DentaQuest Data Leak, Cisco Patch Pending, Instagram Security Bug – Cybersecurity News [June 01, 2026]

Here’s your quick roundup of the most important cybersecurity stories from the past week, highlighting data risks, major breaches, and significant developments shaping the cybersecurity space. ShinyHunters struck again, this time targeting a major U.S. dental benefits administrator, while the FBI sounded the alarm over World Cup fraud. A Cisco zero-day left enterprise networks exposed with no patch in sight, Instagram suffered an embarrassing security slip-up, and Chinese intelligence services were caught running fake job recruitment operations against Western military and government personnel.

ShinyHunters leaks 234 GB of DentaQuest health data, exposing 2.6 million patients!

DentaQuest, one of the largest dental and vision benefits administrators in the United States, confirmed unauthorized network access on June 2, 2026, after the prolific cybercriminal group ShinyHunters leaked more than 234 gigabytes of allegedly stolen data. The breach is impacting approximately 2.6 million individuals.

The incident began in May 2026, when ShinyHunters claimed responsibility for the attack after exfiltrating and publicly leaking highly sensitive personally identifiable information and protected health information, including names, dates of birth, email addresses, phone numbers, home addresses, genders, government-issued IDs, health insurance information, and Medicaid IDs.

ShinyHunters posted on their dark web leak site that DentaQuest “failed to reach an agreement” despite repeated offers and patience” meaning the extortion attempt collapsed and the data was published in full. DentaQuest manages dental and vision benefits plans for Medicaid, Medicare Advantage, and individual customers across all 50 states, making this one of the most significant healthcare breaches of 2026.

Cisco discloses 7th SD-WAN zero-day of 2026” and there’s still no patch!

Cisco informed customers of yet another SD-WAN vulnerability being exploited in the wild, the seventh such flaw whose exploitation was detected in 2026. Tracked as CVE-2026-20245, it affects the command-line interface of Cisco Catalyst SD-WAN Manager and allows an authenticated local attacker to execute arbitrary commands as root via specially crafted uploaded files.

Cisco’s PSIRT became aware of the exploitation in June after Google Cloud’s Mandiant reported the flaw. Cisco has observed limited cases where exploitation of the bug resulted in unauthorized configuration changes being pushed to edge devices.

No patch is currently available, and Cisco has identified no workarounds. To exploit this vulnerability, an attacker must already have netadmin privileges, which can be obtained through valid stolen credentials or by chaining previously disclosed SD-WAN flaws. Organizations are being advised to restrict CLI access, audit all netadmin accounts, and monitor system logs for anomalous file upload activity.

Instagram’s password reset bug leaks Mark Zuckerberg’s phone number” and thousands more!

A critical logic flaw in Instagram’s web-based password reset flow exposed unredacted email addresses and phone numbers linked to user accounts on June 6, 2026, including contact data associated with Meta CEO Mark Zuckerberg. Meta deployed an emergency hotfix within hours of disclosure, but proof-of-concept screenshots had already circulated widely across social media.

The vulnerability resided in Instagram’s account recovery interface, where a logic error caused the system to return fully visible email addresses and phone numbers to any party who simply initiated a password reset” rather than displaying the partially redacted versions the system was designed to show.

Meta confirmed the patch was applied rapidly, stating: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.” However, the incident raised serious concerns about data minimization practices and potential GDPR violations under Article 25.

Five Eyes alliance warns: Chinese spies are posing as job recruiters to steal military secrets!

A joint bulletin titled “Safeguarding Our Secrets” was published on June 3, 2026, by intelligence agencies from Australia, Canada, the United States, the United Kingdom, and New Zealand” the Five Eyes. The bulletin warned that Chinese military intelligence officers and their affiliates are posing as employees of private consultancies, think tanks, and HR firms, posting online job advertisements for foreign policy and defence analysts.

Using fake job announcements on professional networking sites and recruitment platforms, the operatives impersonate legitimate employers and pressure candidates into revealing classified or privileged information. “China’s military intelligence services ultimately seek to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes,” the alert reads.

According to the warning, threat actors are active on platforms such as LinkedIn, Indeed, and Upwork, where they create fake profiles and inspect applicants’ CVs to determine what sensitive information they may be able to extract. Anyone working in defence, government, or national security roles is urged to verify the legitimacy of any recruiter before engaging with unsolicited job offers.

Magecart campaign turns Stripe into a secret credit card theft server!

A new Magecart campaign is using Stripe’s API infrastructure to host credit card-stealing payloads and exfiltrate stolen data from online checkout pages. The entire operation relies on Google Tag Manager and Stripe domains” googletagmanager.com and api.stripe.com” which are trusted implicitly by online stores, allowing the skimmer to slip past content security policies and network filters.

Analysts at ecommerce security firm Sansec identified the malware family and published their findings on June 4, 2026. The attacker stores card-stealing code inside a Stripe customer’s metadata, then runs it on checkout pages before writing stolen card numbers back into the same account disguised as fake customers.

The card skimmer targets Magento and Adobe Commerce checkout pages, capturing payment data including credit card numbers, expiration dates, CVV codes, customer names, billing addresses, and phone numbers. Online store operators are urged to audit all active Google Tag Manager containers, review third-party tag activity, and scan for unauthorized JavaScript injections immediately.

