Tools
Product updates, press coverage, and announcements from VaultTools.
Cybernews researchers found an unprotected Elasticsearch database belonging to Nextcloud GmbH holding roughly 367,000 records (8GB), including invoices, contracts, employee details, and client setup scripts. The exposure was disclosed publicly on July 8, 2026; even the company behind the self-hosted cloud got a hosting configuration wrong.
Tata Electronics confirmed a breach after the World Leaks ransomware gang published 204,341 files (630GB) allegedly stolen from the Apple and Tesla supplier, including manufacturing design specs, trade-secret drawings, and employee passport copies. Data was live on the dark web from at least June 10; Tata confirmed it June 22, 2026.
The Texas Parks and Wildlife Department disclosed a breach at its hunting and fishing license vendor that exposed driver's license information and passport numbers for 3,087,721 people. Texas Cyber Command found the intrusion; the vendor was not named. Disclosed June 18, 2026.
Security researcher Sammy Azdoufal found nearly 985,000 passports, national IDs and driver's licenses from the PuffPal cannabis club app sitting at predictable public web addresses with no password or access control. The system, built by Irish firm Nefos Solutions, held over 1 million member profiles. High Times reported the leak on June 17, 2026.
The University of Nottingham confirmed a cyber incident in its student record system on June 11, 2026. The ShinyHunters gang claims 40GB of data on 454,600 current and former students, including passport numbers, financial records, and campus portal exports. The records came from an Oracle PeopleSoft system breached in a wider campaign against 100-plus organizations.
The World Food Programme disclosed that its Self-Registration Application for Palestine was breached, exposing names, ID numbers, phone numbers, and location data of roughly 600,000 Gaza households. WFP detected the intrusion on May 14, 2026 and went public on May 31.
On June 5, 2026, researchers at the University of Duisburg-Essen's paluno institute revealed a method that uses WebAssembly's multi-memory feature to automatically isolate memory regions inside browser apps, blocking Heartbleed-style attacks with no measurable slowdown. The work strengthens the security foundation of in-browser, no-upload file processing.
On May 28, 2026, TechCrunch reported that UpGuard found a publicly accessible Microsoft Azure bucket belonging to prison phone vendor Pay Tel. It held 3.4 million files (1.1 TB) with no password, including more than 300,000 unredacted driver's license scans, legal documents, and family photos carrying GPS location data. The bucket had been open since 2018.
On May 28, 2026, Security Affairs reported a Mysterium VPN study that found 19.6 billion files exposed across 535,480 publicly listable cloud buckets, including more than a million files each named 'password' and 'passport.' The files were reachable by anyone, with no login. Browser-based tools never put a file in a bucket to begin with.
On May 27, 2026, TechCrunch reported that UK Visa Portal, a site not affiliated with the UK government, left at least 100,000 uploaded passports and identity selfies open in a misconfigured Amazon S3 bucket, with EXIF GPS in selfies exposing applicants' home addresses. Browser-based tools skip the upload entirely.
On May 15, 2026, TechCrunch reported that Japanese hotel check-in vendor Tabiq exposed more than 1 million passport scans, driver's licenses, and selfie verification photos via a publicly accessible Amazon S3 bucket. The lesson for file tools is structural.
ShinyHunters did not breach Vimeo. They breached Anodot, the analytics vendor sitting next to it, and walked out with 106 GB of customer data. The lesson lands on every SaaS that handles user files.
On April 22, 2026, France's national identity document agency ANTS (now branded France Titres) confirmed a data breach that exposed at least 11.7 million citizen records. Threat actors 'breach3d' and 'ExtaseHunters' claim 18 to 19 million records and are advertising the dataset on criminal forums. Document scans were not accessed; full names, dates and places of birth, addresses, phone numbers, and emails were.
On April 22, 2026, OpenAI released Privacy Filter, a 1.5B-parameter open-source model under Apache 2.0 that detects and masks eight categories of personal data on-device. It scores 96% F1 on the PII-Masking-300k benchmark, runs on a CPU with 4 to 8 GB of RAM, and is published on Hugging Face and GitHub.
A security researcher disclosed on April 16, 2026 that Fiverr stored user-uploaded PDFs on Cloudinary behind unauthenticated, non-expiring URLs. Tax forms, driver's licenses, health records, and admin credentials were indexed by Google Search. Fiverr was notified 40 days earlier and did not respond. The company denies it is a cyber incident.
Adobe patched CVE-2026-34621 on April 11, 2026, a prototype pollution vulnerability in Acrobat and Reader that allowed arbitrary code execution simply by opening a crafted PDF file. Exploitation had been active since at least December 2025. CISA added it to its Known Exploited Vulnerabilities catalog two days after the patch.
Check Point Research disclosed a vulnerability in ChatGPT's code execution sandbox that allowed uploaded files, conversations, and medical records to be silently exfiltrated through DNS queries. A separate flaw in OpenAI Codex enabled GitHub token theft via malicious branch names. Both were patched in February 2026.
A Fairlinked e.V. investigation published in April 2026 revealed that LinkedIn silently scans visitors' browsers for 6,167 Chrome extensions and collects 48 hardware fingerprinting attributes on every page visit, without disclosing the practice in its privacy policy. The scandal shows how browser-based surveillance can occur before any file is uploaded.
On March 31, 2026, Proton launched Proton Workspace, bundling Mail, Drive, Docs, Sheets, Calendar, VPN, Pass, and a new end-to-end encrypted video tool into a single business suite. The launch validates demand for privacy-first productivity tools, while highlighting the limits of any cloud-based approach.
WatchTowr researchers disclosed two chained vulnerabilities in Progress ShareFile on April 2, 2026, that allow unauthenticated attackers to execute code and exfiltrate all files stored on affected servers. Around 30,000 instances are exposed on the public internet.
