Episodes

  • Home Depot: 56 Million Cards, One Vendor Password
    Jun 26 2026

    In 2014, attackers walked into Home Depot's network with a password stolen from a third-party vendor — and walked out with 56 million payment cards. The tool they used to move around inside was a genuine zero-day, the kind of flaw nation-states pay millions for. The harder part to explain is everything that was already wrong when they arrived: no multi-factor authentication, antivirus seven years out of date, the dedicated firewall switched off, and the card data moving in plain text. This episode walks through how the breach actually worked — and why the warnings that could have stopped it had already been sent, twice.

    (0:00) Intro
    (1:03) Home Depot and the payment rails
    (2:03) The way in: a vendor password
    (4:25) What a zero-day actually is
    (5:20) 7,500 registers and a watcher in memory
    (8:15) Five months of dwell time
    (9:55) How the banks found it first
    (11:23) Disclosure, response, and the bill
    (12:54) What was waiting: the warnings ignored
    (16:08) Defenses from the year of the iPhone
    (19:34) Chip-and-PIN, a CISO, and the unnamed
    (21:06) The distance between a warning and a check

    Free one-page technical breakdown PDF: zerodaylogs.com
    Sources are listed on the episode page at zerodaylogs.com.

    22 mins
  • Pearson: The Patch That Sat Unapplied Six Months
    Jun 19 2026

    A critical security patch sat unapplied on a Pearson education platform for six months. By the time it was found, data on roughly 11.5 million student records across some 13,000 schools and universities had been taken — and Pearson described the breach to investors as a "hypothetical" risk. The SEC disagreed.

    This is the story of the distance between knowing and acting: a documented flaw, an available fix, and the gap in between.

    Chapters:
    (0:00) The Call From the FBI
    (1:14) Pearson and AIMSweb
    (2:38) What Remote Code Execution Means
    (3:40) The Patch That Was Never Applied
    (5:14) Inside the Breach
    (8:52) Four Months, Undetected
    (10:30) What "Material" Means to the SEC
    (12:01) The Notification Letters
    (13:07) "A Hypothetical Risk"
    (14:55) The Decade-Long Campaign
    (16:54) The SEC Charge
    (18:42) Knowing vs. Acting
    (19:22) Takeaways

    Free one-page technical breakdown: https://zerodaylogs.com
    Watch the full video version on YouTube: [video URL]

    Sources: SEC enforcement order (2021); DOJ indictment (2020); UK ICO penalty notice; Pearson Form 6-K (2019); state AG notifications.

    20 mins
  • How Uber Hid a Breach of 57 Million People
    Jun 12 2026

    On November 14, 2016, two hackers told Uber they had the personal records of 57 million users and drivers. What Uber did next wasn't a breach response — it was a cover-up: a $100,000 payment disguised as a bug-bounty reward, false NDAs, and a year of silence while a binding FTC order required disclosure. The breach itself was fixable. The concealment became the first criminal conviction of a chief security officer.

    (0:00) The hackers make contact
    (0:40) The break-in: reused passwords to 57M records
    (6:45) Disguising the ransom as a bug bounty
    (10:40) The FTC order that made silence a crime
    (13:27) The first criminal conviction of a CSO
    (17:05) The four controls that were missing

    Free one-page technical breakdown (timeline, attack path, the four missing controls): https://zerodaylogs.com

    Sources: U.S. FTC enforcement action and expanded consent decree; New York Attorney General settlement; U.S. DOJ charging documents and trial record, United States v. Sullivan; U.S. SEC filings.

    Zero Day Logs — the real anatomy of security breaches. Measured, sourced, no hype. https://zerodaylogs.com

    20 mins
  • Yahoo: 3 Billion Accounts, Four Years Hidden
    Jun 5 2026

    Three billion user accounts. Two separate breaches. Four FSB-directed operatives. And nearly two years of silence between what Yahoo's security team knew and what the public was told.

    This episode traces the full operation from the spear phishing campaign that opened the door, through the forged authentication cookies that bypassed every login screen, to the SEC enforcement action that established a new category of regulatory risk: the failure to disclose a known breach.

    Chapters:
    0:00 — 3 Billion
    1:47 — The Spear Phishing Campaign
    3:26 — Inside Yahoo's Network
    5:39 — The Stolen Database
    7:28 — The Account Management Tool
    9:14 — The Hybrid Model: State + Criminal
    11:03 — The Silence
    13:23 — The Disclosures
    15:23 — The SEC Enforcement
    17:14 — The Indictment
    17:58 — Aftermath
    18:20 — The Pattern

    Sources: DOJ indictment (United States v. Dokuchaev et al.), SEC enforcement order (Altaba Inc.), Yahoo SEC filings, Verizon acquisition disclosures.

    Full technical breakdown and free PDF summary at zerodaylogs.com.

    20 mins
  • Colonial Pipeline: From Legacy VPN to Bitcoin Seizure — The Complete Breakdown
    May 29 2026

    One leaked password. No multi-factor authentication. Nine days undetected.

    In May 2021, a compromised VPN credential — found on the dark web, tied to a former employee's account, protected by nothing more than a single password — gave DarkSide ransomware operators access to Colonial Pipeline's IT network. What followed: 100 gigabytes of stolen data, encrypted systems, a $4.4 million Bitcoin ransom, a six-day shutdown of 5,500 miles of fuel infrastructure, and a DOJ operation that clawed back 63.7 of the 75 Bitcoin using a method that remains partially redacted from the public record.

