Cybersecurity News and Magazine

ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token

Mihir Bagwe — Wed, 29 Apr 2026 03:34:18 +0000

A security researcher's public disclosure on April 27 forced ClickUp to confront a misconfiguration its own engineering review process had missed for months. 893 customer email addresses embedded directly inside feature flag targeting rules, queryable by anyone with the platform's intentionally public client-side SDK key.

ClickUp published its incident disclosure the following day. The company did not minimize what happened. "We should have caught this sooner. We didn't," the company said.

What Did ClickUp Expose

The exposure involved two distinct issues within the same feature flag configuration system. The first was the email addresses themselves — 893 customer addresses that ClickUp engineers had embedded in flag targeting rules to control which users received specific features during staged rollouts.

The Split.io SDK's publicly queryable splitChanges endpoint returns the full set of flag definitions, including those targeting rules, to anyone holding the client-side SDK key. Because that key is intentionally embedded in ClickUp's frontend JavaScript bundle — standard, documented behavior across Split.io, LaunchDarkly, and similar platforms — the email addresses were accessible without authentication to anyone who knew where to look.

Also read: AI-Coded Moltbook Platform Exposes 1.5 Mn API Keys Through Database Misconfiguration

No workspace content, passwords, billing data, or account credentials were exposed for any of the 893 affected customers, with one exception, the company said.

The second and more serious issue was a single live customer API token embedded in a rate-limiting flag configuration. An on-call engineer responding to API abuse had placed the token directly inside the flag config to throttle traffic from that workspace — a decision that made the token recoverable through the same SDK endpoint.

The token was added on October 7, 2025, and remained in the flag configuration until ClickUp invalidated it, this Monday. Log investigation showed no signs of malicious access beyond the researcher's own investigation. ClickUp said it is working directly with the affected customer.

All 893 third-party email addresses were removed from flag configurations by Tuesday.

The Technical Root Cause

The misconfiguration is architectural in nature and required no exploitation in the conventional sense. ClickUp uses Split.io for feature flag management. Client-side feature flag SDKs by design require a public-facing key embedded in the application bundle — this is how they evaluate flags for users in the browser, and it is standard behavior across the industry. The key being public is not a vulnerability.

What made this an exposure is what ClickUp's engineers placed inside the flag configurations themselves. Flag targeting rules allow engineers to specify exactly which users receive a given feature — by email address, user ID, or other identifiers. ClickUp's teams had used customer email addresses directly in those rules for beta rollouts. Because the splitChanges endpoint returns the full flag definition set including targeting rules, and because the client-side key needed to query it was always accessible in the frontend JavaScript, those email addresses were queryable by design of the SDK — just not by design of ClickUp's intent.

Engineers treated flag configurations as internal tooling, the company acknowledged, when the SDK architecture makes them publicly queryable by design. Flag updates at ClickUp required peer review — a process analogous to code review — but that review step did not catch the accumulation of PII in targeting rules.

The Disclosure Timeline

ClickUp's blog includes a precise timeline that addresses a specific claim circulating in public reporting: that this vulnerability went unremediated for 15 months after an initial disclosure in January 2025. ClickUp disputes that characterization and the timeline explains why.

On January 17, 2025, a researcher reported the Split.io SDK key disclosure to ClickUp's bug bounty program, which was then hosted on BugCrowd. ClickUp and BugCrowd classified that report as informational — because the client-side SDK key alone is not a vulnerability. It is public by design. That classification was correct given the report's contents, ClickUp says, because the email addresses embedded in the flag configurations were not included in that original report.

ClickUp migrated its bug bounty program from BugCrowd to HackerOne on June 3, 2025, with all past reports carried over.

On April 8, 2026, the researcher filed a new, detailed report on HackerOne — a different report from the January 2025 submission — documenting the expanded impact of 893 customer email addresses in flag targeting rules and the embedded API token. ClickUp says it was not aware of the email address exposure until April 27, the day the researcher went public. The company says the flag configurations themselves were not included in the original 2025 report, and the "15 months" framing conflates two separate reports about two different findings.

What ClickUp Has Changed

ClickUp described four remediation steps taken in the immediate aftermath. All customer email addresses were purged from flag targeting rules and replaced with internal user identifiers that carry no PII. The company has implemented automated tooling to detect email addresses and credential patterns in flag configurations before they can be saved. A secrets scanning step has been added to the flag configuration deployment pipeline. And the engineering team has updated its internal guidance on what data is permissible inside flag targeting rules.

