Secret CISO 5/4: Marcus & Millichap, IBM Breaches; AI-Driven 72-Hour Rule; Linux Root Hack; Anthropic's AI Boosts Firefox Security

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and innovations shaping our digital landscape. In a world where data breaches and vulnerabilities are becoming alarmingly common, today's stories highlight the urgent need for robust security measures and the transformative role of AI in defense strategies.

We begin with a deep dive into the Marcus & Millichap data breach, a stark reminder of the vulnerabilities lurking within commercial real estate firms. As we navigate through the aftermath of this breach, we also explore the repercussions of a significant settlement in the educational sector, where students are questioning the sanctity of their data privacy.

In the realm of cryptocurrency, Bisq faces the daunting task of addressing a security breach that has shaken user confidence, while the VECT 2.0 ransomware attack serves as a grim lesson on the futility of ransom payments. Meanwhile, IBM's Italian subsidiary falls victim to the Salt Typhoon group, underscoring the need for fortified digital defenses across Europe.

On a more proactive front, Washington is considering a groundbreaking 72-hour cyber defense rule to counteract the accelerated timelines of AI-driven hacking. This potential policy shift could redefine industry standards and enhance our collective resilience against cyber threats.

In the world of software security, we witness the power of AI as Mozilla leverages Anthropic Mythos to fix an astounding 271 security bugs in Firefox, showcasing the efficiency of AI-driven solutions. Simultaneously, Google revamps its bug bounty programs, reflecting the evolving priorities in vulnerability research.

Finally, we delve into the technical intricacies of newly disclosed vulnerabilities, including critical flaws in Edimax and JD Cloud systems, urging immediate attention and action from vendors and users alike.

Stay informed and vigilant as we navigate these complex cybersecurity challenges together.

Data Breaches

  1. Marcus & Millichap Data Breach: In April 2026, Marcus & Millichap, a commercial real estate brokerage firm, was identified as a victim of the ShinyHunters cybercriminal group. The breach exposed sensitive data, raising concerns about the security measures in place to protect client information. Source: Have I Been Pwned.
  2. Students Question Data Privacy After $17.25M Naviance Settlement Notice: A significant data breach impacted students nationwide, compromising the data within the student information system (SIS). This incident led to a $17.25 million settlement, prompting questions about data privacy and security in educational institutions. Source: The Forest Scout.
  3. Bisq Explores Compensation After Security Breach: A security breach at Bisq resulted in the theft of approximately 11 BTC, primarily affecting altcoin transactions. The incident has prompted discussions about compensation for affected users and the need for enhanced security protocols. Source: Binance.
  4. Paying Ransom Won't Help as VECT 2.0 Ransomware Destroys Data Irreversibly: The VECT 2.0 ransomware attack has highlighted the futility of paying ransoms, as the malware irreversibly destroys data. This incident underscores the importance of robust data backup and recovery strategies to mitigate ransomware threats. Source: Hackread.
  5. Salt Typhoon Breach IBM Subsidiary in Italy: IBM confirmed a security breach at its Italian subsidiary, attributed to the Salt Typhoon group. The breach serves as a warning for Europe's digital defenses, emphasizing the need for heightened cybersecurity measures across the continent. Source: Security Affairs.

Security Research

  1. Washington Eyes 72-Hour Cyber Defense Rule as AI Compresses Hacking Timelines: The U.S. is considering implementing a 72-hour deadline for addressing cybersecurity vulnerabilities, a significant shift driven by the rapid pace of AI-enhanced hacking. This proposal aims to bolster defenses by reducing the time attackers have to exploit flaws. Experts like John Hammond from Huntress highlight the potential industry-wide impact of such a change. Source: Tekedia.
  2. Claude Code Leak: 8100 Takedown Requests and the Birth of Claw-Code: Security researcher Chaofan Shou uncovered a significant code leak at Anthropic, leading to 8100 takedown requests. This incident has sparked discussions about the security of public directories and the potential for unauthorized access to sensitive information. The leak has also led to the emergence of a new threat dubbed "Claw-Code." Source: Heise Online.
  3. Update Linux Now As 9-Year-Old Root Hack Confirmed, CISA Warns Users: A critical vulnerability in the Linux kernel, existing for nine years, has been confirmed by security researchers at Theori. This logic bug allows for root-level access, prompting urgent updates to mitigate potential exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings to users to update their systems immediately. Source: Forbes.
  4. Google Revamps Bug Bounty Programs: Android Rewards Rise, Chrome Payouts Drop: Google has overhauled its bug bounty programs, increasing rewards for Android vulnerabilities while reducing payouts for Chrome. This shift reflects the evolving landscape of security research, where generative AI tools are playing a more significant role in identifying and addressing vulnerabilities. The changes aim to incentivize researchers to focus on high-impact areas. Source: Security Affairs.
  5. How Anthropic Mythos Helped Mozilla Fix 271 Security Bugs in Firefox: Mozilla's latest Firefox release benefited from Anthropic Mythos, an AI-driven tool that helped identify and fix 271 security bugs. This development underscores the growing importance of AI in cybersecurity, potentially marking a shift away from traditional human-only research methods. The collaboration highlights the efficiency and effectiveness of AI in enhancing software security. Source: KuCoin Blog.

Top CVEs

  1. CVE-2026-7684: A security vulnerability in Edimax BR-6428nC up to version 1.16 allows for a buffer overflow via the /goform/setWAN file. This flaw can be exploited remotely, and the exploit has been publicly disclosed. Despite early contact, the vendor has not responded. Source: Vulners.
  2. CVE-2026-7705: JD Cloud JDCOS 4.5.1.r4518 has a command injection vulnerability in the setiptvinfo function of the /jdcap file. This remote exploit has been published, but the vendor has not responded to the disclosure. Source: Vulners.
  3. CVE-2026-7703: AV Stumpfl Pixera Two Media Server up to version 25.2 R2 is vulnerable to code injection via the Websocket API. The attack can be initiated remotely, and upgrading to version 25.2 R3 is recommended. The exploit is publicly available. Source: Vulners.
  4. CVE-2026-7685: Edimax BR-6208AC up to version 1.02 is susceptible to a buffer overflow through the /goform/setWAN file. This remote vulnerability has been disclosed publicly, but the vendor has not responded. Source: Vulners.
  5. CVE-2026-7683: A command injection vulnerability exists in Edimax BR-6428nC up to version 1.16 via the /goform/setWAN file. This flaw can be exploited remotely, and the exploit is publicly available. The vendor has not responded to the disclosure. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic as ever. From the Marcus & Millichap data breach to the urgent call for Linux updates, each story underscores the critical importance of staying informed and vigilant. Whether it's the evolving tactics of cybercriminals or the innovative use of AI in security, the need for robust defenses and proactive measures is more pressing than ever.

We hope these insights empower you to strengthen your own security posture and spark meaningful conversations within your teams. Remember, cybersecurity is a collective effort, and sharing knowledge is a powerful tool in our defense arsenal.

If you found today's newsletter valuable, please consider sharing it with your friends and colleagues. Together, we can build a more secure digital world, one informed reader at a time. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO!
