<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[CodeAIntel: Data Breaches]]></title><description><![CDATA[Data is the new blood, and the network sharks are already circling. As automated malware outpaces traditional security and threat vectors multiply exponentially, staying alive requires more than just a software patch. We track the cracks in the digital armor before they shatter, delivering breakdowns of the world's most devastating network infiltrations. Read the room, read the code, and get the intel required to survive the crossfire.]]></description><link>https://www.codeaintel.com/s/data-breaches</link><image><url>https://substackcdn.com/image/fetch/$s_!kBBb!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd94d629d-2720-4f24-a8bf-c3f5d1a4200f_500x500.png</url><title>CodeAIntel: Data Breaches</title><link>https://www.codeaintel.com/s/data-breaches</link></image><generator>Substack</generator><lastBuildDate>Thu, 09 Jul 2026 03:23:24 GMT</lastBuildDate><atom:link href="https://www.codeaintel.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Tom]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[CodeAIntel@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[CodeAIntel@substack.com]]></itunes:email><itunes:name><![CDATA[Tom]]></itunes:name></itunes:owner><itunes:author><![CDATA[Tom]]></itunes:author><googleplay:owner><![CDATA[CodeAIntel@substack.com]]></googleplay:owner><googleplay:email><![CDATA[CodeAIntel@substack.com]]></googleplay:email><googleplay:author><![CDATA[Tom]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Argos Fraud Shows The Retail ATO Problem Has Left The Browser]]></title><description><![CDATA[Leaked credentials, online accounts, and Click & Collect turn account takeover into a storefloor control failure.]]></description><link>https://www.codeaintel.com/p/argos-fraud-shows-the-retail-ato</link><guid isPermaLink="false">https://www.codeaintel.com/p/argos-fraud-shows-the-retail-ato</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Wed, 01 Jul 2026 08:11:12 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!QvJV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Leaked credentials, online accounts, and Click &amp; Collect turn account takeover into a store-floor control failure.</em></p><p>The Argos fraud spike is not just another reminder that people reuse passwords.</p><p>It is a reminder that retail identity controls now have a physical endpoint.</p><p>According to BushidoToken's write-up of UK police reporting, Report Fraud saw 652 reports mentioning Argos in May 2026, up from 154 in April. That is a reported <strong>323% month-over-month spike</strong> in cases tied to a familiar fraud pattern: criminals gain access to customer retail accounts, place orders, and collect goods in person.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QvJV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!QvJV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!QvJV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!QvJV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!QvJV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QvJV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/feeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1163464,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204404498?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QvJV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!QvJV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!QvJV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!QvJV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffeeecff3-3a71-4972-b0ad-ed3b2c58fbaa_1672x941.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>The useful lesson is not that Argos is uniquely exposed. The lesson is broader and more uncomfortable for retail risk teams: <em>when online identity is weak, store operations inherit the fraud.</em></p><h2>The Account Is The Pickup Ticket</h2><p>The City of London Police warning cited by BushidoToken says criminals are using credentials leaked in historical data breaches to hijack Argos accounts. Once inside, they can place orders and retrieve goods through Click &amp; Collect.</p><p>That makes the customer account more than a login.</p><p>It becomes the fraud actor's pickup ticket, purchase context, and legitimacy layer. A familiar account with order history can look less suspicious than a brand-new identity, especially if the transaction is routed through ordinary retail workflows.</p><p>BushidoToken also notes that some fraudulent orders were reportedly paid for using payment details not connected to the account victim. That matters because it blends two signals that many teams still treat separately: compromised customer identity and separate payment fraud.</p><p>The result is a messy operational case. The victim may own the account. A different stolen payment instrument may fund the order. The goods may leave through a legitimate collection lane.</p><p>No single team owns that whole chain by default.</p><h2>Convenience Became The Attack Surface</h2><p>Click &amp; Collect is designed to be fast. That is the product promise.</p><p>But speed changes the fraud window. If a criminal can move from account access to order placement to in-store collection before the real account holder notices an email or push notification, the control point has shifted from the website to the store counter.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!trbh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!trbh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!trbh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!trbh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!trbh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!trbh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1092526,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204404498?