Most people think a data breach starts with a hacker breaking into a system.
In reality, and in many cases, it starts with human error or oversight.
This week, cloud software giant ServiceNow disclosed that a software flaw allowed some customer data to be accessed without authentication, potentially exposing information that should never have been publicly available.
The incident is a reminder that your personal information can be put at risk even when cybercriminals aren’t directly responsible.
Here’s what happened and our other This Week in Scams news:
ServiceNow Bug Left Customer Data Exposed
ServiceNow, one of the world’s largest enterprise software providers, recently notified some customers that a software bug allowed unauthorized access to data stored on parts of its platform.
According to reporting by TechCrunch, the flaw could have allowed individuals to access customer data without needing credentials such as a username or password.
The company says the activity was identified by security researchers participating in vulnerability research rather than malicious hackers. ServiceNow told TechCrunch it found no evidence that bad actors were responsible for the observed activity and said researchers reported the issue through responsible disclosure channels.
The company patched affected systems on June 5 and launched an investigation into the scope of the exposure.
Why This Matters
For consumers, this story highlights an important cybersecurity reality: not every data exposure is the result of a criminal attack.
Sometimes information becomes accessible because of:
- Software bugs
- Misconfigured cloud systems
- Human error
- Security settings that fail to work as intended
In this case, ServiceNow says the issue stemmed from a platform vulnerability rather than a breach by threat actors.
However, the outcome can look similar from a customer’s perspective. Information that was intended to remain private may have been accessible to unauthorized parties.
That’s why it’s important to pay attention to security notifications from companies you do business with, even when reports emphasize there was “no hack.”
What You Should Do After Any Data Exposure
Whether a company reports a breach, a vulnerability, or an accidental exposure, the recommended steps are often similar:
- Watch for notifications from the affected company.
- Change passwords if requested.
- Enable multi-factor authentication where available.
- Monitor financial and online accounts for unusual activity.
- Be alert for phishing emails and scam calls referencing the incident.
Cybercriminals frequently use news of data exposures to launch follow-up scams targeting affected customers.
Tools like McAfee Identity Monitoring, Identity Theft Restoration and Cleanup, and Personal Data Cleanup help protect you before and after data breaches.
Other Scam News This Week
Here are some other pieces of cybersecurity news making headlines this week.
Veterans Warned About Fake Benefits Postcard Scam
The Department of Veterans Affairs is warning veterans about fraudulent postcards claiming recipients qualify for additional VA benefits, including healthcare, dental coverage, and other payments.
The postcards often create urgency, encouraging recipients to call within a few days. Once contact is made, scammers attempt to build trust and collect sensitive information such as Social Security numbers, bank account details, and other personal data.
The VA says veterans should avoid calling numbers listed on unsolicited mailers and should independently verify benefit information through official VA channels.
Childcare Providers Targeted by Fake Check Scam
The Federal Trade Commission has issued an alert to childcare providers about scammers posing as parents seeking urgent childcare services.
The scam follows a familiar pattern. The supposed parent sends a check in advance that exceeds the expected payment amount and then asks for the difference to be returned through a payment app, wire transfer, gift card, or another method.
The problem is that the original check is fake.
Even if the money initially appears in a bank account, the check can later be reversed, leaving the childcare provider responsible for the loss.
If someone sends a check and asks you to send part of the money back, that’s one of the clearest warning signs of a fake check scam.
Microsoft Investigates Open Source Supply Chain Attack
Microsoft temporarily removed dozens of open source repositories hosted on GitHub after discovering malicious code had been inserted into software projects used by developers.
According to reports, the malware was designed to steal passwords and other credentials from users working with AI development tools and cloud services.
Researchers describe the incident as a supply-chain attack, a type of compromise where attackers target trusted software that may later be downloaded by thousands of users.
Microsoft says it has notified a limited number of potentially affected customers.
McAfee Safety Tips This Week
Not every security incident starts with a hacker.
Sometimes it’s a bug. Sometimes it’s a fake postcard. No matter how a scam starts, here are a few ways to stay safer:
- Verify benefit and financial information through official channels.
- Be skeptical of urgent requests involving money or personal information.
- Avoid downloading software promoted through social media tutorials.
- Never send money back to someone who claims they accidentally overpaid you.
- Enable multi-factor authentication on important accounts.
- Watch for phishing emails following major breach or exposure announcements.
How McAfee Protects Your Identity and Privacy
McAfee is built to stop threats before your identity, accounts, or money are compromised.
McAfee+ Advanced includes multiple layers of protection:
Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage
Secure VPN keeps your data private, especially on public Wi-Fi
Web Protection helps block risky sites, even if you do accidentally click
Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
Device Security helps detect malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from sites selling it.
Online Account Cleanup assists in taking down your old, forgotten accounts across the web
Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks
The common thread across nearly every scam is trust. Scammers count on people acting before they verify.
We’ll be back next week with more scams making headlines.
Stay Updated
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.
