⚡ Attackers Are Coming for LastPass Vaults — And Their Emails Look Legit
Frank Marano

If you’re a LastPass user, congratulations — you’ve just been personally invited to the latest phishing extravaganza making the rounds across inboxes everywhere. Starting January 19th, threat actors kicked off a fresh campaign blasting out emails that look so official you might wonder if LastPass hired a new copywriter with a caffeine addiction and a flair for corporate urgency.

🚨 GitLab Drops a High‑Severity 2FA Bypass Patch — And Yes, It’s Exactly as Chaotic as It Sounds
Frank Marano

There are certain word combinations you never want to see in a security headline.

“High‑severity” and “2FA bypass” are definitely on that list — somewhere between “ransomware weekend” and “production database accidentally deleted.”

But here we are.

GitLab has released a patch for a two‑factor authentication bypass that, in plain English, basically said:

If you know the account ID, come on in — we’re not checking your ID at the door.

😬 Google… What Are We Doing?
Frank Marano

Why Chrome’s “Turn Off Enhanced Protection” Option Is a Terrible Idea (Delivered With Love and Mild Sarcasm)

Every so often, Google rolls out a feature that makes the entire cybersecurity community collectively tilt its head like a confused golden retriever. The latest? Chrome now lets you turn off the on‑device AI model that powers its Enhanced Protection feature.

🔥 Your WordPress Site Might Be a Ticking Time Bomb (Here’s How to Defuse It Before Hackers Do)
Frank Marano

WordPress is incredible. It’s flexible, customizable, and powers a massive chunk of the internet. But that popularity comes with a catch: attackers love it too. Not because WordPress is “insecure,” but because its plugin ecosystem is a goldmine of vulnerabilities. One outdated plugin, one sloppy configuration, one overlooked setting — and suddenly your site is starring in a hacker’s highlight reel.

Over the past year, we’ve seen everything from full site‑takeover flaws to authentication bypasses to plugins leaking private data. Some vulnerabilities affected tens of thousands of sites. Others opened the door to complete administrative control. And in one particularly chaotic stretch, attackers launched tens of millions of automated attacks in under 48 hours.

If that makes your stomach drop a little, good. It means you understand the stakes. And it’s exactly why we built WordPress Risk Spotlight.

🎬 FortiSIEM Returns: The Sequel Nobody Asked For (But Everyone Expected)
Frank Marano

Why Fortinet vulnerabilities keep showing up like recurring characters in a long‑running TV show—and what your business should do about it.

If you’ve been following the Actionable Security blog for any length of time, you already know one thing: Fortinet is basically a recurring character in our vulnerability coverage. At this point, they’re less “special guest appearance” and more “series regular who keeps getting dramatic story arcs.”
