Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Monday, March 30, 2026. I'm Steve Prentiss.

FBI confirms theft of Director's personal emails. The announcement is in regard primarily to photographs of FBI Director Kash Patel, which were allegedly stolen from his personal email account on Friday morning. The hacking group Handala, which has ties to Iran's Ministry of Intelligence and Security, is said to have leaked them. An FBI spokesperson stated that the information is historical in nature and involves no government information. The leak also includes emails allegedly sent by and to Patel between 2010 and 2019. The group Handala claimed the leak was in response to the FBI's takedown last week of several Handala websites, as well as the imposition of a $10 million bounty on the members of the group.

Lloyds Bank customer data exposed in IT glitch. This is an error that exposed personal data of nearly 500,000 customers of Lloyds Banking Group, data that included payment details, account details and National Insurance numbers that could have been visible to other users. Officials from Lloyds Bank, which is one of the UK's big four banking houses, blamed the glitch on a software defect introduced during an IT update to its Lloyds, Halifax and Bank of Scotland mobile banking apps in the early hours of March 12. Although the window of exposure of the customers' data was very small, at least for human observers, the customers, and even people who were not Lloyds Banking Group customers, may have had their transaction details exposed.

Hundreds of valid API keys discovered on the web. Researchers from Stanford say that after analyzing 10 million websites, they found almost 2,000 API credentials strewn across 10,000 web pages. They performed this research, they said, because much of the attention on exposed credentials has focused on scouring code repositories and source code; they put forth that analysis of production websites is essential to understand the scope of the problem. The researchers found highly sensitive API credentials left publicly exposed on web pages, which act as access tokens that authorize applications to interact with third-party services, granting direct access to critical infrastructure like cloud platforms and payment providers. These, the researchers say, are even more dangerous than exposed login details because they provide programmatic access to resources. The valid credentials belong to multinational corporations, critical infrastructure entities and government agencies, and provide access to services like AWS, GitHub, Stripe and OpenAI.

CISA adds F5 BIG-IP APM exploit to its KEV, citing evidence of active exploitation. The agency added the vulnerability, which has a CVSS v4 score of 9.3, to its catalog because it could allow a threat actor to achieve remote code execution and because it has been exploited in the vulnerable BIG-IP versions. watchTowr CEO and founder Benjamin Harris said in a statement that this vulnerability initially appeared last year as a denial-of-service issue, which did not immediately signal urgency, and many system administrators likely prioritized it accordingly, which is why it is more urgent now.

Huge thanks to our sponsor ThreatLocker. Most breaches don't start with a zero-day. They start because something unexpected was allowed to run. One way organizations reduce risk is by shrinking the attack surface, deciding what software should be allowed to execute, and blocking everything else by default. Fewer unknowns means fewer opportunities for attackers. You can learn more at threatlocker.com.

Infinity Stealer malware grabs macOS data through ClickFix lures. This new infostealing malware uses a Python payload packaged as an executable and is used to target macOS programs. It employs a ClickFix technique in the form of a fake Cloudflare CAPTCHA. Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka, that's N-U-I-T-K-A, which creates an executable that is more resistant to static analysis.

File read flaw in Smart Slider plugin affects half a million WordPress sites. The Smart Slider 3 WordPress plugin is actually active on more than 800,000 websites. The flaw can be exploited to allow subscriber-level users access to arbitrary files on the server. An authenticated attacker could access sensitive files such as wp-config.php, which includes database credentials, keys and salt data, thus creating the risk of user data theft and complete website takeover. Smart Slider 3 is used to create and manage image sliders and content carousels, and this issue, of course, does have a CVE number.

ShinyHunters claims hack of European Commission. The breach allegedly includes data dumps including content from mail servers and internal communications systems, amounting to 350 gigabytes of data. This may include confidential documents, contracts and other sensitive material. BleepingComputer first reported the incident, suggesting that the threat actors breached the European Commission's AWS account. But AWS says it did not suffer a security incident and that its services functioned as expected. The attack vector is still unknown. Based in Brussels, the European Commission is the politically independent executive arm of the European Union, responsible for proposing new laws, managing EU policies and enforcing EU law.

Apple sends lock screen alerts to outdated devices. These lock screen notifications are being sent to iPhones and iPads running older versions of iOS and iPadOS to protect users from web-based attacks and urge them to update their devices. This is currently being prioritised due to the appearance of iOS exploit kits like Coruna and DarkSword, which we have been reporting on these past weeks, and which have raised concerns that they could democratize access to exploits that were previously reserved for nation states, potentially turning them into mass exploitation tools.

Do you want to know more about the most pressing stories of the last few days in time for your weekly stand-up? Well, join us today at 4:00pm Eastern for the Department of No, where our guests, Dennis Pickett, VP and CISO at Westat, and Jacob Combs, CISO at Tandem Diabetes Care, will sort out the priority stories and do a deep dive on the ones that matter most. And of course we will actively involve you in the conversation. Just go to YouTube, search for CISO Series and look for Department of No, Mar 30, 2026 under upcoming live streams. And if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com; we would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
