News & Commentary

Workday breach shows social engineering is growing more sophisticated 🔐

HR software company Workday recently disclosed a security breach after threat actors leveraged voice-based social engineering tactics to gain access to user data stored in a third-party CRM platform. While no internal systems or sensitive HR data (like payroll or SSNs) were exposed, attackers did make off with basic contact info: names, emails, and phone numbers. Not super sensitive info, but still just enough fuel for additional phishing, vishing, and impersonation attacks.

The breach appears to be part of a broader campaign targeting Salesforce-based CRMs, with cybercrime groups like ShinyHunters and Scattered Spider linked to similar incidents involving Google, Adidas, and others. The method? OAuth phishing and old-school trust exploitation.

Notably, Workday’s public post about the breach included a “noindex” tag, effectively telling search engines to ignore the news. That definitely flung up some red flags for folks as far as transparency is concerned.

Bottom line? Even with MFA and strong security controls, if your users are tricked into giving access away, the defenses crumble. This is a wake-up call to double down on user training, scrutinize your third-party integrations, and treat “basic” contact info like it’s gold…because in the hands of attackers, it is.

More bad news for McDonald’s: Full-scale access risks 🍔

Between the McHire Bot story we talked about last month and now this, McDonald’s can’t catch a break. 😅

Just like any good tale, this story begins with a man who wanted free nuggs.

A researcher known as BobDaHacker (👍) discovered serious vulnerabilities in McDonald’s internal staff portals, all while trying to redeem free McNuggets. By simply changing "login" to "register" in a URL, he created a new account and received a plain-text password by email.

From there, things got worse. Bob found hardcoded API keys in JavaScript, global employee directories exposed to low-privilege users, and the ability to inject arbitrary HTML into corporate sites.

Despite responsibly reporting the flaws, our McNugget Crusader struggled to reach the right people. McDonald’s had no security.txt, no formal disclosure program, and allegedly, supposedly even fired an internal contact who helped. 😅

To me, what’s wild is how this underscores just how fragile internal platforms can be when basic hygiene gets overlooked. No rate-limiting, plain-text passwords, public API keys — nothing fancy, just basic cyber hygiene. It’s a reminder that even massive global brands can have brittle systems behind the curtain. And when researchers have to go full detective mode just to report the issues? That…is very concerning.

HTTP/2’s new (and serious) flaw: “MadeYouReset” 🛜

Remember the Rapid Reset DDoS exploit from 2023? That one let attackers hammer servers by abusing how HTTP/2 handles canceled requests. Well, now researchers from Tel Aviv University have discovered a new trick — “MadeYouReset” — that bypasses those earlier fixes and could again impact up to one-third of the internet.

Instead of client-side request spam, MadeYouReset abuses server-side stream cancellations by injecting invalid control messages, tricking the system into a never-ending stream reset loop. It’s tracked as CVE-2025-8671 and received a 7.5 CVSS score.

While some vendors like Cloudflare were already fortified, others had to patch up fast. Still, not every vendor saw eye-to-eye on who’s responsible. Some rely on external protocol libraries, leading to finger-pointing and patch delays.

MadeYouReset proves that protocol-level flaws don’t just need patches; they need rethinks. When server-side behavior can be gamed with crafted control frames, that’s a systemic risk — and it doesn’t help when vendors get caught up in the blame game. For defenders, this is a clear call: Don’t trust default limits, audit your HTTP/2 stacks hard, and make DDoS resilience part of your day-one planning rather than a post-incident scramble.

Sponsor

The MCP Security Guide for Early Adopters

Is your team exploring MCP integrations?

The Model Context Protocol (MCP) is quickly emerging as the go-to standard for connecting LLMs to external tools and data. But as adoption picks up, many teams are implementing MCP without a clear security playbook.

This new guide from Wiz can help: The Hidden Risks Behind the Magic: Securing the Model Context Protocol (MCP). It shares early research and practical guidance to help security teams evaluate and secure MCP in real-world environments.

Inside the guide:

• Key risks with local and remote MCP servers

• Real-world threats like prompt injection and supply chain compromise

• Actionable steps for safely using MCP tools

Download the guide to get smart on securing MCP as adoption grows.

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-015.

(And as always, thanks for nothing, Clippy. 💙)

Just Hacking Training 🤓
August Announcements

August Course Launch: Incident Response (IR)!

You’ve done your time as a Junior SOC Analyst, and you’re ready to advance your cybersecurity career. Enter IR! Our new Incident Response 101 course by Ali Hadi introduces students to the fundamentals of IR in a large cyber range of 8 VMs to learn in a very hands-on, practical manner.

Designed for entry-level analysts, SOC team members, and security professionals, this course focuses on developing structured response strategies, handling evidence correctly, and communicating findings clearly. Only $80 until August 31 with 20% launch discount code IRLaunch20.

JHT @ DEF CON: The Party Continues!

☠️ DEF CON Discount ☠️ — 20% off with code DEFCON20*!

Try our free stuff. Like what we do? We'd love your learning journey to continue with JHT.

^{*Excludes already discounted Bundles. Expires August 31 @ midnight ET. One (1) code at a time.}

🚨 New Product Alert = UCx! 🚨

JHT is proud to sponsor the IoT Village. Now that DEF CON is behind us, we’re thrilled to release 2 IoTV exclusives to the rest of the world as a new product type. And they’re FREE!

• UCx – Router Ruh Roh

• UCx – MQTT: Talk to Your “Things”

What’s an Extended Upskill Challenge (UCx)?

As you know, our free Upskill Challenges (UCs) are bite-sized lessons meant to be short and to the point. UCs focus on a single tool or concept and are helpful in quickly providing useful skills in less than 30 minutes of student time and have no VMs.

To accommodate more detailed topics and virtual environments, JHT has released a new product, the Extended UC (or UCx). A UCx can be 30–120 minutes of student time, include VMs and videos, and an optional Capstone Challenge. A UCx is a Name Your Price item with $0 as the lowest accepted cost. That’s right… FREE!

Just Hacking Training is a platform providing "Focused Technical Training for All Levels" with 60+ affordable, hands-on options in four categories: Courses, Free Upskill Challenges, Hack-Alongs, and CTFs. With new content released twice a month throughout 2025, bi-monthly livestreams with me and our All-Star contributors, and even some “Name Your Price” options, JHT will advance your career regardless of experience level or budget.

Come hang out with us hackers in Discord and engage with me, our All-Star instructors, students, and the rest of our community.

Where do I even begin?!

With Black Hat, I guess? 😅

Was stoked to be there with the Huntress crew to celebrate a few key milestones (Huntress turning 10 and welcoming Jen Easterly to our Strategic Advisory Board!) … and (of course) to do typical nerdy Black Hat shenanigans.

As soon as Black Hat wrapped up, we embarked on DEF CON. 🤓

A few highlights include village parties (so many village parties), catching up with old friends and meeting new friends, a few speaking engagements, and, um, a John Hammond lookalike contest? 🫣 No visual evidence will be included in this email. 😆

Oh, and remember that supersecretextraspecial guest I mentioned in last month’s Shenanigans? ‘Twas none other than Network Chuck himself. 😎 We kicked off DEF CON together with a quick Q&A.

Just an absolute blast all-around. I even had some folks make the time at these insanely busy conferences to come say hi, and it’s really cool to be able to meet folks from this community we’ve built together. Thank you!

Feels like we’re in a groove with this thing! I invite you to help me shake it up.

Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.

Thank you!