20 Feb 2026

Week in review

Greetings,

Australian fintech platform YouX has confirmed a significant data breach after a hacker released sensitive information online, exposing the personal and financial details of hundreds of thousands of Australians. The Sydney-based company, which provides technology for finance brokers and lenders to process loan applications, said it first became aware of a potential cyber incident last week. Subsequent investigations revealed that a threat actor had gained unauthorised access to its systems and published a large dataset claimed to have been stolen during the intrusion.

According to early analysis, the exposed data includes up to 629,597 loan applications, 607,822 residential addresses and 444,538 sets of personal details, including names and phone numbers. The hacker also claims to have accessed 229,236 driver’s licences, as well as information belonging to 797 broker organisations and more than 90 downstream lenders, including major banks.

In a public statement, YouX said it has notified the Office of the Australian Information Commissioner (OAIC) and begun regulatory notifications to affected individuals. The company has implemented enhanced security and monitoring measures while external cybersecurity specialists investigate the full scope of the incident.

Separate cyber security reporting suggests the compromised database may have been left exposed for months, with the attacker obtaining approximately 141GB of highly sensitive material. The incident poses heightened risks of identity theft, financial fraud and sophisticated phishing attempts, given the volume and sensitivity of the leaked data.


Chrome 145 Patches 11 Vulnerabilities
Date: 2026-02-13
Author: Security Week

Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs.
First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward.

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
Date: 2026-02-15
Author: The Hacker News

Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload.
Specifically, the attack relies on using the "nslookup" (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.

Microsoft says bug causes Copilot to summarize confidential emails
Date: 2026-02-18
Author: Bleeping Computer

Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information.

API Threats Grow in Scale as AI Expands the Blast Radius
Date: 2026-02-17
Author: Security Week

Application Programming Interfaces (APIs) remain an attacker-favored exploit route. Aggressors continuously target common failures in identity, access control and exposed interfaces – often at scale and machine speed. AI is increasing the threat surface.
In an analysis of more than 60,000 published vulnerabilities disclosed in 2025, Wallarm found more than 11,000 (17%) were API-related. A concurrent analysis of CISA KEV Catalog additions for 2025 found 43% of exploited vulnerabilities were API-related.

Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers
Date: 2026-02-16
Author: The Hacker News

A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions.
"The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization," researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson said. "The majority of the attacks allow the recovery of passwords."


ESB-2026.1677 – Inetutils

Kyu Neushwaistein discovered that telnetd in Inetutils incorrectly handled certain environment variables. A remote attacker could use this issue to bypass authentication and open a session as an administrator.

ESB-2026.1643 – Splunk Enterprise

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.3, 9.4.8, 9.3.9, 9.2.12, and higher.

ESB-2026.1590 – Tenable Security Center

A Command Injection vulnerability exists where an authenticated, remote attacker could execute arbitrary code on the underlying server where Tenable Security Center is hosted.

ESB-2026.1589 – Atlassian Products

The vulnerabilities reported in this Security Bulletin include 13 high-severity vulnerabilities and 3 critical-severity vulnerabilities.


Stay safe, stay patched and have a good weekend!

The AUSCERT team