The peer review process that existed prior to the incident — a required +1 approval on all flag changes — remains in place but clearly did not catch this class of misconfiguration. The new automated tooling is designed to fill that gap at the system level rather than relying on reviewers to catch it manually.

Customers whose email addresses were among the 893 affected were notified directly by ClickUp on or before April 29, 2026. Customers who did not receive a direct communication were not in the exposed list.

Cybersecurity Incident Strikes Contractor Handling JRL MRT Stations and NEWater Factory 3 Projects

Ashish Khaitan — Tue, 28 Apr 2026 10:29:17 +0000

A cybersecurity incident has raised concerns after it was revealed that sensitive data associated with the Jurong Region Line (JRL) MRT stations and the Changi NEWater Factory 3 were compromised. The contractor responsible for both critical infrastructure projects, Shanghai Tunnel Engineering Co (Singapore), is currently facing scrutiny as authorities investigate the breach.

Data Compromise Involving Shanghai Tunnel Engineering Co

The breach primarily affects the civil engineering firm Shanghai Tunnel Engineering Co, which has been engaged in the construction of three key stations along the JRL and the new Changi NEWater Factory 3. While the exact timing of the incident remains unclear, the compromised data has since been identified as tender documents for the projects. These documents, however, are available on the government’s GeBIZ procurement portal, which mitigates concerns over the theft of sensitive information. On April 27, the Land Transport Authority (LTA) responded to public queries by confirming that it was aware of the cybersecurity breach and had reported the matter to the police and other relevant authorities. In an effort to minimize potential risks, the LTA temporarily suspended the contractor’s access to its digital systems, although the breach has not been reported to have disrupted the ongoing construction of the JRL MRT stations.

Impact on Changi NEWater Factory 3

While the data breach raises alarms, the national water agency PUB (Public Utilities Board) has reassured the public that there has been no access to its digital systems by Shanghai Tunnel Engineering Co. Following an internal investigation, PUB concluded that no sensitive data related to the Changi NEWater Factory 3 had been stolen. The only data compromised were the project tender documents, which, as mentioned, are publicly accessible on GeBIZ. A PUB spokesperson emphasized that the agency maintains a "serious view" of cybersecurity and has advised the contractor to review its security protocols. Despite extensive checks on known ransomware portals and hacker forums, no evidence of leaked data related to the breach has surfaced, alleviating some concerns among stakeholders.

Company’s Response to Cybersecurity Incident

In a statement issued on April 28, Shanghai Tunnel Engineering Co (Singapore) acknowledged the cybersecurity incident, confirming that it had taken immediate steps to contain the situation. While the company did not specify when the breach occurred, it assured the public that it was cooperating fully with the authorities. Furthermore, the company has enlisted an external cybersecurity specialist to aid in the investigation. "We are cooperating fully with the relevant authorities and kindly request that all parties allow the investigation to proceed without interference," a company representative said. Shanghai Tunnel Engineering Co, established in 1996, is a well-established contractor with significant experience in MRT projects across Singapore. The firm has previously worked on various stations for the Circle, Downtown, and Thomson-East Coast lines. Its latest projects involve critical infrastructure, including the JRL stations and the Changi NEWater Factory 3.

Contract Details and Future Expectations

In 2019, Shanghai Tunnel Engineering Co was awarded a $465.2 million contract to design and build three JRL stations, Choa Chu Kang, Choa Chu Kang West, and Tengah—along with a 4.3km viaduct connecting them. This work includes integrating the existing Choa Chu Kang MRT station on the North-South Line into the JRL network. In addition to the JRL projects, Shanghai Tunnel Engineering Co is also involved in the construction of the Changi NEWater Factory 3. In November 2025, a $205 million contract was awarded to Sanli M&E Engineering, which formed a joint venture with Shanghai Tunnel Engineering Co in February 2026. The joint venture will be responsible for several key aspects of the factory’s construction, including civil, structural, and architectural works, as well as external and building services. The Changi NEWater Factory 3 is expected to be operational by 2028 and will replace the existing Bedok facility. Once completed, the factory will be capable of producing up to 50 million gallons of NEWater daily, contributing significantly to Singapore's water sustainability efforts.

