News & Advisories
Security incidents, practical advisories, and privacy-focused insights from the KzNet team.
Analysis May 2026

The Two Threat Models You're Actually Fighting

Most people defending their data are quietly fighting two wars at once — a targeted attacker trying to break in, and an entire industry collecting their data with consent they technically gave — and using the wrong weapon for one of them. The first is beaten by reducing attack surface and guarding secrets; the second only by minimizing what you emit and compartmentalizing so the data points can't be linked. The concept that bridges both is reconnaissance value: the idea that a map of your systems can be as dangerous as the keys to them, even though it was never secret. This piece breaks down the distinction, why "I have nothing to hide" fails over a twenty-year horizon, and why the likeliest breach of a careful person's security is locking themselves out.

Incident Spotlight May 2026

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

A critical heap buffer overflow in NGINX's ngx_http_rewrite_module — introduced in 2008 and present in every version from 0.6.27 through 1.30.0 — is now under active exploitation, just days after public disclosure on May 13. Tracked as CVE-2026-42945 with a CVSS v4 score of 9.2, the flaw lets unauthenticated attackers crash worker processes with crafted HTTP requests, and can escalate to remote code execution on systems where ASLR is disabled. VulnCheck confirmed exploitation attempts against its honeypot networks, though the threat actors' end goals remain unknown. F5 has released patches and organizations running NGINX Plus or NGINX Open Source should treat this as urgent.

Analysis May 2026

Your AI Coding Assistant Is Keeping a Diary — And It's Not Encrypted

Claude Code stores session transcripts in plaintext under ~/.claude/projects/ for 30 days by default. That's every prompt, every pasted config, every stack trace containing an internal hostname — sitting on disk, unencrypted. Samsung found out the hard way in 2023 when employees fed proprietary source code and internal meeting notes into ChatGPT; three separate incidents happened within a single month before the company banned the tool outright. The pattern has only accelerated: Check Point researchers later demonstrated that simply cloning a malicious repository was enough to trigger API key theft in Claude Code via crafted project-level config files (CVE-2025-59536). The blast radius of a compromised developer machine now includes not just your git history, but weeks of AI conversation history — and most developers haven't thought about that yet.

Analysis May 2026

You're Probably Sending More Personal Data to AI Providers Than You Think

AI coding tools like Claude Code and ChatGPT are designed to be helpful by consuming as much context as you'll give them — project files, instructions, preferences, history. What many developers haven't stopped to audit is exactly what that context contains. Configuration files automatically injected into every session can carry names, email addresses, internal IP ranges, API keys, and hostnames without a single conscious decision to share them. Anthropic and OpenAI both retain API prompt data for at least 30 days by default, with flagged content held for up to two years — meaning whatever lands in that context window doesn't disappear the moment the chat does. The habit of "just letting the AI remember everything" is fast becoming a quiet data-hygiene problem with real privacy consequences.

Advisory Mar 2026

Google Patches Two Chrome Zero-Days Exploited in the Wild

Google released an emergency Chrome update (v146.0.7680.75+) fixing two actively exploited zero-days: CVE-2026-3909, an out-of-bounds write in the Skia graphics library, and CVE-2026-3910, an inappropriate implementation in the V8 JavaScript engine enabling arbitrary code execution. Both were triggered via crafted HTML pages with confirmed in-the-wild exploits. Update Chrome immediately.

Incident Spotlight Mar 2026

Iran's MuddyWater Deploys New Dindoor Backdoor Against U.S. Banks, Airports, and Defense Firms

Iranian state-sponsored group MuddyWater has been active inside U.S. and Canadian networks since early February 2026, deploying two previously unseen tools: Dindoor, a backdoor built on the Deno JavaScript runtime, and Fakeset, a Python-based backdoor hosted on Backblaze cloud storage. Targets include U.S. banks, airports, a Canadian non-profit, and a defense software firm with Israeli operations — with initial access gained through spear-phishing and social engineering. The timing follows U.S. and Israeli military strikes on Iran, consistent with MuddyWater's pattern of ramping up intrusions during geopolitical escalation.