    This episode traces the complete chain: the entry vector, the nine-day dwell time, the franchise model behind DarkSide, the IT/OT boundary decision that shut down physically intact infrastructure, the ransom payment calculus, and the regulatory reckoning that followed.

    Primary sources: Senate testimony, CISA advisory, FBI seizure affidavit, GAO report.

    Free PDF breakdown: https://zerodaylogs.com

    00:00 — The Escalation
    01:30 — Introduction
    01:35 — What Is a VPN?
    02:39 — The Forgotten Door
    03:34 — One Password, No Second Factor
    04:40 — DarkSide: Ransomware-as-a-Service
    05:39 — Anatomy of the Attack
    07:29 — 100 Gigabytes Out the Door
    08:34 — Two Buildings, One Boundary
    11:12 — Seventy Minutes
    11:44 — The Shutdown Decision
    13:08 — The $4.4 Million Question
    14:02 — The Vault
    15:10 — The DOJ Strikes Back
    15:54 — Three Missing Controls
    17:55 — Eleven Years Without an Update
    18:21 — The Aftermath

    20 mins
  • Target — Certified Compliant, Breached Eight Weeks Later
    May 22 2026

    On September 20, 2013, Target Corporation was certified compliant with the Payment Card Industry Data Security Standard. Eight weeks later, malware was running on nearly every cash register in the company's 1,793 stores.

    This episode traces the full attack path — from a stolen HVAC contractor password to 40 million compromised payment cards — and examines why every control that could have stopped the breach already existed in published security guidance years before it happened.

    We cover: the Fazio Mechanical entry point, the network segmentation gap, how BlackPOS exploited the moment card data exists as plaintext in RAM, why FireEye's alerts went unacknowledged for 12 days, the exfiltration architecture that moved stolen data through three countries during peak shopping hours, and the compliance paradox at the center of it all.

    Full technical breakdown: zerodaylogs.com

    Primary sources: U.S. Senate Commerce Committee "Kill Chain" analysis, Target SEC filings, multistate AG settlement, NIST and PCI-DSS standards.

    27 mins
  • How Equifax Lost 147 Million Social Security Numbers
    May 15 2026

    A critical vulnerability was disclosed. A patch was released the same day. Equifax was warned directly. The patch was never applied. Two months later, attackers walked through the door — and spent seventy-six days inside a system holding 147 million Social Security numbers. Episode 5 covers the full 2017 Equifax breach — the Apache Struts vulnerability, the scanner that missed, the certificate that was blind for over a year, the breach response that made everything worse, and the PLA indictment that revealed what the stolen data was really for.

    0:00 — Introduction
    0:42 — What Is Equifax
    1:17 — The Data You Never Chose to Give
    1:42 — Growth vs. Security
    2:05 — ACIS: A 1970s System on the Public Internet
    2:25 — CVE-2017-5638: The OGNL Injection
    4:19 — The Missed Scan
    5:37 — The Honour System
    6:16 — CEO vs. Committee
    6:37 — May 13th: The Door Opens
    7:13 — No Walls: Lateral Movement
    8:20 — The Harvest: 147 Million Records
    9:31 — The Expired Certificate
    10:45 — Found by Accident
    11:09 — The Response Timeline
    12:35 — The Response That Made Everything Worse
    13:52 — Insider Trading
    14:28 — Executive Departures
    14:52 — The Settlement
    15:34 — PLA Attribution
    16:23 — The Intelligence Mosaic
    17:05 — Entirely Preventable
    17:47 — Closing

    Full technical breakdown: zerodaylogs.com

    18 mins
  • The Twitter/X Breach — July 2020
    May 12 2026

    On July 15, 2020, the verified Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and Uber were hijacked simultaneously. Every account posted the same Bitcoin scam. The attacker was a 17-year-old in Tampa, Florida.

    This episode reconstructs how a series of phone calls defeated Twitter's multi-factor authentication through a real-time credential relay, how a single admin tool called Agent Tools gave unrestricted access to every account on the platform, and how the attack escalated from stealing OG usernames to hijacking the accounts of world leaders. The New York Department of Financial Services investigated and found five specific security controls that would have prevented the breach — all of which existed, were documented, and were available. None were deployed.

    Based on the NY DFS Report (October 14, 2020), United States v. Graham Ivan Clark, and Twitter's own incident disclosures.

    📄 Free technical breakdown PDF: zerodaylogs.com

    0:00 — Introduction
    0:50 — The Phone Call
    2:33 — Real-Time Credential Relay
    3:59 — Why MFA Failed
    6:04 — Agent Tools: The God Mode Panel
    7:06 — Inside the Admin System
    9:23 — Three Phases of the Attack
    12:22 — The Cascade: World Leaders Hijacked
    14:34 — Twitter Breaks Its Own Platform
    17:02 — The Damage Report
    17:47 — The Deeper Harm: Private Messages
    19:23 — Tracing the Attackers
    21:44 — Arrests and Sentencing
    24:38 — No CISO
    25:16 — Five Missing Controls
    28:44 — Why Security Controls Go Undeployed
    29:01 — Should Platforms Be Stress Tested?
    30:30 — What Twitter Changed After the Breach
    31:39 — The Pattern Repeats: MGM 2023
    32:33 — The Question That Remains

    #cybersecurity #twitter #databreach #infosec #zerodaylogs

    34 mins