PHISH & TELL™ –
The Cyber & AI Risk Triage Desk

So your business doesn’t break while you’re busy running it.
A 5-minute weekly brief that tells you what to ignore, what to fix, and what can wait.

A developer exposed his API key (like a password for apps) by accident. Within days, he had a bill for tens of thousands of dollars. He had deleted the exposed file—but didn't know that the repository where he kept his code keeps permanent history. The key was still there. Bots found it within hours.

This kind of thing is happening constantly. This week covers what to do about it, a critical cPanel vulnerability hitting millions of small business sites, and what those random login alerts actually mean.

Let’s dive in 👇

THIS WEEK’S 10-MINUTE WIN
Patch your cPanel hosting now if exposed

If you…

Have a business website, especially if you manage your own hosting or use a smaller hosting provider.

Should you care?

YES – urgently – CISA added a critical flaw in cPanel (a popular website control panel) to its 'known exploited' list this week. Attackers were hitting sites before the patch was even available.

🤷‍♀ MAYBE – worth checking – You have a website but aren't sure what powers it behind the scenes. Many small business sites use cPanel without the owner knowing. Worth a 5-minute check with your web person or hosting company.

NO – low priority (for now) – Your website is fully managed by a large platform like Shopify, Wix, Squarespace, or WordPress.com (not self-hosted WordPress), and you don't have access to any "server" or "hosting control panel."

What’s happening (plain English)?

cPanel is like the dashboard for your website's behind-the-scenes plumbing—it's where you (or your web person) manage email accounts, databases, file uploads, and settings. Millions of small business websites use it because it makes server management easier.

This week, CISA flagged a serious security hole that lets attackers take over entire servers remotely—no password needed. It's rated 9.8 out of 10 for severity. Worse: hackers started exploiting it back in February, before cPanel released a fix in early May.

Some hosting companies like KnownHost and Namecheap saw attacks and scrambled to protect customers. Early victims are reporting ransomware demands up to $7,000. There are about 1.5 million cPanel systems visible online, powering tens of millions of websites—many belonging to small businesses.

Federal agencies have a deadline to patch. You may not have a legal requirement, but attackers don't check business size before striking.

Do this now

  • Ask your web developer, IT person, or hosting provider: "Does my website use cPanel or WHM? Has the May 2026 security patch been applied?" If they say yes to cPanel and no to the patch—treat it as urgent.

  • If you manage your own hosting: Log into your hosting account and look for "cPanel" or "WHM" in the dashboard. Check the version number against cPanel's website to confirm you're updated. If you're not sure how, contact your hosting company's support immediately.

  • Don't wait on your provider to notify you. Many small hosts are slower to patch. A quick email or phone call now could save you thousands in ransom or recovery costs later.

  • Bonus step: Ask when your website software (WordPress, plugins, etc.) was last updated. If it's been over 6 months, you're likely sitting on other known vulnerabilities too.

  • Broader point: Most small business owners don't know what's running their website until something breaks. This is a good reminder to ask basic questions: What software powers my site? Who's responsible for keeping it updated? How do I know it's been patched? If you can't answer those, you're flying blind on security.

AI REALITY CHECK
The .env file you "deleted" is still in your Git history—with all your keys

The bills tell the story: $55,444 from one student's exposed API key on GitHub. $12,000 lost over a weekend from another leaked OpenAI credential. Over 12 million IP addresses found with publicly accessible .env files containing database passwords, API keys, and cloud tokens.

GitGuardian's 2026 report found that 28.65 million new hardcoded secrets were added to public GitHub repositories in 2025 alone—a 34% increase from the year before. These aren't sophisticated breaches. They're accidental commits, repos that weren't actually private, and developers who didn't realize that deleting a file from Git doesn't delete the history.

Why it matters: AI coding tools have made it possible for anyone to build working automations and AI agents—including founders, marketers, and operations people who've never written code before. It's incredibly powerful. But it also means business-critical systems are being connected to AI tools by people who may not know what questions to ask about security.

The developer (or you!) building your AI agent might be doing everything that sounds right: storing credentials in a .env file instead of hardcoding them, using GitHub for version control, following tutorials from the AI. But they might not know that Git keeps permanent history even after files are deleted, that "private" repos aren't always configured correctly, or that exposed API keys need immediate rotation—not just deletion.

I’ll repeat that: Git history is permanent. Deleted doesn't mean gone. Every key that touches a public repository should be considered compromised.

If you do it, are you a terrible programmer? Judging by the number of posts starting with, “I accidentally pushed my .env file…”, I’d say no 😀 I have done it myself! Just know how to fix it and prevent it from happening again.

What you can do:

Whether you're building AI agents yourself or working with a developer, ask these questions:

  • Have any credential files (.env, config files, API keys) ever been pushed to GitHub, GitLab, or similar platforms—even accidentally?

  • If yes, were all those keys immediately replaced with new ones, or are the same credentials still active?

  • Was the file deleted immediately? Was the history cleaned up — the essential next step?

  • Where do these credential files live? Are they only on local machines, or could they be syncing to Dropbox, Google Drive, iCloud, or backup services?

Run through these five basics for keys and write up a short policy or checklist specific to your business:

  • Does each AI agent have its own separate key, or is one master key reused across multiple tools for convenience?

  • Are those keys limited to what each agent actually needs (like read-only access), or do they all have full admin rights because that was simpler to set up?

  • If a key leaked this afternoon, does someone know exactly where to go to turn it off in the next 30 minutes?

  • Are your most sensitive credentials (connected to customer data, payments, or admin accounts) stored in a proper password manager or secrets vault, or are they in text files on someone's laptop?

  • When team members or contractors leave, are their API keys and agent credentials actually revoked?

If you or your developer are building with AI assistance, add this to your workflow: If credentials have ever been committed to version control—even briefly—treat them as compromised and rotate them immediately. You can ask the AI: "I accidentally pushed credentials to GitHub. Walk me through rotating every key and checking Git history." But verify the steps independently or with someone experienced in security.
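Here is one way to run that Git history check yourself. This is an added example, not part of the original newsletter; it assumes `git` is installed, and the function names and the throwaway demo repository are constructed for illustration.

```shell
#!/bin/sh
# Added example: find credential files that were ever committed to a repo,
# including ones later deleted. Function names here are illustrative.

# Paths matching common .env names added in any commit on any branch or tag.
secret_files_in_history() {
    git -C "$1" log --all --pretty=format: --name-only --diff-filter=A \
        -- '.env' '*.env' '.env.*' '*/.env.*' | sed '/^$/d' | sort -u
}

# For each such path, report whether it is still in the latest commit or only
# survives in history (deleted, but retrievable by anyone with a clone).
audit_repo() {
    secret_files_in_history "$1" | while IFS= read -r path; do
        if git -C "$1" cat-file -e "HEAD:$path" 2>/dev/null; then
            printf '%s\tstill in HEAD\n' "$path"
        else
            printf '%s\tdeleted from HEAD, still in history\n' "$path"
        fi
    done
}

# Constructed throwaway repo reproducing the mistake: commit .env, delete it.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email demo@example.invalid
    git -C "$dir" config user.name demo
    git -C "$dir" config commit.gpgsign false
    printf 'API_KEY=CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n' > "$dir/.env"
    echo 'print("hello")' > "$dir/app.py"
    git -C "$dir" add .env app.py
    git -C "$dir" commit -q -m 'initial commit'
    git -C "$dir" rm -q .env
    git -C "$dir" commit -q -m 'remove .env'
    echo "$dir"
}

demo=$(make_demo_repo)
audit_repo "$demo"      # lists .env even though the file is gone from disk
rm -rf "$demo"
```

Point `audit_repo` at your own clone (for example `audit_repo .`). Any path it lists held keys that should be treated as compromised and rotated, whether or not the file still exists.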

Start with your highest-risk systems first: Anything connected to customer data, payments, or admin cloud access. Move those keys into a password manager or secrets vault instead of leaving them in files that could accidentally get uploaded, shared, or backed up.

Broader point: AI coding tools are transforming who can build software—founders are shipping products, operations people are automating workflows, and marketers are building data pipelines. That's genuinely exciting. But the 34% year-over-year increase in leaked secrets shows we're in a learning curve. The tools are optimized to help you build fast, not necessarily to help you secure correctly. Most incidents don't start with sophisticated attacks—they start with an accidental commit, a reused admin key, or someone (even experienced developers) who didn't know that "deleted" files live forever in Git history. If you're building with AI or working with someone who is, you're doing real work with real access to real business systems. That means asking basic questions about where your keys live, who can access them, and what happens when something goes wrong—even if the answers sound technical at first. The questions themselves are simple. The consequences of not asking them are not.

READER QUESTION OF THE WEEK
I'm getting random login alerts on my business accounts. Should I be worried? How do I find out what's happening?

Yes — take them seriously. A login alert you didn't cause is either someone actively trying to get in, or proof that your credentials have already been exposed somewhere. Neither is something to ignore.

Here's what's actually happening:

Most login alerts for small business accounts fall into one of two categories. The first is credential stuffing — automated bots cycling through email and password combinations stolen from unrelated data breaches (think: a hotel loyalty program or an old retail site you signed up for years ago). If you've ever reused a password across accounts, those bots are testing it on your business email, your bank portal, your cloud storage — everything. The second is targeted probing — someone who already has partial information about you and is trying to get the rest.

Either way, a login alert is a signal. Not necessarily a crisis yet. But it means the door is being rattled.

Do this right now:

Check where the alerts are coming from. Each platform has a built-in way to see login activity:

  • Google Workspace/Gmail: Go to your Admin console → Reports → User log events. You can see successful and unsuccessful sign-ins, flagged suspicious activity, IP addresses, and locations for up to 6 months

  • Microsoft 365/Outlook: Go to account.microsoft.com → Security → "View my sign-in activity." You'll see dates, times, locations, IP addresses, and what device was used

  • Other accounts (banking, Stripe, QuickBooks, etc.): Most platforms have a "Recent activity" or "Active sessions" page in account settings — look for it before calling support

What to look for: Logins from locations you don't recognize, devices you don't own, or times when you were definitely not working. Even a single successful login from an unfamiliar city is a red flag.

Change your password immediately — starting with your email. Your email account controls access to almost everything else (password resets, invoices, payroll). If that falls, everything connected to it is at risk.

Sign out of all active sessions. Most platforms have a "sign out everywhere" or "revoke all sessions" button. Use it after changing your password so any active unauthorized session gets cut off.

Check for hidden mailbox rules. This is one of the first things attackers do after getting into an email account: they create rules to auto-forward emails, hide bank notifications, or archive invoice messages so you don't notice the fraud happening. In Gmail: Settings → See all settings → Filters and Blocked Addresses. In Outlook: Settings → Mail → Rules.

Turn on MFA if you haven't already. Multi-factor authentication blocks the vast majority of credential-based attacks. An attacker with your password still can't get in without the second factor. Set it up on email first, then banking, then payroll and cloud storage. Authenticator apps (Google Authenticator, Microsoft Authenticator) are more secure than SMS text codes.

Run a quick breach check. Go to haveibeenpwned.com and enter your business email address. If it shows up in a known data breach, you'll know where the credentials likely came from — and which password to stop using everywhere.

The honest answer: If you're getting login alerts, your credentials are probably circulating somewhere — either from a breach at another site you used the same password on, or from a phishing attempt that grabbed them. This is common, though unsettling. The alerts are actually your security systems working. The mistake is dismissing them as "probably nothing." Treat every alert as real until you've checked the logs, confirmed the location and device, changed your password, and turned on MFA. That whole process takes about 20 minutes and could save you from a breach that takes weeks to recover from.

RISK RADAR
Also happening this week

Your ransomware negotiator might be working for the other side
A 41-year-old Florida man who worked as a ransomware negotiator at cybersecurity firm DigitalMint pleaded guilty to secretly working for the BlackCat/ALPHV ransomware gang while being paid to help victims. He fed attackers his clients' insurance policy limits and internal negotiation strategies, helping the criminals maximize ransoms. His accomplices helped extort a combined $75.3 million from victims across hospitality, healthcare, retail, and nonprofits—including a single nonprofit that paid nearly $26.8 million. He faces up to 20 years in prison. This is the third ransomware negotiator in the past year to face jail for the same scheme. (Same for “I’ve been hacked” companies.)

Fix: If you ever need to hire someone to help with a ransomware incident, vet them carefully. Ask your cyber insurance provider or attorney for a referral rather than searching online. (In fact your insurance policy may require that you use their resources.) Verify the firm's reputation independently, check for any regulatory filings or complaints, and never share your full insurance policy limits with a negotiator upfront. Consider having your attorney present throughout any negotiations.

Nearly half of UK businesses got breached last year — and phishing did most of the work
The UK government's 2026 Cyber Security Breaches Survey found that 43% of businesses and 28% of charities reported a cyber incident in the past year — roughly 612,000 UK businesses — and the numbers have barely moved in years. Phishing was responsible for 85% of those breaches, usually through impersonation emails that send employees to fake login pages. While the data is UK-specific, the pattern maps directly to what's happening in the US: the basics work, they're just not applied everywhere they should be.

Fix: Phishing doesn't require sophistication. It requires one employee clicking one email. Run a 10-minute training session with your team and repeat regularly: show them what a fake login page looks like, remind them to verify requests directly (never via the link in the email), and turn on MFA everywhere. That combination stops the vast majority of what's in that 85%.

That "free software" download may not be what you think
A new analysis from HackRead warns that unofficial download sources remain one of the most overlooked entry points for malware in 2026. The danger isn't always dramatic—it's often a third-party mirror, an outdated repost, or a search result that looks just close enough to the real thing. This matters especially for security software: a VPN, antivirus, or password manager downloaded from the wrong source can introduce the exact risk you were trying to prevent.

Fix: Always download software directly from the vendor's official website—not from a search result, a third-party directory, or a link in a forum thread. If a page looks "close enough," that's not good enough. Type the vendor's URL directly into your browser. This applies doubly to anything your team is downloading for security purposes. (Gaming “cheats” are also a big source of info stealer malware, btw.)

Finance company stored all its database credentials in a helpfully labeled spreadsheet
A software auditor at a fintech startup—one that had invested over $1 million in "military-grade" security—found a file on the company's shared intranet called Prod_DB_Root_Creds_DO_NOT_SHARE.xlsx. It was password-protected. The password was the company name plus the year. The file had been sitting there for eight months because the internal team and an outside contractor couldn't agree on which password manager to use.

You may laugh, but this happens all the time. That passwords.txt file? Yeah, we’ve seen those before.

Fix: This is a people and process problem, not a technology one. If your team is storing sensitive credentials anywhere other than a dedicated password manager—spreadsheets, email, Slack, sticky notes—fix that today. 1Password, Bitwarden, and similar tools exist specifically to solve this problem. Not being able to decide which tool to use should never result in using no tool at all.

Spyware can read your encrypted messages — and this leak proves it
Researcher Jeremiah Fowler discovered 86,859 images, chat screenshots, and private messages leaked from a misconfigured stalkerware server with no password protection. The files captured private conversations from WhatsApp, Instagram, Facebook, and TikTok—platforms that use end-to-end encryption. The catch: spyware doesn't intercept messages in transit. It takes screenshots of your screen after decryption, making encryption irrelevant once a device is compromised. The spyware operator had stored everything in a public database and simply forgot to add a password.

Fix: "Encrypted" doesn't mean "safe from spyware." If your phone battery drains unusually fast, the device runs hot, or you notice apps you didn't install—run a full antivirus scan and check your device's accessibility permissions and administrator settings. If you suspect spyware, a factory reset is the most reliable way to remove it. Never hand your unlocked phone to someone you don't fully trust.

You don’t need to act on these unless they apply to you.

ON THE PERSONAL SIDE
Wait, what happened this week?

I literally needed to look at my calendar; the week has been a complete blur. Meetings and Marching Band Camp for kid and AI AI AI AI. I’m late with this newsletter. I’m trying to decide what to focus on for the blog this week. Phew.

One thing I did do thanks to my accountability partner, Harry, was start recording videos for my YouTube channel. (Recorded, not posted. Yet.) I’m determined to kick that off. In 2024, I started my blog. 2025, this newsletter. 2026 is the year of video. I’m grateful for creators who re-post their early videos to show where they started! Stay tuned. I’m publishing something by Mother’s Day (US, next Sunday.)

I’m about to go mow the lawn just to get some sun and fresh air and look at something other than a screen. Burnout is real. Take care of yourself however you need to.

Before you go

If this helped you spot something before it became a problem, forward it to someone else who'd benefit.

My weekly question to you: Have you ever accidentally exposed passwords or keys? What did you do when you realized it? Hit reply—I'm collecting real stories to help others avoid the same mistakes.

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷
