Security

The smart ring company says on March 27th hackers used an internal analytics tool to access users’ contact and account details, transaction history, and “some fitness related data.” According to TechCrunch, the breach impacted 0.1 percent of Ultrahuman users, or an estimated 700 people.

With this expansion of Anthropic’s Project Glasswing initiative, organizations in “several industries that weren’t well represented” in the initial cohort, like power, water, and healthcare, will get access to the model so they can use it to find security vulnerabilities.

The @obamawhitehouse account briefly showed images of Iranian propaganda, which have since been taken down, as spotted earlier by TMZ. The account belonging to the US Space Force Chief Master Sergeant was also hijacked.

Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co. — formerly 23AndMe — claiming that the company failed to protect user information, leading to the massive 2023 breach that included data belonging to 6.9 million users. In 2024, 23andMe agreed to pay $30 million to settle a class action lawsuit related to the breach.

The Aqara U500 lineup includes three separate models. There’s a “Rim Lock” for standard entrance and interior doors that doesn’t require a mortise, a “Gate Lock” for metal grille-style doors, and even a lock that’s designed for glass doors. They’re only available in Europe for now though.

Upon request, “qualifying” customers can use things like skills, a Claude harness, and a threat model builder, Anthropic says as part of a bigger update about Project Glasswing.

YouTuber Coffeezilla first reported the leak of customer details, now apparently fixed. Trump Mobile CEO Pat O’Brien has now confirmed to The Verge there was a breach, which he blames on “a third-party platform provider.”

A security bulletin from Nvidia breaks down new vulnerabilities found in some of its GPU drivers for Windows and Linux and vGPU software. As Digital Foundry and Club386 point out, they affect drivers prior to 596.36 on the current branch, so if you’re running the most recently released update (596.49, which was released on May 12th), you don’t have anything to do.

The company traced the incident to a “poisoned” VS Code extension on an employee’s device. While the hacking group TeamPCP has claimed responsibility for the breach, GitHub says it has since removed the malicious extension and that the exfiltration was limited to internal data, as reported by Bleeping Computer.

Researchers at the security firm Calif say they used Anthropic’s cybersecurity AI to create a privilege escalation exploit, the Wall Street Journal reports:

On Wednesday, the AISI, which evaluates AI models for the British government, said both Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 showed progress well above previous trends on cybersecurity testing. Separately, XBOW released data suggesting “frontier models have taken a major step forward in vulnerability discovery.”

Similar to the “Copy Fail” exploit revealed a week ago, the two “Dirty Frag” exploits (CVE-2026-43284) also allow a local user to give themselves root privileges on nearly any Linux distribution. The researcher who found it says that, “Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities.”

Sean Hollister let a hacked robot lawnmower run him over in the name of journalism, but it took a Verge commenter to find the right language that really sets the stakes.

Mozilla:

Ubuntu’s web infrastructure remains unavailable after going offline Thursday morning, blocking updates and other access at a time when Linux admins really need to apply a patch.

Claude Security uses the Opus 4.7 model to scan a business’s codebase for vulnerabilities and issue a fix. This tool is rolling out to enterprise customers globally and isn’t to be confused with Anthropic’s Mythos, a powerful AI model that can identify and exploit vulnerabilities across operating systems and web browsers.

The group is accused of using stolen cookies to hijack accounts, targeting profiles with high amounts of in-game currency and items, according to a press release spotted by Bleeping Computer. The hackers allegedly earned around $225,000 after selling the accounts on a Russian website.

The prolific ShinyHunters group is claiming responsibility and threatening to leak the stolen data unless a ransom is paid. ADT has said that the info was mostly limited to names, phone numbers, and addresses, and that credit card or bank account information was not compromised.

The hosting platform provided a new update on the recent compromise. It named Context.AI as the vector for the attack, found more customer data that had been stolen, and said it discovered that some accounts had been broken into during an earlier incident.