
Deleted Messages Aren’t Gone, Cyber Arrests & Exploits Surge.

27 April 2026
BREACHAWARE HQ

A total of 17 breach events were found and analysed, resulting in 15,718,593 exposed accounts containing a total of 30 different types of personal data. The breaches found publicly and freely available included McGraw Hill, Alert 360, Berkadia Commercial Mortgages, Kemper and Roca Asociados Lawyers & Economists. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Communication Logs, Contact, Career, Sociodemographic, Technology, Unstructured, Geolocation, Finance, Commerce, National Identifiers, Digital Behaviour.

Data Breach Impact

With a mix of education, finance, and professional services in the spotlight, it’s a reminder that no sector gets a free pass. For third-party organisations, the risk isn’t just direct compromise: employee data caught in these leaks can quietly become a backdoor for attackers. And for individuals, it’s another spin of the roulette wheel: more data out there means more chances for phishing, fraud, and identity misuse. Not the biggest week, but more than enough to keep things interesting, for all the wrong reasons.

Cyber Update

Let’s start with a slightly uncomfortable truth: deleted messages might not be as gone as you think. New findings suggest that law enforcement can recover message content from end-to-end encrypted apps like Signal, WhatsApp, and Telegram, even if the app itself has been removed from the device.

The culprit? Push notifications.

On iPhones, notifications are stored in a separate directory called UserNotifications, meaning snippets of messages can persist outside the app itself. Tools like Cellebrite, widely used in digital forensics, can extract this data when a device is connected and analysed.

So while the message may be encrypted in transit and gone from your chat history, the preview that popped up on your lock screen might still be sitting there quietly… waiting to be rediscovered.

Design flaw? Oversight? Feature? Depends who you ask. A simple mitigation: turn off notification previews. Less convenient, yes, but also less likely to leave a breadcrumb trail of your conversations behind.

Elsewhere, another threat actor has been taken off the board. HexDex, a 20-year-old accused of multiple cyber-related offences, was arrested by French law enforcement’s BL2C cybercrime brigade following a raid on April 20. The investigation kicked off last December after nearly 100 reports of data theft were linked to his activity. What followed was fairly standard: tracking, attribution, evidence gathering.

What wasn’t standard… was the finishing move. Authorities reportedly accessed HexDex’s account on a dark web forum and did something beautifully petty:
- Changed his profile avatar to the BL2C logo
- Posted an arrest banner titled “Arrestation Angle_Batista”

It’s not every day law enforcement logs into your account and updates your profile for you. The operation involved coordination between BL2C, the Judicial Police, and the Paris prosecutor’s office, all working together to build the case. A reminder that even in the shadows, someone is always watching, and occasionally updating your profile picture.

And finally, the week’s “this is why we can’t have nice things” moment. The EU’s age verification app, proudly positioned as having the “highest standards of privacy available”, was reportedly bypassed in under two minutes.

Now, to be fair:
- The breach occurred on a demo version
- The project is open source (which is actually a good thing)

But still… not the strongest opening act. The method?
- Install the app on a rooted Android device (full system control),
- Port the app’s logic into a Chrome extension,
- Register with a PIN, then close the app,
- Use a file manager to delete two lines of data,
- Reopen, log in with a different PIN,
- Gain access to previous session data.

Not exactly Mission Impossible. While the exploit isn’t catastrophic on its own, it highlights a bigger issue: if the logic can be manipulated this easily, the trust model starts to wobble. And given the broader push toward age verification, digital identity, and reduced anonymity, these systems need to be rock solid, not “demo got bypassed before the kettle boiled.”
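To make the design point concrete, here is an added example (a constructed model, not the EU app's code and not taken from the reports) contrasting a store where the PIN check and the session data are independent records with one where the session is bound to a PIN-derived key. The store layout, function names and sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _key(pin, salt):
    # PIN-derived key; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

# Weak model: the PIN check and the session data are independent records.
def weak_register(store, pin):
    store["pin_salt"] = os.urandom(16)
    store["pin_hash"] = _key(pin, store["pin_salt"])

def weak_login(store, pin):
    if "pin_hash" not in store or "pin_salt" not in store:
        weak_register(store, pin)      # missing records look like a first run
    elif not hmac.compare_digest(store["pin_hash"], _key(pin, store["pin_salt"])):
        return None
    return store.get("session")        # old session survives re-enrolment

# Hardened model: the session is sealed under the PIN-derived key.
# The MAC only models the binding; a production design would encrypt the
# session with an AEAD under a key held in a hardware-backed keystore.
def hard_register(store, pin, session):
    salt = os.urandom(16)
    tag = hmac.new(_key(pin, salt), session, hashlib.sha256).digest()
    store["sealed"] = {"salt": salt, "session": session, "tag": tag}

def hard_login(store, pin):
    sealed = store.get("sealed") or {}
    if not {"salt", "session", "tag"} <= sealed.keys():
        return None                    # tampered or missing: release nothing
    expect = hmac.new(_key(pin, sealed["salt"]), sealed["session"],
                      hashlib.sha256).digest()
    return sealed["session"] if hmac.compare_digest(expect, sealed["tag"]) else None

def demo():
    weak = {}
    weak_register(weak, "1234")
    weak["session"] = b"constructed-session"     # constructed sample data
    del weak["pin_hash"], weak["pin_salt"]       # PIN records removed on disk
    hard = {}
    hard_register(hard, "1234", b"constructed-session")
    return weak_login(weak, "9999"), hard_login(hard, "9999"), hard_login(hard, "1234")
```

In the weak model a different PIN inherits the earlier session once the PIN records are gone; in the hardened model the same edit yields nothing, because there is no standalone PIN record whose absence the app reads as a fresh install.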

Software Vulnerabilities

SAP NetWeaver; actively exploited RCE (KEV).
SAP rarely makes headlines quietly, and this one didn’t either. A remote code execution flaw in NetWeaver is being actively exploited, with attackers targeting exposed systems that often sit right at the core of business operations. When SAP goes down, it’s not just IT, it’s finance, logistics, everything. Patch urgently, restrict exposure, and review for suspicious activity across business processes, not just logs.

Ivanti Endpoint Manager; exploitation maturing post-compromise.
Ivanti remains the gift that keeps on giving. This week wasn’t about initial access, it was about what attackers are doing after they get in: persistence, lateral movement, and quietly poking around. If you were exposed, assume compromise. Patch, then investigate like you mean it.

Cisco IOS XE; web interface exploitation resurfaces.
Cisco’s web UI issues are being revisited by attackers, particularly where fixes were partial or poorly implemented. It’s less “new vulnerability” and more “unfinished business.” Validate remediation properly, check for rogue accounts, and audit configs for anything unexpected.

Windows Print Spooler; still causing problems in 2026.
Yes, it’s back (or never really left). Ongoing chatter and exploitation attempts around Print Spooler weaknesses prove that legacy attack surfaces have nine lives. Minimise exposure, patch thoroughly, and consider whether you actually need it enabled everywhere.

Backup infrastructure; increasingly targeted.
Not a single CVE stealing the spotlight, but a clear shift in attacker focus. Backup systems are being targeted to remove recovery options before ransomware strikes. It’s calculated, and it works. Isolate backups, enforce strict access controls, and test recovery like your weekend depends on it.

Data & Privacy Headlines

BreachForums chaos, again (because of course).
BreachForums continues to operate like a soap opera written by cybercriminals. Internal drama, leaks, and instability exposed parts of its own ecosystem, leading to fresh data circulating far and wide. When these platforms wobble, the fallout isn’t contained, it spills everywhere, fast.

Data exposure ≠ breach (but still a problem).
A number of incidents this week highlighted a growing trend: large datasets being exposed due to misconfigurations rather than outright “hacks.” Cloud storage, open databases, poorly secured APIs, the classics. Sometimes attackers don’t need to break in. They just need to look.

AI data scraping backlash keeps building momentum.
The pressure on AI companies over training data hasn’t slowed. More scrutiny, more questions, and a growing sense that “we trained on publicly available data” is starting to sound a bit thin. Transparency is no longer optional, it’s becoming enforceable.

Credential theft ecosystem still booming.
Stealer logs and credential dumps continue to flood underground markets, fuelling everything from account takeovers to corporate breaches. It’s industrial-scale at this point, efficient, repeatable, and very profitable. If credentials exist, assume they’re circulating somewhere.

Privacy vs convenience, still an unresolved battle.
Whether it’s age verification, AI tools, or platform features, the same tension keeps surfacing: users want convenience, regulators want protection, and companies are trying to balance both without upsetting either side. Expect more friction, more regulation, and fewer shortcuts.

Smarter Protection Starts with Awareness

Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan
