Cybersecurity Roundup: Zero-Days, Privacy Fines, AI Vulnerabilities, and Exposed Criminal Data
The past week brought significant developments in cybersecurity, from high-profile vulnerability discoveries to regulatory actions and AI-related risks.
Pwn2Own Automotive Uncovers 76 Zero-Days in EV Systems
The third annual Pwn2Own Automotive competition in Tokyo exposed 76 unique zero-day vulnerabilities across automotive software, including Tesla infotainment systems and EV chargers. A record 73 entries competed, with Trend Micro’s Zero Day Initiative awarding over $1 million in prizes. The winning team, Fuzzware.io, earned $215,500 and the Master of Pwn title after exploiting an out-of-bounds write flaw in the Alpitronic HYC50 EV charger. Other notable exploits included a Time-of-Check to Time-of-Use vulnerability in the same charger used to install Doom and a full takeover of Tesla’s infotainment system by Synacktiv. Automotive Grade Linux was also compromised via three separate flaws.
France Fines Unnamed Company €3.5M for GDPR Violations
French regulators imposed a €3.5 million fine on an undisclosed company for sharing customer loyalty data including email addresses and phone numbers with a social network for targeted advertising without explicit consent. The violations, spanning from February 2018 to December 2023, affected over 10.5 million Europeans across 16 countries. The National Commission on Informatics and Liberty cited breaches of both GDPR and France’s Data Protection Act but opted not to name the company, citing proportionality.
Google Gemini Vulnerability Exposed Calendar Data via Prompt Injection
Security firm Miggo identified a flaw in Google’s Gemini AI that could leak users’ private calendar details through malicious event invitations. By embedding a hidden prompt-injection payload in an event description, attackers could trick Gemini into summarizing confidential meetings into a new calendar entry potentially visible to the attacker in enterprise setups. Google patched the issue, but Miggo warned that AI systems introduce novel attack surfaces requiring dedicated security controls.
HackerOne Introduces Safe Harbor for AI Security Research
Bug bounty platform HackerOne released a Good Faith AI Research Safe Harbor framework to clarify rules for ethical AI testing. The guidelines protect researchers from legal action if they follow conditions such as avoiding data exfiltration, unnecessary damage, or competitive reverse-engineering. Organizations adopting the agreement commit to treating authorized AI research as legitimate, addressing ambiguity in traditional vulnerability disclosure models.
Cybercriminals’ Exposed Credential Database Highlights Persistent Risks
Researcher Jeremiah Fowler discovered a 96GB database containing 149 million unique login credentials including social media, banking, and government accounts left publicly accessible online. The data, likely harvested via infostealer malware, remained exposed for nearly a month before being secured. The incident underscores the ongoing threat of credential theft, even among malicious actors.
Source: https://www.theregister.com/2026/01/25/pwn2own_automotive_2026_identifies_76_0days/
Alpitronic cybersecurity rating report: https://www.rankiteo.com/company/alpitronic-srl
Coastal Automotive, LLC cybersecurity rating report: https://www.rankiteo.com/company/coastal-automotive-llc
"id": "ALPCOA1769923964",
"linkid": "alpitronic-srl, coastal-automotive-llc",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '10.5 million Europeans',
'industry': 'Loyalty/Retail',
'location': 'France (operations across 16 European '
'countries)',
'name': 'Unnamed company (GDPR fine)',
'type': 'Private company'},
{'industry': 'Automotive/EV',
'location': 'Global',
'name': 'Tesla',
'size': 'Large',
'type': 'Automotive manufacturer'},
{'industry': 'Automotive/Energy',
'name': 'Alpitronic',
'type': 'EV charger manufacturer'},
{'industry': 'Automotive/Technology',
'name': 'Automotive Grade Linux',
'type': 'Open-source software platform'},
{'industry': 'Technology/AI',
'location': 'Global',
'name': 'Google',
'size': 'Large',
'type': 'Technology company'},
{'customers_affected': '149 million unique credentials '
'exposed',
'industry': 'Malicious actors',
'name': 'Unknown (exposed credentials database)',
'type': 'Cybercriminals'}],
'attack_vector': ['Exploiting software flaws',