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!trbh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!trbh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!trbh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!trbh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F588fcc42-e30d-401e-85f6-896d3639790e_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>That does not mean retailers should make collection painful for everyone. It means high-risk collection events need context.</p><p>An account that suddenly orders higher-value goods, changes delivery or collection behavior, uses a new device, or combines suspicious login patterns with separate payment signals should not be treated like a normal repeat purchase.</p><p>The practical question is simple: can the retail system tell store staff when a pickup requires stronger verification without turning every collection into a manual investigation?</p><h2>The Numbers Point To A Control Gap</h2><p>The police figures in the BushidoToken summary are sharp enough to treat as an operational warning.</p><p>May had 652 reports mentioning Argos. April had 154. Since the start of 2026, there were 1,175 reports mentioning the retailer, with May the highest month cited in the alert.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!c1JE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!c1JE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!c1JE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!c1JE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!c1JE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!c1JE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1228713,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204404498?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!c1JE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!c1JE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!c1JE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!c1JE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6266b206-0596-4f0b-aecc-77c59c342240_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>There was earlier public warning activity too. BushidoToken references a November 2025 East Midlands Cyber Resilience Centre warning about Argos and Currys accounts being compromised and unauthorized purchases being made. In some Currys cases, the report says Buy Now Pay Later options were used, creating finance-plan risk for account holders.</p><p>That earlier warning matters because it shows the pattern is not limited to one month or one retailer's queue. Retail accounts, saved identity context, payment workflows, finance options, and pickup operations are all converging into one fraud surface.</p><h2>Breach Data Is Still Paying Dividends</h2><p>This is where historical data breaches keep compounding.</p><p>Credential stuffing does not require a new breach at the targeted retailer. It relies on old username and password pairs, password reuse, and weak or optional step-up controls. Cloudflare describes credential stuffing as attackers using previously exposed login pairs against other services at scale.</p><p>For retail, that means yesterday's breach at an unrelated service can become today's account takeover queue.</p><p>MFA, passkeys, password managers, breached-password checks, and anomaly detection are not cosmetic account-security features. They are loss-prevention controls. They decide whether a stolen password becomes a completed collection.</p><p>The same applies to rate, source, and device context. If a proxy-heavy source IP is attempting logins across many accounts, or if successful sessions cluster around new devices and unusual purchase behavior, the fraud program needs that signal before goods are handed over.</p><h2>The Store Counter Needs Risk Context</h2><p>The least useful response would be to push the whole problem onto store staff.</p><p>Collection workers should not have to become fraud analysts. They need simple, reliable prompts backed by online identity telemetry: request ID, require a one-time pickup code, ask for stronger identity verification, or escalate the order before release.</p><p>That is where online and physical controls need to meet.</p><p>High-risk actions can trigger step-up authentication before the order is confirmed. High-value Click &amp; Collect purchases can require a single-use PIN or QR code sent through a trusted channel. BNPL or finance-plan creation can require stronger identity proofing than a normal basket checkout. Collection events can inherit risk decisions already made online.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gRga!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gRga!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!gRga!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!gRga!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!gRga!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gRga!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1196696,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204404498?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!gRga!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!gRga!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!gRga!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!gRga!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7ed2819-ccdf-4e63-a3bc-5d183aa3c245_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>None of this needs exploit detail. It needs business-process discipline.</p><h2>Treat Retail ATO As An End-To-End Workflow</h2><p>The useful control model is end-to-end.</p><p>Detect credential-stuffing patterns. Step up risky sessions. Review unusual orders before fulfillment. Verify the person collecting high-risk goods. Notify customers quickly when account behavior changes.</p><p>The order matters less than the handoff. A login risk signal that never reaches fulfillment is wasted. A store verification policy that has no idea which orders are risky becomes friction without precision. A fraud review that starts after goods leave the store is already late.</p><p><strong>Retail account takeover is no longer contained inside the browser.</strong></p><p>For defenders, that is the central point. Account security, fraud operations, payment risk, BNPL governance, and store collection processes are now part of the same incident surface. If they do not share signals, criminals can move through the gaps using the retailer's own convenience model as the path.</p><h2>Sources</h2><ul><li><p><a href="https://blog.bushidotoken.net/2026/07/uk-cybercrime-journal-argos-account.html">BushidoToken Threat Intel: UK Cybercrime Journal: Argos Account Takeover Fraud</a></p></li><li><p><a href="https://www.cityoflondon.police.uk/news/city-of-london/news/2026/june/report-fraud-alert-warning-for-argos-shoppers-after-323-per-cent-spike-in-fraud-reports-mentioning-the-retailer/report-fraud-alert-warning-for-online-shoppers-after-spike-in-criminals-gaining-unauthorised-access-to-retailer-accounts/">City of London Police: Report Fraud alert warning for Argos shoppers after spike in fraud reports</a></p></li><li><p><a href="https://www.emcrc.co.uk/post/currys-and-argos-account-warning-issued-by-police">East Midlands Cyber Resilience Centre: Currys and Argos account warning issued by police</a></p></li><li><p><a href="https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/">Cloudflare: What is credential stuffing?</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Nissan's PeopleSoft Breach Turns HR Data Into the Blast Radius]]></title><description><![CDATA[A zeroday campaign against Oracle PeopleSoft is now a workforce identity problem for Nissan employees across the Americas.]]></description><link>https://www.codeaintel.com/p/nissans-peoplesoft-breach-turns-hr</link><guid isPermaLink="false">https://www.codeaintel.com/p/nissans-peoplesoft-breach-turns-hr</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Tue, 30 Jun 2026 15:26:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!HzyL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>A zero-day campaign against Oracle PeopleSoft is now a workforce identity problem for Nissan employees across the Americas.</em></p><p>Nissan's latest breach disclosure is not limited to whether employee data may have been exposed.</p><p>It is where that data lived.</p><p>Nissan says the incident is tied to Oracle PeopleSoft, the enterprise system it uses for employee information, payroll, tax administration, and personnel records. That shifts the risk from a narrow software incident into something larger: <strong>a third-party enterprise platform compromise can become a payroll, identity, and workforce-trust event almost immediately.</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HzyL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HzyL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 424w, https://substackcdn.com/image/fetch/$s_!HzyL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 848w, https://substackcdn.com/image/fetch/$s_!HzyL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 1272w, https://substackcdn.com/image/fetch/$s_!HzyL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HzyL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png" width="1456" height="728" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:728,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1370437,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204290793?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HzyL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 424w, https://substackcdn.com/image/fetch/$s_!HzyL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 848w, https://substackcdn.com/image/fetch/$s_!HzyL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 1272w, https://substackcdn.com/image/fetch/$s_!HzyL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1f96e316-5498-4620-a184-09c7b5edaf7f_1774x887.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>According to BleepingComputer, Nissan warned current and former employees that attackers exploited an Oracle PeopleSoft vulnerability in a broader data theft campaign previously linked to ShinyHunters. The disclosure says Nissan was specifically targeted and that the company is still assessing the full impact.</p><p>For defenders outside Nissan, the useful signal is clear: a business-application incident can force payroll and identity-control decisions before the final breach scope is settled.</p><h2>The Business System Became The Incident</h2><p>PeopleSoft is not a random application buried in the corner of the estate. For many organizations, it sits close to the data employees depend on: payroll, tax records, HR workflows, benefits, and identity-adjacent administrative data.</p><p>That is why this disclosure matters.</p><p>Nissan says the investigation is still early and the company has not finalized the full scope. But the categories under review are sensitive by design. The affected information may include employee contact information, banking details, Social Security numbers, Social Insurance Numbers, national identification numbers, financial and tax information, and dependent or beneficiary information.</p><p>The reported geography is broad. BleepingComputer says the incident is believed to affect current and former Nissan employees in the United States, Canada, Mexico, and Brazil.