TechCrunch says Microsoft has acknowledged that "a limited number" of Redmond's web-mail service users had their accounts compromised. The incident, which occurred between January 1st and March 28th, arose when a customer support agent's credentials to a support portal were compromised. Microsoft advises affected users (whom it's notified) to change their passwords. The breach carries with it the usual attendant risk of derivative phishing.
Researcher John Page released a proof-of-concept Internet Explorer zero-day after Microsoft declined to patch it, deferring corrective action until some unspecified later time. ZDNet reports that the vulnerability could enable file exfiltration.
On Friday CISA announced that CERT/CC, the CERT Coordination Center, had issued a warning about vulnerabilities in widely used Virtual Private Network (VPN) applications. CERT/CC says the applications "store the authentication and/or session cookies insecurely in memory and/or log files."
Facebook, Instagram, WhatsApp, and Messenger were down for several hours yesterday, the second major disruption the social network has suffered in roughly a month, the third so far this year. Mashable and others quote the only explanation Facebook has so far offered: "The issue has since been resolved; we're sorry for any inconvenience."
Today is tax day, and as the dazed, confused, or dilatory scramble to file, Consumer Affairs warns that scammers are prepared to set the phishhook by taking advantage of the procrastinators' reduced capacity. Zscaler shares some eleventh-hour advice: beware of "'IRS login' phishing," "fake 'Apply for EIN' scam and Google SEO poisoning," and (in the UK) the "tax refund phishing campaign."