March 23, 2026

Cybersecurity news weekly roundup March 23, 2026

San Mateo, CA, March 23, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Researchers at Jscrambler say Meta and TikTok tracking pixels are collecting more user data than most people or advertisers realize, potentially even before visitors consent to tracking or explicitly opt out. According to the report, the pixels can capture names, email addresses, phone numbers, location details, shopping behavior, cart values, and even partial credit card information when users visit advertisers’ websites after clicking social media ads. Jscrambler argues this behavior makes the pixels function more like infostealers than analytics tools, raising potential GDPR and CCPA concerns for both the platforms and the companies that deploy them. Meta dismissed the findings as misleading, while TikTok said advertisers control what data is sent. “The main difference between pixel scripts and ‘real’ infostealers is that pixel scripts have a privacy policy and some configuration settings, so the description isn’t far off,” says Jscrambler head of security research Gareth Bowker. Read more.

Claude flaw turns chat sessions into data exfiltration paths

Researchers disclosed a chained Claude.ai attack dubbed Claudy Day, showing how a default chat session could be turned into a silent data-exfiltration path without tools, integrations, or MCP configuration. The chain combined invisible prompt injection through pre-filled URL parameters, abuse of Anthropic’s Files API, and an open redirect on claude.com. In practice, an attacker could hide instructions inside what appeared to be a normal shared prompt, direct Claude to search the conversation history for sensitive information, package that data into a file, and upload it to an attacker-controlled Anthropic account. Researchers said the same technique could be used to profile users or extract high-value business, medical, or personal content. Anthropic patched the main prompt injection flaw, while researchers urged tighter permissions, audits, and user education. Read more.

FBI resumes buying location data to track citizens

FBI Director Kash Patel told lawmakers Wednesday that the bureau has resumed buying commercially available Americans’ data, including location histories, for federal investigations, reviving a controversial surveillance practice the agency last distanced itself from in 2023. Patel said the FBI uses purchased data in ways consistent with the Constitution and the Electronic Communications Privacy Act, arguing it has produced valuable intelligence. Senator Ron Wyden blasted the practice as an “outrageous end-run around the Fourth Amendment” because agencies can obtain location information from brokers without first getting a warrant. The data often originates from phone apps, games, and advertising technology that feeds the data broker ecosystem. Wyden and other lawmakers have introduced bipartisan legislation requiring federal agencies to obtain a warrant before purchasing Americans’ data. Read more.

DarkSword iPhone exploit used for spying and theft

A newly disclosed iOS exploit chain dubbed DarkSword shows how advanced mobile intrusion tooling is no longer confined to classic espionage use. According to research by Google, iVerify, and Lookout, the campaign targeted iPhones running iOS 18.4 through 18.7. It relied on multiple zero-day flaws to achieve remote code execution, sandbox escape, kernel privilege escalation, and rapid data theft before removing itself from infected devices. Google linked the activity to commercial surveillance vendors and suspected state-backed actors targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025. Researchers said DarkSword also includes capabilities for cryptocurrency theft, underscoring its dual use for spying and financial crime. Although Apple has patched the bugs, iVerify estimates that more than 200 million users worldwide remain exposed today because their devices have not yet been updated. Read more.

Perseus malware targets note apps to steal sensitive data

ThreatFabric has identified Perseus, a new Android malware family actively used for device takeover and financial fraud, highlighting how older banking trojans keep evolving rather than disappearing. Built on Cerberus and Phoenix code, Perseus spreads through phishing sites and IPTV-themed sideloaded apps, with campaigns focused on Turkey and Italy but also hitting Poland, Germany, France, the U.A.E., and Portugal. It first scores the device environment to decide whether theft is worth the risk. Once installed, it can steal credentials via overlays and keylogging, monitor note-taking apps for sensitive financial information, stream the victim’s screen, automate taps, black out the display, and help operators approve fraudulent transactions remotely. Researchers also found anti-analysis checks and signs that the developers may have used an LLM to speed up coding. “Its capabilities, which range from Accessibility-based remote control and overlay attacks to note monitoring, show a clear focus on maximizing both interaction with the device and the value of the data collected. This balance between inherited functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development,” said ThreatFabric. Read more.

