Breach

• LAPSUS$ Is Back. This Time It's Pharma. March 26, 2026

  A threat actor identifying itself as LAPSUS$ is claiming a breach of AstraZeneca, with 3GB of alleged source code, CI/CD secrets, and contractor access data up for private sale. AstraZeneca has not confirmed or denied. Here's what the sample data suggests, and why the engineering risk extends well beyond the initial target.

• HackerOne Employee Data Exposed via BOLA Flaw in Benefits Provider Navia March 25, 2026

  A BOLA vulnerability in Navia Benefit Solutions exposed data on almost 300 HackerOne employees over 24 days. HackerOne is publicly criticising Navia's slow disclosure -- an irony worth sitting with, given that responsible disclosure is HackerOne's entire reason for existing.

• Crunchyroll Breached via BPO Partner: 100GB Allegedly Stolen, Still No Disclosure March 23, 2026

  A threat actor claims to have exfiltrated 100GB of customer data from Crunchyroll after compromising a Telus BPO employee on March 12, 2026. Eleven days later, Crunchyroll has made no public disclosure -- raising serious questions about GDPR compliance and third-party vendor risk.