☀️ Good afternoon. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
Happy Monday. Today: ShinyHunters is back with a triple-target extortion campaign hitting Zara, Carnival, and 7-Eleven simultaneously, Microsoft Teams is being weaponized as a helpdesk impersonation vector, Standard Bank is leaking 1.2TB of customer data in daily installments, Vercel confirms a supply chain breach via an AI integration, and Tallahassee quietly restores systems after a targeted attack.
🔥 Top Stories
01 — ShinyHunters Issues "Pay or Leak" to Zara, Carnival, and 7-Eleven — 9M Records at Stake
Data Breaches
ShinyHunters has claimed responsibility for breaching three globally recognized brands simultaneously — Zara (Inditex), Carnival Corporation, and 7-Eleven — and is threatening to release a combined 9 million records unless ransoms are paid. The common thread: preliminary investigations point to a shared third-party cloud or marketing automation provider as the entry point, not the brands' own perimeters.
Carnival faces the largest exposure with 8.7 million records allegedly stolen — potentially including passport details and travel itineraries. Zara's breach involved customer transaction records via a third-party provider. 7-Eleven's compromise is linked to a Salesforce campaign targeting loyalty program data. Same playbook as Rockstar: attack the vendor, own the client. Inditex has already distanced itself — "the incident originated at a third-party provider" — but the reputational damage lands on the brand regardless.
02 — Microsoft Teams Is Now a Helpdesk Impersonation Attack Vector
Threat Intelligence
Microsoft Threat Intelligence has issued a warning about a surge in human-operated attacks using Teams as the delivery mechanism. Attackers create a Microsoft 365 tenant named "IT Helpdesk" or "Technical Support," exploit Teams' External Access feature — enabled by default in most organizations — and send direct messages to employees warning of a "security anomaly" requiring MFA verification.
Because the interaction happens entirely within Teams, it bypasses every Secure Email Gateway in place. Employees who are trained to distrust external emails often treat a Teams message as inherently internal and safe. Once the victim approves the MFA prompt or reads their OTP, the attacker has full account access and begins lateral movement. Fix: restrict Teams External Access to approved domains only in your Entra ID admin settings.
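One way to apply the fix above, as an added example that is not part of the original newsletter: it records the tenant's current External Access setting, limits federation to an allow-list, and reads the result back. It assumes the MicrosoftTeams PowerShell module and a Teams administrator session; the domain names are placeholders.

```powershell
# Added example: audit Teams External Access, then restrict it to approved domains.
# Assumptions: MicrosoftTeams module installed, caller is a Teams administrator.
# The domains below are placeholders, not values from the newsletter.
$ApprovedDomains = @('partner-one.example', 'partner-two.example')
$Apply = $false   # leave $false to audit only; set $true to change the tenant

Connect-MicrosoftTeams | Out-Null

# 1. Record the current state before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# An open default shows up as "AllowAllKnownDomains" in the AllowedDomains value.
if ("$($before.AllowedDomains)" -like '*AllowAllKnownDomains*') {
    Write-Warning 'External Access currently accepts chats from any Microsoft 365 tenant.'
}

# 2. Build the allow-list in the type the cmdlet expects.
$allow = New-Object 'System.Collections.Generic.List[string]'
foreach ($domain in $ApprovedDomains) {
    $allow.Add($domain.Trim().ToLowerInvariant())
}

# 3. Keep federation on, but only for the approved domains.
if ($Apply) {
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $allow

    # 4. Read the setting back so the change is confirmed, not assumed.
    $after = Get-CsTenantFederationConfiguration
    $after | Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
    if ("$($after.AllowedDomains)" -like '*AllowAllKnownDomains*') {
        Write-Warning 'Allow-list not in effect yet; External Access is still open.'
    }
} else {
    Write-Output "Audit only. Would restrict External Access to: $($allow -join ', ')"
}
```

Run it once with `$Apply = $false` to capture the baseline, and keep that output with your change record before applying the allow-list.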
03 — Standard Bank: 1.2TB Leaking in Daily Installments
Data Breaches
South Africa's largest bank by assets has confirmed a "data incident" after a threat actor began publicly releasing 1.2 terabytes of stolen customer data. The attacker is using a deliberate slow-release strategy — posting new segments daily to maximize sustained pressure and public exposure rather than dumping everything at once.
What's in the cache: full names, ID numbers, home addresses, and — most critically — plaintext credit card numbers and expiry dates for certain client segments. Standard Bank has begun proactively replacing cards for high-risk customers and is under investigation by the Information Regulator. The slow-drip release strategy is becoming a pattern: it extends news coverage, sustains reputational damage, and gives attackers ongoing leverage even after initial disclosure.
04 — Vercel Confirms Supply Chain Breach via AI Integration — Developer Credentials the Entry Point
Supply Chain Attack
Vercel has disclosed a breach originating from Context AI — an agentic analytics tool integrated into Vercel's product workflows. A developer at Context AI was infected with infostealer malware, which harvested administrative credentials. Those credentials gave attackers OAuth access to Vercel's internal environments, exposing customer emails, project names, and OAuth metadata.
The DeFi community is particularly alarmed — many crypto developers host dApp frontends on Vercel and are now scrambling to rotate API keys and environment variables. Claims of up to 2 million records being sold on illicit forums are circulating, though Vercel hasn't confirmed the volume. Vercel has terminated the Context AI integration and is naming the vendor publicly — a rare move in SaaS that signals both transparency and a deliberate warning to the developer ecosystem about AI integration risk.
05 — Tallahassee Restores Systems After Targeted Attack — Officials Deny Data Breach
Cyber Attacks
The City of Tallahassee has confirmed it successfully restored systems following a targeted cyberattack, with officials stating no data breach occurred. Details on the attack vector and threat actor remain limited — city officials have been deliberately tight-lipped beyond confirming containment and restoration.
The incident is notable as the latest in a growing pattern of municipal government attacks. The "no data breach" characterization from officials should be treated with appropriate scepticism — similar claims from other municipal victims have been revised as forensic investigations progress. Worth watching for updated disclosures over the coming weeks.
📊 By The Numbers
9M — Combined records ShinyHunters claims to hold across Zara, Carnival, and 7-Eleven
1.2TB — Data extracted from Standard Bank and being released in daily installments
8.7M — Carnival Corporation records allegedly stolen — potentially including passport data
2M — Records from the Vercel/Context AI breach reportedly listed for sale on illicit forums
⚡ The Signal
Four of today's five stories are about the same structural failure: the breach didn't happen at the brand — it happened at the vendor.
ShinyHunters hit Zara, Carnival, and 7-Eleven through a shared third-party provider. Vercel was compromised via Context AI — an AI analytics tool with OAuth access to internal environments. Standard Bank's breach likely originated from a third-party cloud or legacy storage server. Microsoft Teams is being weaponized because External Access is enabled by default, extending trust to tenants you've never approved.
The pattern is consistent and accelerating: attackers in 2026 aren't breaching your perimeter. They're breaching the vendor you trust, the tool you've integrated, the platform you've enabled by default. Your security posture is only as strong as your most permissive third-party integration. The question every CISO should be asking this Monday morning isn't "are our systems secure?" — it's "what do our vendors have access to, and how would we know if they were compromised?"
🔍 What You May Have Missed
Indonesia suspends game rating system after developer credential leak — The Indonesian government's game content rating portal was taken offline after developer credentials were leaked, exposing the system to potential manipulation. A reminder that government digital infrastructure carries the same vulnerability profile as enterprise systems.
Microsoft Defender zero-days RedSun and BlueHammer still unpatched — As of this morning, two of the three leaked Defender zero-days remain without an official patch. If you haven't isolated vulnerable endpoints or enabled enhanced monitoring, that's the priority before anything else today.
ATHR AI vishing platform — now documented, spreading fast — Following Friday's coverage, the ATHR platform is now documented in underground forums. Expect rapid adoption by lower-skilled criminal groups. Train your team: a legitimate service will never ask you to read an OTP over the phone.
📅 What to Watch
ShinyHunters deadline — watch for data dumps from Zara, Carnival, or 7-Eleven if ransom negotiations break down; Carnival's passport data would be the most damaging release
Standard Bank daily dumps — the slow-release strategy continues; watch for credit card fraud reports from South African customers this week
Microsoft Defender patches — RedSun and BlueHammer remain unpatched; watch for an emergency out-of-band update from Microsoft
Vercel/Context AI fallout — crypto developer community rotating keys; watch for any dApp frontend compromises linked to exposed OAuth metadata
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team