</p><p>This is the uncomfortable shape of modern enterprise risk: an application compromise can quickly become an employee identity problem even when customer-facing systems are not the headline.</p><h2>The PeopleSoft Thread</h2><p>BleepingComputer ties the Nissan disclosure to a wider set of Oracle PeopleSoft data theft attacks first reported earlier in June. The reporting says threat actors exploited a zero-day vulnerability in PeopleSoft instances and stole data.</p><p>Oracle later disclosed a critical PeopleSoft PeopleTools vulnerability, tracked as CVE-2026-35273, and released emergency mitigations. BleepingComputer also reports that Mandiant confirmed exploitation of that vulnerability as a zero-day in data theft attacks between May 27 and June 9.</p><p>That does not mean every detail of the Nissan impact is settled.</p><p>This is not just a single-company anomaly. Business applications with privileged data access can become collection points when a vulnerability is exploited at scale.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ro7x!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ro7x!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Ro7x!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Ro7x!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Ro7x!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ro7x!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2048149,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204290793?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Ro7x!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Ro7x!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Ro7x!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Ro7x!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F288ed8d0-39a9-41cf-9dbe-d90e08a1a8c9_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>The reported ShinyHunters connection adds extortion context, but it should not distract from the more operational point. The named group matters less to most defenders than the system class, the data class, and the control failures attackers can turn into leverage.</p><h2>The Data Is Identity-Heavy</h2><p>Nissan has not said every listed data type was definitely exposed for every person. That caveat matters.</p><p>But the possible categories are enough to make this a high-friction employee-risk event. Contact data supports targeting. Banking and payroll-related details raise fraud concerns. Government identifiers can affect long-term identity exposure. Dependent and beneficiary information widens the human blast radius beyond the employee alone.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!sTRq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!sTRq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!sTRq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!sTRq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!sTRq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!sTRq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1311540,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204290793?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!sTRq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!sTRq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!sTRq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!sTRq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a32f977-3c84-4e74-ad7f-4885e8e89649_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p><em>The sensitive data model of HR systems makes containment harder after compromise.</em></p><p>Once a personnel system is in play, the organization has to answer more than whether unauthorized access happened. It has to answer which workflows can still be trusted, which records may have been touched, who needs notice, and what compensating controls should stay in place until the review is complete.</p><h2>Payroll Is Now A Security Boundary</h2><p>Nissan's reported response is worth paying attention to because it focuses on workflow restriction, not just notification.</p><p>BleepingComputer says Nissan activated incident response, brought in external cybersecurity experts, secured affected systems, and worked with Oracle on the issue. The company also said it took steps to end unauthorized access and prevent further disclosure of employee information.</p><p>The operationally important control move is around payroll.</p><p>As an additional precaution, Nissan is reportedly restricting access to employee pay slips and direct deposit changes to company network computers or secured VPN connections while it adds identity verification before processing payroll requests.</p><p>That is exactly the kind of post-breach control security teams should expect from an HR-system incident. When employee banking or payroll-adjacent data may be exposed, the next risk is not theoretical. It is account takeover, payroll redirection, social engineering, and fraudulent change requests.</p><p>This is where security and HR operations have to stop pretending they are separate systems.</p><h2>The Vendor Question Cannot Wait</h2><p>The Oracle layer is not background detail. It is central to the risk model.</p><p>When a core enterprise application is implicated in a zero-day campaign, defenders need more than a patch-status screenshot. They need a live operating picture across vendor advisories, incident notifications, identity logs, privileged access, data export paths, and business-process restrictions.</p><p>In practice, that means asking blunt questions:</p><ul><li><p>Which PeopleSoft instances were exposed or reachable during the reported exploitation window?</p></li><li><p>Which service accounts, administrators, and integrations had access to personnel records?</p></li><li><p>Which payroll, benefits, and tax workflows can change employee financial outcomes?</p></li><li><p>Which data exports, reports, or batch jobs touched the affected record sets?</p></li><li><p>Which employee-facing actions should be restricted until scope is validated?</p></li></ul><p>Those questions are not exploit steps. They are governance steps.</p><h2>Before Sensitive Workflows Reopen</h2><p>The strongest move after an HR platform data theft incident is to treat identity, payroll, and notification as one response track.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!c6Tu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!c6Tu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!c6Tu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!c6Tu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!c6Tu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!c6Tu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1418818,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204290793?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!c6Tu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!c6Tu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!c6Tu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!c6Tu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe55e8503-1072-4790-9feb-e327c5e2293f_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Contain the affected environment. Verify privileged access. Restrict payroll and direct-deposit changes. Monitor sensitive-data access and authentication anomalies. Notify employees with clear guidance when the record review supports it.</p><p>The timing matters too. Sensitive workflows should not reopen simply because a system is back online. They should reopen when the organization can show that access was reviewed, risky changes are controlled, and employees are not being pushed into a fraud window without support.</p><p>The Nissan disclosure points to the same control problem.</p><p>The breach is not only about a vulnerability. It is about the business process attached to the vulnerable system.</p><p><strong>If the system holds workforce identity and payroll data, the incident response has to protect workforce identity and payroll decisions, not just servers.</strong></p><h2>Sources</h2><ul><li><p><a href="https://www.bleepingcomputer.com/news/security/nissan-discloses-employee-data-breach-linked-to-oracle-zero-day-attacks/">BleepingComputer: Nissan discloses employee data breach linked to Oracle zero-day attacks</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Google's Tensor Secrets Were in Tehran: The Insider Threat That Slipped Past Silicon Valley ]]></title><description><![CDATA[Three engineers. Hundreds of files. One family scheme. And trade secrets about Google's most sensitive chip technology &#8212; photographed and carried to Iran.]]></description><link>https://www.codeaintel.com/p/googles-tensor-secrets-were-in-tehran</link><guid isPermaLink="false">https://www.codeaintel.com/p/googles-tensor-secrets-were-in-tehran</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Fri, 20 Feb 2026 17:33:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!ltjC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ltjC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ltjC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!ltjC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!ltjC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!ltjC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ltjC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:77219,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188637145?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ltjC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!ltjC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!ltjC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!ltjC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceafa619-8dbb-4217-94e3-ae9b032da35d_1600x900.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>The insider threat that cybersecurity teams train for just became real &#8212; and the target was one of the most guarded pieces of technology in consumer electronics: <strong>Google&#8217;s Tensor processor</strong>, the custom silicon inside every Pixel phone.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>The U.S. Department of Justice has indicted three people &#8212; two sisters who worked at Google and the husband of one of them &#8212; for an alleged scheme to systematically steal trade secrets from Google and at least two other major tech companies, and transfer them to unauthorized locations, <strong>including Iran</strong>.</p><p>The defendants: <strong>Samaneh Ghandali</strong>, 41, a former Google engineer; her husband <strong>Mohammadjavad Khosravi</strong>, 40; and her sister <strong>Soroor Ghandali</strong>, 32, also a former Google engineer. All three are Iranian nationals who were living in San Jose. All three were arrested on Thursday and appeared in federal district court the same day.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1nwx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1nwx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!1nwx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!1nwx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!1nwx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1nwx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:97790,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188637145?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1nwx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!1nwx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!1nwx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!1nwx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd851c29-7b1f-471e-b954-cee4d4199516_1600x900.