said infrastructure such as power plants and nuclear stations are now “far more connected than they were a decade ago,” and the opportunity for startups defending them is “significantly” greater.

 

Where Did The Money Go?

 

Grace Cassy, founder of CyLon and a former UK diplomat, described cyber as a new theatre of conflict. She said, “So you have air, land, sea, space, [and] cyber now being recognised as a domain in its own right that we need to think about as a place where future contests and conflict is played out.” She also said that as NATO embraces more of a “data-led, software-defined style of fighting, the ability to have confidence in your data and confidence in your communications is only going to increase.”

Investors showed interest in deception tools, AI model robustness and secure infrastructure for critical systems. Pillado highlighted Spanish company CounterCraft, which builds deception and threat intelligence tools for enterprises and governments. Walter pointed to UK startup Sitehop, which develops encryption for government and national security use.

Disinformation also attracted capital. Cassy referred to Refute in London, which applies a “threat intelligence-type approach to understanding what’s real and what isn’t, and helping governments and enterprises, frankly, to ensure that the narratives that are out there about them are real.” Command and control software and security for AI systems running at the edge also featured in new deals.

 

 

How Are Top VCs And Governments Responding?

 

CB Insights said its 2025 Smart Money list reviewed more than 12,000 venture investors over 10 years. The top 25 were 6.5x more likely than the average VC to invest in a future unicorn and recorded 2.2x more exits per investor. Smart Money investors backed 52% of new AI unicorns in 2023, 73% in 2024 and 77% in 2025 year to date. CB Insights said its M&A probability model identifies cybersecurity as the most likely near term exit pool among Smart Money portfolios, naming companies such as Tenex.ai.

Government money also increased. The UK government said cybersecurity forms a core pillar of its Industrial Strategy released in June 2025. It pledged up to $14 million for the CyberASAP programme and $8 million to support SMEs and startups in the cyber sector. In 2024, the UK cyber sector generated $17.8 billion in revenue and employed 67,300 people, showing YoY growth.

2026 has more opportunities in store, and more jobs to create. Who exactly is investing right now?

 

VCs Investing In Cybersecurity

 

The following VCs are actively investing in cybersecurity:

 

DataTribe

 

 

The DataTribe Foundry leverages deep experience and expertise to build and launch successful product companies. The team is a mix of Silicon Valley and Intelligence Community founders, investors, and experienced entrepreneurs. We know what it takes to build a company, but more importantly, we understand the world our startup founders are coming from. We put real firepower behind every idea.

DataTribe starts relationships with seed-stage companies by making an investment and accepting them into The Foundry. We continue to support companies through follow-on investments as they mature out of the Foundry into their growth stage.

 

Todd Graham, Managing Partner at M12, Microsoft’s Venture Fund

 

 

Todd is a managing partner at M12, where he leads investments in cybersecurity, developer tools, and cloud infrastructure.

Prior to joining M12, Todd was Vice President at Venrock, where he focused on early-stage enterprise infrastructure and cybersecurity investments.

He is very passionate about the intersection of technology and business. His main areas of interest include digital transformation, human-based threats, disruptive go-to-market, and the consumerization of the enterprise experience.

In his career, Todd has alternated between startups and large infrastructure vendors. Prior to Venrock, he led Corporate Strategy for Cisco’s Security and Collaboration businesses where he developed long-range business strategy while also driving inorganic activities such as the acquisition of Duo Security.

Earlier in his career, he led product for IT Business Management at VMware. Using experience gained at VMware, Todd co-founded Bluenose Analytics to help customer success leaders better manage their customers.

While attending college, he founded a Data Loss Prevention company that was acquired by EMC’s security division, RSA.

CredShields Contributes to OWASP’s 2026 Smart Contract Security Priorities /cybersecurity/credshields-contributes-owasps-2026-smart-contract-security-priorities/ Sun, 22 Feb 2026 16:46:36 +0000

-Content by CyberNewswire-

The OWASP Smart Contract Security Project has released the OWASP Smart Contract Top 10 2026, a risk prioritisation framework developed from structured analysis of real world exploit data observed across blockchain ecosystems in 2025.

Crypto protocols continued to experience significant smart contract failures in 2025, with exploit patterns increasingly pointing to structural weaknesses rather than isolated bugs.

led the exploit pattern aggregation behind the ranking, incorporating impact-weighted signals from production incidents observed across decentralised finance, cross-chain infrastructure, and upgradeable systems.

Observed Protocol Failure Patterns

The 2026 Top 10 highlights failure classes repeatedly observed in live environments:

  • Access control misconfiguration
  • Business logic invariant failure
  • Oracle dependency risk
  • Flash loan amplification
  • Upgrade and proxy exposure

In 2025 incidents, attackers often exploited:

Contracts executed as designed but adversarial conditions exposed hidden assumptions.

Security Must Move Upstream

 

The 2026 ranking encourages teams to integrate risk modeling earlier in the development lifecycle, including:

  • Role-based permission validation
  • Upgrade path simulation
  • Oracle dependency stress testing
  • Automated CI/CD enforcement
  • Invariant-driven design review

Passing an audit is not sufficient. Production resilience requires modeling adversarial behavior before deployment.

 

Expanding The Threat Model

 

Recognising that some of the largest 2025 losses stemmed from operational attack vectors, the release also includes an Alternate Top 15 Web3 Attack Vectors covering governance abuse, multisig compromise, and infrastructure-level threats.

The full OWASP Smart Contract Top 10: 2026 framework and supporting data are available via the OWASP Smart Contract Security Project.

-This is a paid press release published via CyberNewswire-