Incident Spotlight Mar 2026

FBI and Europol Seize LeakBase: 142,000-Member Credential Marketplace Shut Down

In a coordinated sweep across eight countries, the FBI and Europol seized LeakBase — a forum where stolen credentials, stealer logs, and financial data from hundreds of millions of accounts were bought and sold since 2021. Around 100 enforcement actions were carried out globally, with 37 of the platform's most active users directly targeted. The forum's Russian administrator, identified as 33-year-old Artem Kuchumov, was named as part of the operation, and all user accounts, private messages, and IP logs were secured as evidence — a reminder that criminal forums are rarely as anonymous as their members assume.

Analysis Feb 2026

Meta's Shadow Web: How the Pixel and Conversions API Track You Everywhere

You don't need a Facebook account for Meta to know which medications you searched for, what you put in your shopping cart, or which news articles you read. Through the Meta Pixel — a snippet of JavaScript installed on millions of third-party websites — and its server-side successor, the Conversions API, Meta collects behavioral data from across the web and ties it back to identifiable profiles. Roughly one-third of top US hospital websites were found running the Pixel, exposing protected health information to Meta without patient knowledge or consent. State attorneys general in Texas and Washington have both taken legal action against Meta over its data practices, and the courts are still working out exactly which laws can reach the company's surveillance infrastructure.

Advisory Feb 2026

Hardware Security Keys Are the Gold Standard for MFA — Here's What to Look For

Push-based MFA is better than nothing, but it's vulnerable to fatigue attacks and real-time phishing. Hardware keys (FIDO2/WebAuthn) eliminate this attack surface by requiring physical presence and cryptographically binding each login to the legitimate site — a phishing page can't intercept the handshake. When choosing one: look for FIDO2 certification, USB-C and NFC support for cross-device compatibility, open or audited firmware, and a PIN-protection option. Always register a backup key. The YubiKey 5 series and Google Titan keys are widely recommended starting points.

Analysis Jan 2026

What Microsoft Is Really Collecting from Your Windows 11 and M365 Environment

Windows 11's Recall feature takes a screenshot of your screen every few seconds, runs OCR on it, and stores the results in an encrypted local database searchable by plain-language query — and a year after its relaunch, security researchers are still publishing proof-of-concept exploits against it. Separately, Microsoft 365 Copilot hoovers up content from Microsoft Graph — emails, chats, Teams messages, SharePoint documents — to power its AI responses, with interaction logs retained under your existing M365 retention policies. Microsoft's own documentation confirms that even when admins set diagnostic data to "Neither," a category called "required service data" continues flowing to Microsoft regardless. For AV and IT teams managing mixed Windows 11 fleets, both surfaces deserve explicit policy decisions before hardware refreshes land Copilot+ PCs on every desk.

Advisory Jan 2026

GrapheneOS in 2026: The Privacy-First Mobile OS That's Ready for Daily Use

GrapheneOS has matured significantly. With broad app compatibility, hardened sandboxing, and a growing user community, it's no longer just for security researchers — it's a practical choice for anyone who values their data. The OS supports the Google Play Store via isolated profiles, meaning most apps work normally while being denied access to the underlying hardware and identifiers they'd typically exploit. If you're running a stock Android device and wondering whether there's a better option, the answer in 2026 is yes.

Analysis Oct 2025

Google's "Privacy Sandbox" Was Surveillance With a Friendlier Label

For five years, Google promised that the Privacy Sandbox — anchored by its Topics API — would replace the tracking cookies it publicly condemned while keeping ad revenue intact. In October 2025, Google quietly killed the whole project, retiring Topics, Protected Audience, and eight other APIs after the ad industry refused to adopt them. Third-party cookies never actually went away. Android continued logging everywhere you go. And the DOJ's antitrust remedies, handed down the same month, left Google's data empire largely standing. The sandbox wasn't a privacy reform — it was a stalling strategy, and its own failure exposed exactly that.