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>The Anatomy of the Scheme</strong></h3><p>This wasn&#8217;t a sophisticated cyberattack from the outside. It was patient, methodical betrayal from the inside &#8212; and the operational security the defendants used makes it more alarming, not less.</p><p><strong>The exfiltration method:</strong> Both sisters used their legitimate employee access at Google to pull hundreds of files &#8212; including trade secrets related to <strong>processor security, cryptography, and chip architecture</strong> &#8212; and transferred them to a third-party communications platform. The channels they used were named after each defendant&#8217;s first name.</p><p><strong>The cover-up:</strong> When Google&#8217;s internal security systems flagged Samaneh Ghandali&#8217;s activity in August 2023 and revoked her access, she signed a sworn affidavit claiming she had never shared Google&#8217;s confidential information with anyone outside the company. She had.</p><p><strong>The analogue workaround:</strong> After digital channels were closed off, the defendants pivoted. Rather than electronically transferring files &#8212; which would leave a clear forensic trail &#8212; they <strong>manually photographed computer screens</strong> containing trade secret documents with their phones. The night before the couple traveled to Iran in December 2023, Samaneh allegedly photographed approximately 24 screens of her husband&#8217;s work computer, which contained trade secrets from his employer. Those photographs were later accessed from a device associated with her &#8212; in Iran.</p><p><strong>The cleanup attempt:</strong> The defendants searched online for how to delete communications and how long cellular providers retain messages. They then destroyed exfiltrated files from their electronic devices.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ExJK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ExJK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!ExJK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!ExJK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!ExJK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ExJK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:62483,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188637145?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ExJK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!ExJK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!ExJK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!ExJK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a5dffe3-b66b-4809-a240-8b7a23d3a02f_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>Why This Case Matters Beyond the Headlines</strong></h3><p>The Ghandali case doesn&#8217;t exist in isolation. Less than a month ago, former Google engineer <strong>Linwei Ding</strong> was convicted for stealing thousands of Google&#8217;s confidential AI documents to build a startup in China. Now this.</p><p>Two separate insider theft cases. Two different nation-state destinations. Both targeting Google&#8217;s most strategically sensitive technologies.</p><p>The pattern forces a hard question: <strong>If Google &#8212; with its world-class security team, internal monitoring systems, and vast resources &#8212; can have trade secrets photographed off a screen and walked to Iran, what does that mean for everyone else?</strong></p><p>The answer is uncomfortable. Google&#8217;s systems <em>did</em> detect Samaneh Ghandali&#8217;s digital exfiltration. What they couldn&#8217;t fully prevent was the human workaround &#8212; the pivot to photographing screens, the signed false affidavit, the physical transport. No DLP system catches a phone camera aimed at a monitor.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Gga7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Gga7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!Gga7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!Gga7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!Gga7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Gga7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:49071,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188637145?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Gga7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!Gga7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!Gga7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!Gga7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96886319-5507-4190-9ed0-a1b90d8fb68d_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>The Charges and What&#8217;s at Stake</strong></h3><p>Each defendant faces up to <strong>10 years per count</strong> of trade secret theft and up to <strong>20 years</strong> for the obstruction of justice charge, plus a $250,000 fine per count.</p><p>The trade secrets at the center of this case &#8212; Tensor processor security architecture and cryptographic implementations &#8212; are not abstract intellectual property. They are the technical foundation of how Google secures its hardware at the silicon level. In the wrong hands, that knowledge could inform attacks on Pixel devices at scale, or accelerate a foreign nation&#8217;s semiconductor development program.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!a7Z6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!a7Z6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!a7Z6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!a7Z6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!a7Z6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!a7Z6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:103396,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188637145?