Secret CISO 1/28: One Community Health & Canada Computers Breaches, AI's Security Role, Quantum Flaws Unveiled

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of alarming data breaches that have rocked various sectors, from healthcare to retail, underscoring the persistent vulnerabilities in our digital defenses.

We begin with the One Community Health data breach, a stark reminder of the risks posed by third-party vendors in healthcare. Meanwhile, Canada Computers faces its own cybersecurity woes, highlighting the ongoing threats in the retail industry. Legal scrutiny intensifies as Strauss Borrelli PLLC investigates breaches at Melwood and GEM Technologies, reflecting a growing trend of accountability in data management.

In a shocking revelation, 149 million logins have been exposed in a major leak, raising serious concerns about security oversights. This is compounded by the discovery of a massive open database containing millions of Gmail and Instagram entries, emphasizing the urgent need for enhanced data privacy measures.

On the technological front, a critical flaw in the Telnet server exposes forgotten attack surfaces, while AI's role as an enterprise accelerator is explored in Zscaler's ThreatLabz report. However, the promise of quantum computing is questioned as new research reveals potential security flaws, prompting a reevaluation of its future.

We also examine the evolving threat landscape with the expansion of ClickFix attacks, utilizing fake CAPTCHAs and trusted web services to deceive users. In the realm of vulnerabilities, Suricata and Juniper Networks face significant security challenges, with critical patches and workarounds being deployed to safeguard systems.

Join us as we navigate these complex narratives, offering insights and strategies to fortify your cybersecurity posture in an ever-evolving digital world.

Data Breaches

  1. One Community Health Data Breach: One Community Health reported a data breach involving patient information, which was traced back to a third-party vendor, TriZetto, rather than their own systems. The breach highlights the risks associated with third-party vendors in healthcare data management. Source: Sacramento Business Journal
  2. Canada Computers Data Breach: Canada Computers informed its customers about unauthorized access to a portion of its system, potentially compromising the security of some online data. The breach underscores the ongoing vulnerabilities in retail cybersecurity. Source: MobileSyrup
  3. Melwood Data Breach Investigation: Strauss Borrelli PLLC is investigating a data breach at Melwood, Inc., which has raised concerns about the handling of sensitive information. This incident is part of a broader trend of increasing legal scrutiny over data breaches. Source: Strauss Borrelli PLLC
  4. 149M Logins Exposed in Major Leak: A significant data leak exposed 149 million logins, including usernames and passwords from platforms like Gmail and OnlyFans. The data was accessible to anyone with knowledge of its location, highlighting severe security oversights. Source: Windows Central
  5. GEM Technologies Data Breach Investigation: Strauss Borrelli PLLC is also investigating a data breach at GEM Technologies, Inc., reflecting the increasing frequency and legal implications of data breaches across various industries. Source: Strauss Borrelli PLLC

Security Research

  1. Critical Telnet Server Flaw Exposes Forgotten Attack Surface: Security researcher Simon Josefsson disclosed a critical flaw in the Telnet server, highlighting an often-overlooked attack surface. Despite Telnet being considered obsolete, the vulnerability poses significant risks to systems still utilizing this protocol. Source: Dark Reading.
  2. AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report: Zscaler's ThreatLabz report reveals a 91% surge in enterprise AI adoption in 2025, underscoring AI's role as a critical accelerator in business operations. The report analyzes nearly 1 trillion AI/ML transactions, emphasizing the need for robust security measures. Source: Zscaler.
  3. Quantum Computers Had Serious Security Flaws? Researchers Issued A Warning: New research warns of potential security weaknesses in quantum computers, which were once considered the future of unbreakable computing. This revelation prompts a reevaluation of quantum security assumptions. Source: WION Podcast.
  4. Massive Data Leak: 48M Gmail and 6.5M Instagram Entries Found in Open Database: Security researcher Jeremiah Fowler discovered a massive open database containing millions of Gmail and Instagram entries. The data was organized using sophisticated indexing, raising concerns about data privacy and security. Source: GBHackers.
  5. ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services: Security researcher Marcus Hutchins highlights the expansion of ClickFix attacks, which now utilize fake CAPTCHAs and trusted web services to deceive users. This evolution in attack strategy underscores the need for heightened vigilance and updated security protocols. Source: The Hacker News.

Top CVEs

  1. CVE-2026-22258: In Suricata, a network IDS, IPS, and NSM engine, crafted DCERPC traffic can cause a buffer to expand without limit, leading to memory exhaustion and termination of the process. Versions prior to 8.0.3 and 7.0.14 are affected; the patches are in 8.0.3 and 7.0.14. Workarounds include disabling the parser for DCERPC/UDP and limiting stream reassembly depth for DCERPC/TCP and SMB. Source: Vulners
  2. CVE-2026-22260: Suricata versions from 8.0.0 up to, but not including, 8.0.3 can crash due to a stack overflow. The issue is resolved in version 8.0.3; as a workaround, use the default values for request-body-limit and response-body-limit. Source: Vulners
  3. CVE-2025-21589: Juniper Networks Session Smart Router has an authentication bypass vulnerability that allows network-based attackers to gain administrative control. This affects multiple versions of Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers. Source: Vulners
  4. CVE-2026-22264: Suricata versions prior to 8.0.3 and 7.0.14 have an unsigned integer overflow vulnerability that can lead to a heap use-after-free condition when generating excessive alerts for a single packet. The issue is patched in these versions, and a workaround involves not running untrusted rulesets or limiting signatures. Source: Vulners
  5. CVE-2025-14988: A security issue in ibaPDA could allow unauthorized actions on the file system under certain conditions, impacting the system's confidentiality, integrity, or availability. Source: Vulners

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and insights emerging daily. From healthcare data breaches to vulnerabilities in retail cybersecurity, and even the evolving threats in quantum computing, the need for robust security measures has never been more critical.

We've explored the intricate web of third-party risks, the relentless pursuit of legal accountability, and the ever-present vulnerabilities in both legacy and cutting-edge technologies. Each story serves as a reminder of the importance of staying informed and vigilant in our interconnected world.

As you digest these insights, consider sharing this newsletter with your friends and colleagues. By spreading awareness, we can collectively strengthen our defenses and foster a more secure digital environment for everyone.

Thank you for joining us today. Stay safe, stay informed, and see you in the next edition of Secret CISO!
