SSO Phishing, Patching Failures, Exposed APIs
This episode covers SSO phishing, patching failures, exposed APIs, and zombie infrastructure, all of which remind us that basic security hygiene still decides the outcome.
This week’s coverage spans identity, patching, exposed infrastructure, and aging systems. A fintech breach traced back to phished SSO accounts exposed nearly a million records, while researchers pointed out that known vulnerabilities are still doing most of the damage. An exposed backend service leaked traveler data, and widely used enterprise tools landed on CISA’s exploited list.
Key Takeaways:
Nearly 1 Million User Records Compromised in Figure Data Breach, Security Week
- What Matters: Attackers used social engineering to compromise SSO accounts at fintech firm Figure, exposing nearly a million customer records. Identity is prime real estate, so phishing against SSO remains a high-return move. When SSO becomes the front door, phishing-resistant MFA, session controls, and login monitoring have to be tight, because one phished account inherits every application behind it.
- What’s Overhyped: This was not a platform-level collapse. The identity provider was not breached; attackers phished users who happened to rely on it.
Forget Zero-Days - 'N-days' Could Be the Most Worrying Threat, TechRadar
- What Matters: Reporting highlights that most exploited vulnerabilities are known and patchable, not zero-days. Known bugs keep getting exploited because patching processes are still broken: weak asset data and fragile update cycles leave old flaws exposed longer than anyone intends.
- What’s Overhyped: There is no sudden pivot toward n-days. Known, patchable flaws have driven exploitation for years, so the surprise factor is overstated.
Huge OneFly Data Breach Sees Traveler IDs and Payment Details Leaked, TechRadar
- What Matters: An unsecured Elasticsearch instance tied to internal services exposed traveler IDs, payment data, and authentication tokens. An internal system reachable from the internet points to gaps in testing or segmentation. As APIs and backend services multiply, those gaps become easier to miss.
- What’s Overhyped: The focus on “clear text” data implies encryption alone would have prevented this. Encryption at rest does not help when the service itself answers unauthenticated queries from the internet; the real issue was an exposed, unauthenticated service, not a failure to sprinkle cryptography everywhere.
CISA warns of actively exploited enterprise software vulnerabilities for SolarWinds, Notepad++, Security Week
- What Matters: CISA added vulnerabilities in several widely used tools, including SolarWinds and Notepad++, to its Known Exploited Vulnerabilities (KEV) catalog, which carries remediation deadlines for federal agencies. When monitoring and management systems such as SolarWinds show up there, it matters because those tools sit at the center of enterprise visibility and control, and access in that layer can ripple outward fast.
- What’s Overhyped: Landing on the exploited list does not automatically make a tool uniquely unsafe. Widely deployed enterprise software becomes a target simply because it is everywhere.
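The practical response to both the n-day item and the KEV additions is the same: reconcile what you actually run against the catalog and work the overdue entries first. The script below is an added example written for this summary, not code from the episode or from CISA. The catalog entries and the inventory are constructed placeholders (the CVE identifiers are deliberately not real ones); only the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) follow the public KEV JSON feed's schema. Assets with missing vendor or product data are reported as gaps rather than silently skipped, which is the "weak asset data" problem the reporting describes.

```python
"""Reconcile a software inventory against a KEV-style catalog extract.

Added example for this episode summary. KEV_SAMPLE and INVENTORY are
constructed; the CVE identifiers are placeholders, not real entries.
"""
from datetime import date

# Constructed extract in the shape of the public KEV JSON feed.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "SolarWinds", "product": "Orion Platform",
         "dateAdded": "2025-01-10", "dueDate": "2025-01-31",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Notepad++", "product": "Notepad++",
         "dateAdded": "2025-02-03", "dueDate": "2025-02-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
         "dateAdded": "2025-02-05", "dueDate": "2025-02-26",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Constructed inventory. The last record has the empty fields that real CMDB
# exports so often contain; it must surface as a gap, not disappear.
INVENTORY = [
    {"host": "mon-01", "vendor": "SolarWinds", "product": "Orion Platform", "version": "2024.4", "owner": "netops"},
    {"host": "ws-117", "vendor": "Notepad++", "product": "Notepad++", "version": "8.6", "owner": "desktop"},
    {"host": "db-07", "vendor": "Elastic", "product": "Elasticsearch", "version": "8.1.0", "owner": "data"},
    {"host": "legacy-03", "vendor": "", "product": "", "version": "", "owner": ""},
]


def norm(s):
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(s.lower().split())


def match_inventory(inventory, catalog):
    """Return (matches, gaps).

    KEV entries carry no affected-version ranges, so this is a first-pass
    vendor/product match; version applicability must still be confirmed
    against the vendor advisory before closing a finding.
    """
    by_key = {}
    for v in catalog["vulnerabilities"]:
        by_key.setdefault((norm(v["vendorProject"]), norm(v["product"])), []).append(v)
    matches, gaps = [], []
    for asset in inventory:
        if not asset["vendor"] or not asset["product"]:
            gaps.append(asset["host"])          # cannot be matched: fix the asset data
            continue
        for v in by_key.get((norm(asset["vendor"]), norm(asset["product"])), []):
            matches.append({"host": asset["host"], "owner": asset["owner"],
                            "version": asset["version"], "cveID": v["cveID"],
                            "dueDate": v["dueDate"], "requiredAction": v["requiredAction"]})
    return matches, gaps


def triage(matches, today_iso):
    """Mark each match overdue or not and order overdue, then earliest due, first."""
    today = date.fromisoformat(today_iso)
    for m in matches:
        due = date.fromisoformat(m["dueDate"])
        m["overdue"] = today > due
        m["days_past_due"] = max(0, (today - due).days)
    return sorted(matches, key=lambda m: (not m["overdue"], m["dueDate"]))


def report(inventory, catalog, today_iso):
    """Plain-text lines suitable for a ticket or a daily digest."""
    matches, gaps = match_inventory(inventory, catalog)
    lines = []
    for m in triage(matches, today_iso):
        state = f"OVERDUE by {m['days_past_due']}d" if m["overdue"] else f"due {m['dueDate']}"
        lines.append(f"{m['host']} ({m['owner'] or 'no owner'}): {m['cveID']} {state}; {m['requiredAction']}")
    for host in gaps:
        lines.append(f"{host}: vendor/product missing in inventory, cannot be matched against KEV")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY, KEV_SAMPLE, "2025-03-01"):
        print(line)
```

Run against the constructed data with a date after both due dates, the two matched hosts come out overdue and `legacy-03` is listed as an inventory gap; the Citrix entry has no inventory match, which is the normal case for most of the catalog.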
Hackers Actively Scan Citrix NetScaler Infrastructure, Cybersecurity News
- What Matters: Researchers observed large-scale internet scanning targeting exposed Citrix login portals as part of pre-exploitation reconnaissance. Internet-facing login pages will be scanned nonstop, which makes forgotten or misconfigured assets the real risk. Exposure that lingers longer than intended is usually an inventory and lifecycle problem.
- What’s Overhyped: Large-scale scanning of exposed portals is routine background noise. Seeing probes in your logs does not mean something new just started.
Zombie Projects Rise Again to Undermine Security, Dark Reading
- What Matters: Abandoned or poorly maintained legacy systems continue to introduce risk, especially in complex environments with deep software dependencies. Software ages poorly, and ownership often fades over time. Without clear accountability and end-of-life planning, those systems persist and accumulate risk quietly.
- What’s Overhyped: Older systems are not inherently negligent. In many industries, long lifecycles are expected; unmanaged ownership is the real failure.
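The exposed Elasticsearch instance, the scanned Citrix portals, and the zombie projects above share one root cause: nobody is comparing what is reachable from the internet against what is supposed to be. The script below is an added example for this summary, not code from any of the sources; it reconciles a constructed asset inventory (with approved public ports, owners, and planned end-of-life dates) against constructed external-scan findings. The `auth_required` field on a finding is an assumed scanner output, not a specific tool's format. It flags unknown hosts, services exposed without approval, services answering without authentication, and assets still online past their end-of-life date.

```python
"""Reconcile external exposure findings against an asset inventory.

Added example for this episode summary. ASSETS and FINDINGS are constructed;
the 10.0.0.0/8 addresses and the auth_required field are assumptions.
"""
from datetime import date

# Constructed inventory: what each host is allowed to expose, who owns it,
# and when it was supposed to be retired.
ASSETS = {
    "10.0.5.20": {"name": "api-gw-01", "owner": "platform", "approved_public": {443}, "eol": None},
    "10.0.5.31": {"name": "search-02", "owner": "data", "approved_public": set(), "eol": None},
    "10.0.9.4":  {"name": "portal-legacy", "owner": "", "approved_public": {443}, "eol": "2023-06-30"},
}

# Constructed findings from an external scan of the public ranges.
FINDINGS = [
    {"ip": "10.0.5.20", "port": 443, "service": "https"},
    {"ip": "10.0.5.31", "port": 9200, "service": "elasticsearch", "auth_required": False},
    {"ip": "10.0.9.4", "port": 443, "service": "https"},
    {"ip": "10.0.12.77", "port": 22, "service": "ssh"},
]


def reconcile(assets, findings, today_iso):
    """Return sorted lists of findings grouped by the failure they indicate."""
    today = date.fromisoformat(today_iso)
    report = {"unknown_hosts": [], "unapproved_exposure": [], "unauthenticated": [], "past_eol": []}
    eol_seen = set()
    for f in findings:
        asset = assets.get(f["ip"])
        if asset is None:
            # Reachable but not in inventory: the forgotten-asset case.
            report["unknown_hosts"].append(f"{f['ip']}:{f['port']}/{f['service']}")
            continue
        tag = f"{asset['name']} ({f['ip']}) {f['port']}/{f['service']}"
        if f["port"] not in asset["approved_public"]:
            # An internal-only service (here a search backend) answering on the internet.
            report["unapproved_exposure"].append(tag)
        if f.get("auth_required") is False:
            # Exposure plus no authentication is the data-leak combination.
            report["unauthenticated"].append(tag)
        if asset["eol"] and date.fromisoformat(asset["eol"]) < today and f["ip"] not in eol_seen:
            # Still online after its planned retirement: a zombie, reported once per host.
            eol_seen.add(f["ip"])
            report["past_eol"].append(
                f"{asset['name']} ({f['ip']}) eol {asset['eol']}, {asset['owner'] or 'no owner'}")
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    for key, items in reconcile(ASSETS, FINDINGS, "2025-03-01").items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Feeding real scanner output into this means mapping its fields onto `ip`, `port`, `service`, and (where the tool reports it) whether the service accepted an unauthenticated request; the inventory side is the harder part, which is exactly the point the coverage keeps making.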
Chinese Bots Drive Traffic Surge to Lanzhou Website, The Cyber Express
- What Matters: Reporting described a surge of automated traffic attributed to bot activity, doubling activity on niche Chinese-language sites. A traffic spike should trigger analysis, not panic, because noise in one area can mask activity somewhere else. Defenders need enough visibility to avoid overcommitting to the loudest signal in the room.
- What’s Overhyped: The reported spike was limited and tied to niche sites. This surge looks more like tool testing than the launch of a large-scale campaign.