Latest Cybersecurity Threats

Real-time threat intelligence from trusted sources

Booking.com has reported a data breach involving unauthorized access to its systems, which has compromised sensitive reservation and user data. The company is urging affected users to reset their reservation PINs as a precautionary measure. This incident raises significant concerns for travelers who use the booking platform, as the exposed data could potentially be used for fraudulent activities. Booking.com has not disclosed the exact number of users affected or the specific data that was accessed, but the breach underscores the ongoing risks associated with online booking systems. Users are advised to monitor their accounts for any suspicious activity and to take steps to secure their information.

Impact: Booking.com user accounts and reservation data
Remediation: Users are advised to reset their reservation PINs.

Anthropic has introduced a new AI model called Claude Mythos Preview, which has raised concerns in the cybersecurity community due to its potential for cyberattack capabilities. To mitigate these risks, Anthropic is not releasing the model to the public and has initiated Project Glasswing. This project aims to test the model against a variety of software—both public and proprietary—to identify and fix vulnerabilities before they can be exploited by malicious actors. The focus on preemptively addressing weaknesses highlights the growing intersection of AI technology and cybersecurity. As AI models become more advanced, the potential for misuse increases, making it crucial for companies to stay ahead of potential threats.

Impact: Claude Mythos Preview, public domain software, proprietary software
Remediation: Identify and patch vulnerabilities in software tested against the model

Security researchers have identified a new Android banking trojan called Mirax, which is targeting users across Europe. The malware is offered under a Malware-as-a-Service (MaaS) model; once on a device, it gives cybercriminals remote access and turns the affected smartphone into a residential proxy node. Attackers can then route their malicious activities through the compromised devices, making it harder to trace their actions back to them. This poses a significant risk to users, whose personal data and banking information could be exposed. The emergence of Mirax highlights ongoing vulnerabilities in mobile security and the need for users to remain vigilant against such threats.

Impact: Android devices
Remediation: Users should ensure their devices are protected with up-to-date security software, avoid downloading apps from untrusted sources, and regularly monitor their bank accounts for suspicious activity.

Booking.com has reported that hackers gained access to user information, although the company has not disclosed how many customers were affected. They have stated that the situation has been contained, but specifics about the type of data compromised remain unclear. This incident raises concerns for users who may have shared sensitive booking details on the platform. Protecting user data is crucial for maintaining trust in online services, especially in industries like travel where personal information is frequently exchanged. Booking.com will likely need to assess its security measures to prevent future breaches and reassure customers about their data safety.

Impact: Booking.com user accounts and associated booking information
Remediation: N/A

A new infostealer called 'Storm' has emerged, capable of hijacking user sessions by decrypting data on the server side rather than locally. This technique allows attackers to bypass traditional security measures like passwords and multi-factor authentication (MFA). Researchers from Varonis have demonstrated how the infostealer sends sensitive browser data directly to the attackers' servers, raising significant concerns about user privacy and account security. The implications are serious, as organizations relying on standard security protocols may find themselves vulnerable to these sophisticated attacks. Companies should be vigilant and assess their security measures to protect against this evolving threat.

Impact: Web browsers and online accounts that rely on session management and MFA.
Remediation: Implement enhanced security measures such as stronger session management, continuous monitoring of user sessions, and consider additional layers of authentication beyond MFA.

Recent allegations suggest that Microsoft is engaging in corporate espionage through its LinkedIn browser extension, raising concerns about user privacy. However, security researchers are analyzing these claims and have found mixed results regarding the extent of data collection by the extension. While some users are worried about their information being tracked or misused, the research indicates that the data collection practices may not be as invasive as initially claimed. This debate over LinkedIn's data handling practices is crucial as it could impact user trust and privacy standards across similar platforms. Understanding the reality behind these accusations is important for users who rely on LinkedIn for networking and job opportunities.

Impact: LinkedIn browser extension
Remediation: Users should review their privacy settings on LinkedIn and consider limiting permissions for the browser extension.

A recent report indicates that AI browser extensions are more likely to contain known security vulnerabilities compared to other types of extensions. The study found that these AI tools often request permissions related to cookies, scripting, and tabs, which can increase the risk of exploitation. Users of these extensions may unknowingly expose themselves to threats as these vulnerabilities can allow attackers to manipulate browser behavior or access sensitive data. This situation raises concerns for both individual users and organizations that rely on these AI tools for productivity. As the popularity of AI extensions grows, it becomes increasingly important for developers to prioritize security in their design and for users to remain vigilant about the permissions granted to these tools.

Impact: AI browser extensions
Remediation: Users should review the permissions requested by AI extensions and consider avoiding those that ask for unnecessary access. Developers are encouraged to conduct regular security audits and updates to mitigate known vulnerabilities.

An international law enforcement operation has successfully frozen over $12 million linked to cryptocurrency scams and identified more than 20,000 victims. The crackdown revealed that suspected losses from cryptocurrency fraud worldwide exceed $45 million. One notable case involved a victim from the UK who lost more than £52,000. According to the FBI, cryptocurrency scams are a significant issue, with total losses reaching $11.3 billion. This incident underscores the ongoing risks associated with cryptocurrency investments, highlighting the need for increased awareness and caution among potential investors.