Analysis Mar 2025

Amazon's Data Web: Voice, Video, Groceries, and What They Share in Common

Amazon quietly removed the option to keep Alexa voice recordings off its cloud servers in March 2025, making cloud upload mandatory for all Echo users — a change driven by its new AI-powered Alexa+ rollout. Ring, meanwhile, reversed its 2024 commitment to keep police at arm's length, partnering with Axon and Flock Safety to re-enable law enforcement requests for doorbell footage, in some cases without a warrant. Layer in the ad-attribution pipeline that connects Prime Video viewing, Whole Foods in-store purchases, and Amazon DSP targeting, and the picture that emerges is less "smart home ecosystem" and more surveillance infrastructure with a Prime badge on it. The company's data practices now face scrutiny from privacy advocates, the FTC, and European regulators — and the stakes are rising as AI makes the data more actionable, not less.

Analysis Mar 2025

Green Bubbles Grow Up — But Signal Still Has a Job

Apple's iOS 26.5 finally delivers end-to-end encrypted RCS messaging between iPhones and Androids, closing the longest-running privacy gap in everyday texting. The rollout uses the GSMA's Messaging Layer Security (MLS) standard — a genuine technical milestone built on proven cryptography. But the feature ships in beta, requires carrier support on both ends, skips group chats entirely for now, and does nothing to protect message metadata. For one-on-one conversations between two well-supported carriers, it's a meaningful upgrade over years of unencrypted cross-platform texts — just don't mistake it for Signal.

Analysis 2024

Your Fingerprint Unlocks Passkeys — But Never Leaves Your Phone

When you log in to Amazon with a passkey and your phone asks for your fingerprint, Amazon never sees that fingerprint — not even a hash of it. The biometric check happens entirely on your device; what travels to Amazon's servers is a cryptographic signature that proves you authorised the login, nothing more. It's a clean architectural split that most users don't know exists, and it's the reason passkeys are fundamentally different from password-based login. The FIDO Alliance reports that over 15 billion online accounts can now leverage passkeys, and understanding why they're safe requires a short detour into public-key cryptography.

Incident Spotlight Sep 2023

MGM Resorts: A LinkedIn Search and a Phone Call Led to a $100M Outage

Attackers found an MGM employee on LinkedIn, called the IT helpdesk impersonating them, and gained access to internal systems — causing widespread outages across hotels and casinos. No technical exploit was needed. A single successful social engineering call was enough to begin the breach. Identity verification at the service desk isn't a formality — it's a control that, when bypassed, can cascade into a nine-figure incident.

Analysis Dec 2022

Apple Sells Privacy — But Reads the Fine Print Differently Than You Do

Apple's privacy marketing — "What happens on your iPhone, stays on your iPhone" — sits alongside one of the App Store's largest advertising businesses, default-on telemetry, and a 2021 CSAM scanning proposal that was only shelved after researchers warned the architecture could be repurposed by any government with sufficient leverage. The distinction between Apple and Google is real but narrower than the marketing implies: Apple monetizes your trust rather than your data — a different business model, not a different category of surveillance. When your threat model is a data broker, Apple's approach is meaningfully better. When it includes a national security letter, the gap closes fast.

Incident Spotlight Sep 2022

Uber: MFA Push Fatigue Exploited in Under 20 Minutes

An attacker bombarded an Uber employee with MFA push notifications until they accepted one out of frustration — then impersonated IT support to escalate access further. The attacker had already obtained the employee's password through other means; the MFA prompt was the last barrier. Number-matching MFA, push rate limits, and awareness training around helpdesk impersonation are now baseline expectations for any organization using push-based authentication.

