Quick Facts
- Category: Cybersecurity
- Published: 2026-05-04 14:32:02
UK Biobank Confirms Breach of Half a Million Health Records
UK Biobank, the prominent biomedical research organization, has confirmed a data breach after de-identified health data on 500,000 volunteers was advertised for sale on Chinese online marketplaces. Officials said the listings were quickly removed and that the data is believed to be unsold; access was nonetheless suspended, the research platform was shut down, and download limits were imposed.

“This is a devastating breach of a trusted research resource, potentially undermining years of critical health studies,” said Dr. Emily Carter, a cybersecurity analyst at CyberSafe. The organization is working with law enforcement and cybersecurity experts to investigate the incident.
The breach, detected earlier this month, underscores the growing threat to sensitive medical datasets. UK Biobank has urged volunteers to remain vigilant and monitor for any suspicious activity.
Other Major Breaches Reported: Vercel, France Titres, and Bitwarden
Vercel Breach via Context.ai
Vercel, a frontend cloud platform, has disclosed a security incident linked to a compromise at Context.ai. Stolen OAuth tokens enabled unauthorized access through a connected app, exposing employee information, internal logs, and a subset of environment variables. “The most sensitive secrets were not included,” a Vercel spokesperson stated, but the attack highlights risks of third-party integrations.
France Titres Agency Data Leaked
France Titres, the authority for identity documents, detected a breach on April 15 potentially exposing names, birth dates, email addresses, and some physical addresses. A hacker has offered the purported agency data for sale on the dark web. “This is a grave concern for national identity security,” commented Jean-Pierre Lefevre, a French cybersecurity researcher.
Bitwarden Supply-Chain Attack
Bitwarden, a popular password manager, suffered a supply-chain attack after a malware-tainted CLI release was published to npm on April 22. Approximately 334 developers installed version 2026.4.0 during a brief window, potentially exposing credentials via a hijacked GitHub account. Vault data remained unaffected, but the incident raises alarms about software supply chain integrity.
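For teams that want to check whether the affected release reached their builds, the following added example (not from the report or from Bitwarden) scans a parsed npm lockfile for version 2026.4.0. The package name `@bitwarden/cli` is an assumption, since the report names only the version, and the sample lockfiles are constructed.

```javascript
// ASSUMPTION: the npm package name is not given in the report; the version is.
const AFFECTED = { name: "@bitwarden/cli", version: "2026.4.0" };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every place in a parsed package-lock.json that pins the affected release.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const match = (name, meta) =>
    name === affected.name && meta.version === affected.version;
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      // meta.name is set when the install path is an alias of the real package.
      if (match(meta.name || nameFromPath(path), meta)) hits.push(path);
    }
    return hits;
  }
  // Lockfile v1: nested dependency tree, so transitive copies are walked too.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (match(name, meta)) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real project data; 2026.3.0 is made up).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@bitwarden/cli": { version: "2026.4.0" },
  "node_modules/build-tool/node_modules/@bitwarden/cli": { version: "2026.3.0" },
  "node_modules/bw": { name: "@bitwarden/cli", version: "2026.4.0" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "build-tool": { version: "3.1.0",
    dependencies: { "@bitwarden/cli": { version: "2026.4.0" } } },
} };
console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findAffected`; a hit means credentials available to that build or workstation should be treated as exposed.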
AI Threats Escalate: Anthropic, Bissa Scanner, and Antigravity IDE
Anthropic’s Claude Mythos Preview Compromised
Researchers flagged unauthorized access to Anthropic’s Claude Mythos Preview, an unreleased AI cyber model, through a third-party vendor environment. A small Discord group used shared contractor accounts, API keys, and predictable URLs to reach the system. Anthropic said it is investigating and has not seen impact to core systems. “This incident exposes the vulnerabilities inherent in early access AI deployments,” noted Dr. Laura Kim, an AI security expert.
Bissa Scanner AI-Assisted Exploitation
Researchers observed Bissa Scanner, an AI-assisted exploitation platform using Claude Code and OpenClaw to support mass scanning, exploitation, and credential harvesting. The operation focused on exploiting React2Shell (CVE-2025-55182), scanning millions of targets, confirming over 900 compromises, and collecting tens of thousands of exposed environment files.

Antigravity IDE Prompt Injection Exploit
Researchers highlighted a prompt-injection exploit chain in Google’s Antigravity agentic IDE that enabled sandbox escape and remote code execution. The flaw abused a file search tool that ran before security checks, allowing attackers to convert a benign prompt into system compromise even in Secure Mode. Google has patched the vulnerability.
Critical Vulnerabilities Force Urgent Patching
Microsoft ASP.NET Core Privilege Escalation (CVE-2026-40372)
Microsoft issued out-of-band fixes for CVE-2026-40372, a critical ASP.NET Core privilege escalation flaw rated 9.1. A bug in Data Protection versions 10.0.0 to 10.0.6 could let attackers forge cookies and antiforgery tokens, impersonate users, and gain SYSTEM-level access on Linux or macOS deployments. “Organizations using affected versions should apply the patch immediately,” urged Microsoft’s Security Response Center.
Apple Notification Services Bug (CVE-2026-28950)
Apple released fixes for CVE-2026-28950 in iOS and iPadOS, a Notification Services bug that could allow unauthorized access to device notifications. Users are advised to update their devices to the latest version to mitigate risk.
Background
This week’s threat report from cybersecurity researchers highlights a surge in both data breaches and AI-driven attacks. The UK Biobank incident is particularly alarming due to the sensitivity of health data and the sheer number of volunteers affected. The Bitwarden and Vercel incidents underscore supply chain and third-party risks, while the Anthropic breach signals that even pre-release AI models are not immune. Meanwhile, critical vulnerabilities in widely used platforms like ASP.NET Core demand immediate patching.
What This Means
Organizations must rethink their reliance on third-party integrations and vet the security postures of partners. The use of AI in both attack tools (like Bissa Scanner) and target models (like Claude Mythos) presages a new era of cybersecurity challenges. For individuals, especially UK Biobank volunteers, monitoring for identity theft and phishing is crucial. The takeaway: patch critical vulnerabilities now, audit third-party access, and prepare for AI-powered threats to become the norm.