Ransoms Paid, Faces Scanned, and Governments Launching VPNs
23 February 2026, BREACHAWARE HQ
A total of 16 breach events were found and analysed, resulting in 5,073,825 exposed accounts containing 32 different types of personal data. The breaches found publicly and freely available included Stealer Log 0553, Figure, Harvard University, University of Pennsylvania and Canada Goose. The full library of breach events includes, where available, reference articles relating to each breach.
Categories of Personal Data Discovered
Contact, Digital Behaviour, Sociodemographic, National Identifiers, Finance, Geolocation, Career, Technology, Commerce, Unstructured, Human Behaviour.
Data Breach Impact
This week’s breach count may be lower, but the impact still hits where it hurts. 16 breach events exposed just over 5 million accounts, with 32 varieties of personal data laid bare. From luxury labels like Canada Goose to elite institutions like Harvard and UPenn, the leak list is a mixed bag of academia, commerce, and cyber shadiness. For third parties, it’s a gentle nudge (read: loud siren) that even indirect exposure can leave your staff vulnerable. And for individuals? It’s another entry in the ever-growing saga of digital risk, where leaked data becomes ammo for scammers, phishers, and identity thieves alike. Small number, big problem.
Cyber Update
A couple of large companies that appeared on the Shiny Hunters dark web leak site several days ago, complete with their logos inside a rather dramatic red square stamped “Final Notice”, have now quietly vanished. In ransomware theatre, disappearing acts usually mean one thing: the bill’s been settled. We won’t be naming the organisations involved. At this stage, the matter appears to have been resolved, at least publicly, and sometimes silence tells you everything you need to know.
Interestingly, the Shiny Hunters site itself went offline for several hours today. Coincidence? Possibly. This follows chatter that a fairly senior member of the group may have been arrested, though that claim remains unverified. In this world, rumours travel faster than packets on fibre; confirmation tends to lag behind. For now, the scoreboard reads: red square up, red square down, business concluded.
Next up: Discord has announced it will require users to verify their age using either photo ID or a live selfie, enabling facial scanning to confirm whether they are over 18. Users who decline will be placed into what’s charmingly labelled a “Teen Experience”: essentially a restricted version of the platform with tighter controls on private messaging and reduced functionality. Compliance equals convenience. Non-compliance equals friction.
The justification? Protecting minors online. A noble goal, though critics argue it’s another step toward normalising digital ID checks for everyday internet use. It’s also worth remembering that last year Discord’s vendor, Zendesk, suffered a data breach involving photo IDs, with over 70,000 IDs leaked onto the dark web. The breach reportedly stemmed from an employee in Southeast Asia being bribed $5,000 for login credentials, granting attackers access to sensitive data.
Now, with a global rollout planned for March, Discord is preparing to collect even more ID-linked information from users worldwide. To critics, this feels less like child protection and more like groundwork for what some have dubbed a “licence for the internet”, echoing regulatory moves across Western nations, including the UK’s Online Safety Act. Whether this becomes the norm or sparks serious backlash remains to be seen. But one thing is certain: the age of anonymous scrolling is looking increasingly vintage.
And finally, in a plot twist few had on their 2026 bingo card: the United States is reportedly preparing to launch its own government-backed VPN. The stated purpose? To counter what US officials describe as government censorship of online material. Strategically, it’s an intriguing move. Consider platforms like X (formerly Twitter), which have faced mounting regulatory pressure in the EU and UK over content moderation and hate speech. Restrictions or access limitations have been openly discussed.
But here’s the geopolitical curveball. Would European governments be willing, or even able, to block a VPN backed by the US government? The optics of throttling what’s branded as a “freedom tool” could get messy, fast. If this rolls out as described, it won’t just be a privacy product. It will be a diplomatic chess piece.
Another week in cyber: ransoms quietly paid, faces scanned for entry, and nation-states experimenting with subscription-level internet sovereignty. Nothing to see here. Just the future arriving slightly ahead of schedule.
Software Vulnerabilities
BeyondTrust has confirmed a critical pre-authentication remote code execution bug in Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4). Exploitation attempts have been observed since 10 Feb, targeting internet-facing, self-hosted instances that didn’t get the memo about patching. It landed in KEV on 13 Feb with a 16 Feb due date and, for extra spice, is reportedly being used in ransomware campaigns. Not the sort of endorsement you frame.
Why it matters: This is your remote support platform. If it falls over, everything it can reach is suddenly fair game. Think credential harvesting, lateral movement, and a mystery admin account appearing at 03:17.
Do now: Apply BT26-02 or upgrade (RS 25.3.2+, PRA 25.1.1+) immediately. If you were exposed and unpatched into early Feb, assume breach until proven otherwise. Hunt, rotate credentials, restrict inbound access (VPNs and allow-lists only), and monitor for suspicious request patterns.
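A practical first step for the “Do now” above is an inventory pass: which self-hosted instances sit below the fixed versions named here (RS 25.3.2, PRA 25.1.1), and which of those are internet-facing and therefore fall into the “assume breach” bucket. The script below is an added example, not BeyondTrust’s or BreachAware’s code; the inventory it triages is constructed, and the host names, product codes and the `Instance` record are assumptions for illustration.

```python
"""Triage a constructed inventory of self-hosted BeyondTrust instances against
the fixed versions quoted in the advisory summary (RS 25.3.2+, PRA 25.1.1+).
Added example: hosts, product codes and the Instance record are assumptions."""
from dataclasses import dataclass

# Minimum fixed versions as stated on the page: Remote Support (RS) and
# Privileged Remote Access (PRA). Anything below these is treated as vulnerable.
FIXED = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}


def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1). Trailing hotfix tags such as ' HF1' are
    ignored so that '12.8.8 HF1' still compares on its dotted core."""
    core = text.split()[0]
    return tuple(int(part) for part in core.split("."))


@dataclass
class Instance:
    host: str
    product: str          # "RS" or "PRA" (hypothetical inventory codes)
    version: str
    internet_facing: bool


def assess(inst):
    """Classify one instance: 'patched', 'vulnerable-internal' or
    'vulnerable-exposed' (exposed = below fixed version AND internet-facing)."""
    if inst.product not in FIXED:
        raise ValueError(f"unknown product code: {inst.product}")
    # Tuple comparison handles differing lengths: (25, 3) < (25, 3, 2).
    if parse_version(inst.version) >= FIXED[inst.product]:
        return "patched"
    return "vulnerable-exposed" if inst.internet_facing else "vulnerable-internal"


def triage(instances):
    """Map host name -> status for the whole inventory."""
    return {inst.host: assess(inst) for inst in instances}


# Constructed sample inventory (not real hosts).
SAMPLE = [
    Instance("rs-dmz-01", "RS", "25.3.1", True),    # exposed and one patch short
    Instance("rs-lab", "RS", "25.3.2", False),      # on the fixed version
    Instance("pra-core", "PRA", "24.3.4", False),   # vulnerable but internal-only
    Instance("pra-edge", "PRA", "25.1.1", True),    # patched
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as `vulnerable-exposed` are the ones the advisory says to treat as breached until proven otherwise: hunt, rotate credentials and restrict inbound access before, not after, the upgrade lands.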
An unauthenticated SQL injection with a CVSS 9.8. No privileges. No user interaction. Just crafted requests and away we go. It’s in KEV, it’s been exploited, and patches have existed for months. If you’re still vulnerable, that’s not bad luck; that’s patch hygiene with vibes.
Why it matters: ConfigMgr is the management plane. If an attacker executes there, they can turn your software deployment engine into a malware distribution service. Efficient. Scalable. Catastrophic.
Do now: Confirm remediation across all site roles. Validate patch state; don’t assume it. Treat ConfigMgr as Tier-0: tight network access, serious logging, and privileged access controls. Hunt for odd database queries or unexplained admin activity.
All versions up to 12.8.8 HF1 are affected; fixed in 2026.1. KEV gave it a due date that politely wrecked a weekend. Vendor scoring says “High”, NVD says “Critical”. Either way, it’s not decorative.
Why it matters: Help desk systems are designed to be reachable and plugged into everything. Even a control bypass can morph into credential capture, ticket tampering, or a stepping stone into the domain if chained creatively.
Do now: Upgrade to 2026.1. If you can’t, pull it off the public internet and restrict admin access. Review logs, check for unexpected authentication or integration changes, and rotate credentials if trust feels… theoretical.
A protection mechanism failure in MSHTML, CVSS 8.8, actively exploited. Requires user interaction, which in attacker terms means “send a convincing email and wait”.
Why it matters: MSHTML bugs are classic chain links. Bypass a control here, bolt on another exploit there, and suddenly you’ve got a multi-stage compromise. “User interaction required” is not a comfort blanket.
Do now: Deploy February 2026 Microsoft updates promptly and verify they actually installed. Harden document and browser surfaces (Protected View, ASR-style controls, attachment policies). Monitor for suspicious child processes spawned from Office or browser contexts.
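The last “Do now” item, monitoring for suspicious child processes spawned from Office or browser contexts, is easy to state and easy to get subtly wrong (path casing, legitimate helper processes). The script below is an added example, not Microsoft’s or BreachAware’s code: it runs a simple parent/child rule over constructed process-creation records in a `key=value|key=value` format that stands in for whatever your endpoint telemetry actually emits. The field names (`Computer`, `ParentImage`, `Image`, `CommandLine`) mirror common Sysmon-style naming but are assumptions here, as are the process lists.

```python
"""Flag process-creation events where an Office application or browser spawns a
scripting or LOLBin-style child. Added example over constructed log lines; the
field names and process lists are assumptions, not a vendor rule set."""
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Parents that should almost never launch an interpreter directly.
OFFICE_AND_BROWSERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
}
# Children that are classic first-stage hand-offs after a malicious document or page.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def parse_event(line):
    """Parse one 'key=value|key=value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious(event):
    """Match on the image basename, lower-cased, so 'PowerShell.EXE' and
    'powershell.exe' are treated identically regardless of install path."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent in OFFICE_AND_BROWSERS and child in SUSPICIOUS_CHILDREN


def hunt(lines):
    """Return (computer, parent, child, command line) for every matching event."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious(event):
            findings.append((event.get("Computer", "?"), event["ParentImage"],
                             event["Image"], event.get("CommandLine", "")))
    return findings


# Constructed sample telemetry: two true positives, two benign events.
SAMPLE_LOG = r"""
Computer=WS-1042|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c echo test
Computer=WS-1042|ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n
Computer=WS-2210|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE|CommandLine=PowerShell.EXE -NoProfile
Computer=WS-2210|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for computer, parent, child, cmdline in hunt(SAMPLE_LINES):
        print(f"[{computer}] {ntpath.basename(parent)} -> {ntpath.basename(child)}: {cmdline}")
```

The fourth record shows why an allow-list of children matters: Excel launching `splwow64.exe` (a print helper) is routine, so a rule that fires on “Office spawned anything” would drown the two real hits in noise. Tune both sets to your estate before wiring this into alerting.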
Apple says this may have been used in “extremely sophisticated” attacks against specific individuals on iOS