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!a7Z6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!a7Z6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!a7Z6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!a7Z6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d6e47fc-b01a-4a25-81f7-d27c080b0fd5_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><blockquote><p><strong>CodeAIntel Insight:</strong> <em>The analog pivot is the most chilling detail in this indictment. These defendants got caught digitally &#8212; and responded by picking up a phone and photographing screens. That is a threat vector that lives entirely outside the reach of most enterprise DLP, CASB, and endpoint monitoring tools. The lesson for security leaders: insider threat programs can&#8217;t stop at the network edge. Physical data exfiltration &#8212; cameras, printed documents, verbal disclosure &#8212; requires a different detection model entirely. The fact that a signed false affidavit almost worked as a cover story suggests the human element of your insider threat program matters as much as the technical one. Who is reviewing those exit certifications? Who is cross-referencing them against behavioral anomalies?</em></p></blockquote><p></p><p><em>Sources:</em></p><p><em>https://www.courtlistener.com/docket/72303995/united-states-v-ghandali-etal/ </em></p><p><em><a href="https://thehackernews.com/2026/02/three-former-google-engineers-indicted.html">The Hacker News</a> </em></p><p></p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/p/googles-tensor-secrets-were-in-tehran?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/p/googles-tensor-secrets-were-in-tehran?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.codeaintel.com/p/googles-tensor-secrets-were-in-tehran?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[PayPal’s Silent Six Months: The Breach That Hid in the Code]]></title><description><![CDATA[A software error, a loan app, and Social Security numbers sitting exposed for 165 days. PayPal had a problem &#8212; and its customers were the last to know.]]></description><link>https://www.codeaintel.com/p/paypals-silent-six-months-the-breach</link><guid isPermaLink="false">https://www.codeaintel.com/p/paypals-silent-six-months-the-breach</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Fri, 20 Feb 2026 14:58:40 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jsl3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Jsl3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Jsl3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!Jsl3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!Jsl3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!Jsl3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Jsl3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:88723,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188619604?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Jsl3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!Jsl3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!Jsl3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!Jsl3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b2b5739-1c72-4c48-8d85-c1cddadd00a2_1600x900.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h1></h1><p>PayPal has disclosed a data breach that is, in many ways, more alarming than a headline-grabbing hack. There was no sophisticated adversary. No nation-state exploit. No dark web auction. Just a <strong>software bug in a loan application</strong> that quietly exposed the sensitive personal information of small business customers for nearly <strong>six months</strong> before anyone noticed.</p><p>The affected product is <strong>PayPal Working Capital (PPWC)</strong> &#8212; a financing tool designed to give small businesses fast access to cash. The window of exposure: <strong>July 1 to December 13, 2025</strong>. PayPal discovered the issue on December 12th and reversed the faulty code change the following day. The data left in the wind: <strong>names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth</strong>.</p><p>For the people affected, that is essentially the full identity theft starter pack.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xRH4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xRH4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 424w, https://substackcdn.com/image/fetch/$s_!xRH4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 848w, https://substackcdn.com/image/fetch/$s_!xRH4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 1272w, https://substackcdn.com/image/fetch/$s_!xRH4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xRH4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png" width="871" height="820" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:820,&quot;width&quot;:871,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:100892,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188619604?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!xRH4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 424w, https://substackcdn.com/image/fetch/$s_!xRH4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 848w, https://substackcdn.com/image/fetch/$s_!xRH4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 1272w, https://substackcdn.com/image/fetch/$s_!xRH4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fed1b71-d1d4-4832-806e-af2f4b32d4f8_871x820.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>The Anatomy of the Exposure</strong></h3><p>This wasn&#8217;t a smash-and-grab. It was a door left quietly ajar.</p><ul><li><p><strong>The Root Cause:</strong> An error introduced through a code change made the PII of a &#8220;small number&#8221; of PPWC customers visible to unauthorized parties.</p></li><li><p><strong>The Duration:</strong> 165 days. Five and a half months of exposure before PayPal&#8217;s own systems flagged it.