IronWorm supply chain attack infects 36 npm packages to steal developer credentials!

A new supply chain attack has infected 36 packages on the Node Package Manager index with infostealer malware called IronWorm. The malware targets 86 environment variables and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.

Security vendor JFrog, which identified the campaign, described IronWorm as a “custom, carefully built implant” written in Rust that harvests a wide range of developer secrets” including API keys, cloud credentials, and npm publishing tokens” and reuses them to spread further across the software supply chain. The malware communicates with its operator over the Tor network.

JFrog also noted that the attacker backdated malicious code changes across repositories belonging to nine organizations in an attempt to obscure the timeline of compromise and complicate forensic investigation. Developers are advised to audit all npm package dependencies and immediately rotate any API keys or credentials that may have been exposed.

UN World Food Programme’s Gaza aid registration app breached, exposing Palestinian civilians’ data!

The United Nations’ World Food Programme, the world’s largest humanitarian organization, revealed that its self-registration application for Palestine was breached. The unauthorized access exposed names, identification numbers, phone numbers, and location details for aid applicants in Palestine. Investigators will need to preserve application access logs, registration database snapshots, and containment records to determine the entry point, dwell time, and whether data was copied or merely viewed.

The breach is particularly concerning given the sensitive nature of the data” individuals registered for humanitarian aid in an active conflict zone. The WFP has confirmed it is investigating the incident and has been working to contain the damage and secure the affected application.

RCI Hospitality Holdings confirms data breach affecting 40,000 customers!

Adult nightclub giant RCI Hospitality Holdings has informed authorities that a data breach affects roughly 40,000 individuals. The company detected a network intrusion in March and an investigation confirmed that some files were stolen during the attack.

RCI Hospitality is one of the largest adult entertainment venue operators in the United States, with its portfolio including sports bars and dance clubs. While the company has not publicly disclosed the exact nature of the files stolen, notifications have been sent to affected individuals. The incident serves as a reminder that organizations of all kinds” including those in the entertainment sector” remain attractive targets for threat actors seeking personally identifiable information that can be monetized or used in follow-on attacks.

China-linked OP-512 espionage group targets Microsoft IIS web servers with custom web shells!

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 that has been targeting Microsoft Internet Information Services servers to deploy a custom web shell framework. ReliaQuest has assessed with moderate-to-high confidence that the espionage-focused activity is linked to China. OP-512 is the fourth China-aligned group to single out IIS web servers over the past 12 months.

The group appears to focus on organizations whose sector and geography align with Chinese intelligence priorities, though no overlaps have been found with other known China-aligned adversaries such as CL-STA-0048, DragonRank, or GhostRedirector. Organizations running IIS servers are urged to audit their web server deployments, monitor for unusual web shell activity, and apply available security patches without delay.

Smart TV apps turn living room devices into a secret proxy network” without users knowing!

Security researchers from Include Security and an independent researcher found that free apps available on smart TV platforms contain an SDK described as a “consent-sourced” residential proxy pool of over 150 million IPs. The data scraping occurs from the user’s home IP address” not the customer’s” meaning the home connection and its bandwidth are being used as someone else’s scraping infrastructure.

The affected apps are available on Samsung, LG, Roku, and other major smart TV platforms. Free apps available on Samsung, LG, Roku, and other major smart TV platforms have been quietly enrolling millions of living room devices into a proxy network. Users are encouraged to review the apps installed on their smart TVs and to check whether any unfamiliar applications have been granted broad network permissions.

Dashlane targeted in coordinated vault-harvesting attack” but defences held!

Dashlane’s security systems automatically locked accounts to protect them against hacking attempts on June 2, 2026. Attackers mounted a coordinated campaign against a large base of Dashlane users in an attempt to recover as many encrypted password vaults as possible. The threat actor abused the mechanism that allows Dashlane users to add new devices to their accounts” and fewer than 20 personal user vaults were downloaded before the operation was shut down.

While Dashlane’s quick response limited the damage, the incident highlights the growing interest threat actors have in targeting password managers as a high-value single point of entry. Users of password managers are advised to enable two-factor authentication on their vaults and to monitor for any unauthorized device additions to their accounts.

SolarWinds Serv-U vulnerability added to CISA’s actively exploited vulnerabilities list!

CISA added a high-severity security flaw impacting SolarWinds Serv-U multi-protocol file server software to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-28318 with a CVSS score of 7.5, is a denial-of-service bug that causes the service to crash under certain conditions.

SolarWinds has had a turbulent few years in the cybersecurity spotlight, and this latest addition to CISA’s KEV catalog is a reminder that its products continue to be actively targeted by threat actors. Organizations using SolarWinds Serv-U are urged to apply available patches immediately and to treat any unexpected service crashes as a potential indicator of exploitation.

Hola Browser supply chain attack delivers a hidden cryptocurrency miner to users!

The Windows version of the Hola Browser was compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner.

Hola Browser, which markets itself as a privacy-focused browser with built-in VPN features, has a large global user base. The covert delivery of crypto-mining software through a trusted software update represents a serious breach of user trust and highlights the ongoing risks posed by supply chain attacks targeting popular consumer applications. Users who have Hola Browser installed on Windows are strongly advised to uninstall the application and run a full malware scan on their systems.