
Cybersecurity Week in Review: June 16–22, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Introduction

This week’s cybersecurity landscape was marked by a series of high-impact data breaches, sophisticated cyberattacks, critical vulnerabilities under active exploitation, and significant government policy shifts. The following review provides a comprehensive, source-verified summary of the most consequential events and trends from Tuesday, June 16 through Monday, June 22, 2026.


Major Data Breaches

Colossal Credential Data Leak: 24 Billion Records Exposed

A misconfigured Elasticsearch cluster belonging to a threat intelligence and breach monitoring platform was discovered publicly exposed, leaking over 24 billion records (8.3TB) containing usernames, email addresses, plaintext passwords, and login URLs. The majority of the data originated from infostealer malware logs, Telegram channels, and previous breach compilations. While the database is now offline, the scale of the leak means billions of accounts remain at risk, especially where password reuse is common. The exposed credentials spanned 36 sources, including several cybercrime-focused Telegram channels and “collections” of previously leaked data. The incident highlights the persistent risk posed by credential reuse and the aggregation of breach data by both legitimate and malicious actors [1].

  • Discovery date: June 12, 2026
  • Data types: Usernames, emails, plaintext passwords, login URLs
  • Impact: Billions of accounts at risk of takeover; unclear how many unique individuals affected
  • Root cause: Misconfiguration during platform migration


Ransomware and Data Theft: ShinyHunters Campaign

The ShinyHunters ransomware group continued its aggressive campaign, targeting organizations across education, healthcare, and public sectors:

  • Illinois Central College: Over 28GB of HR and payroll data stolen
  • Sysco Corporation: 61 million Salesforce records, including employee and customer data, exfiltrated
  • Houston City College: Hundreds of thousands of student records compromised
  • Glendale Community College: 62GB of data, including 150,000 student records, stolen
  • Moody Bible Institute: 23GB of data, including 46 million communication records and 2.2 million enrollment leads, exfiltrated
  • Kodak: 2.2 million records, including customer PII and internal data, stolen
  • Council of Europe: 297GB of HR, financial, and personal data exfiltrated

Many of these incidents are still under investigation, with the full scope of data exposure yet to be determined [2].



Significant Cyberattacks

Texas Parks and Wildlife Department (TPWD) Breach

A cyberattack on the Texas Parks and Wildlife Department’s license system vendor resulted in the exposure of data belonging to over 3 million customers. Exposed information included driver’s license numbers, email addresses, phone numbers, passport numbers, and residential addresses. The breach underscores the risks associated with third-party vendors and the need for robust supply chain security [2].

Brazil’s Civil Defense Alert System Compromised

Brazil’s Civil Defense reported a cyberattack on its official alert system, with the full extent of the incident and data exposure still under investigation. This attack highlights the vulnerability of critical public infrastructure to targeted cyber operations [2].

Credential Harvesting Campaigns Targeting Fortinet Devices

A large-scale campaign, dubbed “FortiBleed,” systematically targeted Fortinet FortiGate firewall and SSL VPN devices worldwide. Over 80,000 devices were identified with working credentials, and attackers used automated tools to test and confirm access. The campaign, attributed to Russian-speaking threat actors, leveraged both previously leaked passwords and active credential harvesting from compromised devices [3].


Critical Vulnerabilities

Fortinet FortiSandbox: Multiple Critical Flaws Under Active Exploitation

Three critical vulnerabilities in Fortinet’s FortiSandbox were actively exploited this week:

  • CVE-2026-39813 (CVSS 9.1): Path traversal in JRPC API, allowing authentication bypass
  • CVE-2026-39808 (CVSS 9.1): OS command injection, enabling unauthenticated code execution
  • CVE-2026-25089 (CVSS 9.1): OS command injection in web UI, patched June 9, 2026

Attackers exploited these flaws to bypass authentication and execute arbitrary commands. Fortinet released patches in April and June, but exploitation continues, especially against unpatched systems. Organizations are urged to update immediately and review access logs for signs of compromise [3][4].


LiteSpeed cPanel Plugin: Privilege Escalation Vulnerability (CVE-2026-54420)

CISA added CVE-2026-54420 (CVSS 8.5) to its Known Exploited Vulnerabilities catalog, requiring urgent patching by June 18, 2026. The flaw allows users with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux or CageFS. Exploitation in the wild has been confirmed, and hosting providers are advised to upgrade to the latest plugin version and audit for unauthorized access [5].


Cisco SD-WAN Manager: Zero-Day Path Traversal (CVE-2026-20262)

A zero-day vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20262) allows authenticated attackers to create or overwrite any file on the filesystem, potentially leading to remote code execution. The flaw is actively exploited, and Cisco has released urgent guidance for immediate patching [6].



Government Responses

New White House Cybersecurity Directive for Classified Networks

On June 16, 2026, the White House issued a national security memorandum overhauling cybersecurity rules for classified and military networks. The directive establishes new baseline requirements for national security systems (NSS), mandates annual inventories, and empowers the NSA director to deploy technical defenses across government agencies. The policy replaces decades-old frameworks and aligns NSS requirements with the latest NIST standards, aiming to strengthen incident reporting and cloud security for sensitive government operations [7].


CISA and FBI Joint Advisories

  • Reducing Attack Surface for End-of-Support Edge Devices: CISA, FBI, and the UK’s NCSC urged organizations to harden edge devices (firewalls, VPNs, routers) that are no longer supported, as nation-state actors increasingly exploit these for initial access [8].
  • North Korean Kimsuky Spearphishing: The FBI warned of evolving spearphishing campaigns using malicious QR codes targeting US policy experts.
  • ATM Jackpotting Surge: The FBI released technical details and IOCs related to a rise in malware-enabled ATM jackpotting attacks across the US.



Miscellaneous

Cybersecurity Conferences and Industry Events

The cybersecurity community is gearing up for a packed calendar of major conferences in 2026, including RSAC, Black Hat, DEF CON, and regional summits. These events are expected to drive industry collaboration, showcase new security tools, and set the agenda for the year ahead. Notably, Black Hat USA (August 1–6) and DEF CON (August 6–9) will feature high-profile vulnerability disclosures and hands-on workshops for practitioners [9].



Conclusion

The week of June 16–22, 2026, underscored the persistent and evolving nature of cyber threats, from record-breaking data leaks and ransomware campaigns to the exploitation of critical vulnerabilities and the introduction of new government security mandates. Organizations are urged to prioritize patching, review third-party risks, and stay informed through authoritative advisories as the threat landscape continues to shift.


All information in this review is sourced from trusted cybersecurity publications and official advisories. For further reading and technical details, please refer to the linked sources throughout the article.