🚨 BrEaKiNg: Splunk, a security product, has zero authentication in its built-in database service and accepts any credentials, according to the security researchers who just dropped a full pre-auth RCE chain for Splunk Enterprise (CVE-2026-20253, CVSS 9.8).
Splunk Enterprise on AWS is vulnerable out of the box.
Wait till you see this 👀
@daveedbarka just re-created the CoLab workspace in 3D and it’s TOO CLEAN 🔥
If you’ve been thinking about learning 3D modelling or improving your skills, this is your sign to join the 3DT
Don’t just watch. Build.
#Colabkd#3DModelling#TechCommunity
This is True Worship!
For God is Spirit and those who must Worship him will worship him in Spirit and Truth!
The Language of God is Spirit!
His Vocabulary is Truth!
🔥🔥🔥🔥
As a believer, always move with the consciousness that you are never without help.
The Holy Spirit is always there to help you. Call on Him and He will help you.
No matter how insignificant or little you think the situation is.
Important Update.
Africa CyberFest 2026 will now be held as a one-day event.
This change allows us to deliver a more focused, high-impact experience—
where every session, every activity, and every moment is intentional.
Same vision.
Same energy.
Stronger experience.
Everything you need.
All in one powerful day.
🗓 New Date: May 2, 2026
📍 Lagos, Nigeria
We look forward to hosting you.
🎟 Register now https://t.co/2nHZ9Dk8YS
#AfricaCyberFest2026
#CyberFest2026
#CyberSecurityAfrica
#TechEventsNigeria
This actually happened. Nigeria Police Force confirmed it. January 28, 2026.
A Nigerian telecommunications company noticed something strange in its billing and payments system.
Airtime was leaving. Data was disappearing. At scale.
They filed a petition with the police.
What investigators found: internal staff login credentials had been compromised.
Someone on the inside or someone who got to someone on the inside had handed over access to the company's core billing infrastructure.
Six suspects were eventually arrested across three states.
Operations in Kano. Katsina. Then a follow-up in Abuja.
What police recovered from them:
Two residential houses.
Two mini-plazas.
GSM and laptop retail outlets.
Over 400 laptops.
1,000 mobile phones.
A Toyota RAV4.
Total diverted: ₦7.7 billion in airtime and data.
Think about what ₦7.7 billion in airtime looks like.
It is not cash sitting in a vault.
It is digital credits generated, distributed, and resold through a network of retail outlets before anyone noticed the source was stolen.
The telco's billing system treated every diversion as a legitimate transaction.
Because the credentials used were legitimate.
That is the nature of credential compromise attacks.
The system does not know it is being robbed.
It just sees an authorised login doing authorised things.
What stops this:
Multi-factor authentication on every internal system especially billing and payments infrastructure.
Anomaly detection on privileged accounts that flag unusual transaction volumes, unusual hours, unusual locations.
Principle of least privilege... staff should only access exactly what their role requires. Nothing more.
Credential compromise is not a sophisticated attack.
It is the most common attack vector in Nigeria's tech ecosystem right now.
And it is working.
₦7.7 billion worth of airtime says so.
Hi @victorosimhen9
I gave up my dream to become a professional footballer to pursue a career in cybersecurity.
It has been over 4 years now since i made that decision and there is a professional certification exam (OSCP) that costs $1,749 that i have been wishing to write.
I was sent a file recently.
Nothing unusual at first. Just a simple executable someone claimed was a “tool” for automating some work.
The file name looked normal. The size was not suspicious. Even the icon looked like a regular application.
Most people would open it without thinking twice.
But something about it did not sit right with me.
Before running anything, I decided to check it properly.
I started with basic inspection just to see what the file contains.
Immediately, I noticed something strange.
There were readable strings inside the file that should not be there if it was just a normal tool.
IP addresses.
URLs.
Commands.
That was the first sign this was not what it claimed to be.
So, I went deeper.
Instead of running it directly, I analyzed it and monitored what it was trying to do.
The file was attempting to reach out to an external server the moment it was executed and it needed no user action.
Just opening it was enough.
Below is exactly what I saw on my terminal.
Once an attacker has a foothold inside a network, shared storage becomes one of the fastest ways to understand the environment. Internal SMB shares often contain scripts, onboarding documents, backups, configuration files, and exported data that were never meant to be broadly accessible. Pentest+ expects you to recognise that lateral movement is not only about remote code execution. It is also about inherited trust and weak internal permissions.
In the terminal below, I am enumerating SMB shares on an internal file server from a compromised host. The goal is not to exploit the server. The goal is to discover what the organisation already made available to authenticated users. The moment a readable share exposes deployment notes, credential references, or internal documentation, the attacker gains operational knowledge that can be reused across systems.
This is why internal shares are so dangerous. They feel normal to staff, but to an attacker they function like a map, a toolbox, and a memory dump at the same time.
I have no issues with people who vibe-code but when developers use it to build e-commerce websites or sites that store client personal information, that’s where problems can start.
I recently reached out to a developer on TikTok to inform her about a vulnerability I discovered in one of her projects. Surprisingly, she didn’t seem to take it seriously and even dismissed the idea that hacking vulnerabilities like this exist.
After that, my team (@hack_ademy) investigated further and found that the AI-generated code had created an unsecured database viewer intended for client use. This exposed sensitive data. We were also able to query the sql db through the terminal.
We’ve since contacted her again, explaining the issue and showing the specific security flaws in the AI-generated code, We received a response and she promised to patch before April 2nd.
Devs, when coding a site that will hold customer information be careful.
I do not condone ruining anyone’s business or spoiling anyone’s name but the right thing must be done!