Here are today’s top cybersecurity stories for Monday, April 27, 2026.
ShinyHunters Breaches ADT, Exposing 5.5 Million Customers
Home security giant ADT confirmed a data breach after ShinyHunters stole personal information belonging to 5.5 million individuals. The group gained access by compromising an employee’s Okta SSO account through a voice phishing attack, then exfiltrated data from ADT’s Salesforce instance, including names, phone numbers, addresses, and in some cases dates of birth and partial Social Security numbers. ShinyHunters issued a final ransom deadline of April 27 before publishing the stolen 11GB archive. (Source: BleepingComputer)
Toronto Police Make Canada’s First SMS Blaster Arrests in Project Lighthouse
Toronto police arrested three individuals and charged them with 44 combined offences after seizing SMS blasters — devices that mimic cell towers to intercept connections and deliver fraudulent text messages. The operation, dubbed Project Lighthouse, uncovered 13 million network disruptions across the Greater Toronto Area and found the devices interfered with emergency 911 service. Three men from Hamilton and Markham face charges including fraud and mischief endangering life. (Source: CBC News)
BlackFile Extortion Group Targets Retail and Hospitality with Vishing and Seven-Figure Ransoms
Palo Alto Unit 42 researchers documented a financially motivated extortion group called BlackFile — also tracked as UNC6671 and Cordial Spider — that has conducted data theft attacks against retail and hospitality organizations since February 2026. The group impersonates IT helpdesk staff via spoofed VoIP calls to steal credentials and bypass MFA, then exfiltrates files from Salesforce and SharePoint. Victims have also been subjected to swatting attacks targeting senior executives. (Source: BleepingComputer)
Utility Giant Itron Discloses Cyberattack on Internal Systems
Itron, a Washington-based company providing technology for energy and water utilities serving 7,700 customers across 100 countries, disclosed a breach of its internal IT systems detected April 13. The company filed an 8-K with the SEC confirming unauthorized access to part of its IT environment, though it said customer systems and operations remained unaffected. No ransomware group has claimed the attack. (Source: TechCrunch)
CISA Adds Four Exploited Vulnerabilities to KEV: SimpleHelp, Samsung MagicINFO, D-Link
CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog with a May 8 federal remediation deadline. Two SimpleHelp flaws — CVE-2024-57726 (CVSS 9.9) and CVE-2024-57728 (CVSS 7.2) — are being weaponized as ransomware precursors by the DragonForce operation. Samsung MagicINFO CVE-2024-7399 and D-Link DIR-823X CVE-2025-29635 are under active exploitation by Mirai botnet variants. (Source: The Hacker News)
Bitwarden CLI Compromised in Shai-Hulud npm Supply Chain Attack
Researchers at JFrog and Socket discovered a malicious version of Bitwarden CLI (v2026.4.0) distributed via npm for approximately 90 minutes on April 22, exposing 334 developers. The malware harvested GitHub and npm tokens, SSH keys, environment variables, shell history, and cloud credentials at install time by abusing a GitHub Actions workflow in Bitwarden’s CI/CD pipeline. The incident carries links to the broader Shai-Hulud supply chain campaign. (Source: The Hacker News)
SentinelOne Uncovers Fast16: A Pre-Stuxnet Sabotage Malware From 2005
SentinelOne Labs published research on Fast16, a Windows malware sample dated to August 2005 — five years before Stuxnet — designed to sabotage precision engineering and simulation software. The malware is the first known Windows strain to embed a Lua scripting engine, and it introduced systematic calculation errors into tools including LS-DYNA and PKPM. SentinelOne assessed with moderate confidence it shares authorship with Stuxnet. (Source: SentinelOne Labs)
Trump FY2027 Budget Proposes $707 Million Cut to CISA, Eliminates 860 Positions
The Trump administration’s fiscal 2027 budget proposal would reduce CISA’s funding from roughly $3 billion to just over $2 billion, eliminating approximately 860 staff positions. The proposal would shut down CISA’s Elections Infrastructure Information Sharing and Analysis Center and scale back stakeholder engagement and international affairs functions. Security experts warn the agency is already significantly weakened after a year of layoffs and prior cuts. (Source: CyberScoop)
CISA Directs Federal Agencies to Remove Unsupported Edge Devices
A new CISA directive requires US federal agencies to inventory, within three months, all edge devices (including firewalls, routers, and VPN appliances) that are no longer supported by their manufacturers, and to replace them within one year. The order follows a series of nation-state campaigns exploiting end-of-life network equipment and aligns with efforts to eliminate known internet-exposed infrastructure risk. (Source: CyberScoop)