• Cybersecurity in 60 Seconds - June 12 2024 - Disney Gets Hacked by Accident / Microsoft Recalls "Recall" / NYT Source Code Leaks

  • Jun 12 2024
  • Length: 4 mins
  • Podcast

  • Summary

  • Club Penguin Fans Hack Disney Server, Steal 2.5GB of Corporate Data

    A group of Club Penguin fans hacked into a Disney Confluence server, intending to access information about the defunct online game, but instead made off with 2.5GB of internal corporate data. The stolen data includes documents on Disney's corporate strategies, advertising plans, Disney+, internal developer tools, business projects, and internal infrastructure, some of which dates back to 2022. The breach was reportedly carried out using previously exposed credentials, and the data was shared on Discord and 4chan message boards. Disney has yet to comment on the incident.

    Microsoft Makes Changes to Controversial Screenshot Feature After Privacy Concerns

    Microsoft has announced changes to its "Recall" feature, a screenshot tool announced for its new AI-powered PCs, after privacy concerns were raised. The feature, which captures and stores screenshots of desktop activity, will now be opt-in instead of enabled by default, and users will need to use Windows' "Hello" authentication process to enable it. The changes come after critics warned that hackers could misuse the tool and its saved screenshots. The UK's data watchdog, the Information Commissioner's Office (ICO), had also expressed concerns about the feature. Microsoft's updates will be implemented before the launch of Copilot+ PCs on June 18.

    Critical PHP Vulnerability Exploited in the Wild

    A critical vulnerability in PHP (CVE-2024-4577) has been discovered, allowing attackers to execute malicious code on Windows devices. The bug is easily exploitable, proof-of-concept code is available, and exploitation has been observed in the wild. The vulnerability affects PHP versions 8.3-5 and is caused by errors in Unicode character conversion. Patching is recommended immediately, especially for servers using PHP in CGI mode. Mitigation measures, such as rewrite rules, are available for unsupported versions. XAMPP for Windows is vulnerable by default, but disabling PHP CGI can temporarily mitigate the issue.

    New York Times Investigates Source Code Leak

    The New York Times is investigating a leak of its source code, which was posted on 4chan. The leak includes 270 GB of data, reportedly containing 5,000 repositories and 3.6 million files, including code for games like Wordle. The exposed data also allegedly includes user information, authentication URLs, API tokens, and secret keys. The Times confirmed the breach occurred in January 2024 due to an exposed credential on a cloud-based platform, but stated that there is no evidence of unauthorized access to its systems or impact on operations. The incident is under investigation.
