Zara data breach exposes information of 197,400 customers

In mid-April 2026, fashion giant Zara lost customer data on almost 197,400 people, but it seems very little private information was actually stolen.

Zara is one of the biggest fashion retailers in the world, with more than 1,500 stores worldwide, and is the flagship brand of the Inditex Group, which also owns Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe.

Extortion gang ShinyHunters has claimed responsibility for the data breach and leaked a 140GB archive, which seems to contain email addresses, geographic locations, purchases (product SKUs, order IDs), and support ticket information. In a statement, the company said the attackers did not access private information such as names, phone numbers, addresses, login credentials, or payment information.


Anthropic’s Claude Mythos found one curl vulnerability

In April 2026, Anthropic made considerable noise announcing Mythos, a new artificial intelligence model described as extremely effective at identifying vulnerabilities in code. In a recent scan of the curl source code, Mythos reported five vulnerabilities.

“Curl is currently 176,000 lines of C code when we exclude blank lines. The source code consists of 660,000 words, which is 12% more words than the entire English edition of the novel War and Peace,” wrote Daniel Stenberg, the creator of curl. “Five issues felt like nothing as we had expected an extensive list,” he added. “Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted shortcomings that are documented in API documentation) and the fourth we deemed just a bug.” The single confirmed vulnerability is going to end up as a low-severity CVE, planned for publication in sync with the pending next curl release, 8.21.0, in late June.

Some members of the cybersecurity industry have pointed out that curl has been heavily audited and tested, including by other AI tools, making it difficult for major vulnerabilities to remain hidden. They argue that Mythos’ limited findings reflect the maturity and robustness of curl’s codebase, rather than any shortcoming of the model itself.


Google updates its bug bounty program

Google has overhauled its Vulnerability Reward Programs (VRP) for Android and Chrome, reshaping how it incentivizes external security researchers to find and disclose security flaws in its products. The most headline-grabbing change is a dramatic increase in the top Android bounty: a zero-click full-chain exploit targeting the Pixel’s Titan M2 security chip with persistence now pays up to $1.5 million, up from $1 million, while the same exploit without persistence earns $750,000. Shailesh Saini, Alex Gough, and Tony Mendez from Google said in a joint announcement, “We know that certain particularly impactful exploits remain incredibly difficult to achieve,” explaining the rationale behind maintaining and expanding top-tier rewards.

The overhaul is driven largely by the rise of AI tools, which have accelerated vulnerability discovery to the point where Google is now being flooded with low-quality, AI-generated submissions that strain its security teams. In response, Google stated that it wants researchers to shift toward concise, verifiable reports: “we are shifting our program’s focus to prioritize concrete proof that a bug exists.” Reflecting this quality-over-quantity philosophy, Chrome bounties are actually being reduced across most standard categories, since AI has made many routine exploit demonstrations far easier to produce. Despite lower individual payouts in some areas, Google expects its total rewards paid in 2026 to exceed the record $17.1 million distributed in 2025. The changes signal a broader industry reckoning with AI’s double-edged role in cybersecurity — accelerating both the discovery of genuine vulnerabilities and the generation of noise that makes managing security programs increasingly complex.
