The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdated logs, and configuration files after breaching its systems by exploiting a zero-day vulnerability in an Oracle PeopleSoft server.

NAIC is a U.S. insurance regulatory organization present in all 50 states. The organization identified on June 11 that its PeopleSoft system had been accessed by an unauthorized party and discovered that “an unauthorized third party gained access to a portion of our IT systems.”

ShinyHunters claimed the attack and leaked the stolen data after the organization refused to pay a ransom.

NAIC responded to the threat actor’s leak and addressed some of the claims. The organization says that the hackers accessed and, in some cases, stole already publicly available statutory financial reports, credit rating agency data, outdated logs, and configuration information.

According to NAIC, the investigation found no evidence of personally identifiable information (PII) or financial data having been exposed and directly disputed the threat actor’s earlier claims that they compromised critical insurance regulatory platforms like SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), and SBS (State-Based Systems).

The incident had operational consequences, with credit rating agencies temporarily suspending data feeds and the NAIC pausing investment designation work, but there are significant discrepancies between the hackers’ claims and the organization’s findings.

In an announcement updated on June 25, ShinyHunters claims to hold 3.1 TB of data corresponding to 105,000 files stolen from NAIC’s systems:

• INSData and Vision servers
• 264,000 insurer regulatory filing PDFs between 2017 and 2024
• 2,000 customer/order/payment records
• 45,000 rating agency files
• AWS infrastructure configs
• Stored credentials for SERFF, OPTins, and UCAA production environments

The hackers also noted in the update that a previous summary of the stolen data was exaggerated due to using AI hallucinations when evaluating the files.

However, according to the threat actor, the latest published inventory was validated by a human reviewer and should be considered accurate.

NAIC stated that all affected systems have now been remediated and that they are implementing additional defenses to prevent future attacks.

ShinyHunter’s hacking spree using the zero-day (CVE-2026-35273) in the PeopleSoft enterprise system has allegedly impacted more than 100 organizations.

BleepingComputer reported about the threat actor’s zero-day attacks before Oracle disclosed the security issue publicly. Both cloud and on-premises Oracle PeopleSoft customer instances were targeted in breaches that left behind extortion demands signed by ShinyHunters.

The hackers told us that most of the targeted organizations were in the education sector and had been previously extorted by the threat actor.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

WhatsApp username reservations are now open globally. While you still need a phone number to create an account, usernames let you start conversations without sharing your phone number. 

Claiming yours would take less than a minute, but only when you go in with all the details. 

What should you know before reserving your username?

Your username must be between 3 and 35 characters and must comply with WhatsApp’s policies. Beyond those limits, you’re mostly free to choose what you like.

WhatsApp has already reserved certain handles for top celebrities, VIPs, and verified organizations, so those names are locked. 

If nothing clicks, WhatsApp’s built-in generator can suggest unique handles.

How do you actually reserve your username?

Go to Settings > Account > Username on the latest version of WhatsApp. Thereafter, you can enter your desired username, and the app will tell you whether it is available. The app will also give you suggestions regarding available usernames. 

As seen in the screenshot, you can also use your Instagram or Facebook username. 

Once you select one, it will be linked to your WhatsApp account and will appear when the feature goes live later this year. If the option isn’t visible, hang tight. WhatsApp is rolling this out region by region and will notify you in the app when it arrives in your country. 

When it does, anyone messaging you for the first time won’t see your phone number, as long as you’ve enabled your username. For extra protection, you can also set an optional username key that contacts will need in addition to your handle to message you.

If you change your mind later, WhatsApp will also let you change or remove your username. 

The importance of usernames

WhatsApp usernames follow a pattern set by Signal, which added phone-number-free contact discovery in 2024. Telegram has also had this feature for years. 

The addition addresses one of WhatsApp’s longest-standing privacy gaps. Sharing your contact information in the app has always required handing over your phone number, making it harder to maintain separation among personal, professional, and public connections.

Apple’s iOS 26.5.2 update adds a variety of fixes to keep your data safe while browsing the web. Here’s what you need to know and why you should update.