CISA warns on Intune after attackers wipe 80,000 devices

CISA is warning U.S. organizations to harden Microsoft Intune and other endpoint management platforms after attackers used Intune’s built-in wipe function to devastate medical technology giant Stryker. According to reporting cited by the agency, the March 11 attack began after hackers compromised an administrator account, created a new Global Administrator account, stole 50 terabytes of data, and then wiped nearly 80,000 devices. CISA said organizations should apply Microsoft’s guidance, including least-privilege role assignments, MFA enforcement, Entra ID conditional access controls, and multi-admin approval for high-risk actions such as device wipes, app updates, and RBAC changes. The incident was claimed by Handala, an Iranian-linked hacktivist group previously associated with destructive attacks, data theft, and leaks targeting Israeli organizations, including earlier use of Windows and Linux wiper malware. Read more.

Attackers outpace defenders in AI-driven cyber operations

Booz Allen Hamilton warned that cybersecurity has entered a new phase in which attackers are using artificial intelligence to move at machine speed while most defenders still rely on slower, human-centered processes. The firm said threat actors have adopted AI faster than governments and private companies have adopted it for defense, allowing them to identify obscure weaknesses, exploit them quickly, and scale operations across many targets at once. The report described AI as both an amplifier for human-led hacking and an orchestration layer for automated offensive tooling. It argued that patching timelines and traditional response models are increasingly inadequate, while automated defenses carry real operational risk. “I think that we’re going to be forced to kind of move outside of our comfort zone and really embrace some of this more automated remediation much faster than we’re probably comfortable with,” said Brad Medairy, executive vice president and lead for Booz Allen’s National Cyber Business. Read more.

API attacks surge as abuse overtakes traditional exploits

Akamai said APIs have become the dominant attack surface for enterprises, with 87% of organizations reporting an API-related security incident in 2025, and the average number of attacks per company rising 113% year over year. The report found that attackers are shifting from traditional web exploitation to behavior-based abuse, as unauthorized workflows and abnormal activity accounted for 61% of incidents, up from 30% in 2024. Security misconfigurations, broken object property-level authorization, and broken authentication were the most exploited weaknesses. Akamai also warned that agentic AI is expanding API risk by increasing the exposure of sensitive data across connected systems. As Patrick Sullivan put it, automation and AI are making sophisticated API attacks “cheap, repeatable, and fast,” raising both security and infrastructure cost concerns for defenders. Read more.

Fake delivery scams surge with global e-commerce growth

Fake shipment tracking scams are scaling fast as threat actors exploit the 161 billion parcels moving through global e-commerce each year, according to Group-IB. Researchers said activity surged in 2025 from almost nothing in 2024 to more than 100 fake tracking campaigns per month, with peaks of 218 in June and 208 in December. The scams typically begin with phishing domains and SMS messages claiming failed deliveries, then use spoofed sender IDs, anonymous numbers, and masked URLs to push victims toward fake mobile pages that request address updates, fees, personal data, and payment information. Group-IB said many of the sites share infrastructure linked to Darcula, a Chinese-language phishing-as-a-service platform offering more than 20,000 spoofed domains and 200 templates used in over 100 countries worldwide. Read more.

Meta drops end-to-end encryption plans for Instagram

Meta will end support for end-to-end encryption in Instagram direct messages after May 8, 2026, pulling back from a privacy vision it once promoted across its apps. The feature was never widely available and never turned on by default, so Meta says low adoption justified its removal. Experts attribute that low adoption to the fact that encryption on Instagram was treated as an optional extra rather than a standard safeguard, making it easy for users to skip and for Meta to cancel. Meta is now pushing people toward WhatsApp for encrypted messaging while leaving Messenger’s status unclear for the time being. The decision comes as child safety advocates and law enforcement argue that stronger privacy makes it harder to detect predators and investigate abuse on platforms at scale. Read more.


About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
