Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity incidents and vulnerabilities that have surfaced across the globe. In this issue, we delve into a series of alarming data breaches that have rocked institutions from universities to healthcare providers, each grappling with the aftermath of unauthorized access to sensitive information.

The narrative unfolds with Keio University, Adaptive Home Health, and Pell City School System, all reeling from breaches that have exposed personal and patient data, prompting urgent investigations and apologies. Meanwhile, Ledger's breach via its ecommerce partner Global-e serves as a stark reminder of the interconnected risks in the digital economy, urging users to prioritize privacy to safeguard their assets.

In a parallel storyline, the bug bounty ecosystem faces scrutiny as a researcher claims to have been 'ghosted' by HackerOne over a substantial bounty, highlighting potential flaws in the system meant to reward cybersecurity vigilance. This is juxtaposed with the discovery of a significant security flaw in Flock Safety's surveillance technology, underscoring the critical need for robust defenses in our increasingly monitored world.

As we turn the page to the future, 2026 emerges as the year of quantum security, with experts warning of the looming threat quantum computing poses to current encryption standards. The cryptocurrency realm is on high alert, with Coinbase's research chief cautioning that a third of Bitcoin's supply could be at risk, emphasizing the urgent need for quantum-resistant measures.

Finally, we spotlight a series of vulnerabilities affecting popular WordPress themes and plugins, from DOM-based XSS exploits to unrestricted file uploads, each posing significant risks to web security. These vulnerabilities serve as a reminder of the ever-present need for vigilance and proactive measures in safeguarding digital assets.

Stay informed, stay secure, and join us as we navigate the complex landscape of cybersecurity challenges and innovations.

Data Breaches

1. Keio University Data Breach: Keio University has reported an unauthorized access incident that may have compromised personal data. The breach is currently under investigation to determine the extent of the data involved. The university has issued an apology and is taking steps to enhance security measures. Source: Keio University.
2. Adaptive Home Health Data Breach Investigation: Strauss Borrelli PLLC is investigating a data breach involving Adaptive Home Health. The breach potentially exposed sensitive patient information, prompting legal scrutiny and a call for affected individuals to come forward. Source: Strauss Borrelli PLLC.
3. Pell City School System Data Breach: The Pell City School System has suffered a cyber attack leading to a data breach. The school system is yet to provide an updated comment on the incident, and investigations are ongoing to assess the impact. Source: WBRC.
4. Manage My Health Data Breach: Former users of Manage My Health may have had their data stolen in a recent breach. The incident highlights the importance of security when handling sensitive information in applications. Source: RNZ News.
5. Ledger Data Breach via Global-e: Ledger has confirmed that customer data was accessed due to a breach at its ecommerce payment partner, Global-e. The company is warning customers and taking steps to mitigate potential risks. Source: The Register.

Security Research

1. HackerOne 'ghosted' me over $8500 bounty: Researcher: A security researcher claims that HackerOne, a popular bug bounty platform, ignored their reports and withheld an $8,500 bounty for months. This incident highlights potential issues in the bug bounty ecosystem, where researchers rely on timely communication and fair compensation for their discoveries. Source: The Register.
2. How to stay safe after the Ledger leak: experts urge privacy first: Following a significant data leak involving Ledger, security experts are advising users to prioritize privacy to prevent wallet takeovers and financial losses. This guidance is crucial as similar past incidents have led to severe consequences for cryptocurrency holders. Source: CoinDesk.
3. Report: Flock Safety, Maker of SF's License Plate Reader Cameras, Had Gobsmacking Security Flaw: A security researcher uncovered a major vulnerability in Flock Safety's license plate reader cameras, which could have allowed unauthorized access to sensitive data. This discovery underscores the importance of robust security measures in surveillance technology. Source: SFist.
4. After a Year of Quantum Awareness, 2026 Becomes the Year of Quantum Security: As quantum technology becomes a mainstream concern, 2026 is set to focus on quantum security. This shift is driven by the need to protect data against potential quantum computing threats, which could compromise current encryption standards. Source: The Quantum Insider.
5. Coinbase Research Chief Warns 33% of Bitcoin Supply Faces Quantum Risk: Coinbase's research chief has warned that a significant portion of Bitcoin's supply could be vulnerable to quantum computing attacks. This revelation stresses the urgency for the cryptocurrency industry to develop quantum-resistant security measures. Source: Yahoo Finance.

Top CVEs

1. CVE-2024-31088: This vulnerability involves improper neutralization of input during web page generation, leading to a DOM-based XSS in WPShop.Ru AdsPlace'r – Ad Manager, Inserter, AdSense Ads. It affects versions up to 1.1.5 and poses a risk of malicious script execution. Source: Vulners.
2. CVE-2024-30547: A cross-site scripting vulnerability in Shazdeh Header Image Slider allows DOM-based XSS, affecting versions up to 0.3. This flaw can be exploited to execute arbitrary scripts in the context of the user's browser. Source: Vulners.
3. CVE-2025-30996: Themify WordPress themes are vulnerable to unrestricted file uploads, allowing attackers to upload web shells. This affects multiple themes, including Themify Sidepane and Themify Newsy, up to specified versions, posing a significant security risk. Source: Vulners.
4. CVE-2025-31051: EngoTheme's Plant - Gardening & Houseplants WordPress Theme has a vulnerability that exposes sensitive system information to unauthorized users. This issue affects version 1.0.0 and can lead to data breaches. Source: Vulners.
5. CVE-2025-32304: Mojoomla WPCHURCH is affected by a PHP remote file inclusion vulnerability, allowing local file inclusion through improper control of filenames. This affects versions up to 2.7.0 and can lead to unauthorized access and code execution. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is constantly evolving, with new challenges and vulnerabilities emerging every day. From the data breaches at Keio University and Adaptive Home Health to the pressing concerns about quantum security and cryptocurrency risks, the need for robust cybersecurity measures has never been more critical.

Our journey through these stories highlights the importance of staying informed and vigilant. Whether it's understanding the implications of a data breach, navigating the complexities of bug bounty programs, or preparing for the quantum future, knowledge is our most powerful tool in safeguarding our digital world.

If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a community that is better equipped to tackle the cybersecurity challenges of today and tomorrow.

Thank you for being a part of Secret CISO. Stay safe, stay secure, and we'll see you in the next edition!