AI may be good at finding security vulnerabilities, but it can't beat human stupidity

You don't need Mythos or GPT-5.5-Cyber to find a vuln to exploit when the world's password habits are so sloppy

Brandon Vigliarolo

Published Mon 29 Jun 2026 // 14:45 UTC

AI commands all the headlines nowadays, but the biggest security story of the week is all about human laziness and poor password habits – just like the good old days.

This week on the Kettle, host Brandon Vigliarolo is joined by US editor Avram Piltch and security editor Jessica Lyons to talk about the Klue breach, which was blamed on a "compromised legacy credential" that ought to have been deleted a while ago. The hole allowed cybercriminals to access the Salesforce environments of hundreds of companies, researchers say. The incident has caused trouble for security firm Huntress, which admitted early on that it was among the organizations affected, and the situation over there wasn't caused by AI either.

That said, AI is playing a role in what one security professional describes as "the summer from hell," but while top-tier AI models are spotting troublesome vulnerabilities, the damage they have managed to cause pales in comparison with what one lazy sysadmin can do by managing passwords poorly.

You can listen to the latest episode of The Kettle by clicking on the player above, as well as on Spotify, Apple Music, or YouTube, or read the transcript of the latest episode below. It's been lightly edited for clarity.
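The Klue incident described above hinged on a legacy credential that should already have been deleted. As an added illustration (this is not Klue's, Huntress's or Salesforce's code, and it makes no claim about how the breach actually unfolded), here is a small audit that flags integration credentials a team should revoke: ones that were superseded but never revoked, orphaned by a departed owner, left idle, or kept past their rotation age. The credential inventory is constructed sample data, and the names, fields and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Credential:
    """One machine/integration credential as it might appear in an inventory.

    Field names are assumptions for this example, not any vendor's schema.
    """
    name: str
    kind: str                      # e.g. "oauth_refresh_token", "api_key"
    created: date
    last_used: Optional[date]      # None if it has never been seen in use
    owner_active: bool             # is the owning person/team still around?
    successor: Optional[str] = None  # name of the credential that replaced it


# Policy thresholds; assumed values for the example.
MAX_IDLE = timedelta(days=90)    # unused this long -> revoke
MAX_AGE = timedelta(days=365)    # older than this -> rotate even if in use


def stale_reasons(c: Credential, today: date) -> List[str]:
    """Return every reason this credential should be revoked or rotated (empty if none)."""
    reasons: List[str] = []
    # A "legacy" credential that has a replacement but is still valid is exactly
    # the kind of thing that should have been deleted long ago.
    if c.successor:
        reasons.append(f"superseded by {c.successor} but never revoked")
    if not c.owner_active:
        reasons.append("owner no longer active")
    if c.last_used is None:
        if today - c.created > MAX_IDLE:
            reasons.append("never used")
    elif today - c.last_used > MAX_IDLE:
        reasons.append(f"idle for {(today - c.last_used).days} days")
    if today - c.created > MAX_AGE:
        reasons.append(f"older than {MAX_AGE.days} days, rotate")
    return reasons


def revocation_candidates(inventory: List[Credential], today: date) -> Dict[str, List[str]]:
    """Map each credential that fails policy to its list of reasons."""
    return {c.name: r for c in inventory if (r := stale_reasons(c, today))}


# Constructed sample inventory (not real data). Note crm-sync-v1: it was
# replaced months ago, its owner has left, yet something used it ten days
# ago; that is the one you want to find before an attacker does.
TODAY = date(2026, 6, 11)
SAMPLE = [
    Credential("crm-sync-v1", "oauth_refresh_token", date(2023, 3, 1), date(2026, 6, 1),
               owner_active=False, successor="crm-sync-v2"),
    Credential("crm-sync-v2", "oauth_refresh_token", date(2026, 1, 15), date(2026, 6, 10),
               owner_active=True),
    Credential("billing-export", "api_key", date(2025, 9, 1), date(2025, 12, 20),
               owner_active=True),
    Credential("qa-sandbox", "api_key", date(2026, 2, 1), None, owner_active=True),
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the policy over the constructed inventory as of TODAY."""
    return revocation_candidates(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, reasons in audit_sample().items():
        print(f"{name}: " + "; ".join(reasons))
```

Running this lists three of the four sample credentials; only the current, in-use `crm-sync-v2` passes. The point of the "superseded" check is that a replacement being issued is not the same as the old secret being revoked: until the old token is actually invalidated at the provider, it still grants access.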


Brandon (00:01)

Welcome to the latest episode of The Register's Kettle Podcast. I'm your host, Brandon Vigliarolo, and this week we have some rather interesting security stories to talk about concerning yet another Salesforce data breach affecting a whole bunch of companies, the new extortion gang behind them, and the trouble the whole thing has spelled for one of the first companies to point the whole thing out. This week I'm joined by US editor Avram Piltch and security editor Jessica Lyons to talk about this whole mess and more. Welcome to you both.

Jessica Lyons (00:29)

Good to be here.

Avram Piltch (00:30)

Hey.

Brandon (00:30)

Jess, let's start with that Salesforce supply chain attack that you wrote about this week. I understand there was a market intelligence connector of some sort that was behind the incident, right?

Jessica Lyons (00:41)


Right. So there's this company named Klue, and they provide market intelligence to more than 250,000 users worldwide. And they integrate with Salesforce. And so apparently what happened, on around June 11th, somebody used compromised legacy credentials linked to the Salesforce integration, and then by that they were able to obtain OAuth tokens and then were able to access customers' Salesforce data, Klue customers' Salesforce data from that.

Brandon (01:21)

Okay, was it data that Klue had on their customers in their Salesforce environment, or they pivoted to the customers' environments as well?

Jessica Lyons (01:29)

It was through the integration with the Salesforce databases.

Brandon (01:34)

That's not great. A lot of companies were exposed, and a lot of them in your article you mentioned were security companies. Is that right?

Jessica Lyons (01:42)


There were a ton of security ones, and then LastPass, this huge password manager. We don't know how many; Klue didn't say. Huntress, which is one of the security companies who was involved in this and who came out on the forefront and said, "Yeah, we were one of the compromised organizations," said it was hundreds. And out of 250,000 users, it could be pretty comprehensive.

Avram Piltch (02:12)

Do you think this makes Huntress look good?

Jessica Lyons (02:17)

I think it was admirable that they came out, especially as a security company, and said "we were one of the companies who were victimized." I think that's how any company should respond if they're among the companies affected. Especially if you're a security firm, you have an obligation to be transparent and tell your customers what happened.

Brandon (02:43)

Legally, in the United States at least, if you've got a breach, you've got to report these things to the government. There's all kinds of cybersecurity reporting standards in place. They are contradictory and overlapping sometimes, but they're there. What kind of data was exposed, Jess?

Jessica Lyons (02:57)

It was basically CRM data. It wasn't any of the companies' internal IP or anything like that. It was CRM data for pretty much every single company involved across the board. The cybercrime group behind this hack did leak the Huntress data a few days later.

And we've heard that they're actually deleting the stolen data from LastPass. That's what LastPass is saying. We don't know if this data is actually not going to exist anymore or if they're just handing...
