Thursday's Other Headlines: Microsoft Finally Patched the Defender Bug We Called Three Weeks Ago, Medtronic's Number Lands, and the 6.9M 'Medical' Breach That Isn't.
- Patrick Duggan
- a few seconds ago
- 4 min read
GhostLock was the flagship of the day and gets its own write-up. This is the rest of Thursday — the headlines that broke around it, and where we already had them. No victory lap, just the ledger, our date next to theirs.
Microsoft finally patched RoguePlanet. We called it exploit #8, unpatched, three weeks ago.
Microsoft shipped a fix today for a Defender zero-day called RoguePlanet. We have been writing about it since June 18, in a post titled "RoguePlanet Is Exploit #8 From the Researcher Microsoft Tried to Criminalize. They Still Haven't Patched It." That researcher — who goes by Nightmare Eclipse — is the same one who found BlueHammer and GreenPlasma, the Defender bugs Microsoft quietly patched in its record June Patch Tuesday after spending six weeks trying to ban him from GitHub and refer him to its crimes team. Today's patch closes a bug we flagged as live and unpatched twenty-one days ago, and it closes the loop on the argument we made then: you cannot criminalize the person doing your QA and expect the QA to improve. The credit for finding it is his. The three-week head start on knowing it was still open was ours to give readers, and we did.
Medtronic's number came in at 3.8 million. We published the attack-surface matrix six weeks before the breach.
Medtronic began notifying affected individuals this week, and the confirmed figure landed at 3.8 million — down from the nine million the threat actor originally claimed, which is the usual gap between an extortion headline and a notification letter. We are not going to pretend we called the exact count. What we did, on May 8, was publish a complete attack-surface matrix for the medical-device sector under the title "Warning: Eight Names On Our ShinyHunters Watch List" — six weeks before ShinyHunters disclosed the Medtronic theft. The watch list was not a lucky guess; it was the same crew, the same vish-into-Salesforce pattern, aimed at the same vertical we had been naming all year. The notification this week is the receipt maturing, not the news breaking.
The 6.9 million "medical" breach is not medical. It's auto insurance.
This one is a correction more than a receipt, and corrections matter. The nearly-seven-million-record breach making the rounds today is AssuranceAmerica, which disclosed that attackers accessed data on roughly 6.9 million drivers earlier this year. It is being filed by some readers under healthcare because the number is big and the timing lines up with a run of medical breaches, but the giveaway is in the noun: drivers, not patients. AssuranceAmerica is an auto-insurance company. No attacker has been named yet.
We do not have AssuranceAmerica by name, but it is not off our map either — it lands squarely in the insurance consent-leak vertical we have been documenting all year, the same shelf as Aflac's 22.7-million-person notification we wrote up in June. Insurance sits on enormous piles of identity data with a soft SaaS underbelly, and the vertical has been bleeding steadily. Just get the category right: this is an insurance breach the size of a state, not a hospital breach.
The quieter two: Oracle E-Business Suite, and a normal Thursday of ransomware.
Oracle E-Business Suite has a critical remote-code-execution flaw, CVE-2026-46817, reportedly exploited against roughly 950 internet-exposed instances — full ERP takeover for anyone who lands it. We have written the Oracle-EBS beat before (our January piece, "Larry Ellison's Two-Month Head Start (For the Attackers)", and the 2025 EBS bugs Cl0p rode into a dozen enterprises); this is a fresh CVE on a surface we already watch. If you run EBS on the internet, this is tonight's patch, not this quarter's.
And the ransomware board did what it does every day now: Qilin hit Accelirate, INC Ransom hit a medical imaging practice, DragonForce and Akira and Everest each posted their handful of victims. None of it is a single big story; all of it together is the story — a rented-out extortion economy running at a steady industrial hum, with healthcare still the sector taking the most hits. The one worth flagging for the vertical watchers: Aesthetic Surgical Images, claimed by INC Ransom, is another medical practice on the pile.
The through-line
Nothing here we broke. Microsoft's patch, Medtronic's letter, AssuranceAmerica's disclosure, Oracle's advisory — the primary work is other people's, and we say so. What a small shop that reads everything and remembers all of it actually does is get to the true version fast, keep the categories honest even when the crowd blurs them, and hand you the receipt with the date on it. Some of these we had weeks early. One of them we are just making sure you file under the right heading. Both of those are the job.
Held to about ninety-five percent confidence, as always. Attribution above belongs to the researchers, journalists, and companies who did the disclosing; our contribution is speed, memory, and getting the label right.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
