John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Physical Failures: The Tile Tracker Leak and the Security Irony
A hacker breached the Tile/Life360 law enforcement portal using a former employee's stolen credentials. The tool built to help police find your kids became a stalker's dashboard.
Read More
The Shadow API Tsunami: Toyota, Telefonica, and the 90% Problem
Salt Labs says 90% of security investigations uncover API vulnerabilities. Toyota (6.3M records) and Telefonica Brasil (15M records) just proved the point.
Read More
The Megaleak Stage: Why the Standard Bank Breach is 2026's Scariest Proof-of-Failure
Standard Bank South Africa's breach just hit the 154-million-row stage. This is no longer an investigation. It is a permanent intelligence library for identity thieves. When negotiations fail, the consumer picks up the bill.
Read More
When the Breach Isn't at Your Bank: Third-Party Risk Hits Healthcare and Finance in the Same Week
A hospital email account, a fintech ransomware attack still sending notifications eight months later, and a Lapsus$ claim against a financial vendor. Third-party concentration risk landed in two sectors at once this week.
Read More
The AI Espionage Playbook: How a Hacker Used Claude and GPT-4.1 to Steal 415 Million Records
A threat actor used Claude Code and GPT-4.1 to automate a government-scale data breach in Mexico, exfiltrating 415 million records through 5,317 AI-generated commands. This is the first documented case of AI coding tools used as a nation-state espionage engine.
Read More
Two Breaches Today. One Was Careful. One Was a Unlocked Door. Both Were Catastrophic.
ShinyHunters dumped 78.6 million Rockstar records after the ransom deadline expired. They never touched Rockstar directly. They went through a cloud analytics vendor. Meanwhile, a French email provider left an Elasticsearch cluster open to the internet and exposed 40 million records across L'Oreal, Renault, and French government embassies.
Read More
The Breach Happened in February 2025. Patients Are Just Hearing About It Now.
DermCare Management, which handles billing and records for dozens of dermatology practices, suffered a breach in February 2025. They confirmed it in March 2026. Patients are getting notified now. The exposed data includes Social Security numbers, financial account info, and medical records.
Read More
They Didn't Get Your Password. They Got Everything Else.
Booking.com forced PIN resets. Basic-Fit disclosed a breach hitting roughly one million EU gym members. No passwords were stolen, both companies say. That's not the reassurance it sounds like.
Read More
The LAPD Was Not Hacked. But 7.7 Terabytes of Its Data Leaked Anyway.
World Leaks didn't touch LAPD's network. They breached a third-party file-sharing app connected to the LA City Attorney's Office that apparently had no password protecting it. 337,000 files including Internal Affairs records and witness names are now in an extortion group's hands.
Read More
One IT Admin Locked 254 Servers. T-Mobile Lost Another Insider. Same Day.
A Kansas City engineer held his employer hostage for 20 bitcoin while T-Mobile quietly filed yet another insider breach. Privileged access is still the hardest problem in security.
Read More
TeamPCP's First Confirmed Victim Lost Passport Scans and Video Interviews
AI hiring platform Mercor confirmed a breach tied to the LiteLLM compromise. The stolen data includes passport scans and video interviews you can't exactly rotate like a password.
Read More
Healthcare Had a Bad Week. A Really, Really Bad Week.
Three healthcare breaches in one week, all tracing back to the same problem: third-party vendors with access to patient data and not enough security around it.
Read More
Crunchyroll Got Breached. Their Systems Were Never Touched.
6.8 million Crunchyroll users had their data stolen through a three-hop attack chain that went from a vendor's infected laptop through Okta into Crunchyroll's customer service platform, without ever touching Crunchyroll's own systems.
Read More
Kaplan and Mazda Both Disclosed Breaches This Week. Both Happened Months Ago.
Kaplan's breach exposed SSNs for 173,000+ people in October 2025. Victims found out in March 2026. Mazda disclosed a December breach the same week. Both timelines are legal. That's the problem.
Read More
Sears' AI Chatbot Stored 3.7 Million of Your Conversations. Could Be Read Online.
Security researcher Jeremy Fowler found 3.7 million Sears chatbot conversations and 1.4 million audio files sitting wide open online -- including home addresses and appointment times. This one crosses into physical security territory.
Read More
The Healthcare Benefits Breach You Haven't Heard About (or the One After It, or the One After That)
Three healthcare and benefits data breaches disclosed in the same week -- TriZetto (3.4M), Navia (2.7M), and Marquis (672K) -- follow the same disturbing pattern: your most sensitive data lives with vendors you've never heard of, and you find out months later.
Read More
An Identity Theft Protection Company Was Just Hacked by a Phone Scammer
Aura sells identity protection. A scammer called one employee, said the right things, and walked out with data on 900,000 people. The irony is real, but the lesson is bigger.
Read More
Your Data This Week: Starbucks Employee Breach, Loblaw Customer Data, Steam Malware, and How to Respond to Each
Three breaches hit this week through platforms people already trust. Starbucks employee data, Loblaw customer accounts, and FBI-flagged malware hiding in Steam games.
Read More
Your Enterprise SaaS Is Getting Picked Apart: Salesforce Hit Three Times, Michelin Breached Through Oracle EBS
Salesforce just dropped its third Experience Cloud security alert in six months. Michelin got popped through Oracle EBS. Attackers aren't breaking down your perimeter anymore. They're walking straight through your business apps.
Read More