CISO Breach & AI Threat Intelligence Report
- For NAM CISOs and security leaders walking into the office this morning
- Coverage window: incidents and vulnerabilities surfaced in roughly the last 24 hours (US & Canada–first, with global items that materially impact NAM exposure)
- High-signal incidents, CVEs to watch, detections to run, and a D0/D3 action plan. Shared via CISO Platform.
Overall severity today: [Critical] — actively exploited zero-day fixes in widely used document software, major supply chain breaches affecting top-tier gaming and AI companies, and significant data exposure at a global travel platform.
HEADLINES SEVERITY: [Critical]
- Booking.com confirms data breach forcing reservation PIN resets
Booking.com has confirmed unauthorized access to its systems, exposing sensitive reservation and user data, including full names, email addresses, phone numbers, and communications with property providers. The company has forced PIN resets for existing and past reservations and is notifying affected users individually. The breach raises significant phishing risks for travelers. (Source: BleepingComputer)
- Rockstar Games and others hit in Anodot supply chain hack
The ShinyHunters hacking group breached business analytics firm Anodot, stealing authentication tokens that allowed them to access customer data stored in Snowflake cloud environments. Rockstar Games confirmed a "limited amount of non-material company information" was accessed. The hackers have issued a "pay or leak" extortion demand with an April 14 deadline. (Source: TechCrunch)
- OpenAI impacted by North Korea-linked Axios supply chain attack
OpenAI revoked its macOS app-signing certificate after discovering that a malicious version of the Axios npm package (version 1.14.1) was pulled into its workflow. The supply chain attack, attributed to North Korean state-sponsored actors, injected credential-stealing malware. While OpenAI found no evidence of user data exposure, older macOS apps will stop working after May 8, 2026. (Source: SecurityWeek)
EXPLOITS & CVEs WATCHLIST [Critical]
1) CVE-2026-34621 — Adobe Acrobat Reader zero-day (active exploitation)
- What it is: An improperly controlled modification of object prototype attributes (prototype pollution) vulnerability in Adobe Acrobat and Acrobat Reader.
- Impact: Successful exploitation enables arbitrary code execution. Attackers can trigger the flaw simply by convincing a victim to open a malicious PDF document. Exploited in the wild since December 2025.
- Action: Deploy Adobe's emergency out-of-band security updates immediately across all endpoints.
- Source: HelpNetSecurity
2) CVE-2026-1340 — Ivanti EPMM code injection (CISA KEV — active)
- What it is: A critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) added to CISA's Known Exploited Vulnerabilities (KEV) catalog on April 8, 2026.
- Impact: Allows unauthenticated attackers to execute arbitrary code on vulnerable EPMM appliances, potentially leading to full system compromise.
- Action: Apply the latest Ivanti patches immediately. Federal agencies are under a mandatory CISA directive to remediate.
- Source: CISA
OTHER NOTABLE INCIDENTS
- CPUID website hacked — trojanized CPU-Z & HWMonitor downloads: CPUID.com was compromised and download links for CPU-Z, HWMonitor, and PerfMonitor were replaced with trojanized executables delivering STX RAT malware. Users who downloaded tools from CPUID.com may be infected. (SecurityWeek)
- Spring Lake Park Schools ransomware attack: All schools in Spring Lake Park, Minnesota were forced to close on April 13 due to a suspected ransomware attack disrupting all computer systems. (DataBreaches.net)
- Silent Ransom Group (SRG) targeting law firms: The FBI-flagged SRG (also known as Luna Moth/UNC3753) has now listed approximately 38 law firms on its leak site. Recent victims include Orrick, Herrington & Sutcliffe LLP and Jones Day. The group uses data theft and phone-based extortion — no encryption. (DataBreaches.net)
DETECTIONS TO RUN TODAY
- PDF execution telemetry: Alert on unexpected child processes spawned by Adobe Acrobat Reader (e.g., cmd.exe, powershell.exe) or unusual network connections originating from the reader process.
- Supply chain monitoring: Scan development environments and CI/CD pipelines for the malicious Axios npm package (version 1.14.1) and monitor for unauthorized credential access.
- Cloud storage access anomalies: Review Snowflake and other cloud data warehouse access logs for unusual queries, bulk data exports, or access from unexpected IP ranges, particularly using service account tokens.
- Ransomware indicators: Hunt for IOCs associated with the Silent Ransom Group (Luna Moth/UNC3753), focusing on unusual data exfiltration patterns without accompanying encryption activity.
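A concrete form of the PDF execution telemetry check above, as an added example that is not part of this brief or any vendor tooling: it reads Sysmon-style process-creation events (JSON, one per line) and flags Adobe Reader or Acrobat launching a shell or script host, while ignoring Acrobat's own helper processes. The event layout, the AcroCEF.exe parent, the child names beyond cmd.exe/powershell.exe and the sample events are all assumptions constructed for the example.

```python
import json
import ntpath

# Reader processes seen as parents; AcroCEF.exe (Acrobat's Chromium helper) is an assumption.
READER_PARENTS = {"acrord32.exe", "acrobat.exe", "acrocef.exe"}
# cmd.exe and powershell.exe come from the brief; the remaining names are assumed extras.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# Helpers Acrobat launches on its own; never alert on these (assumed allowlist).
EXPECTED_CHILDREN = {"acrocef.exe", "adobecollabsync.exe", "acrotray.exe"}

def _basename(path):
    return ntpath.basename(path).lower()

def is_reader_spawn_alert(event):
    """True when a process-creation event shows Reader/Acrobat launching a suspicious child."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in READER_PARENTS or child in EXPECTED_CHILDREN:
        return False
    return child in SUSPICIOUS_CHILDREN

def scan_events(lines):
    """Return (host, parent, child, command line) for every alerting JSON event line."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Sysmon Event ID 1 = process creation; network events (ID 3) belong to a separate rule
        if ev.get("EventID") == 1 and is_reader_spawn_alert(ev):
            alerts.append((ev.get("Computer"), _basename(ev["ParentImage"]),
                           _basename(ev["Image"]), ev.get("CommandLine", "")))
    return alerts

# Constructed sample events: one benign helper launch, two Reader-spawned shells, two non-matches.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-0417", "ParentImage": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", "Image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF\\AcroCEF.exe", "CommandLine": "AcroCEF.exe --type=renderer"}
{"EventID": 1, "Computer": "WS-0417", "ParentImage": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <redacted>"}
{"EventID": 1, "Computer": "WS-0233", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "Computer": "WS-0233", "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe"}
{"EventID": 1, "Computer": "WS-0512", "ParentImage": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(*alert)
```

Feed it your EDR or Sysmon export in the same JSON-lines shape, or port the two sets into a Sigma/EDR rule keyed on ParentImage and Image.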
REGULATORY & POLICY UPDATES
- SEC cyber incident rule under pressure: ICBA and financial industry groups are urging the SEC to rescind its cybersecurity risk management governance and incident disclosure rule (April 13, 2026). (Source: ICBA)
- UK Cyber Essentials v3.3 — effective April 27, 2026: The updated standard tightens MFA, patching, and scope requirements. Any assessment account created on or after April 27 will use the new Danzell Question Set. (Source: NCSC)
- FCC foreign router coverage expansion: The FCC updated its Covered List on March 23, 2026 to include all consumer-grade routers produced in foreign countries (except those with explicit conditional approval). (Source: FCC)
- UK Cyber Security and Resilience Bill: The UK government is modernising cyber regulation with new mandatory incident reporting (24-hour initial report) and resilience requirements for critical infrastructure operators. (Source: UK Government)
COMMUNICATION NOTE
For execs / board (2–3 sentences):
"Today's priority risks include an actively exploited zero-day vulnerability in Adobe Acrobat Reader, a major supply chain breach affecting cloud data stores via a third-party analytics vendor, and a North Korean software tampering incident that impacted OpenAI. We are moving aggressively to patch vulnerable software, audit our cloud service provider access tokens, and enhance telemetry for early detection of exploit behavior."
For employees (1–2 sentences):
"Update your devices immediately, be extremely cautious when opening PDF documents, and watch out for highly convincing phishing emails related to travel bookings or reservations."
ACTION PLAN
D0–D1:
- Deploy Adobe Acrobat Reader emergency patches enterprise-wide.
- Audit and rotate authentication tokens provided to third-party cloud analytics and monitoring platforms.
- Scan development environments for the compromised Axios npm package (v1.14.1).
- Block or restrict use of vulnerable Ivanti EPMM appliances pending updates.
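A lockfile check that serves both the "Supply chain monitoring" detection item and the D0–D1 Axios scan step, as an added example that is not part of this brief: it parses npm package-lock.json / npm-shrinkwrap.json (lockfileVersion 1 and 2/3) and reports every install path carrying axios 1.14.1, including copies nested under other packages, then walks a source tree for such lockfiles. The sample lockfile is constructed; the version comes from the brief.

```python
import json
import os

# Package/version pairs named in the brief; extend as new advisories land.
BAD_PACKAGES = {"axios": {"1.14.1"}}

def _walk_v1(deps, prefix, hits):
    # lockfileVersion 1 nests transitive deps under each entry's own "dependencies"
    for name, meta in deps.items():
        path = f"{prefix}/node_modules/{name}" if prefix else f"node_modules/{name}"
        if meta.get("version") in BAD_PACKAGES.get(name, ()):
            hits.append((path, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), path, hits)

def find_bad_packages(lock):
    """Return [(install path, version)] for every flagged package in a parsed lockfile."""
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root project itself
        for path, meta in packages.items():
            if not path:
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]  # aliases carry "name"
            if meta.get("version") in BAD_PACKAGES.get(name, ()):
                hits.append((path, meta["version"]))
    else:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return hits

def scan_tree(root):
    """Walk a checkout and map each lockfile path to its flagged packages (only non-empty hits)."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # lockfiles sit at project roots
        for fname in ("package-lock.json", "npm-shrinkwrap.json"):
            if fname in filenames:
                with open(os.path.join(dirpath, fname), encoding="utf-8") as fh:
                    hits = find_bad_packages(json.load(fh))
                if hits:
                    report[os.path.join(dirpath, fname)] = hits
    return report

# Constructed sample: a clean top-level axios plus a nested copy at the flagged version.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {"": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.7.9"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}}}""")
```

Run `scan_tree` against each repository or build-agent workspace; a lockfile scan misses unlocked installs, so also compare `npm ls axios` output on CI images.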
D2–D3:
- Tune EDR/IDS rules for exploitation signatures related to the Adobe zero-day.
- Run targeted threat hunts for unauthorized access to Snowflake or other cloud data warehouses.
- Validate third-party and cloud partner notification timelines and incident response playbooks.
D4–D7:
- Conduct tabletop exercises simulating a supply chain compromise of a trusted SaaS vendor.
- Assess the impact of potential SEC regulatory changes regarding cyber incident reporting obligations.
- Review compliance posture against the upcoming UK Cyber Essentials v3.3 Danzell requirements (effective April 27, 2026).
Forward this to your cybersecurity team / CISO if this daily brief helps them start the day with a clear action list.
Sources: KrebsOnSecurity | Have I Been Pwned | DataBreaches.net | BleepingComputer | SecurityWeek | The Record | CISA | Schneier on Security | Graham Cluley | Anton on Security