Medtronic Confirms Data Breach, No Impact on Operations or Patient Safety

Ashish Khaitan — Tue, 28 Apr 2026 10:25:21 +0000

Medtronic, the global leader in medical technology, disclosed a data breach affecting its corporate IT systems. On April 24, the company confirmed that an unauthorized third party gained access to certain systems, although the Medtronic data breach is not expected to have any material impact on the company’s financial performance or business operations. The breach has raised concerns across the healthcare and medtech sectors, but Medtronic assured investors and customers that it had taken immediate action to contain the situation.

What Happened to the Medtronic Data Breach?

The Medtronic data breach, which was identified on April 24, involved unauthorized access to some of Medtronic’s corporate IT systems. However, the company was quick to clarify that no disruption had occurred in key operational areas, including product safety, customer connections, and manufacturing or distribution activities. Importantly, there was no reported impact on patient safety or the company’s ability to meet its patient care commitments. In a public filing with the U.S. Securities and Exchange Commission (SEC), Medtronic stated, “We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, or our financial reporting systems.” The company emphasized that the networks supporting corporate IT systems are separate from those used for products, manufacturing, and distribution, which remain unaffected by the breach. Additionally, Medtronic highlighted that the IT systems supporting hospitals and healthcare customers are managed separately and secured by the customers’ IT teams. As such, hospital networks were not impacted by the breach, nor was there any disruption to hospital operations or services.

Immediate Actions Taken by Medtronic

Following the identification of the breach, Medtronic moved quickly to contain the incident. The company activated its incident response protocols and sought assistance from cybersecurity experts to investigate the breach and implement necessary remediation measures. Medtronic has also initiated an effort to determine if any personal information was accessed during the breach. If any sensitive data has been compromised, the company assured it would provide necessary notifications and support services to affected individuals. The company remains committed to enhancing its cybersecurity measures. “We are simultaneously identifying additional ways to further optimize our system security,” said a Medtronic spokesperson. The company has also assured its stakeholders that it does not expect the incident to have an impact on its financial results or overall business operations.

The Broader Impact on the Medtech Sector

The data breach at Medtronic follows a series of similar cybersecurity incidents that have affected other companies in the medtech industry. In March 2026, a cyberattack disrupted operations at Stryker, another major player in the medical technology sector. The attack targeted Stryker’s Microsoft environment, affecting ordering, shipping, and manufacturing processes. It took several weeks for Stryker to fully recover and return to normal operations. Simultaneously, Intuitive Surgical, a leading manufacturer of surgical robots, reported a phishing incident. The unauthorized party gained access to sensitive customer, employee, and corporate data. Intuitive Surgical also claimed that the issue was contained without significant financial impact, echoing Medtronic’s own assessment that the data breach would not affect its financial standing. These incidents highlight the frequency and sophistication of cyberattacks within the healthcare and medtech industries. As digital transformation accelerates in these sectors, companies are vulnerable to cyber threats.

Notepad++ Releases 8.9.4 Patch to Fix String Injection Vulnerability (CVE-2026-3008) in 8.9.3

Ashish Khaitan — Tue, 28 Apr 2026 10:20:13 +0000

A vulnerability has been identified in the popular open-source text editor, Notepad++, with the release of CVE-2026-3008. The vulnerability, discovered and reported by CSA under its Responsibility Vulnerability Disclosure Policy, is linked to a potential string injection flaw in Notepad++ version 8.9.3. To mitigate the risk associated with this vulnerability, users and administrators are strongly urged to update their installations to version 8.9.4 immediately.

A Deeper Look at CVE-2026-3008

The CVE-2026-3008 bug addresses a string-injection vulnerability in Notepad++, a widely used text editor for software development, writing, and other professional environments. The vulnerability allows attackers to exploit it, potentially gaining access to sensitive memory to read information or, in some cases, causing the application to crash. This flaw was first flagged by a contributor, Hazley Samsudin, whose prompt reporting allowed the Notepad++ team to act swiftly to resolve the issue. As part of Notepad++'s ongoing security commitment, the Product Owner quickly released an official patch in version 8.9.4 to rectify the issue, ensuring the software remains secure for all users.

