Computer Security US Blog

Computer Security News and Insights

Insider Threats

How to Prevent Insider Threats: A Practical Guide

In May 2022, a Yahoo research scientist named Qian Sang downloaded roughly 570,000 pages of proprietary source code to his personal devices — minutes after receiving a job offer from a competitor. Yahoo's internal systems flagged it, but only after the data had already left. That incident is

Carl B. Johnson Jun 12, 2025 7 min read
Insider Threats

Malicious Insider vs Negligent Insider: Real Threats

One Clicked a Link. The Other Sold the Data. Both Cost Millions.

In 2023, Tesla disclosed that two former employees had leaked the personal information of over 75,000 people — including Social Security numbers — to a foreign media outlet. That same year, the Verizon 2023 Data Breach Investigations Report confirmed

Carl B. Johnson Jun 12, 2025 7 min read
Insider Threat Indicators

Insider Threat Indicators: 9 Red Flags to Catch Early

In May 2022, a Yahoo research scientist named Qian Sang downloaded roughly 570,000 pages of proprietary source code to his personal devices — just two weeks after accepting a job at a competitor. Yahoo's internal systems flagged the bulk transfer, but only after the damage was done. This

Carl B. Johnson Jun 12, 2025 6 min read
Zero Trust Security Model

Zero Trust Security Model: Why Perimeter Defense Is Dead

In January 2024, Microsoft disclosed that the Russian threat actor Midnight Blizzard had breached corporate email accounts — not by exploiting some exotic zero-day, but by password spraying a legacy test tenant that lacked multi-factor authentication. One overlooked account. No MFA. Catastrophic access. If a company with Microsoft's resources

Carl B. Johnson Jun 12, 2025 7 min read
Zero Trust

What Is Zero Trust? A Practical Guide for 2025

The Breach That Made "Trust But Verify" Obsolete

In January 2024, Microsoft disclosed that a Russian state-sponsored threat actor known as Midnight Blizzard had compromised executive email accounts — not by exploiting some exotic zero-day, but by password-spraying a legacy test tenant account that lacked multi-factor authentication. One overlooked

Carl B. Johnson Jun 12, 2025 8 min read
Zero Trust Network Access

Zero Trust Network Access: A Practical 2025 Guide

The VPN That Let Attackers Walk Right In

In January 2024, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that Chinese state-sponsored threat actors had exploited Ivanti Connect Secure VPN vulnerabilities to breach multiple U.S. federal agencies. The attackers didn't kick down the door. They walked through

Carl B. Johnson May 25, 2025 7 min read
Zero Trust Implementation

Zero Trust Implementation: A Practical Guide for 2025

In January 2024, Microsoft disclosed that a Russian threat actor known as Midnight Blizzard breached corporate email accounts — not through some exotic zero-day, but by password-spraying a legacy test account that lacked multi-factor authentication. One forgotten account. No segmentation. No least-privilege enforcement. The result: a nation-state actor reading executive emails

Carl B. Johnson May 25, 2025 7 min read
Work From Home Cybersecurity

Work From Home Cybersecurity: A 2025 Survival Guide

In March 2024, a single remote employee at a midsize financial firm clicked a link in what looked like a Microsoft Teams notification. Within 72 hours, a threat actor had moved laterally across the company's network, exfiltrated 1.2 million customer records, and deployed ransomware that locked every

Carl B. Johnson May 25, 2025 7 min read
VPN Best Practices

VPN Best Practices: 9 Rules That Actually Stop Breaches

In May 2024, Check Point disclosed that threat actors were actively exploiting a zero-day vulnerability in its VPN products — CVE-2024-24919 — to harvest Active Directory credentials and move laterally through enterprise networks. Attackers didn't need a sophisticated exploit chain. They needed one VPN gateway running a default configuration with

Carl B. Johnson May 25, 2025 7 min read