Incident Spotlight Mar 2022

Dirty Pipe (CVE-2022-0847): GrapheneOS Patched in 24 Hours. Stock Android Took Two Months.

Dirty Pipe is a Linux kernel vulnerability that allows unprivileged processes to overwrite the contents of read-only files — including setuid binaries. On Android, this meant local privilege escalation to root. The CVE was publicly disclosed on March 7, 2022. GrapheneOS shipped a patch the following day. Google's May 2022 Android Security Bulletin — released roughly eight weeks later — was when most Pixel users received the fix. The gap between public disclosure and patch delivery is exactly when exposure is highest.

Incident Spotlight Dec 2021

Log4Shell (CVE-2021-44228): The Vulnerability Hiding in Half the Internet

A critical remote code execution flaw in Apache Log4j — a logging library embedded in hundreds of thousands of applications, from enterprise software to cloud services — allowed attackers to execute arbitrary code by triggering a single malicious log entry. No authentication required. The vulnerability was actively exploited within hours of public disclosure by ransomware groups, cryptominers, and nation-state actors. CISA described it as one of the most serious vulnerabilities ever seen. Full remediation required organizations to audit every product in their stack for a dependency most had never thought to inventory.

Source: NIST NVD

Incident Spotlight Jul 2021

Kaseya VSA: REvil's $70M Supply Chain Ransomware Attack Over the Fourth of July Weekend

REvil exploited a zero-day in Kaseya VSA — remote monitoring software used by managed service providers — to simultaneously push ransomware to approximately 1,500 downstream businesses. The attackers chose the Fourth of July weekend deliberately, when security teams are understaffed. By targeting the MSP layer rather than individual organizations, a single vulnerability multiplied into a mass-casualty ransomware event. The $70 million ransom demand was among the largest ever made, and the incident accelerated scrutiny of third-party and MSP supply chain risk across the industry.

Incident Spotlight Jun 2021

Colonial Pipeline: How One Compromised Password Shut Down Critical Infrastructure

A single reused VPN credential — with no MFA — gave attackers a foothold that led to a 6-day shutdown of the largest fuel pipeline in the United States. The account wasn't even actively in use at the time. Credentials don't expire when an employee stops using them, and legacy remote access accounts are rarely audited. This incident made clear that remote access hygiene — MFA, disabled unused accounts, credential monitoring — is not optional for critical infrastructure.

Source: Reuters

Incident Spotlight Dec 2020

SolarWinds SUNBURST: The Supply Chain Attack That Compromised the US Government

Nation-state attackers attributed to Russia's SVR compromised SolarWinds' build pipeline, injecting backdoor code into digitally signed Orion software updates distributed to approximately 18,000 organizations — including the US Departments of Treasury, Commerce, Homeland Security, and State. The malware lay dormant for two weeks after installation before activating and went undetected for months. SolarWinds redefined the threat model for software supply chains: a trusted vendor, a legitimate signed update, and a routine patch cycle were all weaponized simultaneously.

Incident Spotlight Jul 2020

Twitter's $120K Bitcoin Scam: How Three People Social-Engineered the World's Most Visible Platform

Attackers used phone-based social engineering to manipulate Twitter employees into granting access to internal admin tools. Within hours, the verified accounts of Barack Obama, Elon Musk, Jeff Bezos, Apple, and others were hijacked to run a Bitcoin scam — generating roughly $120,000 before the platform was locked down. Three individuals, the youngest just 17, were responsible. No sophisticated exploit was used. The breach demonstrated that privileged internal tooling can be more accessible than public-facing security would suggest, and that social engineering scales against the highest-value targets.

