
Licence for the Internet? Age Verification, Dark Web Disruption & Root-Level RCE.

02 March 2026
BREACHAWARE HQ

A total of 16 breach events were found and analysed, resulting in 79,829,944 exposed accounts containing a total of 27 different types of personal data. The breaches found publicly and freely available included WorldWide Spam Database, Carousell Singapore, Brillen, Cegedim-Santé and Fun 22 - Thailand.

Categories of Personal Data Discovered

Finance, Sociodemographic, Contact, Career, Audio and Visual, Unstructured, Digital Behaviour, Geolocation, Technology, Commerce, National Identifiers.

Data Breach Impact

From the WorldWide Spam Database to Carousell Singapore and healthcare-related leaks like Cegedim-Santé, it’s clear no sector is off-limits. Third-party organisations should take note: your team’s data could easily be swept up in someone else’s mess. And for the individuals affected? That’s a whole lot of opportunity for scammers, phishers, and digital mischief-makers. The takeaway? Even when the breach isn’t yours, the fallout might be.

Cyber Update

The age of internet anonymity, at least for everyday users, may be edging closer to the museum exhibit.

In the United States, Senator Matt Ball of Colorado and Representative Amy Paschal are backing a proposed bill titled the “Age Attestation on Computing Devices Act.” If passed, it would require operating system providers to build age verification directly into account setup. In plain English? Before you even finish setting up your laptop or phone, you may need to prove how old you are.

Supporters frame it as child protection. Critics see something rather more structural: the early architecture of a “licence for the internet”, or perhaps more accurately, a licence to use a computer at all.

Interestingly, this line of thinking isn’t confined to Capitol Hill. Mark Zuckerberg has echoed similar sentiments, particularly as the European Union continues to hand out heavyweight fines to social media platforms over hate speech and regulatory breaches. Strategically, shifting age verification responsibilities to operating system providers would move a sizeable chunk of regulatory heat away from Meta and onto platform-level infrastructure.

From a corporate chess perspective, it’s a tidy move. Why fight the regulators when you can redesign the board?

Meanwhile, Apple isn’t waiting around. The company has expanded age verification measures under the global banner of “child safety.” Certain 18+ apps are now blocked in specific jurisdictions, and just days ago Apple began restricting users in Australia, Brazil and Singapore from accessing parts of the App Store until they verify their age. Coincidence? Unlikely.

Each week brings another age verification law, another compliance update, another “safety-first” framework. Viewed collectively, it feels less like isolated national policy and more like a coordinated global regulatory shift toward stronger identity binding online.

Less pseudonymity. More proof-of-personhood. The philosophical question underpinning all of this: Can you have an open internet if access requires formal identification at the operating system level? We’re about to find out.

While lawmakers debate identity frameworks, one of the more notorious dark web forums remains offline, and not in a “routine maintenance” sort of way. Its clearnet site has been down for several days. Its onion site? Also offline. Telegram has reportedly banned several of its associated channels, cutting off key communication routes while the forum struggles to resurface.

There have been persistent rumours, circulating for over a month, that the forum’s administrator was arrested by Indonesian authorities and potentially turned into an informant. To be clear, none of these claims have been independently confirmed. In the cybercrime ecosystem, rumour is currency and misinformation spreads fast.

What is confirmed, however, is sustained disruption. Whether this is coordinated takedown pressure, internal instability, or something more strategic remains unclear. But when both the front door and the back door are shut, and the Telegram megaphone goes quiet, it’s rarely a good sign.

From age-gated operating systems to dark web blackout seasons, the theme this week is unmistakable:
Identity up front. Anonymity on notice. The internet isn’t ending. It’s just being asked for ID.

Software Vulnerabilities

Cisco Catalyst SD-WAN, CVE-2026-20127 (auth bypass) + CVE-2022-20775 (path traversal), KEV
Cisco SD-WAN gear has been getting treated like a VIP entrance: skip the queue, stroll in, and start making “rogue peer” friends. CISA didn’t just add these to KEV; it dropped an Emergency Directive (ED 26-03), which is basically the federal version of shouting “PATCH. NOW.”
Do this now: patch/upgrade immediately, hunt for persistence (rogue peers, odd NETCONF activity), and assume any internet-facing controller is a high-value snack.

Soliton FileZen, CVE-2026-25108 (OS command injection), KEV
File transfer platforms remain the industry’s favourite “please run my commands” button. This one needs auth, but if creds exist (phished, reused, lifted), it’s a tidy runway to arbitrary command execution.
Do this now: patch FileZen, review who can access it (and from where), and check whether “virus check”/related features are enabled if that’s part of your setup.

Juniper PTX (Junos OS Evolved), CVE-2026-21902 (unauth RCE as root)
This is the sort of bug that makes network engineers go quiet and start cancelling weekend plans. An unauthenticated attacker with network reach can get root on certain PTX routers due to a service that shouldn’t be externally reachable… but is.
Do this now: confirm exposure, apply Juniper’s out-of-cycle fixes, and add tight filtering around management/control-plane access.

Apache ActiveMQ, CVE-2023-46604 (RCE)
Not new, still nasty, and now back in the headlines because attackers keep turning “message broker” into “ransomware delivery mechanism.” If you’ve still got an exposed, unpatched instance, you’re basically running a community outreach programme for criminals.
Do this now: patch/upgrade ActiveMQ, remove internet exposure, and look for post-exploit tooling (downloaders, stagers, lateral movement).

Operational note (because it’s 2026 and nothing is ever simple): “KEV = triage fuel”
This week’s KEV adds are a reminder: when CISA says “exploited,” it’s not a vibe, it’s a timetable. If your vuln management queue is a graveyard of “later,” treat KEV entries as your resuscitation list.
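
One way to turn that into a queue, as an added example rather than anything BreachAware or CISA ships: join a backlog export against the KEV feed and sort by remediation due date. The `cveID` and `dueDate` field names follow CISA's public KEV JSON feed; the due dates, hostnames and backlog rows are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs are the ones
# this page tags as KEV; the dueDate values are placeholders, not catalogue data.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-20127", "dueDate": "2026-02-27"},
  {"cveID": "CVE-2022-20775", "dueDate": "2026-02-27"},
  {"cveID": "CVE-2026-25108", "dueDate": "2026-03-17"}
]}
""")

# Constructed backlog export; hostnames and queue ages are hypothetical.
BACKLOG = [
    {"cve": "CVE-2026-21902", "asset": "ptx-core-01", "internet_facing": False, "queue_age_days": 5},
    {"cve": "CVE-2026-25108", "asset": "filezen-01", "internet_facing": True, "queue_age_days": 6},
    {"cve": "CVE-2026-20127", "asset": "sdwan-ctl-01", "internet_facing": True, "queue_age_days": 4},
    {"cve": "CVE-2022-20775", "asset": "sdwan-ctl-01", "internet_facing": True, "queue_age_days": 400},
]

def triage(backlog, kev_feed, today):
    """Rank findings: KEV first, nearest (or most overdue) due date, exposure, age."""
    due_by_cve = {v["cveID"]: date.fromisoformat(v["dueDate"])
                  for v in kev_feed["vulnerabilities"]}
    ranked = []
    for item in backlog:
        due = due_by_cve.get(item["cve"])
        ranked.append({**item,
                       "kev": due is not None,
                       # Negative means the remediation date has already passed.
                       "days_left": (due - today).days if due else None})
    ranked.sort(key=lambda r: (not r["kev"],
                               r["days_left"] if r["kev"] else 0,
                               not r["internet_facing"],
                               -r["queue_age_days"]))
    return ranked

def overdue(ranked):
    """KEV findings whose due date has passed: the 'resuscitation list'."""
    return [r for r in ranked if r["kev"] and r["days_left"] < 0]

if __name__ == "__main__":
    for r in triage(BACKLOG, KEV_FEED, date(2026, 3, 2)):
        tag = "KEV" if r["kev"] else "   "
        print(f'{tag} {r["cve"]:<15} {r["asset"]:<13} days_left={r["days_left"]}')
```

Findings that sort last only because the sample feed does not list them (the Juniper PTX entry here) still go through normal severity handling; the ranking orders the KEV items, it does not dismiss the rest.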

Data & Privacy Headlines

UK ICO fines Reddit ~£14.5m for children’s privacy failures. The ICO basically said: “Self-declared age checks don’t count when kids are involved.” Biggest UK children’s privacy fine to date, and a loud signal that “we’ll fix it later” is no longer a strategy, it’s evidence.
Takeaway: if you’ve got minors anywhere near your product, your DPIA and age-assurance story needs to be real, not vibes.

Apple turns the App Store into an age checkpoint (in multiple regions). Apple rolled out updated “age assurance” tooling and began blocking downloads of 18+ apps in places where adult confirmation is required. Love it or hate it, the platform layer is becoming the enforcement layer.
Takeaway: app teams should prepare for more “age signals,” more compliance hooks, and more awkward questions from legal.

Discord hits pause on age verification after backlash. Discord slowed its rollout and promised more transparency and options after privacy concerns, made spicier by the general public’s newfound fear of uploading their face to the internet (fair).
Takeaway: biometrics + ID checks are a trust grenade. If you pull the pin, you’d better have airtight comms, vendor scrutiny, and deletion controls.

Discord also ditches a verification vendor amid surveillance concerns. The “who’s holding the IDs?” question is now front-page drama. Discord ending a vendor relationship mid-saga is a reminder that third parties don’t just add capability, they add blast radius.
Takeaway: vendor due diligence is no longer a procurement checkbox. It’s product safety.

61 data protection authorities issue a joint warning on AI-generated imagery. Global regulators essentially said: AI-generated realistic imagery of identifiable people (especially children) is a privacy hazard, and “cool tech” doesn’t excuse sloppy safeguards.
Takeaway: if you build or deploy gen-AI imagery/video features, expect serious scrutiny on consent, transparency, removals, and misuse prevention.

Smarter Protection Starts with Awareness

Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan
