[SECURITY]

Digital security organizers are hosting privacy-focused events at bars, parties, and social gatherings to educate the public about breaking free from Big Tech. The Cypurr Collective in New York City launched "Break Up With Google," blending cybersecurity education with entertainment.

Legal experts argue that the commercial trade in detailed location information poses significant privacy risks and should be prohibited. The proposal reflects growing concern over how tech companies monetize granular tracking data.

Threat actors use underground guides to vet carding shops based on data quality, reputation, and longevity. Security firm Flare has detailed how trust operates within cybercrime markets.

Kamerin Stokes, 23, of Memphis, Tennessee, received a 30-month prison sentence for selling access to tens of thousands of hacked DraftKings accounts.

Cybersecurity experts have identified significant privacy and security vulnerabilities in the EU's age verification application, contradicting earlier claims that it was ready for deployment. EU officials have since downgraded the status to a "demo."

Bluesky has endured a distributed denial-of-service (DDoS) attack lasting nearly 24 hours, disrupting service for users of the decentralized social network.

Major technology companies are accelerating efforts to adopt post-quantum cryptography as quantum computing advances threaten current security standards. The industry is transitioning to encryption resistant to future quantum attacks before the theoretical "Q-Day" arrives.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a high-severity Apache ActiveMQ vulnerability as actively exploited in attacks. The flaw remained undetected for 13 years before patching earlier this month.

A new US bill requires age verification to occur directly on user devices rather than through centralized servers. The measure aims to balance content restrictions with privacy concerns.

Threat actors are actively exploiting three recently disclosed Windows security vulnerabilities to gain SYSTEM and elevated administrator permissions on targeted systems.

Europe has released a free age verification application designed to block minors from accessing adult content and social media platforms. The anonymous tool is now available to any company willing to implement it.

Governments worldwide are mandating age verification to restrict minors from accessing adult content and social media, but no reliable verification method exists.

The U.S. Department of Justice announced sentences for two Americans who helped the North Korean government place fraudulent IT workers in U.S. companies, resulting in approximately $5 million in stolen funds.

Law enforcement shut down 53 domains in a coordinated crackdown on distributed denial-of-service infrastructure across 21 countries on April 13, 2026.

Zara owner Inditex disclosed a data breach at an external contractor, confirming that intruders accessed information on commercial relations but stating customer records remain secure.

A newly discovered malware called ZionSiphon has been specifically engineered to attack operational technology in water treatment and desalination facilities. The malware poses a direct threat to critical infrastructure systems.

A federal judge sentenced two New Jersey residents to a combined 16 years in prison for operating laptop farms that enabled North Korean IT workers to pose as American employees.

Most AI-powered security operations center platforms merely accelerate alert triage rather than reduce actual security workload. Real automation requires end-to-end workflows that execute actions across systems, not just summarize findings.

Anthropic has begun requiring identity verification for Claude users accessing certain capabilities. The company is requesting government-issued photo IDs and selfies but has not disclosed which specific use cases will trigger the requirement.

China has demonstrated a new underwater cable-cutting tool as incidents of subsea Internet cable damage escalate globally. The timing raises concerns about threats to critical infrastructure that carries 99% of intercontinental data.

Democrats are pressing the Department of Homeland Security for details on Palantir Technologies and other surveillance firms' involvement in Trump administration immigration enforcement operations.

Researchers are creating synthetic media to help people recognize AI-generated voices and videos. The strategy involves exposing audiences to deepfakes so they can better identify them in the wild.

European police coordinated a major operation against distributed denial-of-service services, emailing 75,000 people suspected of participating in attacks. The effort resulted in four arrests and the takedown of 53 domains.

Attackers are exploiting a critical vulnerability in Marimo, a reactive Python notebook tool, to distribute NKAbuse malware hosted on Hugging Face Spaces. The campaign targets developers using the popular open-source platform.

Researchers demonstrated that OpenAI's Codex AI model successfully identified and exploited a security flaw in Samsung televisions, highlighting potential risks in automated code generation systems.

A new cybercrime platform called ATHR enables fully automated voice phishing attacks using AI voice agents and human operators to harvest user credentials.

A developer exposed an unrestricted Firebase browser API key, resulting in €54,000 in unexpected Gemini API charges within 13 hours. The incident highlights critical risks when authentication tokens lack proper access controls.

Fashion retailer Express left personal and order information accessible on the internet due to a software bug. TechCrunch discovered the exposure and notified the company, which has since patched the vulnerability.

Cisco has released security updates for four critical vulnerabilities in Webex Services, including an improper certificate validation bug that demands additional customer intervention beyond standard patching.

The National Vulnerability Database will prioritize only critical software vulnerabilities and those under active exploitation, a strategic shift to address a significant backlog created by a 2024 funding lapse.

A newly documented exploit called RedSun enables system-level user access on Windows 11, Windows 10, and Windows Server systems running the April 2026 Update. The vulnerability has been publicly disclosed on GitHub.

The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts following a breach of the edtech company's Salesforce environment. The stolen data was disclosed earlier this month.

A lawsuit alleges that Norway's state-owned telecom firm Telenor provided user data to Myanmar's military junta, enabling the arrest of approximately 1,200 anti-coup activists. The company reportedly shared information even when torture failed to extract details from detainees.

Spotify and the three major record labels secured a $322 million default judgment against Anna's Archive, an open-source piracy platform that planned to release millions of Spotify music files. The ruling came after the operator failed to respond to the lawsuit.

The Free Software Foundation is attempting to contact Google about a spammer operating from a Gmail account that has sent over 10,000 unsolicited emails. The incident highlights ongoing challenges with abuse management on major email platforms.

Two U.S. nationals have been sentenced to prison for operating a scheme that allowed North Korean remote IT workers to pose as American residents and secure employment at over 100 companies, including multiple Fortune 500 firms.

A US judge issued a $322.2 million judgment against Anna's Archive, a pirate library that scraped content from Spotify. The ruling is largely symbolic since the site operates anonymously.

Cybercriminals are exploiting weaknesses in banks' know-your-customer (KYC) facial recognition systems by using stolen biometric data and virtual camera tools available on Telegram. The scheme, documented by MIT Technology Review, reveals a significant gap in financial institutions' identity verification protocols.

A Southern District of New York court has determined that conversations with AI systems do not qualify for attorney-client privilege protection. The ruling in US v. Heppner establishes that communications with artificial intelligence lack the confidentiality safeguards afforded to attorney-client discussions.

A report questions Flock's practice of having employees monitor children, sparking debate about data collection, consent, and oversight in the company's operations.

A critical authentication bypass vulnerability in Nginx UI with Model Context Protocol support is being actively exploited to gain full server access without credentials. The flaw allows attackers to completely compromise affected systems.

Security has shifted from a one-time implementation to an ongoing computational burden, mirroring blockchain's proof-of-work model. Organizations must now continuously expend resources to maintain their defenses.

Security researchers have identified a new malware family called AgingFly being used in attacks against Ukrainian government agencies and hospitals. The malware steals authentication credentials from Chromium-based browsers and WhatsApp messenger.

A new tool called "TotalRecall Reloaded" has discovered a vulnerability that allows unauthorized access to Windows 11's Recall screenshot database, circumventing Microsoft's security measures.

Over 30 WordPress plugins in the EssentialPlugin package have been infected with malicious code, granting attackers unauthorized access to affected websites. The compromise potentially impacts thousands of sites running these plugins.

Anna's Archive, a book piracy platform, defaulted on a $322 million judgment in a copyright infringement case brought by Spotify and other music rights holders. The site made no legal defense.

Google failed to honor its commitment to protect user data from law enforcement, according to a report from the Electronic Frontier Foundation. Immigration and Customs Enforcement obtained personal information despite Google's stated privacy safeguards.

A digitally signed adware tool has deployed malicious payloads with SYSTEM privileges to disable antivirus protections across thousands of endpoints. Affected organizations span education, utilities, government, and healthcare sectors.

Nearly 90 schools worldwide and approximately 600 students have been impacted by AI-generated deepfake nude images, with North America reporting almost 30 cases since 2023, according to a Wired analysis.

Adobe has released patches for a zero-day vulnerability in Acrobat DC, Reader DC, and Acrobat 2024 that attackers actively exploited for at least four months before disclosure.

H.R.8250, introduced in the 119th Congress, proposes mandating operating system providers to implement age verification for all users. The bill marks a significant shift in how tech companies would handle user identity requirements.

Cal.com, a scheduling software provider, is moving its core codebase from open source to a closed repository. The company cited vulnerabilities to AI-powered attacks as the primary reason for the shift.

Microsoft confirmed that some Windows Server 2025 devices boot into BitLocker recovery mode after installing the April 2026 KB5082063 security update. The issue affects a subset of servers and requires BitLocker recovery keys to proceed.

The U.S. Cybersecurity and Infrastructure Security Agency has alerted federal agencies to a Windows Task Host vulnerability being actively exploited in attacks. The flaw allows attackers to escalate privileges to SYSTEM level on affected systems.

Sweden's civil defense minister has blamed Russian hackers for attempting a destructive cyberattack on a thermal power plant. The incident reflects escalating cyber threats against European infrastructure.

Modern vehicles are increasingly connected networks vulnerable to cyberattacks. The NMFTA's Cybersecurity Conference is bringing transportation leaders together to address emerging security risks.

ShinyHunters claims to have breached Rockstar Games and stolen Grand Theft Auto VI data. The group set an April 14 deadline for ransom negotiations, threatening to release the stolen information.

A joint investigation by WIRED and Indicator reveals nearly 90 schools and 600 students worldwide have been affected by AI-generated deepfake nude images. The problem continues to spread with no clear resolution in sight.

A new initiative called Stop Flock aims to counter widespread digital tracking practices. The movement has gained significant traction with 444 upvotes on Hacker News.

Adobe has released a security fix for a zero-day vulnerability in its PDF software that hackers actively exploited since at least November 2025. The scope of compromise remains unknown.

California legislation aimed at restricting 3D printing capabilities raises free speech and censorship concerns, according to digital rights advocates. The proposed rules could limit access to manufacturing technology and designs.

California's proposed legislation would require 3D printers to detect and block the manufacture of untraceable firearms, a move the Electronic Frontier Foundation warns could expand government surveillance of consumer devices.

The FCC has given Netgear conditional approval to bypass a foreign-made router ban, effectively granting the company a monopoly on new consumer router sales in the US. Netgear is the first retail consumer router company to receive this exemption.

Kraken, one of the world's largest cryptocurrency exchanges, is being targeted by criminals who claim to possess access to some client account information. The criminal group is attempting to extort the platform.

Cryptocurrency exchange Kraken disclosed that hackers obtained internal system access through an insider and are now demanding payment to prevent the release of sensitive videos. The threat targets footage showing systems that store client data.

The UK designated Xinbi Guarantee as an enabler of cryptocurrency scams and human trafficking weeks ago. The operation continues operating openly on Telegram.

Stolen credentials remain a primary attack vector, but identity-first Zero Trust architectures can limit damage by restricting access, enforcing device verification, and blocking lateral movement across networks.

Fiverr left sensitive work files publicly accessible and searchable through its Cloudinary integration, potentially exposing confidential client-worker communications and deliverables.

Spain is broadening its internet blocking measures to cover tennis, golf, and movie broadcasting times, extending beyond current piracy restrictions. The expansion follows pressure from sports leagues and entertainment companies seeking stronger anti-piracy enforcement.

More than 100 malicious extensions discovered in Google's official Chrome Web Store are targeting user accounts and data. The extensions attempt to steal Google OAuth2 Bearer tokens, deploy backdoors, and execute ad fraud schemes.

The UK government has tested Mythos AI, the first system to complete a multi-step infiltration challenge, providing concrete data on AI-driven cybersecurity risks.

A user contacted Flock's privacy team to request removal from the company's domestic surveillance initiative. The move highlights growing scrutiny over data collection practices in the platform.

The Electronic Frontier Foundation is calling on California and New York attorneys general to investigate Google for allegedly breaking its promise to notify users before handing their data to law enforcement agencies like ICE.

Booking.com has notified customers that hackers accessed personal data in a security incident. The compromised information includes names, emails, physical addresses, and phone numbers.

McGraw-Hill disclosed that hackers exploited a misconfigured Salesforce instance to access internal data, following an extortion threat. The education company confirmed the breach to BleepingComputer.