The Impact of CVE-2026-3008 on Notepad++ Users

The vulnerability in Notepad++ version 8.9.3 has the potential for significant impacts on users. If successfully exploited, attackers could manipulate the string injection vulnerability to access memory addresses or even crash the application entirely. This could compromise the integrity of unsaved data or disrupt workflow, particularly in environments where Notepad++ is a critical tool for coding or note-taking. While this vulnerability may not allow for direct execution of arbitrary code, its potential for causing application crashes poses a risk to stability, especially if users are working with large or complex files. Given the widespread use of Notepad++ across multiple industries, it is crucial for users to take immediate action by upgrading to the secure 8.9.4 version.

Affected Versions of Notepad++

The vulnerability (CVE-2026-3008) is present exclusively in Notepad++ version 8.9.3. Therefore, anyone using this version or earlier versions is at risk of exploitation. The update to version 8.9.4, which includes necessary security patches, should be prioritized to prevent any potential exploitation of this vulnerability. Users of Notepad++ are strongly encouraged to update their installations to the latest version, 8.9.4, which has been designed to address the vulnerabilities identified, including CVE-2026-3008. The Notepad++ development team worked quickly to release this update, which also includes a series of bug fixes and performance improvements. To ensure that systems remain secure, users can download the latest release directly from the official Notepad++ website or the GitHub repository. Administrators managing multiple machines should push the update across their networks to guarantee all affected systems are secured. In addition to this update, Notepad++ version 8.9.4 includes several other improvements aimed at enhancing the software's overall stability and performance. These include fixes for crashes related to undo actions, improvements to file path handling, and updates to Scintilla and Lexilla for better language processing.

Notable Fixes in Notepad++ v8.9.4

The v8.9.4 update not only resolves the CVE-2026-3008 vulnerability but also brings a host of other important bug fixes and stability improvements. Some of the notable changes include:

Fixes to Crashes: Issues such as crashes when using the FindInFiles feature or when dropping files with long paths (over 259 characters) have been addressed.
Undo Action Issues: Previous versions had an issue with crashes caused by undoing actions in the column editor, especially when bad inputs were entered. This issue has now been resolved.
UI and Rendering Fixes: Improvements have been made to the user interface, including fixes for visual glitches in the Mark dialog and Document List view.
Improved Language Support: Updates to Scintilla and Lexilla provide better handling of C++ 11 raw string literals and enhanced syntax highlighting for various file formats.

Additionally, the update addresses installation issues that impacted users of the MSI installer, including problems with context menu registrations and incorrect hexadecimal display names during installation.

Toronto Police Bust Mobile Smishing Network Targeting Thousands

Samiksha Jain — Mon, 27 Apr 2026 12:20:24 +0000

A major Canada SMS blaster cybercrime case has come to light as Toronto Police charge three men with 44 offences in what authorities describe as a first-of-its-kind investigation in the country. The case, part of Project Lighthouse, highlights a growing threat where cybercriminals use mobile technology to target thousands of people at once. The investigation began in November 2025 after a security partner alerted police to a suspected SMS blaster operating in downtown Toronto. What followed was a months-long probe into a sophisticated operation that combined mobility, deception, and large-scale disruption.

What Is the Canada SMS Blaster Cybercrime Case?

At the center of the Canada SMS blaster cybercrime case is a device that mimics a legitimate cellular tower. When nearby mobile phones connect to it, users receive fraudulent messages that appear to come from trusted organizations. These messages often include links to fake websites designed to steal sensitive information such as banking credentials and passwords. This method is widely known as “smishing,” a form of phishing carried out through text messages. However, the scale and mobility of the device used in this case set it apart from typical cyber fraud schemes. Deputy Chief Rob Johnson said the operation posed serious risks beyond financial fraud. He noted that the technology had the capability to reach thousands of devices simultaneously, raising concerns about public safety.

Large-Scale Disruption Across the Greater Toronto Area

Investigators found that the SMS blaster was not stationary. It was operated from vehicles, allowing suspects to move across the Greater Toronto Area and deploy the device in multiple locations. According to Detective Sergeant Lindsay Riddell, tens of thousands of devices connected to the rogue network over several months. Police also recorded more than 13 million network disruptions, during which affected devices were unable to connect to legitimate cellular networks. These disruptions had serious implications. During those moments, access to emergency services such as 9-1-1 could have been impacted, making the Canada SMS blaster cybercrime case not just a financial threat but also a public safety concern.

