Organisations using Fortinet services are urged to investigate whether they have been affected by global targeting of firewalls and VPN gateways and should follow mitigation advice to help defend against the threat.
For more information ⬇️
https://t.co/tqUG8TyxEL
VS Code WARNING: 3800 repos hacked
GitHub just confirmed a massive breach affecting 3,800 repos after an employee installed a malicious VS Code extension. Here is why you must be careful with your browser and IDE plugins.
#github #vscode #extensions
🚨 MASSIVE CYBERATTACK: The EU Commission, ENISA, and the DG for Digital Services have been compromised by threat actor ShinyHunters.
Leaked data includes:
▪️ Emails & attachments
▪️ Full SSO user directory
▪️ DKIM signing keys
▪️ AWS config snapshots
▪️ NextCloud/Athena data
▪️ Internal admin URLs
It's a mess!
🚨‼️ BREAKING: Adobe has been breached by threat actor Mr. Raccoon, leaking 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents and more.
Mr. Raccoon gained access through an Indian BPO, first deploying a remote access tool on an employee, then phishing their manager.
Mr. Raccoon told us: "They allowed you to export all tickets in one request from an agent."
The Stryker breach just got worse.
After the initial compromise - attributed to Iranian-linked group Handala Hack - attackers used legitimate Microsoft Intune admin credentials to issue remote-wipe commands across corporate devices globally.
They didn't deploy malware. They didn't exploit a vulnerability. They logged into the management console with valid credentials and pressed the wipe button.
Thousands of corporate devices. Ordering systems down. Manufacturing disrupted. Shipping halted. All through a tool designed to protect those devices.
CISA and the FBI are now directly engaged. CISA issued an advisory urging every enterprise to harden Microsoft Intune and endpoint management platforms immediately.
This is the part that should keep security leaders up at night: the attackers used the admin tooling exactly as it was designed to be used. The commands were legitimate. The credentials were valid. The actions were authorised - just not by the right people.
This is what living-off-the-land looks like in 2026. No custom malware to detect. No anomalous network traffic to flag. Just someone with the right credentials doing what the platform was built to do.
And it's not an isolated pattern. Same week: Interlock ransomware exploiting Cisco's Firewall Management Center for 36 days before disclosure. ConnectWise ScreenConnect flaw allowing remote session hijacking. Oracle EBS zero-day hitting 100+ organisations including Michelin.
Four management-plane attacks in one week. All targeting the tools that run the infrastructure, not the infrastructure itself.
Now here's where this gets uncomfortable for anyone deploying AI agents at enterprise scale.
Your AI agents authenticate with API keys. They connect to CRMs, email, code repos, and production databases. They operate with persistent credentials, often with broad permissions, often stored locally in plaintext. They access external tools through MCP servers that most security teams haven't assessed.
That's a management plane nobody is governing yet.
If attackers are compromising Microsoft Intune - a platform with decades of security investment, dedicated security teams, and enterprise hardening - what happens when they discover that your AI agent has admin access to HubSpot, GitHub, and Slack with an API key sitting in a JSON file on a Mac mini?
The Stryker incident isn't just a breach story. It's a preview of what happens when management-plane access isn't treated as the highest-value target in your environment.
AI agents are the newest management plane. Treat them like one before someone else does.
More info: https://t.co/6MTRk0mDE8
Tax codes — whether it’s the UK’s “1257L”, a US TIN/ITIN, or Scandinavian personal tax identifiers — sit quietly in payroll systems, HR platforms, and email threads. They’re not flashy like #passwords.
https://t.co/7kRUZRa4D5
.@salesforce says the ShinyHunters cybercrime group exploited misconfigured Experience Cloud sites, abusing guest user permissions to access data across hundreds of organizations. #cybersecurity #infosec #CISO #ITsecurity https://t.co/xj0xugpypX
Google disrupted a Chinese-linked hacking group that breached at least 53 organizations across 42 countries, the company said Wednesday.
#cybersecurity
https://t.co/W1w0IJLcIf
Researchers Found an Unprotected Database Containing Billions of Records, Including Over 1 Billion Social Security Numbers.
Security firm UpGuard identified an Elasticsearch database sitting wide open on the internet with no authentication required. Inside were two massive datasets: one containing roughly 3 billion records with email addresses and passwords, and another with 2.7 billion records that included Social Security numbers. The origin of the database and how long it remained exposed remain unclear.
https://t.co/6vcxZ2iYeV
🚨Cyberattack Alert ‼️
🇺🇸USA - PACCAR
Coinbase Cartel hacking group claims to have breached PACCAR.
Sector: Manufacturing
Threat class: Cybercrime
Observed: Nov 13, 2025
Status: Pending verification
—
About this post:
Hackmanac provides early warning and cyber situational awareness through its social channels. This alert is based on publicly available information that our analysts retrieved from clear and dark web sources. No confidential or proprietary data was downloaded, copied, or redistributed, and sensitive details were redacted from the attached screenshot(s).
For more details about this incident, our ESIX impact score, and additional context, visit https://t.co/eB7qgxLdpI.
Researchers pointed a satellite dish at the sky for 3 years and monitored what unencrypted data it picked up. The results were shocking: They obtained thousands of T-Mobile users' phone calls and texts, military and law enforcement secrets, much more: https://t.co/ZT0nAJch7s