A critical security patch sat unapplied on a Pearson education platform for six months. By the time it was found, data on roughly 11.5 million student records across some 13,000 schools and universities had been taken — and Pearson described the breach to investors as a "hypothetical" risk. The SEC disagreed.

This is the story of the distance between knowing and acting: a documented flaw, an available fix, and the gap in between.

Chapters:
(0:00) The Call From the FBI
(1:14) Pearson and AIMSweb
(2:38) What Remote Code Execution Means
(3:40) The Patch That Was Never Applied
(5:14) Inside the Breach
(8:52) Four Months, Undetected
(10:30) What "Material" Means to the SEC
(12:01) The Notification Letters
(13:07) "A Hypothetical Risk"
(14:55) The Decade-Long Campaign
(16:54) The SEC Charge
(18:42) Knowing vs. Acting
(19:22) Takeaways

Free one-page technical breakdown: https://zerodaylogs.com
Watch the full video version on YouTube: [video URL]

Sources: SEC enforcement order (2021); DOJ indictment (2020); UK ICO penalty notice; Pearson Form 6-K (2019); state AG notifications.

On November 14, 2016, two hackers told Uber they had the personal records of
57 million users and drivers. What Uber did next wasn't a breach response — it
was a cover-up: a $100,000 payment disguised as a bug-bounty reward, false NDAs,
and a year of silence while a binding FTC order required disclosure. The breach
itself was fixable. The concealment became the first criminal conviction of a
chief security officer.

(0:00) The hackers make contact
(0:40) The break-in: reused passwords to 57M records
(6:45) Disguising the ransom as a bug bounty
(10:40) The FTC order that made silence a crime
(13:27) The first criminal conviction of a CSO
(17:05) The four controls that were missing

Free one-page technical breakdown (timeline, attack path, the four missing
controls): https://zerodaylogs.com

Sources: U.S. FTC enforcement action and expanded consent decree; New York
Attorney General settlement; U.S. DOJ charging documents and trial record,
United States v. Sullivan; U.S. SEC filings.

Zero Day Logs — the real anatomy of security breaches. Measured, sourced,
no hype. https://zerodaylogs.com

Three billion user accounts. Two separate breaches. Four FSB-directed operatives. And nearly two years of silence between what Yahoo's security team knew and what the public was told.

This episode traces the full operation from the spear phishing campaign that opened the door, through the forged authentication cookies that bypassed every login screen, to the SEC enforcement action that established a new category of regulatory risk: the failure to disclose a known breach.

Chapters:
0:00 — 3 Billion
1:47 — The Spear Phishing Campaign
3:26 — Inside Yahoo's Network
5:39 — The Stolen Database
7:28 — The Account Management Tool
9:14 — The Hybrid Model: State + Criminal
11:03 — The Silence
13:23 — The Disclosures
15:23 — The SEC Enforcement
17:14 — The Indictment
17:58 — Aftermath
18:20 — The Pattern

Sources: DOJ indictment (United States v. Dokuchaev et al.), SEC enforcement order (Altaba Inc.), Yahoo SEC filings, Verizon acquisition disclosures.

Full technical breakdown and free PDF summary at zerodaylogs.com.