data protection | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a serious security issue that allows leaked Laravel APP_KEYs to be weaponized to gain remote code execution capabilities on hundreds of applications. "Laravel's APP_KEY, essential for encrypting sensitive data, is often leaked publicly (e.g., on GitHub)," GitGuardian said . "If attackers get access to this key, they can exploit a deserialization flaw to execute arbitrary code on the server – putting data and infrastructure at risk." The company, in collaboration with Synacktiv, said it was able to extract more than 260,000 APP_KEYs from GitHub from 2018 to May 30, 2025, identifying over 600 vulnerable Laravel applications in the process. GitGuardian said it observed over 10,000 unique APP_KEYs across GitHub, of which 400 APP_KEYs were validated as functional. APP_KEY is a random 32-byte encryption key that's generated during the installation of Laravel. Stored in the .env file of the application, it's used ...

Generative AI is changing how businesses work, learn, and innovate. But beneath the surface, something dangerous is happening. AI agents and custom GenAI workflows are creating new, hidden ways for sensitive enterprise data to leak —and most teams don't even realize it. If you're building, deploying, or managing AI systems, now is the time to ask: Are your AI agents exposing confidential data without your knowledge? Most GenAI models don't intentionally leak data. But here's the problem: these agents are often plugged into corporate systems—pulling from SharePoint, Google Drive, S3 buckets, and internal tools to give smart answers. And that's where the risks begin. Without tight access controls, governance policies, and oversight, a well-meaning AI can accidentally expose sensitive information to the wrong users—or worse, to the internet. Imagine a chatbot revealing internal salary data. Or an assistant surfacing unreleased product designs during a casual query. This isn't hypot...

Google has been ordered by a court in the U.S. state of California to pay $314 million over charges that it misused Android device users' cellular data when they were idle to passively send information to the company. The verdict marks an end to a legal class-action complaint that was originally filed in August 2019. In their lawsuit, the plaintiffs argued that Google's Android operating system leverages users' cellular data to transmit a "variety of information to Google" without their permission, even when their devices are kept in an idle state. "Although Google could make it so that these transfers happen only when the phones are connected to Wi-Fi, Google instead designed these transfers so they can also take place over a cellular network," they said. "Google's unauthorized use of their cellular data violates California law and requires Google to compensate Plaintiffs for the value of the cellular data that Google uses for its own be...

If you're evaluating AI-powered SOC platforms, you've likely seen bold claims: faster triage, smarter remediation, and less noise. But under the hood, not all AI is created equal. Many solutions rely on pre-trained AI models that are hardwired for a handful of specific use cases. While that might work for yesterday's SOC, today's reality is different. Modern security operations teams face a sprawling and ever-changing landscape of alerts. From cloud to endpoint, identity to OT, insider threats to phishing, network to DLP, and so many more, the list goes on and is continuously growing. CISOs and SOC managers are rightly skeptical. Can this AI actually handle all of my alerts, or is it just another rules engine in disguise? In this post, we'll examine the divide between two types of AI SOC platforms. Those built on adaptive AI, which learns to triage and respond to any alert type, and those that rely on pre-trained AI, limited to handling predefined use cases only. Understanding t...

Cybersecurity researchers have discovered a critical security vulnerability in artificial intelligence (AI) company Anthropic's Model Context Protocol ( MCP ) Inspector project that could result in remote code execution (RCE) and allow an attacker to gain complete access to the hosts. The vulnerability, tracked as CVE-2025-49596 , carries a CVSS score of 9.4 out of a maximum of 10.0. "This is one of the first critical RCEs in Anthropic's MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools," Oligo Security's Avi Lumelsky said in a report published last week. "With code execution on a developer's machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP." MCP, introduced by Anthropic in November 2024, is an open protocol that standardizes the way large language model (LLM) appli...

Facebook, the social network platform owned by Meta, is asking for users to upload pictures from their phones to suggest collages, recaps, and other ideas using artificial intelligence (AI), including those that have not been directly uploaded to the service. According to TechCrunch, which first reported the feature, users are being served a new pop-up message asking for permission to "allow cloud processing" when they are attempting to create a new Story on Facebook. "To create ideas for you, we'll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or themes," the company notes in the pop-up. "Only you can see suggestions. Your media won't be used for ads targeting. We'll check it for safety and integrity purposes." Should users consent to their photos being processed on the cloud, Meta also states that they are agreeing to its AI terms , which allow it to analyze their med...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Popular messaging platform WhatsApp has added a new artificial intelligence (AI)-powered feature that leverages its in-house solution Meta AI to summarize unread messages in chats. The feature, called Message Summaries, is currently rolling out in the English language to users in the United States, with plans to bring it to other regions and languages later this year. It "uses Meta AI to privately and quickly summarize unread messages in a chat, so you can get an idea of what is happening, before reading the details in your unread messages," WhatsApp said in a post. Message Summaries is optional and is disabled by default. The Meta-owned service said users can also enable " Advanced Chat Privacy " to choose which chats can be shared for providing AI-related features. Most importantly, it's made possible by Private Processing , which WhatsApp launched back in April as a way to enable AI capabilities in a privacy-preserving manner. Private Processing is de...