New scanning obligations under the UK Online Safety Act took effect on January 8, 2026, requiring file-sharing and file-storage services to detect and remove illegal content. Ofcom has fined one service £20,000 and forced two others to deploy perceptual hash matching. Spring 2026 guidance will define which technologies qualify as compliant.
On March 24, 2026, attackers gained access to the European Commission's Amazon Web Services account hosting its Europa.eu infrastructure. The notorious ShinyHunters group claims 350 GB stolen, including mail server dumps, database exports, contracts, and internal documents. The Commission confirmed the attack three days later.
Two independent studies published in March 2026 confirm the browser has become enterprise security's weakest link. Employees are uploading sensitive files through it, attackers are exploiting it, and 85% of IT teams are now spending more to defend it.
ZIZIYI Office launched in early 2026 as a zero-upload alternative to cloud office tools, running ONLYOFFICE's document engines as WebAssembly inside the browser. It supports Word, Excel, and PowerPoint with no server contact and no account required.
CVE-2026-3909 and CVE-2026-3910 are confirmed exploited in the wild. CVE-2026-3910 targets V8, Chrome's JavaScript and WebAssembly runtime — the same engine powering every privacy-first, browser-based file processing tool. CISA patch deadline: March 27, 2026.
Mandiant's M-Trends 2026 report, built on 500,000 hours of incident response, finds the mean time to exploit vulnerabilities has hit -7 days. Cloud-hosted file tools land on infrastructure compromised before any fix is even available.
Resecurity discovered a sophisticated Windows backdoor that uses the legitimate PDF24 desktop application as its delivery vehicle via DLL side-loading. The malware successfully breached a Fortune 100 company and has since been adopted by ransomware groups including Qilin.
CVE-2026-25755 and CVE-2026-31938 expose a fundamental risk in JavaScript-based browser PDF generation: unsanitized user input flows directly into PDF streams. Patched in jsPDF 4.2.0 and 4.2.1.
A threat actor exploited an unpatched frontend vulnerability in LexisNexis's AWS infrastructure in February 2026, exfiltrating 2 GB of user data covering 400,000 accounts, including federal judges, DOJ attorneys, and SEC staff.
Two class-action lawsuits filed in December 2025 and February 2026 allege Adobe trained its SlimLM document-assistance AI on nearly 200,000 pirated books without consent. A March 2026 investigation found that a photographer who tried to stop Adobe from using his images for Firefly training was forced out of arbitration after Adobe demanded $24,000 in fees just to review his inability-to-pay motion.
Acting CISA director Madhu Gottumukkala uploaded at least four 'For Official Use Only' documents to public ChatGPT in 2025, triggering DHS cybersecurity alerts and an internal investigation. He was removed in February 2026. DHS has since banned ChatGPT, Claude, and all commercial AI tools for staff.
A campaign tracked as 'Zestix' used stolen infostealer credentials to walk into the ShareFile, Nextcloud, and OwnCloud instances of roughly 50 global enterprises in early 2026. No software vulnerabilities were needed. Only uploaded files and absent MFA.
After an FBI advisory identified fake online file conversion sites as active malware delivery tools, independent researchers confirmed specific malicious domains and a wave of institutional bans followed. A February 2026 ransomware attack on a major US newspaper chain is suspected to trace back to one.
The EDPB formally launched its 2026 enforcement action on March 19, targeting GDPR transparency obligations. Online file tools that collect user data are directly in scope.
Mozilla announced a free proxy VPN in Firefox 149, launching March 24. It hides your IP address. It does not stop cloud file tools from receiving, storing, and processing your documents.
Researchers at Noma Security disclosed 'GeminiJack' on December 8, 2025: a zero-click vulnerability in Google Gemini Enterprise that let attackers embed hidden instructions in a shared document, causing Gemini's AI to search and exfiltrate a target's entire Gmail, Docs, and Calendar corpus without any user action.
Microsoft's 2026 Data Security Index, based on 1,700 security leaders, found AI tool usage is a top driver of data incidents. The fix starts with keeping files off servers entirely.
Office.eu went live on March 4, 2026 as a fully European-owned alternative to Microsoft 365 and Google Workspace, storing all data exclusively in EU infrastructure. Gartner forecasts European sovereign cloud spending will nearly triple by 2027. The driver is a structural legal incompatibility between US cloud providers and GDPR.
In early 2026, Microsoft's OneDrive auto-activated on Windows machines, migrated files to the cloud without explicit consent, and deleted them when free storage ran out. Thousands of users reported data loss.
Researchers found 16 vulnerabilities in Foxit and Apryse PDF tools in February 2026, enabling account takeover and data exfiltration. The root cause is server-side file processing.
Three new state laws took effect January 1, 2026. With 20 states enforcing data minimization, browser-based file processing has moved from privacy preference to legal architecture.
The Bytecode Alliance released WASI 0.3 in February 2026, bringing native async/await to WebAssembly through the Component Model. The update makes Wasm viable for complex concurrent workloads without a server, accelerating the case for browser-based file processing as a production architecture.
Google's Threat Horizons H1 2026 report found that exploited software vulnerabilities now account for 44.5% of cloud intrusions, surpassing credential theft for the first time since the report began.
Spain's AEPD issued a €950,000 GDPR penalty against digital ID firm Yoti on March 10, 2026, for unlawful biometric processing, pre-ticked consent boxes, and retaining facial templates and location data far beyond stated purposes.
Hackers stole 15.8 million patient files and 165,000 doctor notes from Cegedim Santé's MonLogicielMedical cloud platform in early 2026, confirmed on March 3. The company had already been fined €800,000 by France's CNIL in 2024 for mishandling health data on the same system.
No news items match the selected filters.