</p></li><li><p><strong>The Damage:</strong> PayPal confirmed unauthorized transactions occurred on a subset of affected accounts as a <strong>direct result</strong> of the incident and has issued refunds to those customers.</p></li><li><p><strong>The Response:</strong> The faulty code was rolled back within 24 hours of discovery. Affected users are being offered two years of free three-bureau credit monitoring and identity restoration services through Equifax, with enrollment required by June 30, 2026.</p></li></ul><p>PayPal stated it has not delayed notification due to a law enforcement investigation &#8212; which is notable, suggesting no criminal referral is currently in play.</p><p></p><h3><strong>This Is Not PayPal&#8217;s First Rodeo</strong></h3><p>Context matters here. This breach doesn&#8217;t exist in a vacuum.</p><p>In <strong>December 2022</strong>, PayPal suffered a large-scale credential stuffing attack exposing roughly 35,000 accounts &#8212; including Social Security numbers and tax identification data. That incident eventually cost the company a <strong>$2 million settlement</strong> with the New York State Department of Financial Services in January 2025 for failing to comply with cybersecurity regulations. The DFS found that PayPal lacked proper CAPTCHA protections, rate limiting, and mandatory multi-factor authentication at the time.</p><p>Now, less than a year after that settlement was announced, PayPal is back in breach territory &#8212; this time not from an external attacker exploiting weak controls, but from <strong>an internal code change that bypassed its own data protection framework</strong>.</p><p>The pattern is hard to ignore: PayPal keeps putting sensitive data at risk through process failures, not just external threats.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TaYj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TaYj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!TaYj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!TaYj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!TaYj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TaYj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png" width="725" height="407.8125" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:725,&quot;bytes&quot;:61862,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188619604?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TaYj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!TaYj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!TaYj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!TaYj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8df349bf-5b77-4d46-9bcd-ef8c385dfff3_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>What Small Business Owners Need to Do Now</strong></h3><p>If you use or have used <strong>PayPal Working Capital</strong>, treat this as a confirmed identity risk:</p><ul><li><p><strong>Enroll immediately</strong> in the Equifax credit monitoring offer PayPal is providing. Do not wait.</p></li><li><p><strong>Place a fraud alert</strong> or credit freeze with all three bureaus (Equifax, Experian, TransUnion) if you want to go further.</p></li><li><p><strong>Monitor your business and personal accounts</strong> for unauthorized transactions &#8212; PayPal has already confirmed some accounts were fraudulently accessed.</p></li><li><p><strong>Watch for follow-on phishing.</strong> Attackers who obtained this data now have everything they need to craft highly convincing impersonation attempts. PayPal will never ask for your password, one-time codes, or authentication credentials via phone, text, or email.</p></li><li><p><strong>File with the FTC</strong> at IdentityTheft.gov if you believe your Social Security number has been misused.</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5TRZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5TRZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!5TRZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!5TRZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!5TRZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5TRZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:79814,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/188619604?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5TRZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!5TRZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!5TRZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!5TRZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb7e96c16-f4b0-4c4c-827e-c952488ad73b_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><blockquote><p><strong>CodeAIntel Insight:</strong> <em>The 165-day exposure window is the real story here. Modern breach detection should catch anomalous data access in hours or days &#8212; not months. The fact that a code-level error in a loan application could silently expose Social Security numbers for five and a half months points to a deeper problem: insufficient data-access monitoring at the application layer. For enterprises, the lesson is not &#8220;don&#8217;t write buggy code&#8221; &#8212; that&#8217;s a given. The lesson is: if sensitive PII is being touched by any application, you need runtime visibility into who is accessing it, when, and whether that access pattern looks normal. PayPal didn&#8217;t have that. Do you?</em></p></blockquote><p></p><p><em>Sources: </em></p><p>https://www.bleepingcomputer.com/news/security/paypal-discloses-data-breach-exposing-users-personal-information/</p><p><em>https://www.documentcloud.org/documents/27345193-paypal-february-2026-breach-notification/</em></p><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p>]]></content:encoded></item></channel></rss>