Plus: Major data breaches at a gym chain and hotel giant, a disruptive DDoS attack against Bluesky, dubious ICE hires, and more.
# Morning News Roll-up April 18, 2026
## Overview
This week's threat intelligence landscape is dominated by high-profile data breaches at major corporations, critical vulnerabilities in government-mandated infrastructure, and the continued evolution of AI-driven cybersecurity tools and threats. Significant focus is placed on the security failures of the EU's new age-verification app and the ongoing persistence of sanctioned criminal marketplaces on messaging platforms.
## Top Stories
### EU Age-Verification App Compromised Within Minutes
- Summary: Cybersecurity experts and whitehat hackers demonstrated that the European Commission's newly released open-source age-verification app can be compromised in less than two minutes. The flaws involve insecure storage of user PINs, potentially allowing attackers to hijack user profiles and bypass age restrictions entirely.
- Source: hxxps://www[.]politico[.]eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/
### Major Data Breaches Hit Global Gym and Hotel Chains
- Summary: Significant data exfiltration incidents have been reported involving a major gym chain and a hotel giant (Choice Hotels). These breaches highlight ongoing vulnerabilities in large-scale consumer databases and the continued targeting of personally identifiable information (PII) by threat actors.
- Source: hxxps://www[.]wired[.]com/story/security-news-this-week-it-takes-2-minutes-to-hack-the-eus-new-age-verification-app/
### Telegram Continues to Host Sanctioned Crypto Marketplace Xinbi
- Summary: Despite UK government sanctions identifying Xinbi Guarantee as a $21 billion facilitator for human trafficking and crypto scams, the marketplace remains active on Telegram. Evidence shows over $500 million in transactions occurred in the 19 days following the official sanctioning.
- Source: hxxps://www[.]wired[.]com/story/telegram-is-still-hosting-a-sanctioned-21-billion-crypto-scammer-black-market/
# EU Age-Verification App Vulnerability
Critical security flaws discovered in the European Commission's official age-verification tool for social media and adult content.
## Key Points
- The app was intended to provide a standardized, privacy-preserving method for age verification across the EU.
- Independent security researcher Paul Moore demonstrated a full compromise of the app in under two minutes.
- A critical flaw exists in how the application manages and stores user-created PINs.
- These vulnerabilities undermine the European Commission's mandate for platforms to implement age-checking mechanisms.
## Threat Actors
- **Security Researchers/Whitehats:** Paul Moore and Baptiste Robert identified and disclosed the flaws.
- **Potential Exploiters:** Risk of exploitation by underage users attempting to bypass blocks or malicious actors seeking to hijack identity profiles.
## TTPs
- **Insecure Data Storage:** Improper handling of user-created PINs within the local application environment.
- **Authentication Bypass:** Leveraging the storage flaw to gain unauthorized access to the app profile ("Profile Takeover").
## Affected Systems
- **EU Age-Verification App:** All initial versions of the free, open-source application released by the European Commission.
- **Mobile Platforms:** iOS and Android devices where the app is installed.
## Mitigations
- **Immediate Review:** The European Commission must conduct an urgent security audit of the open-source codebase.
- **Patch Management:** Implementation of secure cryptographic storage for all local authentication tokens and PINs.
- **Platform Caution:** Social networks and pornography websites are advised to delay reliance on the app until a verified patch is issued.
## Conclusion
The rapid compromise of a government-mandated security tool highlights the dangers of rushing "silver bullet" software solutions for complex social problems. Until the European Commission addresses the fundamental authentication flaws in the app, it remains an unreliable mechanism for age verification that increases the attack surface for users' mobile devices.