The U.S. House of Representatives has formally banned congressional staff members from using WhatsApp on government-issued devices, citing security concerns. The development was first reported by Axios. The decision, according to the House Chief Administrative Officer (CAO), was motivated by worries about the app's security. "The Office of Cybersecurity has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use," the CAO said in a memo, according to Axios. To that end, House staff are prohibited from downloading the app on any device issued by the government, including its mobile, desktop, or web browser versions. WhatsApp has pushed back against these concerns, stating messages sent on the platform are end-to-end encrypted by default, and that it offers a "higher level" of security than most of the apps on CAO's approved ...

Hackers never sleep, so why should enterprise defenses? Threat actors prefer to target businesses during off-hours. That's when they can count on fewer security personnel monitoring systems, delaying response and remediation. When retail giant Marks & Spencer experienced a security event over Easter weekend, they were forced to shut down their online operations, which account for approximately a third of the retailer's clothing and home sales. As most staff are away during off-hours and holidays, it takes time to assemble an incident response team and initiate countermeasures. This gives attackers more time to move laterally within the network and wreak havoc before the security team reacts. While not every organization may be ready to staff an in-house team around the clock, building a 24/7 SOC remains one of the most robust and proactive ways to protect against off-hours attacks. In the rest of this post, we'll explore why 24/7 vigilance is so important, the challenges ...

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the company said in an advisory. CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability. Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole ( CVE-2025-23120 , CVSS score: 9.9) could be bypassed. Also addressed by Veeam is another flaw in the same product (CVE-2025...

Meta Platforms on Monday announced that it's bringing advertising to WhatsApp, but emphasized that the ads are "built with privacy in mind." The ads are expected to be displayed on the Updates tab through its Stories-like Status feature, which allows ephemeral sharing of photos, videos, voice notes, and text for 24 hours. These efforts are "rolling out gradually," per the company. The social media giant, which acquired WhatsApp for a record $19.3 billion in February 2014, first announced its plans for ads in Status way back in November 2018. Meta also claimed that the ads implementation was developed in the "most privacy-oriented way possible" and that it only uses limited information to serve ads. "Your personal messages, calls, and statuses remain end-to-end encrypted, meaning no one can see or hear them," the company said.

Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries ), exposing sensitive data to unauthorized internal and external parties. The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. "Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn't prioritized," Aaron Costello, chief of SaaS Security Research at AppOmni, said in a statement shared with The Hacker News. These misconfigurations, if left unaddressed, could allow cybercriminals and unauthorized to access encrypted confidential data on employees and customers, session data detailing how users have interacted with Salesforce Industry Cloud, credentials for Salesforce and other company systems, and business logic. Following responsible discl...

Traditional data leakage prevention (DLP) tools aren't keeping pace with the realities of how modern businesses use SaaS applications. Companies today rely heavily on SaaS platforms like Google Workspace, Salesforce, Slack, and generative AI tools, significantly altering the way sensitive information is handled. In these environments, data rarely appears as traditional files or crosses networks in ways endpoint or network-based DLP tools can monitor. Yet, most companies continue using legacy DLP systems, leaving critical security gaps. A new white paper, Rethinking DLP For The SaaS Era: Why Browser-Centric DLP is the New Mandate , identifies precisely why current DLP methods struggle to secure modern SaaS-driven workflows. It also explores how browser-native security addresses these gaps by focusing security efforts exactly where user interactions occur, in the browser. Why Traditional DLP Tools Fall Short Traditional DLP solutions were built for a simpler time when sensitive...

It's not enough to be secure. In today's legal climate, you need to prove it. Whether you're protecting a small company or managing compliance across a global enterprise, one thing is clear: cybersecurity can no longer be left to guesswork, vague frameworks, or best-effort intentions. Regulators and courts are now holding organizations accountable for how "reasonable" their security programs are—and that's not just a buzzword anymore. But what does " reasonable" even mean in cybersecurity? That's exactly what this free webinar  we hosted with the experts from Center for Internet Security (CIS) will help you answer. New privacy laws, ransomware lawsuits, and regulatory investigations are raising the bar for cybersecurity expectations. If your defense program can't show structure, strategy, and measurable maturity, you're not just at risk—you're already falling behind. This isn't about hype. It's about legal risk, operational readiness, and your reputation. In this...

Cybersecurity researchers have discovered risky default identity and access management (IAM) roles impacting Amazon Web Services that could open the door for attackers to escalate privileges, manipulate other AWS services, and, in some cases, even fully compromise AWS accounts. "These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3 access," Aqua researchers Yakir Kadkoda and Ofek Itach said in an analysis. "These default roles silently introduce attack paths that allow privilege escalation, cross-service access, and even potential account compromise." The cloud security firm said it identified security issues in default IAM roles created by AWS services like SageMaker, Glue, EMR, and Lightsail. A similar flaw has also been unearthed in a popular open-source framework called Ray, which automatically creates a default IAM role (ray-autoscaler-v1) with the AmazonS3FullAccess policy. What's concer...