A cybersecurity researcher has found a publicly accessible cloud repository holding 86,859 screenshots, private messages and personal documents apparently collected via stalkerware from a European celebrity’s phone. Jeremiah Fowler of Black Hills Information Security discovered the open, unprotected dataset and says the files — spanning mid‑2024 to mid‑2025 — included intimate photos, chat logs from Instagram, Facebook, TikTok and WhatsApp, invoices, partial payment details and phone numbers of the victim’s contacts. Fowler reported the exposure to the cloud host and local law enforcement; he did not name the victim or the hosting company. The repository’s name and characteristics point to Cocospy, an off‑the‑shelf spy app previously taken offline after earlier breaches. Researchers warn the incident shows the compounded danger of stalkerware: not only are primary victims surveilled, but the data collected can create secondary victims when insecure storage is breached. The researcher attempted to contact affected contacts and urged authorities and the host to secure the data.

The UK government’s Cyber Security Breaches Survey for 2025/26, published in late April 2026, found that 43% of businesses — around 612,000 firms — and 28% of charities (about 57,000) reported at least one cyber breach or attack in the past year. Incidence rates were higher among larger organisations (69% of large firms, 65% of medium firms) while micro businesses reported 42%. Phishing remained by far the most common and disruptive vector, affecting 38% of businesses and 25% of charities. Ransomware fell to 1% of respondents and impersonation attacks declined to 12%. The survey shows modest governance gains — board-level cybersecurity responsibility rose to 31% — but only 25% of businesses have formal incident response plans. Ministers and cybersecurity officials warned of heightened risks from offensive AI and potential state-linked activity; the cyber security minister has urged executives to adopt NCSC guidance, sign up for its Early Warning service, and consider the forthcoming Cyber Resilience Pledge aimed at senior leadership and supply-chain certification.

Two former U.S.-based cybersecurity professionals were each sentenced to four years in prison on April 30, 2026 for their roles in a string of BlackCat (ALPHV) ransomware attacks in 2023, the Department of Justice said. Ryan Clifford Goldberg, 40, formerly an incident response manager at Sygnia, and Kevin Tyler Martin, 36, a ransomware negotiator at DigitalMint, pleaded guilty in December 2025. Prosecutors say the pair conspired with Angelo John Martino III to deploy ALPHV/BlackCat and extort victims across the United States between April and December 2023, including a Florida medical firm, a Maryland pharmaceutical company, California engineering and medical practices, and a Virginia drone manufacturer. In one incident the trio extorted roughly $1.2–1.3 million in bitcoin, sharing a 20% fee with BlackCat administrators and splitting remaining proceeds among themselves; other attacks involved leaked patient data. Goldberg fled the country in June 2023 and was later arrested abroad and deported; Martin was arrested in October 2023 and released on bond before sentencing. Martino has pleaded guilty and faces a July sentencing. U.S. prosecutors and FBI officials highlighted the abuse of specialised cyber skills to commit and profit from ransomware.

OpenAI has launched Advanced Account Security (AAS), an opt-in, phishing-resistant protection tier for ChatGPT and Codex accounts announced April 30–May 1, 2026. AAS removes password and email/SMS recovery routes, requiring two passkeys, two FIDO2 hardware keys, or a combination; it shortens session lengths, issues login alerts, and automatically opts enrolled accounts out of model training. OpenAI partnered with Yubico to offer co-branded YubiKey bundles (YubiKey C NFC and YubiKey C Nano) at a discounted two-pack price to lower adoption barriers. The company says AAS targets high-risk users — journalists, political dissidents, researchers, elected officials — but is available to all tiers, including free users. Members of OpenAI’s Trusted Access for Cyber program must enable AAS or demonstrate equivalent phishing-resistant auth by June 1. AAS also carries a trade-off: if users lose registered keys and recovery material, OpenAI cannot restore account access, potentially making chat histories irretrievable. The rollout follows broader industry and OpenAI moves toward stronger account defenses amid rising credential theft and targeted phishing campaigns.

Security researchers and hosting providers warned on April 28–30, 2026 that a critical authentication bypass in cPanel and WebHost Manager (CVE-2026-41940) is being actively exploited in the wild. The flaw, rated 9.8 CVSS, affects all supported cPanel/WHM versions after 11.40 and WP Squared builds, and allows attackers to forge authenticated sessions via a CRLF injection and session-token manipulation to gain root-level access. Rapid7 scans indicate roughly 1.5 million cPanel instances exposed online, though the number of vulnerable systems is unknown. Evidence suggests exploitation began as early as February 23, and a public proof-of-concept and technical writeups have been released. cPanel published emergency patches across multiple version branches and supplied detection scripts; several major hosts (including Namecheap and HostGator) temporarily blocked cPanel ports and applied fixes. CISA added the CVE to its Known Exploited Vulnerabilities list. Recommended mitigations include immediate patching, restarting cPanel services, blocking ports 2083/2087/2095/2096, and running detection tools to hunt for indicators of compromise.

Google has released emergency patches to fix a maximum-severity (CVSS 10.0) remote code execution flaw in its Gemini command-line interface and the google-github-actions/run-gemini-cli workflow, warning that unpatched CI/CD pipelines processing untrusted inputs could be exploited. The vulnerability, disclosed by researchers Elad Meged of Novee Security and Dan Lisichkin of Pillar Security and detailed publicly on April 30, 2026, stemmed from Gemini CLI’s headless mode automatically trusting workspace folders and loading configuration and environment variables before sandboxing. An attacker could plant malicious config files via a pull request and achieve command execution on the host, exposing secrets, credentials and source code. Google patched @google/gemini-cli in versions 0.39.1 and 0.40.0-preview.3 and the GitHub Action in 0.1.22. The fix removes implicit workspace trust and tightens tool allowlisting (including changes to --yolo behavior). Operators who pinned versions or relied on previous permissive behavior should review workflows: defaulting to the newest CLI release may cause some pipelines to fail unless workflows are updated to explicitly trust folders or harden against untrusted inputs.