Impact: Cryptocurrency scams affecting individuals and investors globally
Remediation: Individuals are advised to conduct thorough research before investing in cryptocurrency and to report suspicious activities to law enforcement.

OpenAI has confirmed that it was affected by a supply chain hack linked to North Korean attackers, specifically involving a compromised macOS code signing certificate. This incident raises concerns about the security of software supply chains, as attackers can use such certificates to sign malicious software, making it appear legitimate. OpenAI is now taking steps to mitigate any potential risks associated with this breach. The impact of this incident could extend beyond OpenAI, affecting users who rely on their software for various applications. The situation underscores the need for enhanced security measures in software development and distribution to protect against similar future attacks.

Impact: OpenAI's macOS applications that utilize the compromised code signing certificate.
Remediation: OpenAI is taking action to secure its systems but specific remediation steps have not been detailed.

Last week, Anthropic took action to limit access to its Mythos Preview model after it autonomously discovered and exploited zero-day vulnerabilities across all major operating systems and web browsers. This incident raises alarms among cybersecurity experts, with Palo Alto Networks' Wendi Whitmore warning that similar capabilities could soon be available to malicious actors. According to CrowdStrike's 2026 Global Threat Report, the average time for eCrime to escalate into an attack is just 29 minutes, emphasizing the urgency for organizations to address vulnerabilities quickly. The implications of such advanced AI-driven exploits could make it significantly easier for attackers to compromise systems, putting countless users and organizations at risk. Companies need to be vigilant and enhance their security protocols to prevent potential breaches.

Impact: All major operating systems and web browsers
Remediation: Organizations should enhance their security protocols and monitor for unusual activity; specific patches or updates were not mentioned.

Google is enhancing the security of its Pixel smartphones by focusing on the cellular baseband modem, which is responsible for mobile network communication. In the previous Pixel 9 model, the company implemented measures to mitigate memory-related vulnerabilities. With the upcoming Pixel 10, Google is taking further steps by incorporating a DNS parser built in the Rust programming language into the modem firmware. This change aims to bolster the device's defenses against potential exploitation of the modem, which can process external data. By addressing these vulnerabilities, Google is working to protect users from possible attacks that could compromise their devices through the modem interface.

Impact: Google Pixel 10 smartphones
Remediation: N/A

The FBI has successfully dismantled a phishing operation known as W3LL, which was linked to fraudulent activities totaling around $20 million. This operation utilized a specialized phishing kit that enabled attackers to trick individuals into providing sensitive information. The takedown is a significant step in combating online fraud, as phishing remains a common tactic used by cybercriminals to exploit unsuspecting users. The operation's disruption not only affects the criminals behind it but also aims to protect potential victims from falling prey to similar scams. Authorities are urging individuals and businesses to remain vigilant against phishing attempts, which can lead to financial loss and data breaches.

Impact: N/A
Remediation: Users are advised to be cautious of unsolicited communications and verify the authenticity of requests for personal information.

Alleged German DDoS-for-Hire Kingpin Behind Fluxstress Caught in Thailand

Hackread – Cybersecurity News, Data Breaches, AI and More

A German national, suspected of being a key figure in the DDoS-for-hire scene, was arrested in Thailand. This individual is believed to be the mastermind behind services like Fluxstress and Neldowner, which have been used to launch distributed denial-of-service (DDoS) attacks globally. His arrest marks a significant step in combating online cybercrime, particularly as DDoS attacks continue to disrupt businesses and services across various sectors. The operation he led allowed users to pay for attacks that could overwhelm targets, causing significant downtime and financial losses. His capture may deter others from engaging in similar illegal activities and could lead to further investigations into the networks supporting these services.

Impact: N/A
Remediation: N/A

In a significant crackdown on identity fraud, Dutch police arrested eight men, aged 20 to 34, during an operation targeting the VerifTools platform on April 7 and 8. The suspects are linked to identity fraud, forgery, and various cybercrime offenses. Authorities seized a substantial amount of evidence, including smartphones, laptops, cash, cryptocurrency, and weapons. This investigation stems from a case that began on August 27, 2025, when police discovered that VerifTools was facilitating the creation of fake identification documents. The seizure of over 915,655 fake IDs raises concerns about the ease with which such fraudulent activities can be carried out and the potential risks to personal security and public safety.

Impact: VerifTools platform, fake identification documents
Remediation: N/A

Kaspersky's GReAT team has reported on a new campaign involving JanelaRAT, a type of remote access trojan that specifically targets financial information from users in Latin America. This malware is designed to steal sensitive data, including banking credentials, by infecting victims' devices through a series of sophisticated techniques. The infection process and the functionality of the malware have both been updated, making it more dangerous than previous versions. This campaign is particularly concerning as it highlights the ongoing risks to financial security for users in the region, especially given the rise of online banking and digital transactions. Users in Latin America need to be aware of this threat and take steps to protect their financial information.

Impact: Users in Latin America, financial institutions, banking systems
Remediation: Users should ensure their antivirus software is up to date, avoid clicking on suspicious links, and be cautious with unsolicited emails or messages.