Arrests and Seizure of Devices

Toronto Police executed search warrants on March 31 at residences in Markham and Hamilton, leading to the arrest of two suspects. Authorities seized multiple SMS blasters along with a significant amount of electronic evidence. A third individual later turned himself in on April 21. All three now face a combined total of 44 charges linked to the operation. The Canada SMS blaster cybercrime case involved extensive coordination between multiple agencies, including the Royal Canadian Mounted Police National Cybercrime Coordination Centre, regional police services, financial institutions, and telecom providers. Officials say this collaboration was key to identifying and disrupting the activity.

A New Type of Cyber Threat in Canada

Law enforcement officials emphasized that this is the first known case of SMS blaster technology being used in Canada. The case reflects how cyber-enabled crimes are becoming more advanced and harder to detect. Authorities noted that while the technology is new, the objective remains the same: to gain unauthorized access to personal and financial information. The Canada SMS blaster cybercrime case shows how attackers are combining traditional fraud tactics with newer tools to scale their operations.

Public Advisory and Safety Measures

Police are urging the public to remain cautious when receiving unexpected text messages. Users are advised not to click on suspicious links or share personal information through unsolicited messages. Officials recommend accessing banking services only through official applications or by directly entering website addresses into browsers. Victims of suspected fraud are encouraged to report incidents to law enforcement. Deputy Chief Johnson also acknowledged the role of the Toronto Police Coordinated Cyber Centre and partner agencies in handling the investigation. He stressed that staying informed and vigilant remains one of the most effective defenses against such threats.

Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust

Ashish Khaitan — Mon, 27 Apr 2026 11:06:14 +0000

In a world where digital threats are becoming more confusing, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date.

Dubbed Operation TrustTrap, this large-scale operation has leveraged over 16,800 malicious domains to exploit cognitive trust mechanisms and harvest sensitive user data from unsuspecting victims.

The scope and scale of this operation reveal a shift in how cybercriminals are evolving their tactics to bypass traditional technical security measures.

What is Operation TrustTrap

Since early 2026, CRIL has been tracking a well-coordinated infrastructure involving a massive network of spoofed domains. These domains were designed to mimic legitimate government portals, particularly those related to transportation services like Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration services in the United States. The aim of this campaign is clear: credential and payment card harvesting through the exploitation of trusted government-facing services.

However, the technical complexity of the attack isn't based on advanced hacking techniques. Instead, Operation TrustTrap exploits how humans visually interpret URLs. By embedding government-like subdomains, attackers have created fraudulent domains that resemble legitimate government addresses, deceiving individuals into visiting these sites and providing sensitive information.

Tencent Cloud and Alibaba Cloud APAC

The spoofed domains were predominantly hosted on Tencent Cloud and Alibaba Cloud APAC, both of which have significant data centers in the Asia-Pacific region. These platforms have been linked to the infrastructure of the campaign, and their concentrated use adds another layer of complexity to the attribution process.

Furthermore, CRIL found that the domains were primarily registered through Gname.com Pte. Ltd., a registrar known for its significant Chinese customer base. Other registrars, such as Dominet (HK) Limited and NameSilo LLC, were also identified in the campaign.

These domain names were often associated with .bond, .cc, and .cfd top-level domains (TLDs), which were frequently used to evade detection and blacklisting.

The Key Technique: Subdomain Trust Injection

The most common method used in Operation TrustTrap is subdomain trust injection. This technique involves embedding trusted government tokens, such as mass.gov or wa.gov, in subdomains rather than the root domain. In legitimate URLs, the .gov component typically appears at the end of the domain string, but in these malicious domains, .gov is cleverly placed as part of a subdomain.

For instance, a URL such as mass.gov-bzyc[.]cc will lead a user to believe they are accessing an official Massachusetts government page, but in reality, they are on a fraudulent site designed to capture personal and financial data.

[caption id="" align="alignnone" width="1024"] Fake Massachusetts RMV citation landing page (Source: Cyble)[/caption]

This manipulation of the domain’s structure is visually convincing, but it bypasses traditional security filters that only check the root domain for trusted indicators like .gov.

Another obfuscation technique used is hyphen-based semantic manipulation, where hyphens are inserted into familiar government identifiers to create visually similar URLs. This tactic further complicates the detection of malicious domains.

Global Targeting and Regional Focus

While Operation TrustTrap is heavily focused on the United States, targeting state portals such as those in California, Washington, and Florida, the operation is not confined to one region. CRIL identified similar spoofing efforts targeting government portals in India, Vietnam, and the United Kingdom.