On Monday, just under a month after releasing iOS 26.5.1, Apple made iOS 26.5.2 available for download. The update contains more than 25 different security enhancements, and over 15 of them are related to WebKit.

Notably, Apple patched two WebKit vulnerabilities that used maliciously crafted web content to disclose sensitive information. One of the vulnerabilities, a cross-origin issue, was resolved with improved tracking of security origins, while the other security issue was addressed with validation improvements.

iOS 26.5.2 also prevents sensitive data from being leaked when an iOS user visits a webpage. Apple addressed a permissions issue with additional restrictions. Similarly, Apple has added enhanced checks to prevent malicious websites from processing restricted web content outside the sandbox.

Another now-patched WebKit Storage vulnerability let malicious websites silently hijack clipboard data, affecting the text users were copying and pasting. iOS 26.5.2 resolves this issue through improvements to state management.

Multiple now-resolved WebRTC and WebKit issues allowed maliciously crafted websites to cause unexpected Safari and process crashes, along with memory corruption. All of these vulnerabilities have been addressed with the iOS 26.5.2 update.

Additionally, Apple fixed three kernel-related issues. One of the vulnerabilities, which was addressed with improvements to input sanitization, let apps leak sensitive kernel states. The other two kernel-related issues let apps cause an unexpected system termination and let them write or corrupt kernel memory.

Overall, though, iOS 26.5.2 mostly includes WebKit-related fixes, which will undoubtedly make web browsing safer on an iPhone. Unlike other iOS releases, Monday’s software update doesn’t include fixes for vulnerabilities that were used in targeted attacks.

Even so, AppleInsider recommends installing the iOS 26.5.2 update to ensure your devices have the latest security enhancements. Unlike the iOS 27 developer betas, which may contain bugs, glitches, and performance issues, iOS 26.5.2 is an update that should be installed by all users.

Arena, the crowdsourced AI leaderboard that started as a UC Berkeley research project in 2023, has reached 100 million dollars in annualized revenue just eight months after launching its first commercial product. The platform is best known for letting users compare two anonymous AI model responses side by side and vote on which is better. More than 10 million of those evaluations have now been submitted.

The revenue comes from AI Evaluations, a paid service Arena introduced in September that gives model labs and enterprises detailed performance analytics drawn from its community of users. By December, the service had reached 30 million dollars in annualized revenue. It has more than tripled since then.

There is a caveat in the headline number. While Arena describes the figure as ARR, CEO Anastasios Angelopoulos told TechCrunch that customers pay for consumption, meaning the revenue is not recurring in the traditional SaaS sense. “A lot of people don’t even understand that our business is making any money at all, they still see us as like an open-source project,” he said.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Arena has no direct competitor left standing. Yupp, the only other crowdsourced AI model-picking startup, shut down in March after raising 33 million dollars from a16z crypto’s Chris Dixon. Angelopoulos said Arena competes “for the same dollar” as human labeling companies like Mercor, Surge, and Scale AI, all of which help model makers refine their AI during post-training.

That market is growing fast. Handshake’s annualized revenue from AI training nearly doubled from 550 million dollars in January to nearly one billion dollars by April, according to The Information. Mercor’s annualized revenue also topped one billion dollars earlier this year, though a supply chain breach has since complicated its relationship with key clients including Meta.

Arena was co-founded by Angelopoulos and Wei-Lin Chiang, both postdoctoral researchers at UC Berkeley, along with Ion Stoica, the UC Berkeley professor and Databricks co-founder who advised the project before it incorporated in April 2025. The company raised 150 million dollars in a Series A round in January at a valuation of nearly two billion dollars, bringing its total funding to 250 million dollars from investors including Felicis, Andreessen Horowitz, Kleiner Perkins, and Lightspeed.

The platform now ranks AI models across text, coding, vision, and image generation, as well as complex agent workflows through a recently introduced Agent Mode. Its leaderboard has become the de facto scorecard for frontier AI models, with labs from OpenAI to Anthropic to Google routinely citing Arena rankings in their own launch announcements. Turning that influence into a 100 million dollar business in under a year suggests that evaluating AI may be nearly as lucrative as building it.

