Secret CISO 5/6: Coupang Breach Slows Growth, ShinyHunters Target Education, Microsoft Edge Password Flaw, Google Rewards Pixel Security, DAEMON Tools Supply Chain Attack
Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges facing the digital world. Our stories today weave a narrative of breaches, vulnerabilities, and the relentless pursuit of security in an ever-evolving landscape.
We begin with Coupang Inc., whose financial forecast has taken a hit following a significant data breach, casting a shadow over consumer trust and spending. Meanwhile, the education sector is under siege as ShinyHunters threaten to expose sensitive data, echoing the growing menace to academic institutions.
In the corporate realm, Doxim's costly settlement and Vimeo's third-party breach highlight the critical need for robust data protection strategies. The alarming breach at Fujairah Port further underscores vulnerabilities in critical infrastructure, demanding urgent attention.
On the tech front, Microsoft Edge's controversial password storage practice raises eyebrows, while Google's lucrative bounty for Pixel Titan M exploits signals a proactive stance against sophisticated threats. Kelp's blockchain debacle and the DAEMON Tools supply chain attack remind us of the persistent risks in digital ecosystems.
Finally, we delve into the realm of embodied AI, exploring the unique cybersecurity challenges posed by intelligent systems in physical forms. As we navigate these complex issues, today's newsletter serves as a stark reminder of the ongoing battle to secure our digital future.
Data Breaches
- Coupang Warns of 2026 Slowdown After Data Breach Hits Spending: Coupang Inc. has announced that its revenue growth is expected to slow down this year following a significant data breach that resulted in a larger-than-expected loss in the March quarter. The breach has impacted consumer spending and raised concerns about the company's data security measures. Source: Bloomberg.
- “PAY OR LEAK”: Hackers Target Big Higher Ed Vendor: The extortion group ShinyHunters has targeted a major higher education vendor, threatening to leak sensitive data unless its demands are met. This incident follows similar breaches at prestigious institutions like the University of Pennsylvania and Princeton, highlighting the growing threat to educational data security. Source: Inside Higher Ed.
- Software Co. Doxim Inks $5.5M Deal To End Data Breach Suit: Doxim has agreed to a $5.5 million settlement to resolve a lawsuit stemming from a data breach that affected credit union customers. The breach raised significant concerns about the company's data protection practices and prompted legal action from affected parties. Source: Law360.
- Vimeo Confirms Breach via Third-Party Vendor Impacts 119K Users: Vimeo has confirmed a data breach affecting 119,000 users, attributed to a third-party vendor. The breach exposed personal information, raising questions about the security of third-party partnerships and the protection of user data. Source: Security Affairs.
- Cybersecurity Breach Claims: Massive Data Leak Report Involving Fujairah Port: A significant data leak involving Fujairah Port has been reported, raising alarms about cybersecurity vulnerabilities in critical infrastructure. The breach has sparked discussions on the need for enhanced security measures to protect sensitive data in strategic locations. Source: YouTube.
Security Research
- REVEALED: Microsoft Edge Stores Passwords In Memory As Plaintext: A security researcher has discovered that Microsoft Edge stores user passwords in plaintext in RAM, making them accessible to attackers with administrative privileges. This vulnerability persists throughout the session, posing a significant risk to user data security. Microsoft has confirmed that this behavior is intentional, raising concerns about the browser's security design. Source: LinkedIn, Cybernews, Windows Central, CSO Online, PCWorld, Forbes, Dark Reading.
- Google to pay up to $1.5 million for zero-click Pixel Titan M exploits: Google has updated its Android and Chrome Vulnerability Reward Programs, offering up to $1.5 million for zero-click exploits targeting the Pixel Titan M chip. This initiative aims to incentivize security researchers to uncover and report vulnerabilities, enhancing the security of Google's hardware and software ecosystems. The substantial reward underscores the critical importance of securing mobile devices against sophisticated attacks. Source: Help Net Security.
- Kelp says LayerZero approved setup it blamed for $292 million bridge hack: Kelp has attributed a $292 million exploit, which was linked to North Korea's Lazarus Group, to a setup approved by LayerZero. As a result, Kelp has transitioned its rsETH from LayerZero's OFT standard to Chainlink's CCIP to mitigate future risks. This incident highlights the vulnerabilities in blockchain protocols and the need for robust security measures in decentralized finance. Source: CoinDesk.
- Hacking Embodied AI: The research explores the security challenges posed by embodied AI, which includes intelligent systems in physical forms like humanoid and quadruped robots. As these systems transition from experimental to operational roles, they present unique cybersecurity risks that need to be addressed to prevent potential exploitation. This study emphasizes the importance of developing security frameworks tailored to the specific needs of embodied AI technologies. Source: Recorded Future.
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware: A supply chain attack on DAEMON Tools has compromised its official installers with malware, posing a significant threat to users who download the software. This attack underscores the growing trend of targeting software supply chains to distribute malicious payloads, highlighting the need for enhanced security measures and vigilance in software distribution channels. Source: The Hacker News.
Top CVEs
- CVE-2026-0300: This candidate has been reserved for a future security issue announcement. Details will be provided once the issue is publicized. Source: Vulners.
- CVE-2026-25243: Redis versions up to 8.6.3 have a vulnerability in the RESTORE command, which does not properly validate serialized values. This flaw allows an authenticated attacker to execute code remotely by supplying a crafted payload. The issue is resolved in version 8.6.3, and a workaround involves restricting access to the RESTORE command using ACL rules. Source: Vulners.
- CVE-2026-23479: A vulnerability in Redis versions from 7.2.0 to 8.6.3 involves improper handling of blocked client flows, which can lead to a use-after-free condition and potential remote code execution. This issue has been patched in version 8.6.3. Source: Vulners.
- CVE-2026-23631: Redis servers with Lua scripting are vulnerable to a use-after-free condition during master-replica synchronization, potentially leading to remote code execution. This issue affects all versions where replica-read-only can be disabled and has been patched in version 8.6.3. A workaround is to prevent Lua script execution or avoid using replicas with disabled replica-read-only. Source: Vulners.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic and challenging as ever. From Coupang's data breach impacting consumer trust to the unsettling revelations about Microsoft Edge's password storage practices, each story underscores the critical importance of robust security measures. Whether it's the vulnerabilities in educational institutions, the risks posed by third-party vendors, or the evolving threats in the world of blockchain and AI, staying informed is our best defense.
We hope you found today's insights valuable and thought-provoking. Cybersecurity is a collective effort, and knowledge is our most powerful tool. If you enjoyed this newsletter, please consider sharing it with your friends and colleagues. Together, we can build a more secure digital world, one informed reader at a time.
Thank you for joining us on this journey. Stay vigilant, stay informed, and we'll see you in the next edition of Secret CISO!