Incident Spotlight Jul 2019

Capital One: A Misconfigured WAF and an SSRF Vulnerability Exposed 100 Million Records

A former AWS engineer exploited a misconfigured web application firewall to execute a server-side request forgery (SSRF) attack against Capital One's cloud infrastructure — accessing the EC2 instance metadata service and pivoting to S3 buckets containing sensitive customer data. Over 100 million records were exfiltrated, including names, addresses, credit scores, and Social Security numbers. Capital One later paid $190 million to settle class-action suits. The incident established SSRF against cloud metadata endpoints as a headline attack vector and made cloud WAF misconfiguration a board-level conversation.

Incident Spotlight Nov 2018

Marriott/Starwood: Attackers Had Undetected Access for Four Years — Starting Before the Acquisition

Marriott disclosed that attackers had maintained persistent access to the Starwood guest reservation database since at least 2014 — two years before Marriott acquired Starwood. By the time the breach was detected in 2018, the compromised database contained records for up to 500 million guests: names, addresses, passport numbers, payment card data, and dates of birth. Four years of undetected access represented failures across asset discovery, network segmentation, and anomaly detection — and raised a question rarely asked during M&A: what security debt are we inheriting?

Source: BBC

Incident Spotlight Sep 2017

Equifax: An Unpatched Server and an Expired Certificate Exposed Half of America

Equifax failed to patch a known Apache Struts vulnerability (CVE-2017-5638) for five months after a fix was available. Attackers exploited it to exfiltrate Social Security numbers, birth dates, addresses, and driver's license numbers for 147 million Americans — roughly half the adult US population. An expired SSL inspection certificate had left malicious traffic unexamined for 76 days. Equifax paid over $700 million in settlements. The breach became a landmark case for the legal consequences of documented, known-but-unpatched vulnerability management failures.

Source: FTC

Report Jun 2017

How Google Analyzes Your Email

The Gmail "Teach Gmail this conversation is important" tooltip is a small disclosure of a much larger system. This KzNet report unpacks what Gmail actually reads, what it infers from metadata alone, what changed in 2017 (and what didn't), and the privacy controls most users never open.

Incident Spotlight May 2017

WannaCry: A Leaked NSA Exploit Shut Down 200,000 Systems Across 150 Countries in 24 Hours

WannaCry ransomware spread globally by exploiting EternalBlue — an NSA-developed exploit for a Windows SMBv1 vulnerability leaked by a group calling itself the Shadow Brokers. Microsoft had issued patch MS17-010 two months prior, but millions of unpatched systems remained exposed. The UK's NHS was among the hardest hit: hospitals diverted ambulances, cancelled surgeries, and reverted to paper records. A kill-switch domain discovered by researcher Marcus Hutchins halted propagation. WannaCry was widely attributed to North Korea and defined ransomware as a geopolitical weapon.

Source: NCSC

Incident Spotlight Apr 2014

Heartbleed (CVE-2014-0160): A Silent Two-Year Leak in Two-Thirds of the Internet

A buffer over-read bug in OpenSSL's TLS heartbeat extension allowed anyone to read up to 64KB of server memory per request — no authentication required, no trace in logs. The affected memory could contain private SSL keys, session tokens, and user passwords. OpenSSL was used by an estimated two-thirds of the internet at the time, and the vulnerability had been silently present since December 2011. There was no way to know whether a server had already been exploited. Heartbleed was the first vulnerability to receive a branded identity — name, logo, dedicated website — setting a precedent for how critical disclosures are communicated.

Source: NIST NVD

Incident Spotlight Nov 2013

Target: Stolen HVAC Vendor Credentials, Lateral Movement, and 40 Million Card Numbers

Attackers used credentials stolen from Fazio Mechanical, a third-party HVAC vendor, to gain initial access to Target's network during the 2013 holiday shopping season. They moved laterally to the point-of-sale network — a segment that should have been isolated — and installed RAM-scraping malware on payment terminals across all US stores. Roughly 40 million credit and debit card numbers were stolen, along with personal data for 70 million customers. Target's security tooling had generated automated alerts before the breach was discovered — they went uninvestigated. Target paid $18.5 million in a multistate settlement.