'Unauthorized data sharing',
'Prompt injection',
'Infostealer malware'],
'data_breach': {'number_of_records_exposed': ['10.5 million (GDPR violation)',
'149 million (exposed '
'credentials database)'],
'personally_identifiable_information': 'Yes (email addresses, '
'phone numbers, login '
'credentials)',
'sensitivity_of_data': 'High (PII, financial, government '
'accounts)',
'type_of_data_compromised': ['Customer loyalty data (email '
'addresses, phone numbers)',
'Login credentials (social '
'media, banking, government '
'accounts)',
'Private calendar details']},
'description': 'The past week brought significant developments in '
'cybersecurity, from high-profile vulnerability discoveries to '
'regulatory actions and AI-related risks, including zero-day '
'exploits in automotive systems, GDPR fines, AI prompt '
'injection vulnerabilities, and exposed cybercriminal '
'credential databases.',
'impact': {'brand_reputation_impact': 'Potential reputational damage for '
'unnamed GDPR-violating company and '
'Google Gemini',
'data_compromised': ['Customer loyalty data (email addresses, '
'phone numbers)',
'149 million unique login credentials (social '
'media, banking, government accounts)',
'Private calendar details (via AI prompt '
'injection)'],
'financial_loss': '€3.5 million fine',
'identity_theft_risk': 'High (exposed credentials database)',
'legal_liabilities': 'GDPR violations (€3.5M fine), potential '
'legal risks for AI prompt injection '
'vulnerability',
'systems_affected': ['Tesla infotainment systems',
'EV chargers (Alpitronic HYC50)',
'Automotive Grade Linux',
'Google Gemini AI']},
'investigation_status': 'Ongoing (for exposed credentials database), Resolved '
'(for patched vulnerabilities)',
'lessons_learned': ['Automotive systems are increasingly vulnerable to '
'zero-day exploits',
'AI systems introduce novel attack surfaces requiring '
'dedicated security controls',
'Credential theft remains a persistent threat even among '
'malicious actors',
'Ethical AI research needs clear legal protections'],
'motivation': ['Financial gain (bug bounty)',
'Regulatory violation (GDPR)',
'Data theft',
'Malicious credential harvesting'],
'post_incident_analysis': {'corrective_actions': ['Patch zero-day '
'vulnerabilities in '
'automotive systems',
'Implement stricter AI '
'security controls',
'Adopt safe harbor '
'frameworks for ethical '
'research',
'Secure credential '
'databases with proper '
'access controls'],
'root_causes': ['Lack of explicit customer consent '
'for data sharing (GDPR violation)',
'Unpatched zero-day '
'vulnerabilities in automotive '
'systems',
'Insufficient AI security controls '
'(prompt injection)',
'Poor credential database security '
'(exposed for nearly a month)']},
'recommendations': ['Implement robust security testing for automotive '
'software and EV systems',
'Enhance AI security controls to prevent prompt injection '
'attacks',
'Adopt safe harbor frameworks for ethical AI research',
'Monitor and secure credential databases to prevent '
'exposure'],
'references': [{'source': 'Pwn2Own Automotive Competition'},
{'source': 'National Commission on Informatics and Liberty '
'(CNIL)'},
{'source': 'Miggo (Google Gemini vulnerability report)'},
{'source': 'HackerOne Good Faith AI Research Safe Harbor'},
{'source': 'Jeremiah Fowler (exposed credentials database)'}],
'regulatory_compliance': {'fines_imposed': '€3.5 million',
'regulations_violated': ['GDPR',
'France’s Data Protection '
'Act']},
'response': {'containment_measures': ['Google patched the Gemini AI prompt '
'injection vulnerability',
'Exposed credentials database secured '
'after nearly a month'],
'remediation_measures': ['HackerOne introduced Good Faith AI '
'Research Safe Harbor framework',
'Trend Micro’s Zero Day Initiative '
'awarded prizes for zero-day '
'discoveries']},
'threat_actor': ['Fuzzware.io', 'Synacktiv', 'Unknown cybercriminals'],
'title': 'Cybersecurity Roundup: Zero-Days, Privacy Fines, AI '
'Vulnerabilities, and Exposed Criminal Data',
'type': ['Zero-Day Vulnerabilities',
'GDPR Violation',
'AI Vulnerability',
'Data Exposure'],
'vulnerability_exploited': ['Out-of-bounds write flaw in Alpitronic HYC50 EV '
'charger',
'Time-of-Check to Time-of-Use vulnerability in '
'Alpitronic HYC50 EV charger',
'Three separate flaws in Automotive Grade Linux',
'Full takeover of Tesla’s infotainment system']}