San Mateo, CA, April 20, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
LLMs hallucinate breaches and create real-world risk
AI-generated false breach narratives are becoming a real cyber-crisis risk, according to cybersecurity experts, who described three recent incidents involving fabricated or resurfaced reports. In one case, a language model invented a detailed breach that never happened. In another, old breach coverage was reindexed as new after a website redesign, prompting fresh scrutiny of a long-resolved incident. A third case involved AI-generated quotes falsely attributed to a security researcher in a story about a business email compromise. The problem is that AI can now create, amplify, and legitimize false security events before defenders verify anything, pushing fiction into threat intelligence feeds, media coverage, and operational workflows. That means already strained security and communications teams now need narrative monitoring alongside incident response and planning. Read more.
Big tech firms ignore California privacy signals, audit finds
A WebXray audit found that Google, Meta, and Microsoft often fail to honor Global Privacy Control opt-out signals in California, raising questions about compliance with the California Consumer Privacy Act. The privacy firm scanned 7,634 popular websites from a California IP address, with and without GPC enabled, and found that 194 online advertising services ignored the legally recognized signal. Google posted the worst failure rate at 86%, with Meta at 69% and Microsoft at about 50%, according to the report. WebXray said Google still set an advertising cookie even when browsers sent the “sec-gpc: 1” opt-out signal, while Meta and Microsoft also continued tracking in other ways. The findings add to broader concerns that online privacy rules are still not being meaningfully enforced. Read more.
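The kind of check the audit describes can be run over captured traffic. The sketch below is an added example, not WebXray's tooling or data: the service names, cookie names, and captures are constructed, and treating a non-expiring cookie from a hypothetical `AD_COOKIE_NAMES` list as "tracking" is an assumption.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

AD_COOKIE_NAMES = {"ad_id", "trk"}  # hypothetical advertising cookie names

# Constructed captures: (service, request headers, Set-Cookie values in the response).
CAPTURES = [
    ("ads-a.example", {"sec-gpc": "1"}, ["ad_id=u-1001; Max-Age=31536000; Path=/"]),
    ("ads-a.example", {"Sec-GPC": "1"}, ["ad_id=u-1002; Max-Age=31536000"]),
    ("ads-a.example", {"Sec-GPC": "1"}, ["session=x; Path=/"]),
    ("ads-a.example", {}, ["ad_id=u-1003; Max-Age=31536000"]),  # baseline, no GPC
    ("ads-b.example", {"Sec-GPC": "1"}, ["ad_id=; Max-Age=0; Path=/"]),  # deletion
    ("ads-b.example", {"Sec-GPC": "1"}, []),
]

def gpc_sent(request_headers):
    """True if the request carried the opt-out signal (header names are case-insensitive)."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1"
               for k, v in request_headers.items())

def sets_ad_cookie(set_cookie_values):
    """True if any Set-Cookie value creates (rather than deletes) an advertising cookie."""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in AD_COOKIE_NAMES:
                continue
            deleting = morsel.value == "" or morsel["max-age"] in ("0", "-1")
            if not deleting:
                return True
    return False

def gpc_failure_rates(captures):
    """Per service: share of GPC-flagged requests answered with an advertising cookie."""
    seen, failed = defaultdict(int), defaultdict(int)
    for service, request_headers, set_cookies in captures:
        if not gpc_sent(request_headers):
            continue  # only requests that sent the opt-out count toward the rate
        seen[service] += 1
        if sets_ad_cookie(set_cookies):
            failed[service] += 1
    return {service: failed[service] / seen[service] for service in seen}

if __name__ == "__main__":
    for service, rate in sorted(gpc_failure_rates(CAPTURES).items()):
        print(f"{service}: {rate:.0%} of GPC requests still received an ad cookie")
```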
Fashion retailer exposes customers’ personal data
Express has fixed a website flaw that exposed customer order confirmation pages and allowed anyone to view other shoppers’ personal information. The bug revealed names, phone numbers, email addresses, billing and delivery addresses, order details, and partial payment card data, including card type and the last four digits. Security advocate Rey Bango discovered the issue while investigating a fraudulent purchase and found that Express order numbers were largely sequential, making it possible to cycle through other people’s orders. Express head of marketing Joe Berean said, “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.” However, he did not say whether Express will notify customers, disclose the lapse to regulators, or create a formal vulnerability disclosure channel. Read more.
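The flaw class described here, a page selected by a guessable order number with no ownership check, is shown below beside a hardened lookup. This is an added example, not Express's code or its fix: the order records, the key, and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; order numbers, fields, and the key are illustrative.
LINK_KEY = b"constructed-demo-key"
ORDERS = {
    100001: {"owner": "alice", "email": "alice@example.com", "card_last4": "4242"},
    100002: {"owner": "bob", "email": "bob@example.com", "card_last4": "1881"},
}

def confirmation_unsafe(order_no):
    """The flawed pattern: the order number alone selects the confirmation page."""
    return ORDERS.get(order_no)

def link_token(order_no):
    """Unguessable per-order token to embed in the emailed confirmation link."""
    return hmac.new(LINK_KEY, str(order_no).encode(), hashlib.sha256).hexdigest()

def confirmation(order_no, session_user=None, token=None):
    """Return the order only to its owner's session or to a holder of the valid token."""
    order = ORDERS.get(order_no)
    if order is None:
        return None
    if session_user is not None and session_user == order["owner"]:
        return order
    if token is not None and hmac.compare_digest(token, link_token(order_no)):
        return order
    # Same answer as "no such order", so sequential numbers reveal nothing.
    return None

if __name__ == "__main__":
    print("unsafe, any visitor:", confirmation_unsafe(100002))
    print("hardened, wrong user:", confirmation(100002, session_user="alice"))
    print("hardened, owner:", confirmation(100002, session_user="bob"))
```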
OpenAI launches GPT-5.4-Cyber for defensive work
OpenAI has expanded its Trusted Access for Cyber program and launched GPT-5.4-Cyber, a version of GPT-5.4 fine-tuned for cybersecurity use cases and designed to be more permissive for legitimate defensive work. The company said the model lowers refusal boundaries for vetted defenders while adding stronger identity verification to limit misuse, since cyber tools are inherently dual-use. OpenAI is releasing the model gradually to understand both benefits and risks better, and said top TAC tiers will be reserved for authenticated cybersecurity defenders. The move follows Anthropic’s own recent cyber initiatives and reflects what OpenAI described as steady gains in agentic coding. The company said integrating these capabilities into development workflows could help identify, validate, and fix security issues earlier during software creation. Read more.
Backdoors in WordPress plugins compromise thousands of websites
Multiple WordPress plugins from Essential Plugin were taken offline when a backdoor was found distributing malicious code to the sites running them. Anchor Hosting founder Austin Ginder said the compromise followed a change in ownership last year, with the malicious code lying dormant until it was activated earlier this month. The case highlights a familiar risk in open-source ecosystems, where trusted tools can become attack vectors after an acquisition, especially when users are not alerted to the ownership changes. The affected plugins had tens of thousands of active installations, giving the campaign a broad reach. While the plugins have now been permanently removed from WordPress’ directory, site owners still need to check their environments and uninstall any compromised extensions immediately. Read more.
Adobe patches actively exploited Acrobat and Reader zero-day
Adobe has issued an emergency update for Acrobat Reader and Acrobat to patch CVE-2026-34621, a zero-day flaw that has been exploited since at least December through malicious PDF files. The bug lets attackers bypass sandbox protections, call privileged JavaScript APIs, read arbitrary local files, and pull down more code, creating a path to code execution with no action beyond opening the document. Researcher Haifei Li discovered the issue after analyzing a suspicious sample that triggered EXPMON’s deeper Adobe Reader detections, while Gi7w0rm linked in-the-wild attacks to Russian-language oil-and-gas lures. Adobe first rated the flaw critical, then lowered it after changing the attack vector to local. There are no listed workarounds, so affected Windows and macOS users should update immediately. Read more.
Advocacy groups warn Meta over facial recognition risks in smart glasses
More than 70 civil rights groups, including the ACLU, EPIC, Fight for the Future, and Access Now, warned Meta CEO Mark Zuckerberg against adding facial recognition to the company’s smart glasses, arguing the feature would enable stalking, harassment, and abuse. In a letter, the coalition said the risks are too severe to be solved through safeguards or opt-out tools because bystanders would have no meaningful way to know they were being identified or to consent. The groups also want Meta to disclose any known misuse of its wearables and any discussions with federal agencies, including ICE. Their concerns were heightened by reports of an internal memo suggesting rollout during a distracted political moment. Meta said it does not currently offer such a product. Read more.
AI Security Institute says basic cybersecurity still matters despite Mythos
The U.K.’s AI Security Institute (AISI) said Anthropic’s Claude Mythos Preview marks another leap in offensive cyber capabilities, even if its real-world impact remains unclear. “In controlled evaluations where Mythos Preview was explicitly directed and given network access to do so, we observed that it could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously — tasks that would take human professionals days of work,” the AISI said. However, AISI stressed that its cyber range lacked active defenders, defensive tools, and consequences for noisy behavior. That means the institute cannot yet say whether Mythos could compromise well-defended systems. For now, it urged organizations to strengthen basic cyber hygiene, including patching, access controls, configuration, and logging, while also exploring AI to improve detection, investigation, and response. Read more.
FBI and Indonesian police dismantle W3LL phishing network
The FBI and Indonesian National Police dismantled infrastructure tied to the W3LL phishing operation, detained its alleged developer, identified as G.L, and seized domains linked to a scheme that stole credentials from thousands of victims and enabled more than $20 million in fraud. Sold for about $500, the off-the-shelf toolkit let criminals create fake login pages, primarily targeting Microsoft 365 accounts and using adversary-in-the-middle techniques to hijack session cookies and bypass multifactor authentication. Authorities said W3LL evolved into a full-service cybercrime platform, with the W3LL Store selling phishing kits, stolen credentials, remote desktop access, and other tools. The FBI said more than 17,000 victims worldwide were targeted from 2023 to 2024, while over 25,000 compromised accounts were sold between 2019 and 2023. Read more.
Booking.com says breach exposed reservation data
Booking.com confirmed that unauthorized parties accessed some users’ reservation data, exposing information tied to specific bookings and prompting immediate PIN resets for affected reservations. The company said impacted users were notified by email after it detected suspicious activity and contained the issue. Exposed data may include names, email addresses, postal addresses, phone numbers, and messages shared with property providers. Booking.com urged users to treat emails and phone calls with caution and said it will never ask for sensitive information or bank transfers. The lack of alerts inside the Booking.com app appears to have caused confusion among recipients. While Reddit users also reported scams involving accurate reservation details, it remains unclear whether those incidents are directly connected to the newly disclosed breach over the weekend. Read more.
All articles sponsored by NetworkTigers