Episodes

  • Pearson: The Patch That Sat Unapplied Six Months
    Jun 19 2026

    A critical security patch sat unapplied on a Pearson education platform for six months. By the time the intrusion was found, roughly 11.5 million student records across some 13,000 school and university accounts had been taken, and Pearson described the breach to investors as a "hypothetical" risk. The SEC disagreed.

    This is the story of the distance between knowing and acting: a documented flaw, an available fix, and the gap in between.

    Chapters:
    (0:00) The Call From the FBI
    (1:14) Pearson and AIMSweb
    (2:38) What Remote Code Execution Means
    (3:40) The Patch That Was Never Applied
    (5:14) Inside the Breach
    (8:52) Four Months, Undetected
    (10:30) What "Material" Means to the SEC
    (12:01) The Notification Letters
    (13:07) "A Hypothetical Risk"
    (14:55) The Decade-Long Campaign
    (16:54) The SEC Charge
    (18:42) Knowing vs. Acting
    (19:22) Takeaways

    Free one-page technical breakdown: https://zerodaylogs.com
    Watch the full video version on YouTube: [video URL]

    Sources: SEC enforcement order (2021); DOJ indictment (2020); UK ICO penalty notice; Pearson Form 6-K (2019); state AG notifications.

    20 min
  • How Uber Hid a Breach of 57 Million People
    Jun 12 2026

    On November 14, 2016, two hackers told Uber they had the personal records of
    57 million users and drivers. What Uber did next wasn't a breach response; it
    was a cover-up: a $100,000 payment disguised as a bug-bounty reward, NDAs that
    falsely stated no data had been taken, and a year of silence while the FTC was
    actively investigating Uber's data-security practices and had taken sworn
    testimony from its CSO only days earlier. The breach itself was fixable. The
    concealment became the first criminal conviction of a chief security officer.

    (0:00) The hackers make contact
    (0:40) The break-in: reused passwords to 57M records
    (6:45) Disguising the ransom as a bug bounty
    (10:40) The FTC order that made silence a crime
    (13:27) The first criminal conviction of a CSO
    (17:05) The four controls that were missing

    Free one-page technical breakdown (timeline, attack path, the four missing
    controls): https://zerodaylogs.com

    Sources: U.S. FTC enforcement action and expanded consent decree; New York
    Attorney General settlement; U.S. DOJ charging documents and trial record,
    United States v. Sullivan; U.S. SEC filings.

    Zero Day Logs — the real anatomy of security breaches. Measured, sourced,
    no hype. https://zerodaylogs.com

    20 min
  • Yahoo: 3 Billion Accounts, Four Years Hidden
    Jun 5 2026

    Three billion user accounts. Two separate breaches. Four FSB-directed operatives. And nearly two years of silence between what Yahoo's security team knew and what the public was told.

    This episode traces the full operation from the spear phishing campaign that opened the door, through the forged authentication cookies that let the intruders skip the login page entirely, to the SEC enforcement action, the first against a public company for failing to disclose a known breach, which established a new category of regulatory risk.

    Chapters:
    0:00 — 3 Billion
    1:47 — The Spear Phishing Campaign
    3:26 — Inside Yahoo's Network
    5:39 — The Stolen Database
    7:28 — The Account Management Tool
    9:14 — The Hybrid Model: State + Criminal
    11:03 — The Silence
    13:23 — The Disclosures
    15:23 — The SEC Enforcement
    17:14 — The Indictment
    17:58 — Aftermath
    18:20 — The Pattern

    Sources: DOJ indictment (United States v. Dokuchaev et al.), SEC enforcement order (Altaba Inc.), Yahoo SEC filings, Verizon acquisition disclosures.

    Full technical breakdown and free PDF summary at zerodaylogs.com.

    20 min
  • Colonial Pipeline: From Legacy VPN to Bitcoin Seizure — The Complete Breakdown
    May 29 2026

    One leaked password. No multi-factor authentication. Nine days undetected.

    In May 2021, a compromised VPN credential, found in a dark-web password dump, tied to a legacy VPN account that was no longer in active use but had never been disabled, and protected by a single password with no second factor, gave DarkSide ransomware operators access to Colonial Pipeline's IT network. What followed: 100 gigabytes of stolen data, encrypted systems, a $4.4 million Bitcoin ransom, a six-day shutdown of 5,500 miles of fuel infrastructure, and a DOJ operation that clawed back 63.7 of the 75 Bitcoin using a method that remains partially redacted from the public record.

    This episode traces the complete chain: the entry vector, the nine-day dwell time, the franchise model behind DarkSide, the IT/OT boundary decision that shut down physically intact infrastructure, the ransom payment calculus, and the regulatory reckoning that followed.

    Primary sources: Senate testimony, CISA advisory, FBI seizure affidavit, GAO report.

    Free PDF breakdown: https://zerodaylogs.com


    00:00 — The Escalation
    01:30 — Introduction
    01:35 — What Is a VPN?
    02:39 — The Forgotten Door
    03:34 — One Password, No Second Factor
    04:40 — DarkSide: Ransomware-as-a-Service
    05:39 — Anatomy of the Attack
    07:29 — 100 Gigabytes Out the Door
    08:34 — Two Buildings, One Boundary
    11:12 — Seventy Minutes
    11:44 — The Shutdown Decision
    13:08 — The $4.4 Million Question
    14:02 — The Vault
    15:10 — The DOJ Strikes Back
    15:54 — Three Missing Controls
    17:55 — Eleven Years Without an Update
    18:21 — The Aftermath

    20 min
  • Target — Certified Compliant, Breached Eight Weeks Later
    May 22 2026

    On September 20, 2013, Target Corporation was certified compliant with the Payment Card Industry Data Security Standard. Eight weeks later, malware was running on nearly every cash register in the company's 1,793 stores.

    This episode traces the full attack path — from a stolen HVAC contractor password to 40 million compromised payment cards — and examines why every control that could have stopped the breach already existed in published security guidance years before it happened.

    We cover: the Fazio Mechanical entry point, the network segmentation gap, how BlackPOS scraped card data out of point-of-sale process memory in the brief window where it sits as plaintext before encryption, why FireEye's alerts went unacknowledged for 12 days, the exfiltration architecture that moved stolen data through three countries during peak shopping hours, and the compliance paradox at the center of it all.
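    As an added illustration of that RAM-scraping point (example code written for this page, not material from the episode or from the Senate "Kill Chain" analysis): a card swipe leaves Track 1 and Track 2 data in the payment application's memory as plaintext for a short window, and BlackPOS-style malware pattern-matches that window. The same patterns, plus a Luhn check to discard random digit runs, work defensively in a memory-forensics or EDR sweep. The two "memory images" below are constructed byte strings; the card numbers are the standard public test PANs, and the second image stands in for a terminal with point-to-point encryption, where only ciphertext ever reaches the application.

```python
"""Added example: detecting magnetic-stripe track data in a raw memory buffer."""
import re
from typing import Dict, List

# Track 2 as written to memory: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")
# Track 1: '%B' PAN '^' NAME '^' YYMM ...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four so the scanner's own output is not a card dump."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, str]]:
    """Return every Luhn-valid track record found in a raw memory buffer."""
    hits: List[Dict[str, str]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "track2", "pan": mask(pan), "expiry": m.group(2).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "track1", "pan": mask(pan), "expiry": m.group(3).decode()})
    return hits


# Constructed "memory image" of a POS process just after a swipe: heap noise,
# one valid Track 2 record, one Track 2-shaped record that fails Luhn, and a
# valid Track 1 record. PANs are public test numbers.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS_APP v3.1\x00\x00"
    + b";4111111111111111=2512101123456789?"
    + b"\x00" * 8
    + b";4111111111111112=2512101000000000?"
    + b"\x00" * 8
    + b"%B5555555555554444^DOE/JANE^2512101000000000?"
    + b"\x00" * 16
)

# Same process behind point-to-point encryption at the reader: only opaque
# ciphertext (constructed bytes here) is present in application memory.
SAMPLE_MEMORY_P2PE = (
    b"\x00" * 16 + b"POS_APP v3.1\x00\x00"
    + bytes.fromhex("9f2c41e0b7d3a6158c0e2f7a44d1b9c3e5a07f6d2b8c1d9e3f4a5b6c7d8e9f00")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(f"{hit['track']}: PAN {hit['pan']} exp {hit['expiry']}")
    print("hits in P2PE buffer:", scan_memory(SAMPLE_MEMORY_P2PE))
```

    Run against a real process dump, the hit list is what a scraper would have harvested; an empty list on the encrypted-reader buffer is the control that segmentation and P2PE were meant to provide.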

    Full technical breakdown: zerodaylogs.com

    Primary sources: U.S. Senate Commerce Committee "Kill Chain" analysis, Target SEC filings, multistate AG settlement, NIST and PCI-DSS standards.

    27 min
  • How Equifax Lost 147 Million Social Security Numbers
    May 15 2026

    A critical vulnerability was disclosed. A patch was released the same day. Equifax was warned directly. The patch was never applied. Two months later, attackers walked through the door and spent seventy-six days inside a system holding 147 million Social Security numbers. Episode 5 covers the full 2017 Equifax breach: the Apache Struts vulnerability, the scanner that missed, the expired certificate on the traffic-inspection device that left encrypted traffic uninspected for over a year, the breach response that made everything worse, and the PLA indictment that revealed what the stolen data was really for.

    0:00 — Introduction
    0:42 — What Is Equifax
    1:17 — The Data You Never Chose to Give
    1:42 — Growth vs. Security
    2:05 — ACIS: A 1970s System on the Public Internet
    2:25 — CVE-2017-5638: The OGNL Injection
    4:19 — The Missed Scan
    5:37 — The Honour System
    6:16 — CEO vs. Committee
    6:37 — May 13th: The Door Opens
    7:13 — No Walls: Lateral Movement
    8:20 — The Harvest: 147 Million Records
    9:31 — The Expired Certificate
    10:45 — Found by Accident
    11:09 — The Response Timeline
    12:35 — The Response That Made Everything Worse
    13:52 — Insider Trading
    14:28 — Executive Departures
    14:52 — The Settlement
    15:34 — PLA Attribution
    16:23 — The Intelligence Mosaic
    17:05 — Entirely Preventable
    17:47 — Closing

    Full technical breakdown: zerodaylogs.com

    18 min
  • The Twitter/X Breach — July 2020
    May 12 2026

    On July 15, 2020, the verified Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and Uber were hijacked simultaneously. Every account posted the same Bitcoin scam. The attacker was a 17-year-old in Tampa, Florida.

    This episode reconstructs how a series of phone calls defeated Twitter's multi-factor authentication by relaying employees' credentials and one-time codes to the real login page in real time, how a single admin tool called Agent Tools gave unrestricted access to every account on the platform, and how the attack escalated from stealing OG usernames to hijacking the accounts of world leaders. The New York Department of Financial Services investigated and found five specific security controls that would have prevented the breach, all of which existed, were documented, and were available. None were deployed.

    Based on the NY DFS Report (October 14, 2020), United States v. Graham Ivan Clark, and Twitter's own incident disclosures.

    📄 Free technical breakdown PDF: zerodaylogs.com

    0:00 — Introduction
    0:50 — The Phone Call
    2:33 — Real-Time Credential Relay
    3:59 — Why MFA Failed
    6:04 — Agent Tools: The God Mode Panel
    7:06 — Inside the Admin System
    9:23 — Three Phases of the Attack
    12:22 — The Cascade: World Leaders Hijacked
    14:34 — Twitter Breaks Its Own Platform
    17:02 — The Damage Report
    17:47 — The Deeper Harm: Private Messages
    19:23 — Tracing the Attackers
    21:44 — Arrests and Sentencing
    24:38 — No CISO
    25:16 — Five Missing Controls
    28:44 — Why Security Controls Go Undeployed
    29:01 — Should Platforms Be Stress Tested?
    30:30 — What Twitter Changed After the Breach
    31:39 — The Pattern Repeats: MGM 2023
    32:33 — The Question That Remains

    #cybersecurity #twitter #databreach #infosec #zerodaylogs

    34 min
  • SolarWinds: The Update That Wasn't
    May 5 2026

    In the spring of 2020, up to 18,000 organizations installed a software update from a trusted vendor. It was signed. It was verified. Every security check said it was clean. Every one of those checks was correct. What they couldn't verify was what was inside the package before the seal was applied.

    This is the full story of SUNBURST — how Russia's SVR compromised SolarWinds' build pipeline, turned a routine software update into a backdoor, and spent nine months reading emails inside the U.S. Treasury, the Department of Homeland Security, the State Department, and dozens of Fortune 500 companies. How FireEye discovered it by investigating their own breach, burned their own toolkit to stop it, and exposed one of the largest intelligence operations in history — in a single day.
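    To make the code-signing point above concrete, here is an added, deliberately simplified simulation (written for this page; it is not SolarWinds' pipeline and not the episode's material). The signature is applied to the build output, so anything that alters the build itself produces a different artifact that still carries a perfectly valid signature. The only check that notices is one that rebuilds the artifact independently from the same source and compares bytes. HMAC-SHA256 over a constructed key stands in for the vendor's real code-signing key, a hash of the source stands in for compilation, and the implant marker is constructed.

```python
"""Added example: a valid signature attests to the build output, not to the build."""
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed stand-in for the release key. Its secrecy is not the issue here:
# the attacker never needs it, because the vendor signs whatever the build emits.
SIGNING_KEY = b"constructed-vendor-release-key"

# Constructed "reviewed source" for the component.
SOURCE = b"def collect_metrics(host):\n    return poll(host)\n"


def compile_source(src: bytes) -> bytes:
    """Toy deterministic compiler: same source in, same bytes out."""
    return b"ORION-BIN\x00" + hashlib.sha256(src).digest()


def sign(artifact: bytes) -> str:
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str) -> bool:
    """What every customer-side check did: confirm the seal on the package."""
    return hmac.compare_digest(sign(artifact), signature)


def build_and_release(
    src: bytes, compiler: Callable[[bytes], bytes] = compile_source
) -> Tuple[bytes, str]:
    """The vendor's release path: build, then seal the result."""
    artifact = compiler(src)
    return artifact, sign(artifact)


def compromised_compiler(src: bytes) -> bytes:
    """Stand-in for a build-time implant: it changes what gets compiled, so the
    signed output never corresponds to the reviewed source. Marker is constructed."""
    return compile_source(src + b"# added-at-build-time (constructed marker)\n")


def reproducible_rebuild_matches(src: bytes, released: bytes) -> bool:
    """An independent builder compiles the same source and compares bytes."""
    return hmac.compare_digest(compile_source(src), released)


def assess_release(src: bytes, artifact: bytes, signature: str) -> Tuple[bool, bool]:
    """(signature valid?, independent rebuild matches?)"""
    return verify_signature(artifact, signature), reproducible_rebuild_matches(src, artifact)


if __name__ == "__main__":
    clean = build_and_release(SOURCE)
    backdoored = build_and_release(SOURCE, compromised_compiler)
    print("clean release:    signature=%s rebuild=%s" % assess_release(SOURCE, *clean))
    print("tampered release: signature=%s rebuild=%s" % assess_release(SOURCE, *backdoored))
```

    Both releases verify; only the rebuild comparison separates them, which is why build-provenance and reproducible-build checks belong alongside signature verification rather than being replaced by it.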

    Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

    Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    ____________________

    CHAPTERS
    00:00 Cold Open — In 2020, They Were Invited
    00:41 The Routine Update
    01:14 18,000 Organizations
    02:07 What Orion Could See
    03:58 Inside the Treasury
    05:46 Why Every Security Scan Passed
    09:16 The Build Pipeline
    10:10 Code Signing: The Wax Seal
    11:31 The Printing Press Analogy
    12:16 Inside the Build Pipeline
    14:51 Sunburst Activates
    16:52 The DNS Covert Channel
    19:36 100 Out of 18,000
    19:57 Hands-On Access
    25:54 Nine Months of Access
    28:03 FireEye's Response
    28:44 Pulling the Thread
    29:53 December 13, 2020
    34:09 Attribution and Sanctions
    36:53 The solarwinds123 Password
    39:18 The Three Missing Controls
    42:32 Defense in Depth
    43:08 The Cost of Remediation
    48:49 Trust and Verification
    54:24 Technical Breakdown + Resources
    54:41 Next on Zero Day Logs

    55 min