Cybersecurity Digest – 15th Edition
Date: 28-2-2026

February may be the shortest month of the year, but the cyber world clearly did not get the memo. It has been a restless few weeks filled with breaches, trust issues, and tough questions around AI adoption. Let’s take a look at how February 2026 really unraveled in security.

Six months, one costly bug
PayPal has disclosed a breach that left some customer data exposed for months, all due to a quiet internal coding error.
For nearly half of 2025, a logic flaw in PayPal’s Working Capital loan application exposed sensitive personal information to unauthorized parties. The issue went unnoticed for almost six months, during which some customers experienced fraudulent transactions. While PayPal says no financial credentials were accessed, the type of data involved raises serious identity theft concerns. The incident is another reminder that not all breaches start with hackers forcing their way in.
What happened, at a glance:
- Exposure ran from 1 July to 13 December 2025
- Data included names, contact details, dates of birth, and Social Security numbers
- Root cause was a code change in the PayPal Working Capital application
- Affected customers had passwords reset and some received refunds
Security experts were quick to point out that this was not a flashy attack but a slow burn caused by weak development controls. Noelle Murata from Xcape Inc warned that subtle logic errors can be just as damaging as major intrusions, especially when detection takes months.
Others raised concerns about PayPal’s messaging, with Denis Calderone of Suzu Labs calling out contradictions between public statements and regulatory filings. Beyond the immediate fraud risk, the long-term impact may linger. Simon Pamplin from Certes noted that once sensitive data is exposed, the risk does not end when the bug is fixed. For customers and companies alike, this incident is a reminder that internal controls, clear disclosure, and secure development practices matter just as much as perimeter defenses.

Trusted platforms, twisted code
The Winter Olympics are back, and so are cyber attackers. With Milan-Cortina 2026 expanding across multiple cities, security leaders warn that the growing digital footprint is creating new opportunities for disruption, espionage, and ransomware attacks. Read more >>>

When malware learns design
AI-powered Android malware enters a new phase
Researchers at ESET have uncovered what they say is the first Android malware to abuse generative AI for real-time UI manipulation. Dubbed PromptSpy, the malware uses Google Gemini to adapt to different devices, stay persistent, and grant attackers remote access. Read more >>>

When updates turn against you
Attackers hijacked Notepad++’s update mechanism for six months, quietly pushing malware to targeted users in what experts describe as a highly selective supply-chain attack. Read more >>>

Who’s the boss of your vacuum? A Spanish engineer accidentally discovered he could control around 7,000 smart vacuums worldwide while tinkering with his own device. What started as a fun reverse engineering project quickly turned into a global wake-up call about weak smart home security. The flaw allowed access to live camera feeds and device data, raising obvious privacy concerns. The manufacturer says the issue is now fixed, but the bigger lesson still lingers.
Your selfie has a second job. A routine ID check for apps you use every day may be doing far more than you think. A leak tied to Persona, the firm behind verification for platforms like ChatGPT and Roblox, exposed a powerful surveillance tool built for government use. Researchers found unprotected infrastructure showing hundreds of identity and behavior checks designed for federal agencies. That same verification pipeline appears closely related to the one handling everyday selfies and ID uploads.
Yesterday’s keys, today’s AI risk. Google API keys that were once considered harmless are now unlocking far more than developers expected. After Gemini integration, exposed client-side keys could be used to access private data through Gemini, turning old configuration habits into a new security headache. Researchers at Truffle Security found nearly 3,000 live Google API keys sitting in public code, some tied to major organizations. What used to function as simple identifiers suddenly gained authentication privileges when Gemini APIs were enabled.
When Moltbook, later rebranded as OpenClaw, exploded across tech feeds in early 2026, it looked like the plot of a sci-fi thriller. Eric Schwake at Salt Security explains how autonomous AI agents appeared to be debating, upvoting, and forming communities with no humans involved. In reality, much of the activity was driven by people exploiting exposed APIs, weak controls, and unsecured infrastructure. The spectacle was AI theater. The real story was API risk hiding in plain sight. Read More >>>

Racing AI, risking everything
John Mutuski at Pipedrive talks about how AI adoption is accelerating at a pace few organisations have experienced before. From customer service to product development, intelligent automation is becoming embedded in daily operations. But as companies rush to integrate new AI capabilities, the security implications are often treated as an afterthought. Recent incidents at firms like Salesforce and Google show how tightly innovation and exposure are now linked. The real challenge of this AI wave is not capability, it is control. Read More >>>

2026 Top Pentesting Platforms
In 2026, penetration testing has moved far beyond a once-a-year compliance checkbox and become an ongoing security discipline. As attack surfaces expand across cloud environments, APIs, CI/CD pipelines, and AI-driven systems, organizations need more intelligent ways to simulate real-world threats at scale. In this guide, Joe Pettit of Bora outlines the leading pentesting platforms on the market and what sets them apart. Read More >>>

Some of the most interesting cybersecurity research and insights we spotted this month 👇
- VIPRE’s email threat trends report: Q4 2025: Scammers have always exploited human trust, but in Q4 2025, they took it to a new level. Compromised accounts, CEO impersonation, and even weaponized security tools are letting attackers bypass traditional email defenses with alarming efficiency. VIPRE’s Email Threat Trends report reveals how trust itself has become the latest vulnerability and why Business Email Compromise is surging. If you want to see the full picture of the Trust Exploitation Era, this report is a must-read. Read More >>>
- ReliaQuest 2026 annual cyber threat report: ReliaQuest's latest report reveals how AI is supercharging cyberattacks, making them faster, smarter, and more dangerous than ever. In 2025, attackers achieved lateral movement in as little as four minutes, while AI-enabled defenders could respond just as quickly. Ransomware, automated reconnaissance, and social engineering are all evolving at unprecedented speed. Elevated privileges at initial access are shrinking the window for response, making visibility and resilience critical. Read More >>>
- Wallarm’s 2026 API threatstats report: This report shows that APIs are now one of the most exploited attack surfaces in cybersecurity, with a huge share of 2025 vulnerabilities and real‑world exploits tied to API weaknesses. AI‑related flaws continue to grow rapidly, and when AI and API risks overlap, the consequences can be severe for data, automation, and business logic. Analysts found that APIs often remain exposed to untrusted input and easy to exploit at scale, making traditional defenses less effective. For defenders, visibility and resilience across API interfaces are now mission critical. Read More >>>

Why Cyber Risk gets lost in the boardroom
In our second edition of the year this February, we turned our focus to a question that refuses to go away: why does cyber risk still get lost in the boardroom? It shows up in reports and agendas, yet something is clearly not connecting between security teams and leadership. To explore the gap, we asked six leading voices in cybersecurity to challenge the assumptions boards still hold. Their answers reveal a consistent theme: cyber is being framed in the wrong language and measured the wrong way. What emerged is a clear call to treat cyber not as an IT issue, but as a business survival issue.
Dive into the full expert discussion.

- Black box no more. As teens increasingly turn to AI for advice and even emotional support, trust in these systems is rising fast. At the same time, startups like Guide Labs are tackling a different but equally urgent problem: understanding why AI says what it says. Their newly released model, Steerling-8B, is designed so every output can be traced back to its training data. In a world where 12% of U.S. teens seek guidance from chatbots, interpretability is quickly becoming more than a technical upgrade. It is shaping up to be a safety requirement.
- Practice with your boss bot. Uber engineers have taken AI integration to a fun new level by building an internal chatbot version of their CEO, Dara Khosrowshahi, nicknamed “Dara AI” to rehearse pitches before meeting the real executive. The tool lets teams refine presentations and messaging, helping them arrive better prepared. According to Khosrowshahi, roughly 90% of Uber’s software engineers now use AI in their workflows.
- Tell it what you want, it plays it. Spotify is expanding a new AI‑powered feature that lets Premium users create custom playlists just by typing what they feel like listening to. Instead of relying on generic algorithm picks, you can describe a mood, activity, era or even a vibe, and Spotify will build a playlist that matches your words and listening history. The tool is rolling out in beta across markets including the U.K., Ireland, Australia and Sweden, building on earlier launches in the U.S. and Canada.

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.