> 🎙️ This post was auto-generated from the [Tech Updates podcast](https://rss.com/podcasts/tech-updates-by-andres-sarmiento/2915597) episode.

Six months into 2026, the breach scoreboard tells a story that should terrify every IT leader—and it's not the one the headlines are selling. We're not dealing with sophisticated zero-day exploits or nation-state tooling so advanced it baffles detection. Instead, we're looking at a string of massive compromises built on the oldest tricks in the book: a phone call to the help desk, a stolen token, and a door left wide open.

What This Episode Covers

  • The vishing wave: How groups like Scattered Spider and ShinyHunters breached Aflac, Carnival, Canvas, and Charter with nothing more than social engineering
  • Breach corrections: Why the OnlyFans breach narrative was recycled old data, and why the Charter breach numbers were vastly overstated
  • Nation-state activity: Salt Typhoon in the FBI’s surveillance systems, Russia-linked sabotage in Europe, and Volt Typhoon pre-positioned in US utilities
  • Supply-chain compromise: Poisoned development tools stealing API keys, OAuth grants, and CI/CD pipeline secrets
  • The five common failures: Social engineering vulnerability, missing MFA, non-human identity management gaps, exposed services, and flat network architecture
  • A practical 4-move Monday playbook: Concrete defensive actions your team can implement immediately

Deep Dive

The Vishing Wave: Low-Tech, High-Impact

The common thread across Aflac (22 million records), Carnival, Canvas, and Charter wasn’t sophisticated hacking—it was a phone call. Groups like Scattered Spider and ShinyHunters exploited one of the hardest vulnerabilities to patch: people.

Vishing (voice phishing) worked because help desk teams are trained to be helpful. An attacker calls claiming to be an employee locked out of their account. They have just enough social engineering ammunition—gleaned from LinkedIn, company websites, or earlier reconnaissance—to seem legitimate. The help desk resets credentials or issues temporary tokens. Game over.

This isn’t new, but it’s devastatingly effective. And it scales. One successful call gives the attacker insider access. From there, lateral movement through a flat network architecture is trivial.

Corrections to the Record

Not all breaches are created equal, and the narrative often diverges from reality. The podcast corrects two major stories: OnlyFans was not breached in 2026—the circulating data was recycled from years-old compromises. Similarly, the Charter breach was approximately 4.9 million records, not the 40 million figure that dominated headlines. These corrections matter because they affect risk assessments and resource allocation.

Nation-State Activity: A Different Threat Layer

While vishing attacks grab headlines, nation-state actors operate on a different timeline. Salt Typhoon’s presence in the FBI’s surveillance systems represents not just espionage, but operational risk to US law enforcement. Russia-linked sabotage in Europe and Volt Typhoon’s pre-positioned presence in US utility networks suggest adversaries are playing a longer game—positioning for potential operational disruption rather than immediate theft.

The distinction matters for your security posture: nation-state threats require different detection and response strategies than financially motivated cybercriminals.

Supply-Chain Compromise: The New Attack Vector

Poisoned development tools represent a particularly dangerous evolution. When a legitimate tool or library is compromised, it travels down your CI/CD pipeline into your production environment with implicit trust. Attackers aren’t just stealing API keys and OAuth grants—they’re capturing credentials that manage critical infrastructure access.

This is especially dangerous in organizations with immature secrets management practices or environments where API keys are hardcoded or logged.

The Five Failures Tying It All Together

These breaches share five structural weaknesses:

  1. Social engineering vulnerability: Help desks, employees, and contractors remain susceptible to well-executed vishing and pretexting
  2. Missing MFA: Too many critical systems still lack multi-factor authentication, making credential theft immediately exploitable
  3. Non-human identity gaps: Service accounts, API keys, and OAuth tokens lack proper visibility and rotation schedules
  4. Exposed services: VPNs, remote access portals, and management consoles accessible from the internet with weak authentication
  5. Flat network architecture: Once inside, attackers move freely between systems with minimal segmentation

The 4-Move Monday Playbook

While the podcast teases a concrete playbook, the framework is clear: audit identity access (human and non-human), implement MFA universally, segment your network, and establish incident response plans specifically for social engineering attacks. These aren’t flashy solutions, but they address the actual attack patterns we’re seeing.

Key Takeaways

  • Social engineering remains your highest-risk attack surface: Technical controls matter, but training, verification procedures, and help desk protocols are equally critical
  • MFA is non-negotiable: Every critical system, especially identity and access management tools, must require multi-factor authentication
  • Non-human identities need governance: API keys, service accounts, and OAuth tokens should be inventoried, rotated regularly, and monitored for unusual activity
  • Network segmentation stops lateral movement: Even if attackers gain initial access, properly segmented networks limit their ability to reach critical systems
  • Supply-chain risks demand scrutiny: Dependency scanning, signed commits, and software composition analysis should be standard practice
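The first move of the playbook (audit identity access, human and non-human) and the takeaway on non-human identity governance both come down to the same routine check: walk an inventory of service accounts, API keys and OAuth grants and flag the ones that are unowned, overdue for rotation, dormant, or privileged without MFA. The script below is an added example written for this post, not code from the podcast or from any vendor. The inventory format, the rotation thresholds and the sample records are all constructed assumptions; a real run would read the inventory from your IAM or secrets-management export.

```python
"""Audit a non-human identity inventory for stale or unmanaged credentials.

Added example for this post, not code from the podcast. The record format
(list of dicts with the fields used below) and the thresholds are assumptions,
and SAMPLE_INVENTORY is constructed, not real account data.
"""
from datetime import date

# Assumed rotation policy: API keys and service-account secrets every 90 days,
# OAuth grants re-consented every 30 days; anything unused for 180 days is dormant.
MAX_KEY_AGE_DAYS = 90
MAX_TOKEN_AGE_DAYS = 30
DORMANT_DAYS = 180

# Fixed audit date so the findings below are reproducible (constructed).
AUDIT_DATE = date(2026, 7, 1)

# Constructed sample inventory: one record per non-human identity.
# "mfa" is None where the identity cannot log in interactively.
SAMPLE_INVENTORY = [
    {"id": "svc-ci-deploy", "kind": "api_key", "owner": "platform-team",
     "last_rotated": "2026-01-10", "last_used": "2026-06-28", "mfa": None,
     "scopes": ["deploy:write"]},
    {"id": "svc-backup", "kind": "service_account", "owner": "",
     "last_rotated": "2025-03-01", "last_used": "2025-09-14", "mfa": False,
     "scopes": ["storage:admin"]},
    {"id": "oauth-vendor-crm", "kind": "oauth_grant", "owner": "sales-ops",
     "last_rotated": "2026-06-20", "last_used": "2026-06-29", "mfa": None,
     "scopes": ["contacts:read"]},
    {"id": "admin-console", "kind": "service_account", "owner": "it-ops",
     "last_rotated": "2026-05-01", "last_used": "2026-06-30", "mfa": False,
     "scopes": ["iam:admin"]},
]


def _age_days(iso_date, today):
    """Days elapsed between an ISO date string and the audit date."""
    return (today - date.fromisoformat(iso_date)).days


def _is_privileged(record):
    """Treat any ':admin' scope as privileged (assumed naming convention)."""
    return any(scope.endswith(":admin") for scope in record["scopes"])


def audit_identity(record, today):
    """Return the list of findings for one inventory record, in check order."""
    findings = []
    if not record.get("owner"):
        findings.append("no-owner")          # nobody accountable for rotation
    max_age = MAX_TOKEN_AGE_DAYS if record["kind"] == "oauth_grant" else MAX_KEY_AGE_DAYS
    if _age_days(record["last_rotated"], today) > max_age:
        findings.append("stale-credential")  # past the assumed rotation window
    if _age_days(record["last_used"], today) > DORMANT_DAYS:
        findings.append("dormant")           # unused credentials are pure attack surface
    if record["kind"] == "service_account" and record.get("mfa") is False:
        findings.append("no-mfa")            # interactive-capable account without MFA
    return findings


def audit_inventory(inventory, today):
    """Audit every record; privileged identities with findings are rated high."""
    report = []
    for record in inventory:
        findings = audit_identity(record, today)
        if not findings:
            severity = "ok"
        elif _is_privileged(record):
            severity = "high"
        else:
            severity = "medium"
        report.append({"id": record["id"], "severity": severity, "findings": findings})
    order = {"high": 0, "medium": 1, "ok": 2}
    report.sort(key=lambda r: order[r["severity"]])
    return report


if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f'{row["severity"]:<6} {row["id"]:<18} {", ".join(row["findings"]) or "-"}')
```

On the constructed data the unowned, long-stale backup account with an admin scope and the admin console without MFA come out as high, the CI deploy key is medium because its secret is overdue for rotation, and the recently re-consented vendor grant is clean. Feeding the same logic your real export turns "inventory and rotate non-human identities" from a slogan into a Monday-morning work list.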

Why This Matters

For IT professionals and network engineers, the 2026 breach landscape is a reminder that complexity often masks simplicity. The most damaging compromises aren’t born from cutting-edge exploits—they come from predictable human and architectural failures. Your team likely has the tools to defend against these attacks. The question is whether you’re using them.

The rising sophistication of social engineering, combined with the reality that attackers now pre-position in critical infrastructure, means that breach response is no longer a theoretical exercise. Your incident response plans, your supply-chain vetting, and your network architecture decisions directly impact whether your organization ends up in next year’s breach hall of shame.

---

🎧 Listen to the full episode on [Tech Updates](https://techupdates.it-learn.io) or wherever you get your podcasts.