Welcome to today's edition of Secret CISO, where the digital landscape is a battlefield and data breaches are the skirmishes that define our times. In this issue, we delve into a series of alarming data breaches that have rocked industries from fintech to dating apps, highlighting the vulnerabilities that continue to plague even the most secure-seeming platforms.

Figure Lending and Bumble find themselves in the crosshairs of class action lawsuits, raising questions about the adequacy of their data protection measures. Meanwhile, Conduent's breach could go down in history as the largest in the U.S., underscoring the scale of the threat we face. As Alert Medical Alarms undergoes investigation and Flagstar Bank edges closer to a hefty settlement, the financial implications of these breaches become ever more apparent.

In a twist of innovation, the University of Illinois is pioneering a role-playing game to bolster research security, while AI tools are both the bane and boon of cybersecurity. From breaching firewalls to hunting software bugs, AI's dual role in this saga is undeniable. Persona's exposed frontend serves as a stark reminder of the importance of securing every digital nook and cranny.

Finally, we explore the latest vulnerabilities, from MLflow's directory traversal flaw to GIMP's buffer overflow risk, each presenting unique challenges to cybersecurity professionals. As we navigate these turbulent waters, today's newsletter is your compass, guiding you through the complexities of modern data security.

Data Breaches

1. Fintech Mortgage Co. Hit With Class Action Over Data Breach: Figure Lending is facing a class action lawsuit due to a data breach, with accusations of unreasonable delay in notifying affected individuals. The breach has raised concerns about the company's data protection practices. Source: Law360.
2. Class Action Lawsuit Brought Against Dating App Bumble Over Data Breach: Bumble is under scrutiny as a class action lawsuit has been filed following a data breach. The breach has sparked discussions about user privacy and data security on dating platforms. Source: YouTube.
3. Conduent Data Breach Could Be Largest in U.S. History: A massive data breach at Conduent has potentially exposed millions of individuals' personal information, making it one of the largest breaches in U.S. history. The breach is under investigation by authorities. Source: WRDW.
4. Alert Medical Alarms Data Breach Investigation: Alert Medical Alarms is being investigated for a recent data breach. The investigation aims to determine the extent of the breach and its impact on affected individuals. Source: Strauss Borrelli PLLC.
5. Flagstar Customers Closer To $31.5M Data Breach Settlement: Flagstar Bank is nearing a $31.5 million settlement following a data breach that compromised customer information. The settlement aims to compensate affected customers and improve data security measures. Source: Law360.

Security Research

1. New NSF Grant Backs Innovative Role-Playing Game to Enhance Research Security in Academia: In a groundbreaking initiative, the University of Illinois' School of Information Sciences has received an NSF grant to develop a role-playing game aimed at improving research security in academia. This innovative approach seeks to educate and engage researchers in understanding and mitigating security risks in their work. Source.
2. AI Tools Used in Global Firewall Breaches - Binance: Recent security research highlighted by Bloomberg reveals that AI tools have been instrumental in breaching 600 firewalls across multiple countries. This underscores the growing threat posed by AI in cybersecurity, as these tools become more accessible and sophisticated. Source.
3. Exclusive: Anthropic Rolls Out AI Tool That Can Hunt Software Bugs on Its Own: Anthropic has introduced Claude Code Security, an AI tool capable of autonomously identifying software bugs. This tool, developed by the company's Frontier Red Team, represents a significant advancement in AI-driven cybersecurity solutions. Source.
4. Age Verification Vendor Persona Left Frontend Exposed, Researchers Say: Security researchers have discovered that Persona, an age verification vendor, left its frontend exposed, potentially compromising user data. This incident highlights the importance of securing all aspects of digital infrastructure to prevent unauthorized access. Source.
5. Hackers Used AI to Breach 600 Firewalls in Weeks, Amazon Says: According to Amazon's security research, hackers have leveraged AI tools to breach 600 firewalls in a matter of weeks. This alarming trend emphasizes the need for enhanced cybersecurity measures to counteract the evolving capabilities of AI-driven attacks. Source.

Top CVEs

1. CVE-2026-2033: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server without requiring authentication. The flaw exists due to improper validation of user-supplied paths, enabling attackers to execute code in the context of the service account. Source: Vulners.
2. CVE-2026-0797: GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. Exploitation requires user interaction, such as visiting a malicious page or opening a malicious file. The flaw arises from improper validation of user-supplied data length before copying it to a heap-based buffer. Source: Vulners.
3. CVE-2026-26045: Moodle Backup Restore Functionality Code Execution Vulnerability. A flaw in Moodle’s backup restore functionality allows specially crafted backup files to execute server-side code. Exploitation requires authenticated access, as restore capabilities are typically available to privileged users. Successful exploitation could lead to a full compromise of the Moodle server. Source: Vulners.
4. CVE-2026-27199: Werkzeug Safejoin Function Path Handling Vulnerability. In Werkzeug versions 3.1.5 and below, the safejoin function allows Windows device names as filenames if preceded by other path segments. This can cause the application to hang indefinitely when reading such files. The issue has been fixed in version 3.1.6. Source: Vulners.
5. CVE-2025-59819: Arbitrary File Read Vulnerability. This vulnerability allows authenticated attackers to read arbitrary files by altering a filepath parameter to an internal system path. The issue poses a significant risk of unauthorized data access. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the landscape of cybersecurity is as dynamic and challenging as ever. From the legal battles faced by companies like Figure Lending and Bumble due to data breaches, to the groundbreaking initiatives like the NSF-backed role-playing game aimed at enhancing research security, the stories we've covered today highlight the critical importance of vigilance and innovation in our field.

The alarming use of AI tools in breaching firewalls, as reported by Amazon and Binance, serves as a stark reminder of the evolving threats we face. Meanwhile, advancements like Anthropic's AI tool for hunting software bugs offer a glimpse into the future of cybersecurity solutions. These developments underscore the dual nature of technology as both a tool for defense and a vector for attack.

On the vulnerability front, the recent disclosures, including those affecting MLflow, GIMP, and Moodle, emphasize the need for continuous monitoring and patching to safeguard our systems. Each vulnerability serves as a lesson in the importance of robust security practices and the potential consequences of oversight.

We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a community that is informed, prepared, and resilient in the face of cybersecurity challenges. Stay safe and see you in the next edition of Secret CISO!