In India, attackers have specifically targeted portals that follow the .gov.in domain structure. By injecting subdomains like www.in.gov-bond, the attackers were able to replicate the appearance of legitimate government websites, particularly those related to the Indian Department of National Investigation (NIA) and other defense-adjacent sites.

[caption id="" align="alignnone" width="939"] APT36 impersonating NIA (Source: Cyble)[/caption]

This specific targeting suggests that the threat actor has knowledge of government infrastructure and how it operates.

APT36 and the Connection to Operation TrustTrap

In addition to the use of Tencent Cloud and Alibaba Cloud, the tactics, techniques, and procedures (TTPs) observed in the campaign bear a striking resemblance to those used by APT36 (also known as Transparent Tribe). This Pakistan-based Advanced Persistent Threat (APT) group has a long history of targeting Indian government entities, defense personnel, and diplomatic infrastructure.

The infrastructure used in Operation TrustTrap shows similarities to APT36’s previous campaigns, particularly in terms of the domain registration patterns and use of Tencent Cloud and Alibaba Cloud APAC infrastructure. Furthermore, the behavior observed, including domain rotation and the use of disposable domains, matches previous APT36 activities.

Registrar and Hosting Analysis

The dominance of Gname.com as the registrar of choice for over 70% of the spoofed domains points to a specific trend in the campaign’s operational setup. This Singapore-based registrar, which serves a large number of Chinese entities, is part of the broader infrastructure strategy that focuses on low-cost hosting in the Asia-Pacific region.

Notably, Tencent Cloud and Alibaba Cloud APAC offer cloud services with global reach, providing the necessary infrastructure to scale this type of malicious operation. These services have been instrumental in supporting the rapid deployment of phishing sites across a variety of government services, especially those involving time-sensitive financial transactions.

Litecoin Hit by Zero-Day Vulnerability, Triggers 13-Block Reorganization

Ashish Khaitan — Mon, 27 Apr 2026 11:01:55 +0000

The Litecoin network faced a security breach when a zero-day vulnerability triggered a 13-block reorganization, impacting several major mining pools. This disruption led to a temporary halt in transaction finality, drawing attention to the potential risks within the Litecoin ecosystem. The Litecoin team quickly confirmed the bug on their official X account and assured the community that a patch had been fully deployed to resolve the issue.

The Zero-Day Bug and Its Impact on the Litecoin Network

A zero-day vulnerability refers to a flaw that is unknown to the developers at the time of its exploitation. In this case, the bug targeted the handling of MimbleWimble Extension Block (MWEB) transactions, a privacy feature on the Litecoin network. The vulnerability allowed an attacker to exploit the network by triggering a Denial-of-Service (DoS) attack, flooding the network with invalid MWEB transactions. MWEB transactions are designed to offer enhanced privacy for Litecoin users by obscuring transaction details. However, due to the zero-day bug, some Litecoin nodes that had not updated their software accepted invalid MWEB transactions, violating the network’s consensus rules. As a result, a block reorganization (or “reorg”) took place when a competing chain of blocks replaced the existing chain, causing 13 blocks to be reorganized. A block reorg of this magnitude is a rare event and presents significant challenges, including the potential for double-spending and undermined user confidence.

Understanding the Denial-of-Service Attack and Its Impact on Miners

The core target of the attack was the mining pools, which play a critical role in securing the Litecoin network. Mining pools are groups of miners who pool their computational power to increase their chances of successfully finding a block. By launching a DoS attack, the attacker aimed to disrupt the mining process by overwhelming the network with invalid transactions. The impact on miners was particularly severe. Mining pools that failed to update their nodes were unable to process valid blocks during the attack. This resulted in temporary downtime for these pools, contributing to a short-term drop in the network’s hashrate. While the Litecoin network quickly recovered, the event highlighted the vulnerability of mining operations when software updates are delayed or ignored.

Quick Response and Deployment of the Patch

Despite the severity of the incident, the Litecoin team responded promptly. Within hours, the development team confirmed the bug and rolled out a patch that effectively closed the attack vector. The patch prevented nodes from accepting invalid MWEB transactions, thus stabilizing the network and mitigating further risks. The team urged all node operators to update their software immediately to ensure the security of their operations. Importantly, the Litecoin team confirmed that no funds were lost as a result of the reorganization. While users’ transactions that were part of the reorganized blocks were reversed, the overall integrity of the network remained intact. The incident, although disruptive, demonstrated the resilience and quick action of the Litecoin team.

