Weekly Threat Roundup: 56M Credentials Leaked (June 15-21)

This Week at a Glance

A massive stealer log dump exposed 56.3 million accounts, while Cisco, Joomla, and LiteSpeed vulnerabilities are being actively exploited in the wild. Security teams must prioritize patching these CVEs and scanning for credential exposure from the latest data leak.

Top Vulnerabilities

• CVE-2026-20262 (CVSS 6.5, Medium): An authenticated vulnerability in the Cisco Catalyst SD-WAN Manager web UI is being actively exploited. Cisco has released security updates. Full advisory

Data Breaches

• June 2026 Stealer Logs: 56.3 million accounts exposed, including 124 million passwords. The largest breach of the week. Full report
• JCPenney: 368,000 records exposed, including Social Security numbers and HR data. Full report
• Berkadia: 305,000 records leaked by threat actor ShinyHunters. Full report
• CFGI: 248,000 records exposed, including emails and addresses. Full report
• Operation Endgame 4.0: 154,000 emails and passwords exposed in a law enforcement operation. Full report

Threat Intelligence

• CISA added a Joomla JCE plugin flaw (allowing PHP code execution) to its Known Exploited Vulnerabilities catalog. Full report
• A critical LiteSpeed cPanel plugin flaw is being exploited for root privilege escalation. CISA has issued a warning. Full report
• Cisco confirmed active exploitation of the SD-WAN Manager flaw and released patches. Full report

Key Takeaway

The convergence of credential-stuffing attacks (from stealer logs) and web application exploits (Joomla, LiteSpeed, Cisco) signals a shift toward automated, multi-vector attacks. Security teams should prioritize MFA enforcement and web application firewall (WAF) rules, as attackers are chaining initial access from stolen credentials with unpatched vulnerabilities to move laterally.