Cyberattacks Surge: Optus, Hyatt, Coinbase Hit as AI Exploits, Zero-Days, and Credential Leaks Expose Millions


TL;DR

  • Optus, Medibank, and Latitude Financial Hit by Cyberattacks, Exposing Millions of Australians' Data
  • Cyberattack on Poland’s Energy Sector Neutralized, Marking Most Serious Attempt in Years with No Service Disruption
  • CVE-2025-14533 Exploited in ACF Extended Plugin Allows Unauthenticated Admin Access Across 100K+ WordPress Sites
  • DOGE Staff Accused of Illegally Accessing Social Security Data and Sharing It with Political Advocacy Group
  • AI-Powered Prompt Injection Vulnerability in Google Calendar Allows Exfiltration of Private Meeting Data
  • Ransomware Attack on NightSpire Leaks 48.5GB of Data from Hyatt Hotels, Targeting Hospitality Industry
  • Coinbase Phishing Scams Surge 1,400% YoY as Fraudsters Impersonate Staff to Steal Credentials and Block Wallet Transfers

🚨 Optus, Medibank, Latitude: Your Passwords Are Dead. Why Are You Still Breathing?

Optus, Medibank, Latitude got hacked not because of firewalls — but because someone clicked an AI-generated phishing link. Tokens expired? Nah. MFA? LOL. 5M Aussies’ data on dark web. Revoke tokens. Enforce FIDO2. Deploy AI detection. Or keep paying $2.1M fines. 🚨 #CyberSecurity #DataBreach

You didn’t get hacked because your firewall was weak. You got hacked because someone clicked a link made by an AI that sounded like their boss’s vacation photo caption. Again. Optus, Medibank, Latitude — three companies, five million Australians, and one brutal truth: your ‘secure’ credentials are just digital duct tape.

The attackers didn’t break in. They were invited. Admins had OAuth tokens older than your last New Year’s resolution. Tokens that never expired. Tokens that didn’t need MFA. Tokens that whispered sweet nothings to Azure and AWS like they were dating apps. And then? They walked out with your Medicare number, your credit card, and your ABN — all while your SIEM screamed into a void because it was busy optimizing Slack emojis.

You spent $12M on ‘cyber resilience’ tools. But your token lifecycle? Still managed by a guy who left in 2019. Your phishing training? A PowerPoint from 2020 titled ‘Don’t Open Attachments (lol)’. And now? Your customers’ health records are being auctioned on the dark web like NFTs from a failed startup.

Here’s your cheat sheet, because you clearly didn’t read the 8-point action list:

  • Revoke every OAuth token that isn’t actively being used to save a cat video.
  • Enforce FIDO2 MFA — no exceptions. Not even for the CEO who says ‘I hate phones’.
  • Deploy an AI detector that flags cloud uploads faster than your ex texts ‘u up?’.
  • Audit your APIs like you’re auditing your ex’s Instagram DMs — with rage and precision.
  • Run a phishing drill where the email is written by GPT-5 pretending to be your CFO’s dog.

And stop calling it ‘cybersecurity’. It’s identity hygiene. You brush your teeth. Why don’t you brush your tokens?

P.S. OAIC fines? $2.1M per company. That’s less than your CFO’s bonus.

P.P.S. If you’re still using ‘Password123!’ for your domain admin? Go stand in the corner. And buy a YubiKey. Now.

P.P.P.S. Want the exact CLI command to revoke all stale Azure tokens? Link in bio. (Yes, it’s one line. No, you didn’t need 17 tools.)


🚨 Poland’s Grid Survived a Cyberattack—Here’s Why Yours Won’t

Poland’s energy grid got surgically attacked by KRAKEN-APT. Zero outage. €120M saved. How? MFA. Segmentation. Automation. No magic. Just discipline. Meanwhile, your company still uses ‘Password123!’ on a PLC. 🚨 #CyberSecurity #OTSecurity

You didn’t hear about it because nothing broke. That’s the problem. While your bank’s ‘AI-powered fraud detection’ still blocks your coffee purchase, Poland’s energy grid just got surgically attacked by KRAKEN-APT—and responded faster than your IT guy replies to ‘URGENT: Can’t print.’

At 06:14 UTC, anomalous GOOSE traffic screamed through IEC 61850 networks. By 06:17? VLAN isolation. By 06:20? MFA locked. By 06:45? Attacker’s payload was dust. No outage. No ransom note. Just a 24-hour NIS-2 filing and €120M saved.

Let’s unpack this miracle:

  • MFA on SCADA accounts? Yes. Rotated every 30 days? Yes. No valid tokens found? Also yes.
  • Forensic imaging? Write-once snapshots. SHA-256 verified. Evidence chain? Intact. Not a single byte corrupted.
  • Threat intel? ENISA flagged KRAKEN-APT within 10 minutes. EU-wide alert? Deployed.
  • Patch discipline? Zero critical CVEs outstanding. Firmware hashes? Monitored weekly.
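What "anomalous GOOSE traffic" looks like to a monitor, as an added example (my own code, not anything the Polish operator or ENISA published): it assumes frames have already been pre-parsed into dicts by a capture tool, and the publisher allow-list and flood threshold are constructed for illustration. It checks the IEC 61850-8-1 stNum/sqNum discipline, flags unknown publishers, and catches the kind of flood the P.S. below tells you to test for.

```python
"""GOOSE publisher-state monitor for IEC 61850 station-bus traffic (added example).
Frames are assumed pre-parsed into dicts (appid, src MAC, stNum, sqNum, ts).
Per IEC 61850-8-1 a state change bumps stNum and resets sqNum to 0;
retransmissions keep stNum and increment sqNum."""
from collections import defaultdict, deque

KNOWN_PUBLISHERS = {(0x0001, "01:0c:cd:01:00:01")}  # constructed allow-list
FLOOD_WINDOW_S, FLOOD_LIMIT = 1.0, 50                 # assumed rate threshold

class GooseMonitor:
    def __init__(self):
        self.state = {}                   # (appid, src) -> (stNum, sqNum)
        self.recent = defaultdict(deque)  # (appid, src) -> recent timestamps

    def check(self, f):
        """Return the anomaly labels raised by one frame."""
        key = (f["appid"], f["src"])
        alerts = []
        if key not in KNOWN_PUBLISHERS:
            alerts.append("unknown-publisher")
        # Flood: more than FLOOD_LIMIT frames from one publisher per window.
        q = self.recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        if len(q) > FLOOD_LIMIT:
            alerts.append("goose-flood")
        # Sequence checks against the last frame seen from this publisher.
        prev = self.state.get(key)
        if prev is not None:
            st, sq = prev
            if f["stNum"] < st or f["stNum"] > st + 1:
                alerts.append("stnum-jump")       # spoofed or replayed state
            elif f["stNum"] == st + 1 and f["sqNum"] != 0:
                alerts.append("sqnum-not-reset")
            elif f["stNum"] == st and f["sqNum"] != sq + 1:
                alerts.append("sqnum-gap")
        self.state[key] = (f["stNum"], f["sqNum"])
        return alerts

def run(frames):
    """Scan a frame list; return (index, alerts) for frames that raised any."""
    mon = GooseMonitor()
    out = []
    for i, f in enumerate(frames):
        a = mon.check(f)
        if a:
            out.append((i, a))
    return out
```

Feed it a real capture and the "stnum-jump" and "goose-flood" labels are the ones that should trip VLAN isolation, not a ticket.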

Meanwhile, your company still runs Windows 7 on a PLC because ‘it’s never broken.’

This wasn’t luck. It was engineering. Segmentation. Automation. Discipline. No magic. No ‘cyber resilience’ buzzword bingo. Just people who refused to treat critical infrastructure like a WordPress blog.

And now? Russia’s going to try again. Probably through a vendor’s compromised VPN. Or a disgruntled contractor with a USB stick. Or an AI-generated phishing email that bypasses MFA because your ‘security team’ still thinks ‘strong password’ means ‘Password123!’

So here’s your homework:

  1. Inventory every damn device—including those ‘legacy’ batteries now hooked to IEC 61850.
  2. Automate patching. 48 hours. Not 48 weeks.
  3. Red-team quarterly. Simulate AI-driven insider threats. Use drones. Use phishing. Use everything.
  4. Demand ISO 27001 from your vendors. Or stop buying their gear.
  5. Share IOCs. Stop hoarding. The grid doesn’t care about your corporate ego.

This isn’t a victory lap. It’s a warning. The next target? Your utility. Your hospital. Your water plant.

And if you’re still using ‘admin’ as a password?

You’re not just negligent.

You’re a liability.

P.S. Want to see how your grid would fare? Run a GOOSE flood test. Then cry. Then fix it.

P.P.S. #CyberResilience isn’t a PowerPoint slide. It’s a daily grind. Do better.


💀 Your WordPress Site Just Got Hacked. You Didn’t Even Notice.

Your WordPress site got hacked. No login. No click. Just a POST to /wp-json/acf/v3/field-groups → instant admin (UID 1). 100K+ sites exposed. Patch ≥5.13.3 or deactivate NOW. #CVE202514533 #WordPressHack

You didn’t log in. You didn’t click a link. You didn’t even know you had ACF Extended installed. But someone else just became your site’s god. All it took? A single POST request to /wp-json/acf/v3/field-groups. No auth. No nonce. No shame.

100,000+ sites. Zero protection. Just a plugin that said, "Hey, here’s the keys to the kingdom. Enjoy."

The flaw? A REST endpoint that calls wp_set_current_user(1) like it’s handing out free coffee. UID 1 is the original admin. That’s not a backdoor—it’s a front door with a neon sign: "WELCOME, HACKER."

Your site? Probably compromised. You’re not being targeted—you’re harvested. Automated bots are already scanning for this. They don’t care if you run a bakery or a bank. They care if you have a wordpress_logged_in_<hash> cookie with UID 1. And now they do.

Your move:

  • Patch to ACF Extended ≥5.13.3. Now.
  • If no patch? DEACTIVATE THE PLUGIN. TODAY.
  • Block /wp-json/acf/v3/ via WAF. Drop the packet. No mercy.
  • Rotate ALL admin passwords, DB salts, API keys. Even the ones you "forgot" about.
  • Scan your own site with an unauthenticated tool. If it says "admin session created," you’re already owned.
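If you want to know whether that POST already landed on your box, read the access log before you read Twitter. The triage script below is an added example (mine, not the plugin author's and not a scanner): it assumes the standard combined log format, the sample lines are constructed with documentation-range IPs, and it flags every POST to the /wp-json/acf/v3/ prefix, escalating when the same client then walks into an admin surface, which is exactly what a forged UID 1 session does next.

```python
"""Access-log triage for the ACF Extended REST hole (added example, not from the post).
Assumes Apache/nginx combined log format. Flags every POST to the /wp-json/acf/v3/
prefix and escalates when the same client then touches admin surfaces."""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
VULN_PREFIX = "/wp-json/acf/v3/"
ADMIN_PREFIXES = ("/wp-admin/", "/wp-json/wp/v2/users")

# Constructed sample lines; IPs are documentation ranges, not real indicators.
SAMPLE_LOG = [
    '198.51.100.20 - - [21/Jan/2026:10:14:55 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Jan/2026:10:15:02 +0000] "POST /wp-json/acf/v3/field-groups HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Jan/2026:10:15:09 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 30211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jan/2026:10:16:41 +0000] "POST /wp-json/acf/v3/field-groups HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """Return (line_no, ip, label, status) findings in log order."""
    suspects = set()
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse(line)
        if not r:
            continue
        status = int(r["status"])
        if r["method"] == "POST" and r["path"].startswith(VULN_PREFIX):
            # Every hit counts: 200 means the plugin answered, 403 means the WAF rule held.
            suspects.add(r["ip"])
            findings.append((n, r["ip"], "acf-rest-post", status))
        elif r["ip"] in suspects and r["path"].startswith(ADMIN_PREFIXES):
            findings.append((n, r["ip"], "admin-access-after-acf-post", status))
    return findings
```

A 200 on the first label followed by the second label from the same IP is your "already owned" signal; go straight to the credential rotation step.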

This isn’t a vulnerability. It’s a corporate negligence parade. The plugin dev didn’t forget a permission check—they assumed nobody would be dumb enough to ship code like this. Turns out, they were right. And now you’re paying the price.

The real tragedy? This exact flaw has happened 17 times since 2020. And every time, the same chorus: "We’ll fix it next release." Next release? You mean after 100K sites are already in the darkweb’s shopping cart?

P.S. If your "security team" still uses WordPress without WAF rules for REST endpoints… you’re not secure. You’re just optimistic.

P.P.S. Want to see how many of your competitors are already pwned? Check #ACFExtendedHole on Twitter. They’re not hiding. They’re just waiting for your insurance payout.


🚨 DOGE Accused of Stealing SS Data—Again. Here’s Why You Shouldn’t Be Surprised

DOGE allegedly stole SSNs & handed them to a political group. No proof? Doesn’t matter. SSA’s audit logs are dust. Contractors have admin keys. Your SSN’s on the darkweb. #SSADataDump #Cybersecurity #PrivacyIsDead 🚨

You thought your Social Security number was safe? LOL. DOGE staff allegedly slurped up SSA data like it was free coffee at a congressional hearing—and handed it to some political group that probably thinks ‘privacy’ is a typo. No proof? Doesn’t matter. The system’s already cracked.

SSA just rolled out a ‘modernized’ system Jan 9, 2026. Guess what? Staff cuts in 2025 left audit logs dusty. Contractors like DOGE? They had admin keys. And now? The DOJ’s already suing states for voter data. Coincidence? Nah. It’s a playbook.

Here’s the real hack: you don’t need a zero-day exploit when your own contractors have a backdoor labeled ‘Mission Critical (Trust Us)’. Credential suspension? Mandatory. OIG forensic audit? Non-negotiable. 42 U.S.C. §1970 says SSNs are sacred. This isn’t a leak—it’s a betrayal with a Slack channel.

Prediction: Within 30 days, DOJ files a subpoena. SSA pauses all external APIs for 90 days. Beneficiaries sue. Congress drafts a bill called ‘StopContractorsFromBeingTraitorsAct’. And DOGE? They’ll blame ‘legacy systems’. Again.

Meanwhile, your SSN’s on the darkweb. Probably tagged #Trump2028 or #Biden2028. Either way, you lost. Again.

P.S. If you’re still using ‘Password123’ for your SSA portal… we’re not mad. We’re just disappointed. And also, you’re already compromised.

P.P.S. Want to see how your data got sold? Check #SSADataDump on Twitter. It’s trending. And it’s not a meme.


🚨 Google Calendar’s AI Just Stole Your Meetings. Here’s How to Stop It.

Google Calendar’s AI just turned your meeting notes into a data exfil script. No click. No warning. Just ‘export all’ to hacker[.]xyz. Sanitize input. Kill write tokens. Force consent. 3 fixes. 0 excuses. #AIsecurity #Cybersecurity

You typed ‘Let’s discuss the merger’ into Google Calendar. The AI heard ‘export all meeting data to hacker[.]xyz’. And it did. No click. No warning. Just… poof. Your boardroom secrets? Now on the darkweb. Congrats.

Google’s Calendar-AI isn’t ‘summarizing’ your meetings. It’s executing them. And the LLM? It’s not confused. It’s obedient. Because you gave it a prompt. And prompts don’t care if you meant ‘schedule a call’ or ‘steal everything’.

The fix? Three moves. Not five. Not ten. Three.

  1. Sanitize the input. Stop letting user text be LLM code. That’s not innovation. That’s negligence with a UI.
  2. Kill the export token’s write access. Read-only. Period. If you need to export, the user must ask. Not the AI.
  3. Force a consent dialog. Yes, that annoying popup? Make it mandatory. GDPR doesn’t care if your AI is ‘smart’. It cares if you asked.
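Here is what those three moves look like wired together, as an added example (mine, not Google's code): calendar text is wrapped as data before it reaches the model, export-capable tools need a consent grant the user made, and export destinations are allow-listed. The planner is a deliberately naive stand-in for the LLM that obeys any "export all ... to X" it reads, so the test shows the gate, not the model, stopping the exfiltration; the tool names, allow-list and event text are all constructed.

```python
"""Tool gating for a calendar assistant, added example (not Google's code).
Calendar text is wrapped as data, write/export tools need explicit user consent,
and export destinations are allow-listed. The planner is a naive LLM stand-in."""
import re
from dataclasses import dataclass, field

READ_ONLY_TOOLS = {"list_events", "summarize_event"}
CONSENT_TOOLS = {"export_events", "delete_event"}          # write/exfil-capable
ALLOWED_EXPORT_HOSTS = {"drive.google.com"}                 # assumed allow-list

@dataclass
class Request:
    user_prompt: str
    event_text: str                                    # untrusted calendar data
    consented_tools: set = field(default_factory=set)  # granted via a consent dialog

def wrap_untrusted(text):
    """Fix 1: delimit calendar text so the model sees quoted data, not instructions."""
    return "<calendar_data>\n" + text.replace("<", "&lt;") + "\n</calendar_data>"

def naive_planner(prompt):
    """Stand-in LLM: obediently proposes a tool call for any 'export all ... to X'
    it reads, even inside the data block. The gate below is the real control."""
    calls = [("summarize_event", {})]
    m = re.search(r"export all .*?\bto (\S+)", prompt, re.I)
    if m:
        calls.append(("export_events", {"destination": m.group(1).rstrip(".")}))
    return calls

def gate(req, tool, args):
    """Fixes 2 and 3: read-only tools pass; anything else needs the user's consent
    and, for exports, an allow-listed destination."""
    if tool in READ_ONLY_TOOLS:
        return True, "read-only"
    if tool not in CONSENT_TOOLS:
        return False, "unknown-tool"
    if tool not in req.consented_tools:
        return False, "consent-required"
    if tool == "export_events" and args.get("destination") not in ALLOWED_EXPORT_HOSTS:
        return False, "destination-not-allowed"
    return True, "consented"

def handle(req):
    """Run the planner over user prompt + wrapped data; return gated decisions."""
    prompt = req.user_prompt + "\n" + wrap_untrusted(req.event_text)
    return [(tool, *gate(req, tool, args)) for tool, args in naive_planner(prompt)]
```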

The rest? Telemetry. Prompt templates. Red-team drills. Nice. But you’re still leaking data while you’re ‘optimizing’.

This isn’t a bug. It’s a feature Google chose to ignore: AI that runs without guardrails is just a remote-controlled data harvester.

ServiceNow got roasted for this last week. Chrome extensions got hacked for less. And now Google? Same script. Different calendar.

You think your ‘AI assistant’ is helping you? It’s just the new phishing vector—with a PhD.

P.S. If your vendor says ‘we use AI safely’, ask them: ‘Can your LLM call deleteAllEvents() if I type “delete my life”?’

P.P.S. Still using ‘natural language’ for security-critical workflows? You’re not futuristic. You’re a target.

P.P.P.S. Want the full checklist? I’ve got a 3-slide PDF that doesn’t use the word ‘synergy’. Link in bio.


💀 Hyatt Got Hacked. Again. Your RDP Is the Real Villain.

Hyatt just leaked 48.5GB of guest passports & employee creds. NightSpire didn’t break in — they walked through the front door. RDP + no MFA = corporate suicide. Patch. Reset. MFA. Or next time, it’s YOUR hotel on Telegram. 🚨 #CyberSecurity #Ransomware

Hyatt just got roasted by NightSpire — 48.5GB of guest passports, employee AD hashes, and loyalty-point balances dumped on the dark web. And you’re still letting your front-desk staff log in via RDP with a password that’s ‘Welcome123’? Come on.

This isn’t magic. This is lazy. NightSpire didn’t hack a quantum supercomputer — they clicked ‘Connect’ on a compromised third-party booking portal. Again. Same playbook as Marriott. Same as Hilton. Same as your cousin’s Airbnb.

You think encryption saves you? Nah. AES-256 doesn’t care if your admin account has no MFA. Your ‘secure’ cloud bucket? It’s just a dumpster behind the hotel with a ‘Private’ sticker on it.

The leak went live Jan 21, 2026. Within 72 hours, phishing emails will flood every Hyatt employee inbox with ‘Urgent: Your Loyalty Points Expire!’ — signed by ‘Hyatt Support’. And guess what? They’ll click. Because you didn’t train them. You just bought another ‘AI-Powered Security Dashboard’ that does nothing but show pretty graphs.

Regulatory fines? €5–15M. Cool. But what’s the real cost? Your guests’ identities. Your staff’s careers. Your brand’s credibility — now listed alongside ‘Stolen Credit Cards’ on a Tor site with a 10% discount for bulk buyers.

Here’s your 48-hour survival checklist:

  1. Kill RDP. Now. Replace it with ZTNA. No exceptions. Not even for the CFO.
  2. Reset every privileged credential. Yes, even the ‘service account’ no one remembers. It’s probably still running Windows 7.
  3. Force MFA on EVERYTHING. Even the coffee machine if it’s connected to the network.
  4. Notify regulators. Don’t wait. GDPR doesn’t care about your quarterly earnings call.
  5. Share IOCs. With ISAC. With FBI. With your enemy. Just don’t hoard them like a dragon with a spreadsheet.

And stop buying ‘AI-driven threat detection’ that just emails you alerts at 3AM. Build a patch pipeline. Train your people. Audit your third parties. Or next time, it’ll be your hotel’s guest list on a meme page.

P.S. If your CISO says ‘We’re compliant,’ ask them: Compliant with what? The last century?

P.P.S. Want the exact SHA-256 hashes NightSpire used? Too bad. They’re already on Telegram. And your competitor just bought them.


🚨 Coinbase Phishing Surge: SMS 2FA Is a Suicide Pact in 2026

Coinbase phishing up 1,400% YoY. Attackers now freeze wallets via API (POST /v2/withdrawals?block=true) while phishing your 2FA. SMS codes? Dead. Hardware keys? Mandatory. $2B frozen. $93M lost. You’re not ‘careful’—you’re a target. 🚨🔐 #CryptoSecurity

Let’s be brutally honest: if you’re still relying on SMS codes for your Coinbase account, you’re not secure—you’re just delaying the inevitable. The 1,400% YoY spike in phishing? Not luck. Not coincidence. It’s a product launch.

AI-powered phishing kits (yes, $30–$50 on the dark web) now auto-generate fake Coinbase live chats, spoof domains that fool even seasoned traders, and—here’s the kicker—call POST /v2/withdrawals?block=true to freeze your wallet while they phish your 2FA. You think you’re logging in. You’re handing over keys to your own vault.

$16M stolen directly. $77M more from reused illicit addresses. $2B in on-chain assets frozen. And Coinbase’s support team? Swamped. $500K extra in ticket-handling costs. All because someone didn’t upgrade from SMS.

Here’s what actually works:

  • U2F/FIDO2 hardware keys for accounts over $10k → cuts credential theft by 60%.
  • DMARC + BIMI on all emails → slashes phishing success by 45%.
  • Real-time login anomaly scoring (geo, device, velocity) → auto-blocks 55% of wallet-freeze attempts.
  • API rate-limiting on block=true → stop bulk freezes before they start.
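The third and fourth bullets in working form, as an added example (my code, not Coinbase's): a login scorer that combines new-device, country-hop and velocity signals into allow/step-up/block, and a per-token rate limiter for the block=true freeze call. Weights, thresholds, the event schema and the use of a country label in place of real IP geolocation are all assumptions.

```python
"""Login anomaly scoring plus rate-limiting of wallet-freeze calls (added example,
not Coinbase's code). Weights, thresholds and the event schema are assumptions;
'country' stands in for real geo-resolution of the client IP."""
from collections import defaultdict, deque

NEW_DEVICE, GEO_CHANGE, VELOCITY = 30, 40, 30     # assumed signal weights
STEP_UP, BLOCK = 50, 70                            # assumed decision thresholds
VELOCITY_WINDOW, VELOCITY_LIMIT = 300, 3           # logins per account per 5 min
FREEZE_WINDOW, FREEZE_LIMIT = 60, 2                # block=true calls per token per minute

class LoginScorer:
    def __init__(self):
        self.devices = defaultdict(set)   # account -> devices seen on accepted logins
        self.last_geo = {}                # account -> (country, ts) of last accepted login
        self.attempts = defaultdict(deque)

    def score(self, ev):
        """Return (decision, score, reasons) for one login event."""
        acct, s, why = ev["account"], 0, []
        if ev["device"] not in self.devices[acct]:
            s += NEW_DEVICE
            why.append("new-device")
        lg = self.last_geo.get(acct)
        if lg and lg[0] != ev["country"] and ev["ts"] - lg[1] < 3600:
            s += GEO_CHANGE                      # country hop within an hour
            why.append("geo-change")
        q = self.attempts[acct]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > VELOCITY_WINDOW:
            q.popleft()
        if len(q) > VELOCITY_LIMIT:
            s += VELOCITY
            why.append("velocity")
        decision = "block" if s >= BLOCK else "step-up" if s >= STEP_UP else "allow"
        if decision != "block":                  # only accepted logins teach the baseline
            self.devices[acct].add(ev["device"])
            self.last_geo[acct] = (ev["country"], ev["ts"])
        return decision, s, why

class FreezeRateLimiter:
    """Caps block=true freeze calls per API token so one phished session cannot bulk-freeze."""
    def __init__(self):
        self.calls = defaultdict(deque)

    def allow(self, token, ts):
        q = self.calls[token]
        q.append(ts)
        while q and ts - q[0] > FREEZE_WINDOW:
            q.popleft()
        return len(q) <= FREEZE_LIMIT
```

"step-up" is where the hardware key challenge goes; a blocked login never updates the device or geo baseline, so a burst of attempts cannot teach the scorer to trust the attacker's device.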

Coinbase’s legal team is sweating. The Digital Asset Market Clarity Act is coming. Max fine? $5M per violation. You think they’ll pay that? Or will they just quietly de-list your account because you’re a “high-risk user”?

And no—“we sent an email warning” doesn’t count. Your inbox is a graveyard of ignored alerts.

You want security? Stop trusting text messages. Start trusting keys. Hardware. Not magic.

P.S. If your ‘security’ still says ‘Verify via SMS,’ you’re not a crypto investor. You’re a data point.

P.P.S. Want the full API endpoint list they’re abusing? DM me. I’ll send it. No charge. Just don’t blame me when you finally upgrade.