Aquahack Spree Hits 66 Targets; AI Agent Risks Dominate CTI Analysis
Summary
Today's threat landscape is defined by a single actor's massive, indiscriminate campaign and a growing consensus among researchers that AI agents represent a systemic vulnerability. The actor Aquahack claims responsibility for 66 events, targeting a diverse set of organizations across more than 20 countries, from telecoms in Italy to e-commerce in Taiwan and government bodies in Belgium. This volume suggests a broad, automated or opportunistic approach rather than a targeted campaign. Simultaneously, industry analysis from Microsoft and DTEX underscores that the integration of agentic AI into enterprise workflows is creating new, poorly understood failure modes -- from supply chain compromise to data exfiltration by authorized but compromised agents. Defenders must prioritize both the immediate volume of credential and access claims from prolific actors and the structural risks posed by AI tooling.
Today's developments
The dominant story today is the activity of the actor Aquahack, who claims to have breached 66 organizations. The alleged victims span a wide range of geographies and industry verticals, including:
- Telecommunications: Euskaltel (Spain), Tiscali (Italy), Tarr Kft (Hungary), Webafrica (South Africa).
- E-commerce & Retail: Bic Camera (Japan), Sanborns (Mexico), Ruten and Buy123 (Taiwan), Privalia (Spain), eMAG Hungary, Materiel.net (France), Petz (Brazil), and others.
- Government & Public Sector: Competition Commission of Pakistan, Directorate-General for Identity and Citizens (Belgium), Jember Regency (Indonesia), and the Municipality of Mendoza (Argentina).
- Education & Research: University of Osnabrück (Germany), Egyptian Knowledge Bank, ETOOS EDU (South Korea), and multiple Indian institutions.
- Financial Services: Giropay (Germany).
The sheer volume and diversity of Aquahack's claims suggest a pattern of scanning for exposed databases or vulnerable web applications rather than deep, targeted intrusions. Security teams should treat the claimed data sets as potential fuel for credential-stuffing attacks or as initial-access vectors.
Beyond Aquahack, other notable incidents include:
- Escanors Files claims breaches of the Philippines' Games and Amusements Board, Iraq's State Company for Automotive Industry, and India's Policy Bazaar and Kaushal Bharat Portal, indicating a focus on government and financial data.
- EagleGodSEC claims to have breached the Royal Thai Army and a Thai dairy industry firm, continuing a pattern of targeting Southeast Asian government and critical infrastructure.
- ChimeraZ alleges a 66 GB data breach of French eyewear retailer Krys, a significant volume that warrants investigation.
- LauraAllen claims multiple breaches of French and US entities, including what is described as a "USA Forex Depositer Email Database" and a database related to Under Armour.
On the analysis front, Microsoft Security published an updated taxonomy of failure modes in agentic AI systems, based on a year of red teaming. They identify seven new failure modes, including supply chain compromise and goal hijacking, which are directly relevant as organizations deploy AI agents with access to sensitive data and systems. Separately, DTEX research highlights how AI agents can become the biggest insider threat, as their authorized access to data makes them a prime vector for exfiltration by malicious or careless users. These findings are reinforced by a report that a flaw in Anthropic's Claude Code GitHub Action could allow a single malicious GitHub issue to hijack repositories, demonstrating the concrete risks of AI supply chain dependencies.
In vulnerability news, Cisco has patched CVE-2026-20230, a server-side request forgery (SSRF) flaw in Unified Communications Manager. Exploit code is already public, and while Cisco has not observed active exploitation, the window for attackers is now open. On the policy front, CISA is expected to release a binding operational directive related to the AI executive order this week, focusing on vulnerability management. Separately, the Supreme Court upheld FCC fines against telecom giants for sharing customer location data, reinforcing the legal liability for data handling practices.
Threat landscape signals
The most actionable signal today is the concentration of claims from a single actor, Aquahack. While the veracity of each claim requires independent verification, the pattern indicates a possible commoditized access broker or a large-scale vulnerability scanning operation. Organizations in the retail, e-commerce, and telecommunications sectors -- particularly in Europe, Asia, and Latin America -- should check for exposed databases, weak authentication, or unpatched web applications.
The AI agent risk theme is not a one-off vulnerability but a structural shift. The combination of Microsoft's red team findings, the Claude Code action flaw, and DTEX's insider threat analysis points to a convergence of risks: AI agents are being deployed faster than their security postures can be validated. Security leads should immediately audit which AI agents have access to production data, enforce strict least-privilege policies, and implement runtime monitoring for anomalous agent behavior. The CISA directive expected this week may provide additional regulatory impetus.
Finally, the Cisco CVE-2026-20230 with public exploit code is a near-term priority. Any organization running Cisco Unified Communications Manager should prioritize patching, as the SSRF-to-root vector is a reliable path for network-based attackers to gain a foothold.