Computer Security News and Insights
The Misconfigured Bucket That Exposed 540 Million Records In 2019, researchers at UpGuard discovered that Facebook user data — over 540 million records — sat exposed on misconfigured Amazon S3 buckets maintained by third-party app developers. Nobody hacked anything. Nobody exploited a zero-day. The data was simply left open to the public
The Snowflake Breach Changed How I Think About Cloud Risk In mid-2024, threat actors compromised over 165 organizations by exploiting stolen credentials against Snowflake cloud accounts that lacked multi-factor authentication. Ticketmaster, AT&T, Santander — massive names, massive data losses. The root cause wasn't some exotic zero-day. It
In January 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive after threat actors exploited misconfigured SaaS environments across multiple federal agencies. The attackers didn't need sophisticated zero-day exploits. They walked in through overprivileged service accounts, dormant API tokens, and single-factor authentication — problems that every
A Single Stolen Phone Cost This Company $4.9 Million In 2023, a healthcare organization reported to the HHS that a single unencrypted mobile device — left in a rideshare — led to the exposure of over 100,000 patient records. The resulting HIPAA settlement, remediation costs, and reputational damage ran into
The Personal Phone That Took Down a Hospital Network In 2023, a nurse at a regional hospital plugged her personal phone into a workstation USB port to charge it. That phone carried malware picked up from a third-party app store. Within 72 hours, ransomware had encrypted patient records across three
The Text Message That Cost One Company $40 Million In 2024, a sophisticated smishing campaign targeted employees at several major financial institutions. Threat actors sent SMS messages impersonating IT support, directing staff to fake login portals that harvested credentials and multi-factor authentication tokens. The attackers then used those stolen credentials
In March 2024, a finance director at a mid-size logistics company received a text message that appeared to come from the CEO. It asked for a quick wire transfer to close a vendor deal. The director tapped the link, entered credentials on what looked like the company's banking
The $0.97 Device That Cost a Defense Contractor Millions In 2008, a USB flash drive infected with the Agent.BTZ worm was plugged into a U.S. military laptop at a base in the Middle East. It took the Department of Defense 14 months to clean up the damage,
In January 2024, a penetration tester hired by the Iowa State Court Administration was arrested for breaking into a courthouse — even though he had a signed contract to test physical security. The incident made national news and sparked a legal battle. But it also exposed something most organizations ignore: the
A Badge Swipe, a Smile, and a Six-Figure Data Breach In 2019, a penetration tester hired by Coalfire walked into a locked Iowa courthouse after hours — simply by following someone through a door. He and his partner were arrested, but the point was proven: physical security is often the weakest