OS PLATFORMS

Polished Mandriva descendant still makes room for PCs the 64-bit world has left behind

Mageia 10 marks 15 years since the distribution’s first release in June 2011. The project began the previous year as a fork of Mandriva, itself formerly known as Mandrake Linux. We last looked at Mageia alongside the other Mandrake descendants in 2022.

What sets Mageia apart from OpenMandriva Lx, PCLinuxOS, and Russia’s ROSA Linux is its continued support for 32-bit x86 PCs. Its GNOME and KDE Plasma live images are available only for x86-64, while the Xfce edition comes in both x86-64 and x86-32 versions.

There is also a “Classic Installer” ISO, which lets you choose your own desktop from nine different desktop environments, plus another 16 window managers, as detailed in the release notes. Both the standard GNOME session and GNOME Classic are available, while Liquidshell provides a lightweight alternative to KDE Plasma.

Mandrake Linux started out in 1998 as an easier version of Red Hat Linux using the new KDE desktop, which, at that time, Red Hat refused to incorporate due to concerns over the licence of KDE’s Qt toolkit. Nearly three decades later, Mageia remains an RPM-based distro. Version 10 offers two RPM package-management tools: Mageia’s urpmi command and DNF. urpmi also has its own graphical wrapper called Rpmdrake, but Fedora’s dnfdragora is an optional install. Since RHEL and the RHELatives, Fedora, SUSE and openSUSE all use RPM as well, packages of big-name apps such as Google Chrome are available – but Mageia is a different distro, whose common ancestry dates back more than 25 years, and packages for Fedora or openSUSE may not install or work correctly. It comes with Flatpak preinstalled, although no Flatpak applications are installed by default. As with other niche distros, Flatpak may help when you can’t find a native package of something. For those with the 32-bit edition, though, we suspect that few Flatpaks support that architecture.

Mageia 10 is a polished, friendly graphical Linux, built from recent components such as kernel 6.18. True, it does feel a little old-fashioned in some ways: for instance, it uses separate root and user accounts – although sudo is installed, it’s not configured for use. However, it’s a solid choice if you want to get away from the Debian/Fedora mainstream – and if you have a capable 32-bit machine, like a Windows 10 32-bit box, or some other need to run a 32-bit OS such as specific hardware support, then this is one of the best choices around today.

The Welcome screen is rich and very helpful, offering the ability to install extra apps, switch repositories, and more. Alongside it is the Mageia Control Center, which can manage most aspects of the OS without going near a command line. The distro is also well documented, with a substantial Mageia wiki.

It does use systemd, but, even so, it’s relatively lightweight. In our testing on a 32-bit VirtualBox VM, the Xfce edition used just 633 MB of RAM at idle, which is low by modern standards, and 7.8 GB of disk space. If you choose the KDE Plasma desktop, you get Plasma 6.5.5 with a choice of X11 or Wayland. The installation occupies about the same amount of disk space, although the RAM usage rises sharply: about 1.7 GB at idle. Xfce has an unusual GNOME 2-style two-panel setup, while the Plasma layout is clean and simple. We installed the Liquidshell desktop to have a look, but it’s very basic and rather clunky. 

Mageia forked from Mandriva in 2011, before the company closed down, while OpenMandriva did so afterwards. They are still quite similar distributions, though, and we really wish that the two teams could settle their differences and merge the distros. Either way, Mageia’s 32-bit edition is an increasingly rare offering in an increasingly 64-bit world, which might win it some new admirers. ®

Waymo robotaxis are no longer available on Uber’s ride-hail app in Phoenix, Arizona, ending a nearly three-year partnership in the city, both companies confirmed to TechCrunch on Monday.

Uber said it is readying the launch of a separate autonomous vehicle partnership in the city, but did not name the partner. Waymo told TechCrunch that the vehicles Uber used for this “pilot” program have already been integrated into its own Phoenix fleet, available through its app. Waymo users started noticing that the company’s vehicles were absent from Uber’s network in recent days. Waymo’s vehicles are still available on Uber in Austin and Atlanta, for instance.

