If the first two months of 2026 are any indication, the “slow and steady” era of cybersecurity is officially dead. We’ve seen a massive shift toward AI-native threats—attacks that don’t just use AI as a gimmick, but rely on it to function.
From $25 million deepfake heists to a “stealth” breach at PayPal that sat undiscovered for months, here is your human-friendly breakdown of the latest in online security.
1. The $25 Million “Video Call” Nightmare
In a story that sounds like a sci-fi thriller, a finance worker at the engineering firm Arup was tricked into sending $25 million to scammers.
How? He attended a video call where everyone else on the screen—including his own CFO—was an AI-generated deepfake. They looked like his colleagues, sounded like them, and even referenced internal projects.
- The Lesson: “Seeing is believing” is no longer a safe rule. If a request involves big money or sensitive data, verify it through a second, completely different channel (like a quick text or a physical phone call).
2. The PayPal “Six-Month” Glitch
We recently learned that PayPal dealt with a quiet but serious data exposure that lasted from July 2025 all the way through December. The issue was finally disclosed to users in February 2026.
- What happened: A simple “code change” in their loan application process accidentally left the door open for hackers to see names, Social Security numbers, and birthdays.
- The Catch: While only about 100 people were directly “hacked,” the incident highlights how even the biggest tech giants can have a “blind spot” for months at a time.
3. Meet the New Villains: “LunaLock” and “PromptLock”
Ransomware has evolved. Two new types of AI-driven malware dominated the headlines this month:
| Threat | What it does |
| LunaLock | Uses AI to “hunt” through your files. It doesn’t just lock everything; it finds your most embarrassing or valuable data first to make sure you have to pay. |
| PromptLock | This targets AI tools themselves (like ChatGPT or corporate bots). It tries to “poison” the AI’s brain or steal the secret data it was trained on. |
4. The “Patch Tuesday” Cleanup
Microsoft and Google had a busy February. Microsoft fixed 59 different holes in their software, including several that hackers were already using to break into Windows computers.
- Action Item: If your computer has been nagging you to “Restart to Update,” do it today. Those updates contain the “vaccines” for the specific bugs (like CVE-2026-21513) that are currently making the rounds.
5. New Rules of the Road
The government is finally catching up. As of January 1, 2026, the EU’s new GDPR Procedural Regulation kicked in. It’s designed to make it faster and easier for you to complain if a company mishandles your data.
Additionally, the EU AI Act released new guidelines in February. Any AI used for “high-risk” stuff—like deciding who gets a job or a loan—now has to be way more transparent about how it works.
The Bottom Line
The “bad guys” are getting faster thanks to AI, but the tools to catch them are getting smarter, too. The theme for 2026 is Verification. Don’t trust an urgent email, a weird video call, or a “too good to be true” offer without checking it out first.
Leave a Reply