65.7B
Identity records in SpyCloud's 2026 datalake
SpyCloud Identity Exposure Report 2026
217%
Rise in MFA fatigue attacks year-over-year
Verizon DBIR 2025
22%
Of all confirmed breaches started with stolen credentials
Verizon DBIR 2025
$4.67M
Average cost of a credential-based breach
IBM Cost of a Data Breach 2025

Featured

Breaking
🔴 Critical — April 2026
One game download.
Hundreds of companies breached.
Infostealer Supply Chain

Vercel: Lumma Stealer Entered via a Roblox Cheat File

An employee downloaded a Roblox game script from an unofficial site. It contained Lumma Stealer. The malware ran silently for two months — collecting passwords and session tokens. Attackers then used those credentials to reach Vercel's Google Workspace through a connected third-party app. Source code, API keys, and data from hundreds of organisations was stolen.

April 2026 • TechCrunch, The Hacker News, BleepingComputer
Read full story →

Latest News

Critical MFA Bypass

Storm-2372: MFA Bypassed at Scale — No Password Stolen

A criminal group abused a legitimate Microsoft login flow to gain full account access. Victims clicked a link and pressed Allow — no password was ever needed. The FBI shut down the infrastructure in April 2026.

April 2026 Read more →
High Social Engineering

Figure Technology: 967,000 Accounts Exposed After One Employee Was Manipulated

Attackers sent a convincing message to one employee and were given access. No malware. No hacking tools. Nearly 967,000 customer records were stolen and published online.

February 2026 Read more →
Critical Session Theft

APT28: 18,000 Routers Hijacked to Steal Session Tokens

A state-sponsored group compromised 18,000 routers globally to steal OAuth tokens — bypassing MFA entirely. With a stolen token, attackers log in as you without a password or MFA code.

April 2026 Read more →
High Phishing

Adobe: 13 Million Support Tickets Exposed via a Contractor's Device

A phishing email opened on a contractor's device gave attackers access to Adobe's internal systems. 13 million tickets, 15,000 employee records, and unpublished security vulnerabilities were taken.

April 2026 Read more →
Industry-wide Breach Data

Synthient: 1.3 Billion Passwords Now Searchable in Have I Been Pwned

In November 2025, HIBP absorbed 1.96 billion email addresses and 1.3 billion passwords from the Synthient corpus. 625 million of those passwords had never been seen before. Check yours at haveibeenpwned.com.

November 2025 Read more →
Guide Best Practice

Six Steps to Protect Yourself Right Now

Change your password. Deny unexpected MFA prompts. Stop reusing passwords. Remove unknown browser extensions. Scan personal devices. Know who to call. Six actions — no jargon — under 30 minutes.

May 2026 Read guide →

Verified Sources

Every article on this hub is sourced from verified, authoritative outlets. No unverified claims are published.

BleepingComputer
Security news, breach reporting, malware analysis
bleepingcomputer.com
The Hacker News
Cybersecurity reporting, APT tracking, vulnerability news
thehackernews.com
TechCrunch Security
Breach disclosure and tech industry security reporting
techcrunch.com
NCSC
UK National Cyber Security Centre — official guidance
ncsc.gov.uk
CISA
US Cybersecurity & Infrastructure Security Agency
cisa.gov
ENISA
EU Agency for Cybersecurity — annual threat landscape
enisa.europa.eu
Have I Been Pwned
Check if your email appeared in a known breach — free
haveibeenpwned.com
Europol
Operation Endgame, infostealer takedowns, EU enforcement
europol.europa.eu