The quiet end to this partnership in Phoenix, which Waymo said happened in May, comes as the Alphabet-owned company is starting to put its newest robotaxis — the Zeekr-made van it calls Ojai — on the road. It’s also happening as the Uber-Waymo relationship appears to be wearing in some places, with the two companies poised to directly compete against each other in London as early as this year.

Still, both companies praised the collaboration in Phoenix as a successful jumping-off point for their respective robotaxi plans, which have gotten increasingly ambitious since 2023.

“This was a productive pilot that paved the way for future expansions and partnerships across the globe. After hundreds of thousands of trips with Uber, we have integrated these vehicles back into our Phoenix fleet, where they will continue to serve riders through Waymo, including our public transit integration with Via, and delivery with DoorDash,” Waymo told TechCrunch. “We’re grateful to all of the Uber customers who took fully autonomous trips with us, and we look forward to continuing to serve the Phoenix community.”

“Phoenix was our first pilot market with Waymo and was an intentionally limited deployment, reaching just over a dozen vehicles dedicated to the program. We learned a lot from that collaboration, which helped us to quickly scale Austin and Atlanta, where hundreds of Waymo AVs are available exclusively on Uber and our coverage area continues to expand,” Uber said.

The robotaxi landscape looks much different than it did when these two companies kicked off this collaboration in 2023. Back when it was first announced, the idea of Uber and Waymo partnering up still seemed unlikely given their messy legal battle that ended in a settlement in 2018. Robotaxis as a technology were in a far more uncertain place, as no operator had reached scale yet. Cruise was still seen as a viable competitor, as it had not yet gone through its own scandal and been absorbed into General Motors.

In the three years since, Waymo has grown its fleet to around 4,000 vehicles, and Uber has inked deals to add dozens of autonomous vehicle partners to its network.

This Phoenix partnership remained an unusual one, as it was the only city where Waymo operated directly and through Uber. Waymo is in the process of launching in around 20 new cities this year, is operating in 11 major U.S. metro areas, and the company offers more than 500,000 trips every week.

On June 28, the International Society for Transforming Education — the organization behind the editorially independent news site EdSurge — released an expanded version of its “Profile of an AI-Ready Graduate,” a framework designed to help K-12 educators teach students how to work with artificial intelligence.

The updated framework, designed with support from the nonprofit Britebound, goes beyond basic literacy to higher-order skills. It identifies six roles the organization says students should fill when using AI tools: Learner, Researcher, Synthesizer, Problem Solver, Connector and Storyteller.

“Today, we are releasing a fully fleshed out version, 30 skills aligned with each of these roles to help model using AI to support our uniquely human skills,” said Richard Culatta, CEO of the organization. “Humans have always used tools to accomplish human tasks. AI is no different, but when we teach AI as a way to support us being better at being human, it is far more relevant and far more meaningful than when we just talk about what AI is.”

The announcement was made at the organization’s annual conference in Orlando, Florida, one year after the initial rollout of the Profile. While the original framework focused on basic technical understanding of AI, the updated version shows what those skills look like in practice — with role-by-role descriptions, classroom examples and articulations for middle and high school. 

The framework is intended to layer on to the work educators are already doing and aligns with the International Society for Transforming Education’s existing student standards and “Transformational Learning Principles.”

The updated Profile of an AI-Ready Graduate is available as a free download here.

(Editor’s note: EdSurge is an editorially independent newsroom of the International Society for Transforming Education.)

It’s time to update your Mac, iPhone, and iPad, as Apple has released a new trio of security patches for its operating systems.

Apple pushed out three new updates on Monday in an effort to patch an apparent security flaw. As of publication, Apple has not specified what issue the patch is meant to fix.

Because Apple has not announced what is in the update, it is also possible that it contains bug fixes as well.

To update, you can follow the steps below.

How to update to 26.5.2 on iPhone and iPad

1. On your iPhone or iPad, open the Settings app
2. Tap General
3. Tap Software Update
4. Tap Update Now

How to update to macOS 26.5.2

1. On your Mac, click the Apple Menu
2. Click System Settings
3. Click Software Update
4. If available, click Update Now or schedule an update with Update Tonight

AppleInsider and Apple suggest installing these kinds of minor patches. Security patches are essential for keeping your device safe and operational.