The Role of MWEB and Zero-Day Bugs

Launched in 2011, Litecoin has earned a reputation as one of the oldest and most stable cryptocurrencies. As a fork of Bitcoin, it relies on a proof-of-work consensus mechanism to validate transactions. Over the years, Litecoin has faced relatively few security incidents, but the April 25 event serves as a stark reminder that even established networks are susceptible to vulnerabilities. The introduction of MWEB in 2022 marked a significant upgrade for Litecoin, providing users with enhanced privacy features. However, as seen with this recent zero-day vulnerability, new features can also introduce unforeseen risks.

eBay Struggles with Widespread Outage, Disrupting Transactions and API Access

Ashish Khaitan — Mon, 27 Apr 2026 10:04:00 +0000

The e-commerce platform eBay, a giant in online auctions and fixed-price listings, faced widespread disruptions beginning late Sunday, April 26, 2026, extending into Monday, as users across the globe reported severe technical issues. The eBay outage, which has crippled essential features of the site, particularly the API, has left many buyers and sellers frustrated, struggling to access critical functions, including search features, listings, and checkout processes. As users faced slow page loads, failed transactions, and difficulty completing sales, a series of unverified reports surfaced suggesting that the hacktivist group 313 Team was behind the massive denial-of-service (DDoS) attack, claiming responsibility for the outage. While the true cause remains unconfirmed by eBay, the timing and scale of the disruption have fueled speculation that a cyberattack was involved.

The Scope of the eBay Outage

The eBay outage first began to affect eBay users on the afternoon of April 26, when they began reporting issues with the platform’s functionality. According to Downdetector, a popular service that tracks online outages, the spike in complaints reached around 3:30 PM ET, with the situation worsening the evening. As of 10:30 PM ET, more than 1,300 outage reports were logged, although the number eventually decreased to about 600 by 11:50 PM ET. Users complained that essential functions like search were malfunctioning, and pages were loading extremely slowly. "I can't even search for anything or complete a purchase," one frustrated user posted on social media. Others echoed similar concerns, noting that critical transactions were unable to be completed, with error messages preventing them from checking out. Sellers also voiced their frustrations, noting that they could not access the API, which is crucial for the functioning of third-party tools used to manage listings, inventory, and sales. "It’s been nearly 6 hours since the API went down, and we have no word from support," one seller wrote, emphasizing the financial impact of the outage.

Social Media Users Complain About the Outage

While eBay has not officially confirmed the cause of the outage, rumors quickly began circulating on social media that the hacktivist group 313 Team was responsible for a DDoS attack targeting the platform. DDoS attacks, which flood a website with traffic to overwhelm its servers and take it offline, have become a frequent tactic for hacktivist groups in recent years. The group, which has previously targeted high-profile organizations, allegedly posted a claim on various forums, taking credit for the disruption. However, this attribution has not been independently verified, and eBay has not provided details about the nature of the attack. The company’s official status page displayed no alerts of a cyberattack, showing only minor updates on the system’s functionality. Despite these official updates, the community’s response has been vocal, with many users continuing to report issues well into the night. One individual posted, "It’s not just down for me, it’s down for everyone. Is this part of a bigger attack targeting e-commerce sites?" With eBay’s customer support channels largely silent or offering only generic responses, users took to social media to express their frustration. The company’s Instagram account, where many users had previously reached out for help, quickly became a forum for complaints. One commenter wrote, “Brooo you’re down—come on, get up! I need to pay for an auction.” Others left similar messages, questioning the reliability of the platform and demanding answers.

Norway to Introduce Social Media Age Limit of 16, Platforms to Enforce Verification

Samiksha Jain — Mon, 27 Apr 2026 10:02:13 +0000

The Norway social media age limit is moving closer to becoming law, with the government confirming it will introduce legislation this year to restrict access for children under 16. The proposal, expected to be presented to Parliament (Stortinget), aims to reshape how young users interact with digital platforms and place greater responsibility on technology companies for enforcing age restrictions. Prime Minister Jonas Gahr Støre said the move is designed to protect childhood experiences from being dominated by screens and algorithms. He emphasized that children should have space for play, friendships, and offline development, positioning the Norway social media age limit as a safeguard rather than a restriction.

