Transcript
A (0:00)
From the CISO series. It's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Friday, February 6, 2026. I'm Sarah Lane.

Substack admits data breach
Substack is notifying users of a data breach after attackers accessed email addresses, phone numbers and internal metadata back in October. Substack CEO Chris Best says the issue was only discovered this week and there's no evidence that passwords or financial data were accessed. A threat actor has since posted a database with around 697,000 records online. Substack says it's fixed the flaw and is warning users about potential phishing.

Russian attacks target Winter Olympics
Italy's foreign minister says cyber attacks of Russian origin have targeted Foreign Ministry sites and infrastructure linked to the Milano Cortina Winter Olympics, including hotels. Though officials say the attacks were blocked, no details were given on whether the activity was state-backed. The warning comes as the UK urges organizations not to underestimate pro-Russia hacktivists and as Cloudflare's CEO threatens to pull free services for the Games after Italy fined the company 14 million euros for anti-piracy violations.

GitHub Codespaces enable RCE
Orca Security says attackers can achieve remote code execution in GitHub Codespaces by tricking developers into opening a malicious repository or a pull request. The researchers found that default configuration files can automatically run commands on startup, letting attackers steal tokens, access secrets and potentially move laterally across enterprise environments. Orca warns developers should treat repository-supplied configs as untrusted.

Russia-used Starlink terminals are now deactivated
Ukraine says its new Starlink whitelist system is now stopping Russian military use of the satellite Internet network and has already cut off access for unverified terminals following the impact of yesterday's move to disconnect unauthorized devices. Approved terminals on the whitelist are operational, but Russian ones have been blocked, and verified lists are being updated daily as part of the ongoing registration process.

Huge thanks to our sponsor, Strike 48. It's no secret that AI is only as good as the data available to it. Strike 48 unifies agentic AI with unmatched log visibility while avoiding the typical hefty price tag. Build and deploy agents for phishing detectors, alert triage, threat correlation and more. Query existing logs where they currently live so you can keep the technology you already have. Learn more at strike48.com.

Cyber espionage operation targets governments worldwide
Palo Alto Networks Unit 42 says an Asia-based cyber espionage group breached at least 37 governments and conducted reconnaissance in 155 countries, calling it one of the most widespread state-linked compromises since SolarWinds. Telecom firms, police ministries and even a parliament were accessed. Researchers say the campaign focused on espionage and data theft, using phishing and common tools like Cobalt Strike across varied targets.

Conpet discloses cyber attack
Romania's national oil pipeline operator Conpet says a cyber attack disrupted its corporate IT systems and knocked its website offline, but didn't affect operational technology or fuel transport. The company runs nearly 4,000 kilometers of pipelines. The Qilin ransomware group claims responsibility, saying it stole about 1 terabyte of data and leaked sample documents as proof.

OpenClaw may reveal big personal info
The OpenClaw AI agent platform may be riddled with security flaws, including prompt injection attacks that could let hackers backdoor a user's machine, steal files or deploy ransomware. Snyk found that 283 of around 4,000 skills in the ClawHub marketplace exposed sensitive data like API keys, passwords and credit card numbers. Zenity also showed attackers could use indirect prompt injection through integrated apps to gain remote control of systems and exfiltrate data.

EnCase driver weaponized
Huntress researchers say that attackers are abusing an old, revoked Windows driver from the EnCase forensic tool to disable security software in bring-your-own-vulnerable-driver attacks. The team found that Windows still loads the driver because of legacy signing rules that allow pre-2015 certificates even if they're expired or revoked.

If you have some thoughts on the news from today or about the show in general, you know what to do, but I'm going to tell you again. Reach out to us at feedback@cisoseries.com. We'd really love to hear from you. I am Sarah Lane reporting for the CISO Series. You stay safe out there.
