Here's everything that happened in cybersecurity yesterday — in under 5 minutes.

Today's edition covers the federal case that just put a face on one of America's biggest education breaches, Sweden naming Russian hackers for a power plant attack, a major FBI phishing takedown, the Rockstar data dump aftermath, and seven vulnerabilities you need to patch — one of them by tomorrow.

🔥 Top Stories

01 — PowerSchool's Hacker Is 20 Years Old — And He Said He Needed to Be Stopped

Education Security

Matthew Lane has pleaded guilty to one of the largest education breaches on record. Target: PowerSchool, used by 50+ million students. Method: weak credentials, no zero-days. SSNs, grades, and disciplinary records taken from students K through college. Lane told investigators the hacking had become an addiction. Federal prosecutors are using the case to set sentencing precedent for "Gen Z" hacker cells — technically skilled young people who drift into felony territory through Discord communities that gamify vulnerability research.

02 — Sweden Formally Names Pro-Russian Hackers for 2025 Power Plant Attack

Critical Infrastructure

Sweden has attributed a 2025 cyberattack on a thermal power plant to a pro-Russian group — and the intent wasn't espionage. Attackers targeted OT systems to physically manipulate pressure valves and temperature sensors during peak demand. The attack was stopped, but specialized ICS malware and persistent reconnaissance were found throughout the environment. Technique: Living-off-the-Land, blending into legitimate system activity. Same pattern as the exposed industrial controllers we covered last week.

03 — CISA Adds Seven Vulnerabilities — One Deadline Is Tomorrow

Vulnerabilities

Seven new KEV catalog entries across Microsoft, Adobe, and Fortinet. The urgent one: CVE-2026-21643 — unauthenticated SQL injection in Fortinet FortiClient EMS enabling RCE. Patch by April 16. That's tomorrow. Also notable: an Adobe Acrobat prototype pollution flaw already under active exploitation, a Microsoft Exchange deserialization flaw tied to active Medusa ransomware, and CVE-2012-1854 — a 14-year-old Microsoft VBA exploit that is still working against unpatched systems in 2026. Technical debt is security debt.

04 — Rockstar Holds Firm: ShinyHunters Drops 78 Million Records After Deadline Passes

Data Breach

ShinyHunters followed through. After Rockstar refused to pay, 78.6 million records were released on April 14. Independent analysis confirms the dump is Snowflake-hosted analytics — telemetry, in-game economy data, operational metadata. No player credentials. No source code. The "non-material" characterization is holding. What matters: attackers got in using stolen Anodot service tokens that bypassed MFA entirely. The third-party token is the new front door.

05 — FBI and Indonesian Police Shut Down W3LL — The Platform That Sold MFA Bypass as a Feature

Threat Intelligence

W3LL wasn't a hacking group — it was a software company for criminals. For nearly a decade it sold phishing kits, adversary-in-the-middle tools that stole session cookies post-authentication, and automated M365 target generation. 500+ paying customers. 56,000+ compromised accounts. $20M+ in BEC fraud. Standard push-based MFA was rendered useless by design. The takedown creates a window — use it to audit M365 conditional access policies and move high-privilege accounts to FIDO2 before a replacement platform spins up.

📊 By The Numbers

  • 78.6M — Records released by ShinyHunters after Rockstar refused to pay

  • $20M+ — BEC fraud enabled by the W3LL phishing platform

  • 14 — Years old: the Microsoft VBA exploit CISA just added to its active threat catalog

  • 1 — Day until the Fortinet FortiClient EMS patch deadline

⚡ The Signal

Today's stories share one thread: the attack arrives as something you've already decided to trust.

A 20-year-old exploiting credentials schools never secured. A phishing empire selling MFA bypass to 500 paying criminals. A power plant hit using legitimate system tools that looked like normal traffic. A 14-year-old vulnerability still working because someone never closed it. Rockstar breached not through their own perimeter — through a monitoring vendor with cloud-wide access. None of this required nation-state sophistication. The W3LL takedown gives defenders a brief window. The Fortinet deadline closes tomorrow. Act now.

🔍 What You May Have Missed

  • Kraken defies extortion after rogue employee leak - The crypto exchange publicly refused demands following an insider data leak and is cooperating with law enforcement.

  • FINRA launches a Financial Intelligence Fusion Center - FINRA is combining market surveillance with cyber threat intelligence in a dedicated ops center — a quiet but significant move for financial sector defense.

  • AI-weaponized LLM attacks surge against Mexican government targets - LLM-assisted cyberattacks against Mexican government infrastructure confirm AI-augmented offensive tooling has moved from theoretical to operational.

📅 What to Watch

  • Fortinet patch deadline — April 16 — CVE-2026-21643 must be patched by tomorrow

  • PowerSchool federal sentencing — precedent being set for young adult cybercriminals outside organized groups

  • W3LL vacuum — 500+ criminal customers now shopping for a replacement; watch for new PhaaS activity

  • Sweden/Russia fallout — watch for NATO coordination and whether other European nations follow with public attributions

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team