How the Norway Social Media Age Limit Will Work

Under the proposed law, the Norway social media age limit will apply from January 1 of the year a child turns 16. This means access will be granted based on birth year rather than exact birthdate, ensuring that entire school cohorts are treated equally. In practice, most children will be at least 15 years old when they gain access. Minister for Children and Families Lene Vågslid explained that this approach addresses concerns raised during public consultations. Many respondents argued that differences based on birthdates could create social divides among peers. By aligning access with school cohorts, the government aims to balance protection with inclusion. “For me, it is important both to give better protection for children in the digital world and to listen to what young people are saying. I understand that social media can be an important social arena. We want to ensure inclusion and a sense of community. That is why we are proposing that the cutoff be based on the year of birth rather than the exact birth date, so that cohorts are given equal opportunities, regardless of when each person is born,” said Minister for Children and Families Lene Vågslid (Labour). At the same time, officials acknowledge that social media plays a role in young people’s social lives. The policy attempts to maintain that balance while reducing early exposure to potential harms linked to excessive screen time and online interactions.

Tech Companies to Enforce the Norway Social Media Age Limit

A key feature of the Norway social media age limit is the shift in responsibility to technology companies. Platforms will be required to implement effective age verification systems at login, ensuring that underage users cannot bypass restrictions. Minister of Digitalisation and Public Governance Karianne Tung made it clear that enforcement will not rely on children or parents alone. She stated that companies must take full responsibility for compliance and ensure that safeguards are operational from the first day the law takes effect. “I expect technology companies to ensure that the age limit is respected. Children cannot be left with the responsibility for staying away from platforms they are not allowed to use. That responsibility rests with the companies providing these services. They must implement effective age verification and comply with the law from day one,” said Minister of Digitalisation and Public Governance Karianne Tung (Labour). This approach aligns with broader European regulatory trends, particularly the Digital Services Act, which is expected to require platforms to take stronger accountability for user safety, including age verification measures.

Part of a Wider European Push

Norway is among the first countries in Europe to move forward with a nationwide social media restriction of this kind. However, it is not acting in isolation. Several European governments are exploring or advancing similar policies. In France, lawmakers have already backed a proposal to restrict social media use for children under 15, with strong support from President Emmanuel Macron. Spain has also announced plans to block access for users aged 15 and under, while the Netherlands is considering a minimum age of 15. In the United Kingdom, Prime Minister Keir Starmer has supported tighter controls, with pilot programs underway to assess the impact of limiting social media use among teenagers. These developments suggest that the Norway social media age limit is part of a broader shift across Europe toward stricter regulation of digital platforms and greater protection for minors.

Implementation Timeline and Next Steps

The Norwegian government plans to send the proposed legislation for consultation within the European Economic Area before the summer. This process typically lasts around three months. Full enforcement of the Norway social media age limit is expected once the Digital Services Act is incorporated into Norwegian law. Officials say recent trends support the move. Data indicates a decline in the number of children owning smartphones and using social media, partly due to national screen-time guidelines and initiatives such as mobile-free schools. The government intends to implement the policy in stages, but it has made clear that service providers are expected to begin compliance preparations immediately.

A Shift in Digital Policy

The Norway social media age limit reflects growing concern among policymakers about the impact of digital platforms on children’s mental health, privacy, and development. By placing legal responsibility on technology companies and aligning with European regulation, Norway is positioning itself at the forefront of this policy shift. As similar measures gain traction across Europe, the effectiveness of age verification and enforcement will be closely watched. The Norwegian model could become a reference point for other countries seeking to balance digital access with child protection.

The Cyber Express Weekly Roundup: Data Breaches, Malware Campaigns, and Cyber Fraud Investigations

Ashish Khaitan — Fri, 24 Apr 2026 11:57:27 +0000

In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals. As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both public and private sectors. This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.

The Cyber Express Weekly Roundup

UK Biobank Data Breach Triggers Urgent Review of Data Security Measures

A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community. Read more...

Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets

Vercel's CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys. Read more...

Ofcom Investigates Telegram and Teen Platforms

In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation. Read more...

Personal Data Exposed in Breach of France’s ANTS Portal

A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals. Read more...

Bluesky Faces Coordinated DDoS Attack

Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities. Read more...

Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown

India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks. Read more...

Weekly Takeaway

This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers. With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical.