Cyber Victor – a leading blog on cyber security

The ShinyHunters extortion group has published a 234 GB archive of data allegedly stolen from dental benefits administrator DentaQuest. The cybergang added the company to its Tor data leak site in May 2026, and the data was released after negotiations failed. The breach could affect approximately 2.6 million individuals whose information may have been exposed.

DentaQuest acknowledged the data breach and quickly moved to contain the attack. It said its systems remain operational with minimal disruption. Technical details about the security breach haven’t been disclosed yet.

According to data breach notification service HaveIBeenPwned, the leaked data includes 2.6 million email addresses, names, phone numbers, addresses, dates of birth, and healthcare-related records, some containing Medicaid IDs.

DentaQuest is the second largest dental benefits administrators in the US and a subsidiary of Sun Life US. The company manages dental and vision benefits for over 32 million Americans, with a strong focus on Medicaid, CHIP, Medicare Advantage, and commercial plans. It operates more than 70 dental practices.

Read more about it here.

In mid-April 2026, Fashion giant Zara lost customer data on almost 197,400 people, but it seems very little private information was actually stolen.

Zara is one of the biggest fashion retailers in the world, with more than 1,500 stores worldwide, and is the flagship brand of the Inditex Group, which also owns Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe.

Extortion gang ShinyHunters has claimed responsibility for the data breach, and leaked a 140GB archive, which seems to contain email addresses, geographic locations, purchases (product SKUs, order ID), and support tickets information. In a statement made by the company, it said the attackers did not access private information such as names, phone numbers, addresses, login credentials, or payment information.

Read more about it here.

In April 2026, Anthropic made considerable noise announcing Mythos, a new artificial intelligence model described as extremely effective at identifying vulnerabilities in code. In a recent scan of the curl source code, Mythos found five vulnerabilities.

“Curl is currently 176,000 lines of C code when we exclude blank lines. The source code consists of 660,000 words, which is 12% more words than the entire English edition of the novel War and Peace.” wrote Daniel Stenberg, the creator of curl. “Five issues felt like nothing as we had expected an extensive list,” he added. “Once my curl security team fellows and I had poked on the this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted shortcomings that are documented in API documentation) and the fourth we deemed just a bug.” The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with the pending next curl release 8.21.0 in late June.

Some members of the cybersecurity industry have pointed out that curl has been heavily audited and tested, including by other AI tools, making it difficult for major vulnerabilities to remain hidden. They argue that Mythos’ limited findings reflect the maturity and robustness of curl’s codebase, rather than any shortcoming of the model itself.

Read more about it here.

Google has overhauled its Vulnerability Reward Programs (VRP) for Android and Chrome, reshaping how it incentivizes external security researchers to find and disclose security flaws in its products. The most headline-grabbing change is a dramatic increase in the top Android bounty: a zero-click full-chain exploit targeting the Pixel’s Titan M2 security chip with persistence now pays up to $1.5 million, up from $1 million, while the same exploit without persistence earns $750,000. Shailesh Saini, Alex Gough, and Tony Mendez from Google said in a joint announcement, “We know that certain particularly impactful exploits remain incredibly difficult to achieve,” explaining the rationale behind maintaining and expanding top-tier rewards.

The overhaul is driven largely by the rise of AI tools, which have accelerated vulnerability discovery to the point where Google is now being flooded with low-quality, AI-generated submissions that strain its security teams. In response, Google stated that it wants researchers to shift toward concise, verifiable reports: “we are shifting our program’s focus to prioritize concrete proof that a bug exists.” Reflecting this quality-over-quantity philosophy, Chrome bounties are actually being reduced across most standard categories, since AI has made many routine exploit demonstrations far easier to produce. Despite lower individual payouts in some areas, Google expects its total rewards paid in 2026 to exceed the record $17.1 million distributed in 2025. The changes signal a broader industry reckoning with AI’s double-edged role in cybersecurity — accelerating both the discovery of genuine vulnerabilities and the generation of noise that makes managing security programs increasingly complex.

Read more about it here.

Anthropic’s new cybersecurity-focused AI model, Claude Mythos, recently uncovered 271 vulnerabilities in Firefox, with the findings prompting Mozilla to release patches in Firefox version 150 this week. While over 40 CVEs were addressed, only three were officially credited to Claude – suggesting most of the bugs were lower-severity issues that don’t clear the bar for a public CVE. Mozilla’s Firefox CTO offered a grounded take on the achievement, noting that none of the bugs were beyond what “an elite human researcher” could have found, pushing back on predictions that AI will soon discover entirely novel vulnerability classes. Because of Mythos’s remarkable capabilities – Palo Alto Networks said it completed the equivalent of a year’s worth of pen testing in under three weeks – Anthropic has kept the model out of public hands, offering it only to a select group of major organizations like Microsoft, Google, Apple, and AWS through a program called Project Glasswing. Palo Alto’s chief product officer warned that within six months, similarly powerful AI security tools will likely be widespread, and organizations that haven’t prepared “will face an entirely new class of risk.”.

Read more about it here.

On April 13, 2026, Booking.com warned its customers that hackers may have accessed customer data linked to travel reservations. Exposed customer details could include names, email addresses, phone numbers, booking information and any information customers may have shared with accommodations.

“Financial information was not accessed from Booking.com’s systems, nor were guests’ physical addresses,” the company stated. “Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”

Cybersecurity firm Norton has dubbed the scams “reservation hijacks”, because criminals have contacted Booking.com customers pretending to be hotels in order to trick customers into sending them money based on bogus reservation problems.

Founded in Amsterdam in 1996, Booking.com has grown to become one of the largest one-stop digital marketplaces for vacations, where customers can book flights, accommodations, transportation, and activities. It boasts almost seven billion check-ins since 2010.

Read more about it here.

Anthropic recently confirmed that the source code for its Claude Code AI agent was accidentally exposed through a large JavaScript source map in a public npm package. This leak, totaling over 500,000 lines of TypeScript, revealed the tool’s internal orchestration logic and security protocols to the public. Tens of thousands of users quickly sought out the code, leading to a surge in unauthorized forks and re-uploads across platforms like GitHub.

Cybercriminals capitalized on the interest by creating fraudulent GitHub repositories that appear at the top of search engine results for “leaked Claude Code.” These repositories often promise unlocked enterprise features but instead deliver a Rust-based dropper containing the Vidar information-stealer and GhostSocks proxy malware. Once executed, the malicious software exfiltrates sensitive credentials and turns the infected machine into a residential proxy for further illegal traffic.

Security researchers from firms like Zscaler noted that these malicious archives are frequently updated, indicating that attackers are actively refining their delivery methods and payloads. While GitHub has since removed several of the offending accounts, the incident serves as a stark reminder of how quickly hackers exploit trending AI news to target developers. Experts urge extreme caution when downloading unofficial source code, as the rapid pace of AI development can often outrun traditional security vetting.

Read more about it here.

The European Commission has confirmed a data breach after its Europa.eu web site was hacked in a cyberattack claimed by the ShinyHunters data extortion group. This was first reported on March 26, 2026.

The EC stated that “the Commission’s internal systems were not affected by the cyber-attack”.

The threat actor claimed that they stole over 350 GB of data, and they released 90 GB of data.

Read more about it here.

Anthropic accidentally leaked the source code of its Claude Code tool, after a large debug file was included in a public npm release. A 59.8 MB JavaScript source map file (.map), intended for internal debugging, was inadvertently included in version 2.1.88 of the @anthropic-ai/claude-code package on the public npm registry pushed live on March 31, 2026.

The file exposed 1,900 TypeScript files, consisting of more than 512,000 lines of code, full libraries of slash commands and built-in tools. Once flagged online, the code was quickly shared and analyzed by developers.

The leaked source reveals a sophisticated, three-layer memory architecture that moves away from traditional “store-everything” retrieval.

Read more about it here.

Anthropic said on March 6, 2026 it discovered during a two week period in January 2026 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. It was using the Claude Opus 4.6 AI model. Of these, 14 were classified as high, 7 were classified as moderate, and 1 was rated low in severity. The issues were addressed in Firefox 148, released in late February 2026.

Claude identified a Use After Free vulnerability, which the team validated and reported to Mozilla along with a proposed patch written by Claude. By the end of this effort, Claude scanned nearly 6,000 C++ files and submitted a total of 112 unique reports, including the high- and moderate-severity vulnerabilities mentioned above. Most issues have been fixed in Firefox 148, with the remainder to be fixed in upcoming releases.

Read more about it here.