Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the Cybersecurity Headlines for Wednesday, April 29, 2026. I'm Rich Stroffolino.

FIDO Alliance working on securing AI agent payments
The industry association said it's working with Google and Mastercard and a pair of working groups to develop industry standards for validating and protecting payments made by AI agents. Google is contributing its Agent Payments Protocol to cryptographically verify that a user has authorized an agent. Mastercard will provide its Verifiable Intent framework, which will allow users to authorize the agents. The FIDO Alliance still needs to build out use cases for using both in real-world deployments, then work with merchants and payment providers on adoption and support.

Germany suspects Russia in Signal phishing
A spokesperson for the German government said federal prosecutors began investigating phishing attacks against the secure messaging service. Since mid-February 2020, roughly 300 Signal accounts tied to political operatives were compromised by receiving faked suspicious-activity notifications, according to reporting by Der Spiegel. Clicking on these messages would link their account to an external device. While Germany suspects Russian involvement, it did not officially attribute the attacks. This mirrors a warning from the Dutch government last month.

RCE flaw in open source robotics platform
A GitHub advisory disclosed details of an untrusted data deserialization flaw in Hugging Face's robotics platform LeRobot, which could allow for remote code execution. Researchers at RE Security said the flaw is in the async interface policy server component, which allows an unauthenticated attacker on the same network to send a malicious serialized payload to host machines. This doesn't appear to be completely new, with a researcher disclosing the flaw back in December 2025. The flaw remains unpatched, with plans to fix it in version 0.6.0, according to LeRobot's team. That part of the codebase needs to be almost entirely refactored, as its original implementation was more experimental.

Privacy fines and scam losses spike
It's a tale of two figures. On the one hand, the US Federal Trade Commission released a report finding that Americans lost US$2.1 billion in social media scams in 2025, eight times higher than 2020 losses. Social media accounted for 30% of all scam losses in the year. Meta platforms, unsurprisingly, took the top three spots, with Facebook seeing $794 million in scam losses and Instagram and WhatsApp combining for $629 million in losses. On the other side of the coin, Gartner reports that US states issued $3.45 billion in privacy-related fines in 2025, more than the last five years combined. Some of this comes from more active enforcement of the California Consumer Privacy Act, but Gartner also cited the consortium of privacy regulators formed by 10 states last year, leading to more coordinated enforcement.

And now a huge thanks to our sponsor, GuardSquare. Is your mobile app truly protected? Relying on the OS isn't enough. A global study of 1,300 security and developer leaders found that 96% of teams using layered protection reported significantly fewer security incidents. Don't wait for a breach to harden your defenses. Get the protection needed for modern security risks. Learn more at guardsquare.com.

Ransomware gangs still going at it
Earlier this month we reported on the group 0APT putting the ransomware group Crybit on its leak site, publishing information that partially doxes the group. A new report from Halcyon found that Crybit responded by hacking back 0APT's site, defacing it and leaking 0APT's full operation dataset, with full access logs, PHP source code and system files. This revealed that the initial victims published by 0APT in January 2026 were completely fabricated. So far, 0APT has been unable to recover its site.

North Korea targets crypto firms
Researchers at Arctic Wolf found that the Lazarus Group-affiliated BlueNoroff team conducted a large-scale spear-phishing campaign against over 100 cryptocurrency organizations. First observed back in January, these attacks used typosquatted Zoom meeting links sent through manipulated Calendly invites. Going into the meetings would capture their live video camera feed and deploy a clipboard injection attack that attempted to exfiltrate crypto wallet details. This appears to have been a long con, with attackers taking up to five months to deploy after initial contact. Once the attack took place, researchers found they retained access to systems for an average of 66 days.

Vimeo blames Anodot breach for incident
Vimeo confirmed reports that some of its user and customer data leaked, saying this came as a result of a breach at the security analytics company Anodot. The leaked data included technical information on accounts, video titles and metadata, as well as emails. No video content or payment information was impacted. In response, Vimeo disabled all Anodot credentials and removed the Anodot integration with Vimeo systems. ShinyHunters added Vimeo to its leak site earlier this week and claimed that its breach of Anodot enabled the theft of Rockstar Games data earlier this month.

Medtronic confirms attack
The medtech giant confirmed unauthorized access to its systems after the threat group ShinyHunters (you may have heard of them just a minute ago) listed it on its leak site. Medtronic did not confirm any actual data loss, saying its customer networks remained separate from its IT systems. ShinyHunters removed Medtronic from its leak site on April 21, indicating it may have paid a ransom. It claims it obtained over 9 million records with personal information and terabytes of corporate data.

AI agent deletes production database again
The founder of the car rental SaaS platform PocketOS, Yair Crane, posted on X that an AI coding agent from Cursor deleted its production database and all volume-level backups in a single API call to Railway, the company's infrastructure provider. The action took about nine seconds. The Cursor agent was attempting to resolve a conflict by deleting a storage volume on Railway using an API token that it found in a completely unrelated project. This saw multiple failures of oversight. The agent specifically didn't follow established safety protocols, and the Railway API didn't properly document that it could delete all data with no confirmation. Railway also stored its backups on the same volume as the primary data source. PocketOS was able to restore from a full three-month-old backup.

Before we finish this episode, I just wanted to say thank you to everyone who makes Cybersecurity Headlines part of your daily routine. If that's you, I've got something to ask. Why don't you tell a friend or a colleague to check out the show? Talk about a couple of the stories that we feature. We would really appreciate it. Thanks for helping grow the show. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