Microsoft has released cumulative updates KB5083769 and KB5082052 for Windows 11, addressing security vulnerabilities, bugs, and introducing new features across multiple versions.

Microsoft released its April 2026 Patch Tuesday addressing 167 security vulnerabilities, including two zero-day exploits currently being leveraged in active attacks.

Apple removed the rewards app Freecash from its App Store following an investigation by TechCrunch that revealed deceptive practices. The app had climbed to the top of app store charts despite the fraudulent scheme.

A malicious clone of Ledger Live bypassed Apple's App Store security checks and drained approximately $9.5 million from over 50 victims in a week-long phishing campaign running April 7-13.

Anthropic is restricting access to Claude Mythos, an advanced AI model designed to identify security vulnerabilities. The move has left European authorities with minimal visibility while the UK conducts independent testing.

A software developer has published what they claim is a reverse-engineered version of Google DeepMind's SynthID watermarking system, allegedly allowing watermarks to be removed from AI-generated images or added to other works. Google disputes the claim.

The US Treasury Department's technology team is requesting access to Anthropic's Mythos AI model to identify security vulnerabilities and potential flaws.

Backblaze has halted its backup operations, leaving users without access to their stored data. The cloud backup service provided no advance warning to customers.

An unnamed hacker compromised an Andreessen Horowitz-backed phone farm infrastructure company, gaining access to systems and posting critical content. The attacker attempted to share memes denouncing A16Z before the breach was contained.

Evidence suggests tech support scam operators are deepening fraudulent practices rather than ceasing operations. The industry continues to prioritize concealment tactics over legitimate business practices.

CodeWall, an AI penetration testing company, successfully breached one of Bain & Company's internal AI tools, marking the second major consulting firm targeted in similar attacks following a McKinsey incident.

Dutch fitness chain Basic-Fit disclosed a security breach affecting approximately 1 million customer accounts. The hackers accessed personal information stored in the company's systems.

Booking.com has confirmed unauthorized access to its systems exposed sensitive reservation and user data, prompting the company to force users to reset their reservation PINs.

HackerOne CEO Kara Sprague warns that cybersecurity vulnerabilities are expanding as AI advances create dual-use risks. Anthropic's new Mythos model has triggered regulatory and corporate concerns about potential AI-enabled exploits, even as select companies use it to test defenses.

A critical vulnerability in the wolfSSL cryptographic library can be exploited to bypass certificate verification by weakening ECDSA signature checks. The flaw affects systems relying on the library for SSL/TLS security.

A coalition of over 70 civil rights organizations has written to Meta CEO Mark Zuckerberg urging the company to abandon facial recognition technology in its smart glasses, citing risks to public safety.

A threat actor purchased 30 WordPress plugins and injected backdoor code into all of them, potentially exposing thousands of websites. The compromised plugins have since been identified and removed from the WordPress repository.

The FBI has dismantled a phishing operation that used the W3LL toolkit to compromise over 17,000 victims worldwide. The cybercriminals harvested passwords and multi-factor authentication codes from their targets.

The FBI Atlanta Field Office and Indonesian authorities have taken down the W3LL phishing platform in a historic joint enforcement action. The operation marks the first coordinated U.S.-Indonesia effort targeting a phishing kit developer.

Security researchers warn that current geopolitical and technological developments could shape the cyber landscape for years to come. The period marks unprecedented convergence of vulnerabilities, state-level threats, and infrastructure exposure.

OpenAI is rotating potentially compromised macOS code-signing certificates following a supply chain attack that injected malicious code through a compromised Axios package into its GitHub Actions workflow.

Michigan lawmakers withdrew proposed 'digital age' legislation after privacy advocates raised concerns about data collection and user protections. The bills faced opposition during the review process.

Adobe has released an emergency security update for Acrobat Reader addressing CVE-2026-34621, a zero-day vulnerability actively exploited since December.

A new report exposes how photos shared online are collected and analyzed at scale. The investigation reveals widespread practices of image harvesting across platforms.

A data breach at Anodot, a cloud monitoring platform, has compromised multiple major corporate clients including Rockstar Games. The attackers are reportedly attempting extortion against the affected companies.