
☀️ Good afternoon. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.

ShinyHunters breached ADT — the world's largest home security provider — via a phone call, 1.7 million patients are discovering their records were stolen from a hospital that thought it had recovered, Germany's Bundestag president had her Signal account hijacked by suspected Russian operatives, a 12-year-old Linux bug lets any local user become root on nearly every major distro, and Notion's "publish to web" feature is silently leaking your entire team's emails and photos.

🔥 Top Stories

01 — ShinyHunters Breached ADT by Calling Their Help Desk

Data Breaches

ADT — the $5 billion home security giant that monitors 6 million American homes — has confirmed a data breach after ShinyHunters used English-speaking vishing callers to impersonate internal IT support, harvest employee credentials, and pivot from Okta SSO into Salesforce. The group claims 10 million customer records. ADT describes it as a "limited subset." On April 23 the group listed the data on BreachForums with a leak deadline of April 27 if no ransom is paid.

What was confirmed stolen: full names, emails, addresses, phone numbers, and in limited cases partial SSNs and dates of birth. What wasn't: full SSNs, payment data, and home security system credentials. The brand damage is the real story. This is ADT's third major breach in under two years. The irony that the company whose entire product is security cannot secure its own employee portal is not subtle — and it is exactly what ShinyHunters exploits. A home address tied to an ADT account isn't just PII. It's a targeted list of homes identified as containing assets valuable enough to protect.

02 — ShinyHunters Also Hits Udemy — 1.4M Records, April 27 Deadline

Data Breaches

The same group, the same week: ShinyHunters has claimed 1.4 million Udemy user records and posted a "pay or leak" ultimatum on BreachForums with an April 27 deadline — the same day as ADT's. The suspected method mirrors ADT exactly: vishing into a SaaS stack via Okta/Auth0 SSO compromise. Udemy has not confirmed the breach.

Two major brands, two simultaneous deadlines, one threat actor. ShinyHunters is running a coordinated Q2 2026 campaign at industrial scale — ADT, Udemy, Zara, Carnival, 7-Eleven, Rockstar, Vercel. The common thread across all of them: the SaaS identity layer. Not a zero-day in sight. Just a phone call.

03 — Germany's Bundestag President Had Her Signal Account Hijacked by Russian-Linked Operatives

Nation-State Threats

Julia Klöckner — President of Germany's Bundestag and senior CDU member — had her Signal account compromised via social engineering. Attackers posed as Signal support or trusted CDU group members, tricked her into sharing her verification code, and re-registered her account on a device they controlled. Federal prosecutors have opened an espionage investigation. German intelligence suspects Russian-linked state actors.

The impact: Klöckner is a member of closed Signal groups that include Federal Chancellor Friedrich Merz. By compromising her account, attackers gained passive surveillance access to Germany's highest-level government communications. At least one other CDU lawmaker was confirmed compromised. The technique is identical to the one Apple just patched in iOS — except Signal's encryption is fine. It was the human who handed over the keys. The more secure the platform, the more attackers focus on the user.

04 — Pack2TheRoot: A 12-Year Linux Bug Lets Any Local User Become Root

Vulnerabilities

Deutsche Telekom's Red Team has disclosed CVE-2026-41651 — dubbed "Pack2TheRoot" — a CVSS 8.8 local privilege escalation flaw that has existed in PackageKit since 2014. Any user with a low-privilege local account can exploit a TOCTOU race condition in the PackageKit state machine to install arbitrary system packages as root — no password required. Affected: Ubuntu 18.04–26.04, Fedora 43, Debian Trixie, Rocky Linux 10.1.

The exploit is silent by design. It uses pkcon — a legitimate system administration tool — to install attacker-controlled packages complete with root-level scriptlets. EDR tools see a normal package management operation. The 12-year lifespan of this bug means it's a strong candidate for prior abuse by sophisticated actors who prefer quiet, legitimate-tool escalation over noisy kernel exploits that trigger alerts. Patch to PackageKit 1.3.5+ and reboot immediately.
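A quick way to check whether a fleet host is still below the 1.3.5 threshold named above, as an added example that is not part of the newsletter or of the Deutsche Telekom disclosure: it asks dpkg or rpm for the installed PackageKit version, strips any Debian epoch and distro suffix, and compares the upstream part numerically. The package names `packagekit` (Debian/Ubuntu) and `PackageKit` (Fedora/Rocky) and the sample version strings in the test are assumptions about common packaging, not data from the advisory.

```python
import re
import subprocess
from typing import Optional, Tuple

# First patched upstream release named in the advisory summary above.
PATCHED_VERSION = "1.3.5"


def parse_upstream_version(pkg_version: str) -> Tuple[int, ...]:
    """Reduce a distro package version string to its upstream numeric tuple.

    Debian/Ubuntu versions look like '1:1.2.8-2ubuntu1' (optional epoch, then
    a '-' release suffix); rpm reports the upstream part on its own. Only the
    leading dotted-numeric run is kept, so '1:1.2.8-2ubuntu1' -> (1, 2, 8).
    """
    v = pkg_version.strip()
    if ":" in v:  # drop a Debian epoch such as '1:'
        v = v.split(":", 1)[1]
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {pkg_version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(pkg_version: str, minimum: str = PATCHED_VERSION) -> bool:
    """True if the installed upstream version is at or above the first fixed release."""
    return parse_upstream_version(pkg_version) >= parse_upstream_version(minimum)


def installed_packagekit_version() -> Optional[str]:
    """Ask the local package manager for PackageKit's version; None if not found.

    Tries dpkg (Debian/Ubuntu) first, then rpm (Fedora/Rocky). The package
    names are assumed common defaults; adjust them if your distro differs.
    """
    queries = [
        ["dpkg-query", "-W", "-f", "${Version}", "packagekit"],
        ["rpm", "-q", "--qf", "%{VERSION}", "PackageKit"],
    ]
    for cmd in queries:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue  # tool missing on this distro, or package not installed
        if out:
            return out
    return None


if __name__ == "__main__":
    version = installed_packagekit_version()
    if version is None:
        print("PackageKit not installed (or the package name differs on this distro)")
    elif is_patched(version):
        print(f"PackageKit {version}: at or above {PATCHED_VERSION}; reboot if not yet done")
    else:
        print(f"PackageKit {version}: BELOW {PATCHED_VERSION}; update and reboot")
```

The comparison is deliberately conservative: distributions often backport a fix without bumping the upstream version (the change lands in the `-2ubuntu1.1` style suffix instead), so a "BELOW" result on a host your distro advisory says is fixed is a false alarm, while an "at or above" result is trustworthy. Treat the distro advisory as authoritative and use this check to find hosts that have clearly not been updated at all.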

05 — Notion's "Publish to Web" Is Silently Leaking Your Entire Team's Emails

Data Privacy

Researchers have confirmed that any Notion page published to the web exposes the full names, email addresses, and profile photos of every collaborator — even if none of that information is visible on the rendered page. The leak comes from an unauthenticated API endpoint (/api/v3/syncRecordValuesMain) that returns editor metadata in JSON without requiring any login token. Automated scrapers can harvest entire organizational rosters from public Notion docs at scale.

Notion has acknowledged the issue and is working on API stripping and email masking. Until the fix ships, every public Notion page is a recon goldmine — a phisher can extract verified executive email addresses paired with real profile photos directly from your public hiring board or help center. Immediate action: audit every page with "Publish to web" enabled and disable it for any page with sensitive collaborator history.
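One way to run the audit just recommended across a workspace, as an added example that is neither Notion's code nor the researchers': it pages through Notion's official `POST /v1/search` endpoint with an integration token and lists every page whose `public_url` is set. The assumption here is that page objects returned by the official API expose `public_url` as a string when the page is published to the web and `null` otherwise; the sample response below is constructed for offline use and is not real workspace data.

```python
import json
import os
import urllib.request
from typing import Dict, Iterable, List

NOTION_SEARCH_URL = "https://api.notion.com/v1/search"
NOTION_VERSION = "2022-06-28"  # API version header required by Notion


def published_pages(search_results: Iterable[Dict]) -> List[Dict[str, str]]:
    """Return id/url/public_url for every page object that is published to the web.

    Assumption: a page's 'public_url' is a string when 'Publish to web' is on
    and null otherwise. Databases and unpublished pages are skipped.
    """
    found = []
    for obj in search_results:
        if obj.get("object") != "page":
            continue
        public = obj.get("public_url")
        if public:
            found.append({
                "id": obj.get("id", ""),
                "url": obj.get("url", ""),
                "public_url": public,
            })
    return found


def fetch_all_pages(token: str) -> List[Dict]:
    """Page through the search endpoint for every page the integration can see."""
    results, cursor = [], None
    while True:
        body = {"filter": {"value": "page", "property": "object"}, "page_size": 100}
        if cursor:
            body["start_cursor"] = cursor
        req = urllib.request.Request(
            NOTION_SEARCH_URL,
            data=json.dumps(body).encode(),
            method="POST",
            headers={
                "Authorization": f"Bearer {token}",
                "Notion-Version": NOTION_VERSION,
                "Content-Type": "application/json",
            },
        )
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page.get("results", []))
        if not page.get("has_more"):
            return results
        cursor = page.get("next_cursor")


# Constructed sample search response (not real workspace data) so the audit
# logic can be exercised without a token.
SAMPLE_RESULTS = [
    {"object": "page", "id": "page-hiring-board",
     "url": "https://www.notion.so/page-hiring-board",
     "public_url": "https://example-team.notion.site/hiring-board"},
    {"object": "page", "id": "page-internal-runbook",
     "url": "https://www.notion.so/page-internal-runbook",
     "public_url": None},
    {"object": "database", "id": "db-1", "url": "https://www.notion.so/db-1"},
]


if __name__ == "__main__":
    token = os.environ.get("NOTION_TOKEN")  # internal integration token, if set
    results = fetch_all_pages(token) if token else SAMPLE_RESULTS
    for page in published_pages(results):
        print(f"PUBLIC: {page['url']} -> {page['public_url']}")
```

An internal integration only sees pages that have been shared with it, so the listing is complete only if the integration has been added to every top-level page (or the workspace is small enough to verify by hand). Each URL this prints is a page whose collaborator roster is exposed the way the researchers describe, and is the candidate for turning "Publish to web" off until Notion ships the fix.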

📊 By The Numbers

  • 10M — Customer records ShinyHunters claims to have stolen from ADT

  • 1.7M — Kettering Health patients notified of records stolen in a 2025 ransomware attack — confirmed in 2026 forensic review

  • 12 — Years CVE-2026-41651 existed undetected in PackageKit before disclosure

  • 1.4M — Udemy records claimed by ShinyHunters — leak deadline today

  • 41 — Days Interlock ransomware operators spent inside Kettering Health's network before detection

⚡ The Signal

Yesterday’s top five stories had one pattern running through all of them: the attack surface is wherever you stopped looking.

ShinyHunters didn't exploit ADT's perimeter — they called the help desk. They didn't breach Udemy's database — they bypassed the identity layer. Russian operatives didn't break Signal's encryption — they called Julia Klöckner pretending to be support. Pack2TheRoot didn't exploit the kernel — it used a 12-year-old state machine logic error in a background daemon nobody audited. Notion didn't get hacked — its sharing feature just never stripped the metadata before making it public.

Every single one of these is an attack on something assumed to be safe: the employee, the SSO, the trusted app, the package manager, the share button. The consistent lesson of this entire week — and this entire month — is that your security posture is measured not by what you protect but by what you've stopped thinking about.

🔍 What You May Have Missed

  • Kettering Health: 1.7 million patients notified — a year after the ransomware hit — The Interlock ransomware group breached Kettering Health in May 2025, spent 41 days inside undetected, and stole 941GB. In 2026, the full scale became clear: 1.7 million patients exposed, 44+ consolidated lawsuits filed in Montgomery County, and a clinical negligence legal theory that's reshaping healthcare breach liability.

  • Incransom hits TruGreen — America's largest lawn care company — TruGreen, which services 2.3 million residential and commercial customers across 48 states, has been listed on the Incransom ransomware group's leak site. The attack is particularly notable for the volume of physical location data at risk — lawn care customers' home addresses linked to service schedules.

📅 What to Watch

  • ShinyHunters April 27 deadline — both ADT and Udemy deadlines expire today; watch for either data dumps on BreachForums or ransom payment confirmations.

  • Bundestag espionage probe — federal prosecutors investigating; watch for formal attribution and potential diplomatic response between Germany and Russia.

  • Pack2TheRoot distro patches — Ubuntu, Fedora, and Debian advisories in progress; watch for confirmed in-the-wild exploitation now that the PoC is public.

  • Notion API fix — no patch timeline confirmed; watch for the API stripping update and whether enterprise customers receive advance notice.

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team

Our Sponsor

Arnold Schwarzenegger has a newsletter.

Yeah. That Arnold Schwarzenegger.

So do Codie Sanchez, Scott Galloway, Colin & Samir, Shaan Puri, and Jay Shetty. And none of them are doing it for fun. They're doing it because a list you own compounds in ways that social media never will.

beehiiv is where they built it. You can start yours for 30% off your first 3 months with code PLATFORM30. Start building today.
