In today’s cybersecurity news…
Brute forcing phone numbers linked to Google accounts
The security researcher known as brutecat published details of how they were able to obtain the recovery phone number attached to a Google account because of a flaw in the account recovery process. Brutecat first noticed the issue on finding that the username recovery page still worked with JavaScript disabled in the browser. The attack chain combined two HTTP requests, one of them checking whether a recovery email or phone number belongs to an account with a given display name, with IPv6 address rotation to evade rate limiting and a botguard token pasted into the JavaScript-disabled flow, which together made a brute-force attack against the number practical. The time to recover the number for a given account varied from about 20 minutes for US numbers to roughly 5 seconds for Singapore numbers. After disclosure, Google deprecated the username recovery form used in the attack.
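The rate-limiting bypass is the reusable lesson here: a limiter keyed on the full client address is no obstacle to a client that controls an entire IPv6 /64 and can present a fresh address on every request. The following is an added illustration, not code from brutecat's write-up or from Google, and it generalizes beyond the Google case: it contrasts a naive per-address limiter with one that buckets IPv6 clients by their /64 prefix, simulating an attacker who rotates through addresses in the documentation prefix 2001:db8:1:2::/64 (a constructed sample; the limit of five attempts per bucket is an assumed policy).

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the attacker rotates source addresses inside one
# IPv6 /64 allocation (documentation prefix, not a real network).
ATTACKER_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
LIMIT = 5  # assumed policy: guesses allowed per bucket per window


def per_address_key(addr: str) -> str:
    """Naive bucket key: the exact client address (normalized)."""
    return str(ipaddress.ip_address(addr))


def rate_limit_key(addr: str, v6_prefix: int = 64) -> str:
    """Prefix-aware bucket key.

    IPv4 addresses are keyed individually. IPv6 addresses are keyed by their
    /64 prefix, because an end site typically controls a whole /64 and can
    rotate through 2**64 addresses at no cost, so the per-address key is
    meaningless there.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False))
    return str(ip)


class Limiter:
    """Minimal fixed-window counter: allow() is True until LIMIT is exceeded."""

    def __init__(self, limit: int, key_func):
        self.limit = limit
        self.key_func = key_func
        self.counts = defaultdict(int)

    def allow(self, addr: str) -> bool:
        key = self.key_func(addr)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(limiter: Limiter, attempts: int) -> int:
    """Return how many guesses get through when each guess uses a fresh
    address drawn from the attacker's /64 (::1, ::2, ...)."""
    allowed = 0
    for i in range(attempts):
        addr = str(ATTACKER_PREFIX[i + 1])
        if limiter.allow(addr):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("per-address limiter let through:",
          simulate(Limiter(LIMIT, per_address_key), 1000))   # 1000
    print("prefix-aware limiter let through:",
          simulate(Limiter(LIMIT, rate_limit_key), 1000))    # 5
```

Keying on /64 is the usual starting point; operators with good allocation data may key on the assigned prefix instead (/48 or /56 for many hosting providers), and combining the address bucket with a per-account or per-target bucket closes the case where the attacker has more than one prefix.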
The Guardian launches Secure Messaging service
The UK publication partnered with the University of Cambridge to launch this new Secure Messaging service, offering encrypted messaging directly to journalists from within its app. Journalists have long used end-to-end encrypted messaging to communicate with sources. But, Secure Messaging is designed to provide “strong plausible deniability by making every instance of the news organisation’s public mobile app behave the same way, whether it is used for secure communication or for normal news consumption” using a backend called CoverDrop. The Guardian published the source code on GitHub so other organizations can adopt it.
United Natural Foods hit by cyberattack
The company confirmed it discovered a cyberattack on June 5, 2025, according to an 8-K filing with the US SEC. United Natural Foods is North America’s largest publicly traded wholesale food distributor, with 53 distribution centers. The company proactively took some systems offline due to the attack, disrupting customer orders. At the same time, anecdotal posts on social media mention some worker shifts cancelled as well. No ransomware group took credit for the attack, and the company has not released further details about any data loss or what systems the attacker accessed.
PathWiper hits Ukrainian critical infrastructure
Researchers at Cisco Talos identified a new wiper malware, dubbed PathWiper, hitting Ukrainian critical infrastructure and tied to Russian APTs. The malware was initially deployed through an endpoint administration framework, which executed a VBScript file. Once running, PathWiper maps all attached storage using system APIs. From there, it creates a thread per volume to overwrite filesystem components, including master boot records. Talos researchers say PathWiper resembles HermeticWiper, the 2022 wiper linked to Russia's Sandworm group, although PathWiper shows more sophisticated targeting.
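Because the wiper overwrites the master boot record, the first forensic question on an affected host is whether sector 0 still carries a valid MBR. The following is an added example, not code from Talos or from the malware analysis, that parses a 512-byte boot sector (boot code, four 16-byte partition entries, 0x55AA signature) and classifies it. The two images it runs against are constructed in the block: one intact sector with a single NTFS partition starting at LBA 2048, and two overwritten variants (zero-filled and filled with a fixed byte pattern standing in for random data).

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 446        # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xaa"     # at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Parse the first 512 bytes of a disk image and report its health."""
    if len(sector) < SECTOR:
        raise ValueError("need at least 512 bytes")
    sector = sector[:SECTOR]
    signature_ok = sector[510:512] == SIGNATURE

    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })

    boot_code_blank = not any(sector[:PART_TABLE_OFF])

    if not signature_ok:
        verdict = "wiped"          # no MBR signature: overwritten or never partitioned
    elif not partitions:
        verdict = "suspect"        # signature present but empty partition table
    else:
        verdict = "intact"

    return {
        "signature_ok": signature_ok,
        "boot_code_blank": boot_code_blank,
        "partitions": partitions,
        "verdict": verdict,
    }


def build_intact_mbr() -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # typical boot-code prologue
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def build_zeroed_mbr() -> bytes:
    """Constructed sample: sector 0 overwritten with zeros."""
    return bytes(SECTOR)


def build_garbage_mbr() -> bytes:
    """Constructed sample: sector 0 overwritten with a fixed byte pattern
    standing in for random data (deterministic so the result is repeatable)."""
    return bytes((i * 37 + 11) % 256 for i in range(SECTOR))


if __name__ == "__main__":
    for name, img in [("intact", build_intact_mbr()),
                      ("zeroed", build_zeroed_mbr()),
                      ("garbage", build_garbage_mbr())]:
        r = parse_mbr(img)
        print(f"{name:8s} verdict={r['verdict']:8s} sig={r['signature_ok']} "
              f"partitions={len(r['partitions'])}")
```

On a real image, read the first 512 bytes of the device or E01/raw file and pass them to parse_mbr; a GPT disk still has a protective MBR with a single type 0xEE entry, so the check applies there too. A "wiped" verdict tells you sector 0 is gone, not how much else is; the page notes the wiper also targets other filesystem components, so the next step is to check the volume boot records and MFT of each volume the same way.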
Huge thanks to our sponsor, Vanta

With Vanta, GRC can be so. much. easier—while also strengthening your security posture and driving revenue for your business. Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information.
The impact is real: A recent IDC analysis found that compliance teams using Vanta are one hundred and twenty nine percent more productive.
Get back time to focus on strengthening security and scaling your business. Get started at Vanta.com/headlines.
Russian companies hit with LockBit
You don’t tug on Superman’s cape, you don’t spit into the wind, you don’t pull the mask off of the old Lone Ranger, and you don’t have your ransomware affiliates attack Russia. Those used to be the rules. However, the Russian cybersecurity firm Positive Technologies identified a financially motivated group called DarkGaboon that was doing just that: deploying LockBit 3.0 ransomware against Russian companies. Unlike typical LockBit affiliates, DarkGaboon appears to operate entirely independently, using Russian-language phishing emails with malicious attachments posing as legitimate financial documents. Researchers say the group appears to have been operating since at least 2023, but its use of open-source tools elsewhere in its attack chain made attribution difficult.
FBI keeps Leatherman in its back pocket
FBI Director Kash Patel named agency veteran Brett Leatherman as assistant director and head of the Cyber Division. During his 22-year career, Leatherman served as section chief for cyber investigations and deputy assistant director for the last three years and has been the FBI’s public face for communications on major cyber incidents going back to the Colonial Pipeline attack. He takes over for Bryan Vorndran, who left the FBI to work as Microsoft’s deputy CISO. Given the number of personnel shakeups across government cybersecurity posts since January, this is a notable bit of continuity.
NHS out for blood after cyberattack
On June 9th, the UK’s National Health Service called for people to donate blood, with supplies still disrupted by last year’s ransomware attack against the pathology services provider Synnovis. That attack disrupted the ability of healthcare organizations to match blood types quickly, resulting in increased use of O-type stocks. Because the blood supply is maintained by a relatively small number of consistent donors, stocks have remained “in a very fragile position” ever since, especially for the universal donor O-type. Recorded Future News reported that, as of May, impacted patients had still not been notified of what data was exposed in the attack.
Cloudflare creates OAuth library with Claude
Last week, Cloudflare published an open-source OAuth 2.1 library that was written almost entirely by Anthropic’s Claude LLM. Notably, the company also published comprehensive documentation of the process, including the full prompt history. Given the sensitive nature of the library, this wasn’t an exercise in vibe coding: humans reviewed every part of the process. Software developer Max Mitchell reviewed that history and found the LLM excelled when given a substantial block of code to work from, with clear context and an explanation of what needed to change. In all instances, the LLM excelled at generating documentation. However, the code needed human intervention for styling and other housekeeping tasks. Mitchell suggested treating this like collaborating with a human developer: expect a back and forth rather than one-off prompting success. Cloudflare tech lead Kenton Varda, who oversaw the project, came into it with a healthy dose of skepticism, but ended up saying, “I was trying to validate my skepticism. I ended up proving myself wrong.”