Secret CISO 2/4: 149M Passwords Leak, Bangladesh Journalists Exposed, Ivanti Flaws Exploited, China's Strategic Moves Near Australia

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of alarming data breaches and vulnerabilities that underscore the critical need for robust security measures across various sectors.

We begin with a credential leak that exposed 149 million passwords, a scale at which credential-stuffing against any service whose users reuse passwords becomes routine. Meanwhile, in Bangladesh, a data breach at the Election Commission has exposed the personal data of at least 14,000 journalists, raising serious concerns about their safety and privacy.

In Northern Ireland, nearly 10,000 police officers and staff are set to receive compensation following a significant data breach, a reminder of what data protection failures cost law enforcement agencies. Similarly, a misconfigured Supabase database behind Moltbook exposed user email addresses and API keys, underscoring that a backend's access controls need to be verified, not assumed.

Educational institutions are not immune: a series of cyber leaks in Sydney schools has exposed student test results and parents' personal data. On a broader scale, a security expert warns of China's expanding footprint near Australia, urging strategic vigilance to counter potential threats.

In the realm of vulnerabilities, critical flaws in Ivanti's Endpoint Manager Mobile have been rapidly exploited, while multiple CVEs in ingress-nginx show how anyone able to create or modify Ingress objects can inject nginx configuration, gaining code execution in the controller and access to every Secret it is allowed to read. These incidents are a wake-up call for enterprises to prioritise security governance.

Amidst these challenges, there is a silver lining as U.S. Senators secure a $4 million investment in energy security research, underscoring the strategic importance of energy advancements in national defense.

Join us as we navigate these pressing issues, offering insights and strategies to fortify your defenses in an ever-evolving digital landscape.

Data Breaches

  1. 149 million passwords exposed in massive credential leak: A credential leak has exposed 149 million passwords spanning numerous services. Security researcher Jeremiah Fowler highlighted the scale of the exposure, which puts every account that shares one of those passwords at risk. Source: Fox News.
  2. Bangladesh: Data breach a threat to journalist safety: A data breach at the Election Commission in Bangladesh has exposed personal data of at least 14,000 journalists, raising concerns about their safety and privacy. This incident underscores the vulnerabilities in handling sensitive information. Source: ARTICLE 19.
  3. PSNI officers affected by data breach to receive £7,500: Nearly 10,000 police officers and staff in Northern Ireland are set to receive compensation of at least £7,500 each following a significant data breach. This breach highlights the importance of robust data protection measures in law enforcement agencies. Source: RTE.
  4. Moltbook database exposes 35,000 emails and 1.5 million API keys: Security researchers discovered a misconfigured Supabase database on Moltbook, exposing 35,000 emails and 1.5 million API keys. This breach emphasizes the need for proper database configuration and security practices. Source: Techzine Global.
  5. Student test results and parent data caught in series of Sydney school cyberleaks: A series of data breaches in Sydney schools has leaked students' behavioural testing records and parents' personal information. These incidents highlight the ongoing cybersecurity challenges faced by educational institutions. Source: Sydney Morning Herald.

Security Research

  1. China's rapidly expanding footprint on Australia's doorstep has triggered a grim warning: A leading security expert has raised alarms over China's increasing presence near Australia, suggesting potential security implications for the region. The expert emphasises the need for vigilance and strategic planning to counterbalance this growing influence. Source: Sky News Australia.
  2. Wedding Photo Booth Company Exposes Customers' Drunken Photos: A security researcher has revealed that a wedding photo booth company inadvertently leaked private photos of customers, raising concerns about how third-party vendors handle sensitive data. The incident shows that a vendor's security posture is part of your own. Source: 404 Media.
  3. Critical flaws in Ivanti EPMM lead to fast-moving exploitation attempts: Security researchers have identified critical vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) that threat actors exploited rapidly. The initial attacks were highly targeted, affecting a limited number of customers before the vulnerabilities were publicly disclosed. Source: Cybersecurity Dive.
  4. Moltbook and the Rise of AI-Agent Networks: An Enterprise Governance Wake-Up Call: Security researcher Jameson O'Reilly discovered the misconfiguration in Moltbook's Supabase backend behind the exposure of user emails and API keys. The incident is a cautionary tale for enterprises adopting AI-agent networks: the agents' backends need the same governance and access-control review as any other production system. Source: JD Supra.
  5. Schumer and Gillibrand Secure $4 Million Investment in Energy Security Research: U.S. Senators Chuck Schumer and Kirsten Gillibrand have secured a $4 million investment for energy security research, aiming to bolster national security through advances in energy technology. The funding underscores the strategic importance of energy security in national defence. Source: SBU News.

Top CVEs

  1. CVE-2026-24512: In ingress-nginx, the rules.http.paths.path field of an Ingress object can be used to inject configuration into the nginx config the controller generates. The result is arbitrary code execution in the controller and, because the default installation lets the controller read all Secrets cluster-wide, disclosure of those Secrets. Source.
  2. CVE-2026-1580: In ingress-nginx, the nginx.ingress.kubernetes.io/auth-method Ingress annotation can likewise be used to inject configuration into nginx, resulting in arbitrary code execution and possible disclosure of Secrets. As above, the default installation grants the controller access to all Secrets cluster-wide, so the blast radius is the whole cluster, not one namespace. Source.
  3. CVE-2025-36033: IBM Engineering Lifecycle Management's Global Configuration Management is vulnerable to cross-site scripting, allowing an authenticated user to embed arbitrary JavaScript in the Web UI. Script running in another user's trusted session can disclose that user's credentials. Source.
  4. CVE-2025-67853: Moodle's confirmation email service lacks proper rate limiting, so a remote attacker can trigger it repeatedly to enumerate or guess user credentials. The missing limit makes brute-force attacks against user accounts easier. Source.
  5. CVE-2026-24513: In ingress-nginx, a specific combination of the auth-url Ingress annotation with a defective custom-errors backend can allow a request through even when authentication fails. Exploitation requires that configuration together with a broken external component, so exposure is narrower than the two injection flaws above. Source.
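The two ingress-nginx injection entries above (CVE-2026-24512 and CVE-2026-1580) share one shape: a value the Ingress author controls is copied into the nginx configuration the controller renders, and any character that terminates a directive or opens a block lets that author write directives of their own. The fix is the vendor's patched release; while rolling it out, a cluster operator can at least locate Ingress objects whose path fields or nginx annotations carry such characters. The audit script below is an added example written for this newsletter, not code from the page or from the ingress-nginx project. It reads the JSON that `kubectl get ingress -A -o json` produces, flags metacharacters in path fields, non-HTTP-method values in the auth-method annotation, and the presence of raw snippet annotations, and ships with a constructed sample instead of live cluster data. The set of characters it flags and the HTTP-method allowlist are the example's own assumptions. Separately from any CVE, the cluster-wide Secrets access the advisories mention is worth reviewing: the controller's ServiceAccount should be limited to the namespaces it actually serves.

```python
"""Audit Ingress objects for values that could break out of the nginx
config ingress-nginx renders from them. Added example; not from the
page or the ingress-nginx project."""
import json
import re
from typing import Any, Dict, List

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
AUTH_METHOD_ANNOTATION = ANNOTATION_PREFIX + "auth-method"

# Characters that terminate a directive, open or close a block, start a
# comment, or delimit a string in nginx.conf. A routing path (even a regex
# one) does not need them. This allowlist is the example's assumption.
NGINX_META = re.compile(r"""[;{}#"'\s]""")
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def audit_ingress(ingress: Dict[str, Any]) -> List[str]:
    """Return findings for one Ingress object (the shape `kubectl get
    ingress -o json` emits). An empty list means nothing stood out."""
    findings: List[str] = []
    meta = ingress.get("metadata", {})
    ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

    # 1. rules.http.paths.path ends up inside a `location` directive.
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = str(entry.get("path", ""))
            if NGINX_META.search(path):
                findings.append(f"{ref}: path {path!r} contains nginx metacharacters")

    # 2. Annotations are rendered into the same config. Check the one the
    #    advisory names, the snippet family, and block terminators elsewhere.
    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        value = str(value)
        if key == AUTH_METHOD_ANNOTATION:
            if value.upper() not in HTTP_METHODS:
                findings.append(f"{ref}: {key} = {value!r} is not an HTTP method")
        elif key.endswith("-snippet"):
            # Snippets are raw nginx config by design: read them, do not grep them.
            findings.append(f"{ref}: raw config snippet annotation {key} present")
        elif re.search(r"[;{}\n\r]", value):
            findings.append(f"{ref}: {key} = {value!r} contains directive/block terminators")
    return findings


def audit_list(ingress_list: Dict[str, Any]) -> List[str]:
    """Audit a `kubectl get ingress -A -o json` List object."""
    out: List[str] = []
    for item in ingress_list.get("items", []):
        out.extend(audit_ingress(item))
    return out


# Constructed sample: one clean Ingress and one carrying values a reviewer
# should stop on. Not captured from any real cluster; not a real payload.
SAMPLE_LIST: Dict[str, Any] = {
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "shop", "namespace": "web",
                         "annotations": {AUTH_METHOD_ANNOTATION: "POST"}},
            "spec": {"rules": [{"host": "shop.example.test",
                                "http": {"paths": [{"path": "/api/v1",
                                                    "pathType": "Prefix"}]}}]},
        },
        {
            "metadata": {"name": "suspicious", "namespace": "dev",
                         "annotations": {
                             AUTH_METHOD_ANNOTATION: "GET;\nfoo",
                             ANNOTATION_PREFIX + "configuration-snippet":
                                 "more_set_headers 'X-Test: 1';",
                             ANNOTATION_PREFIX + "proxy-body-size": "8m"}},
            "spec": {"rules": [{"http": {"paths": [{"path": "/app;\n",
                                                    "pathType": "Prefix"}]}}]},
        },
    ],
}

if __name__ == "__main__":
    # Real use: kubectl get ingress -A -o json | python3 audit_ingress.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LIST
    for line in audit_list(data):
        print(line)
```

Pipe live data in with `kubectl get ingress -A -o json | python3 audit_ingress.py`; with nothing on stdin the script audits its constructed sample and reports three findings for the second Ingress (the path, the auth-method value, and the snippet annotation) and none for the first. A hit is a review item, not proof of exploitation, and a clean run does not mean the controller is patched: the script finds attempts that are already in the cluster, and only the upgrade removes the injection path.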

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From massive credential leaks affecting millions to vulnerabilities in critical infrastructure, the stories we've shared today underscore the importance of vigilance and proactive measures in cybersecurity.

Whether it's the exposure of sensitive data in Bangladesh threatening journalist safety, or a misconfigured backend like Moltbook's leaving emails and API keys readable, each incident is a reminder that access controls must be tested rather than assumed. The breaches in educational institutions and the inadvertent leaks by third-party vendors further highlight the range of threats we face.

Meanwhile, geopolitical developments, such as China's expanding influence near Australia, remind us that cybersecurity is not just about protecting data but also about safeguarding national interests. The investment in energy security research by U.S. Senators Schumer and Gillibrand exemplifies the strategic importance of integrating cybersecurity with national defense initiatives.

As we continue to navigate these complex issues, sharing knowledge and insights becomes crucial. We encourage you to share this newsletter with your friends and colleagues. By spreading awareness, we can collectively enhance our understanding and fortify our defenses against the ever-evolving cyber threats.

Thank you for being a part of the Secret CISO community. Stay informed, stay secure, and we'll see you in the next edition!
