AI Tool Bleeds Your Secrets & Zara Leaks 197K Shoppers' Data
Two stories from today's threat landscape highlight a familiar lesson: the tools you trust the most — whether it's the AI you run internally or the retailer you shop with — can quietly become your biggest liability. Here's what happened and why it matters to you.
Your "Private" AI Chatbot Might Be Bleeding Secrets
Security researchers at Cyera discovered a critical flaw (CVE-2026-7482) in Ollama, one of the most popular tools companies use to run AI models locally — think of it as the engine behind many in-house ChatGPT-style assistants. The bug lets attackers anonymously dump a server's memory in just three API calls, walking away with API keys, customer contracts, proprietary source code, and private prompts.
What makes this scary is the scale: Ollama powers more than 300,000 publicly exposed servers and has been downloaded over 100 million times. If your company stood up an internal AI tool quickly to keep data "private," there's a real chance it's actually broadcasting your secrets to anyone who knows how to ask. Patch immediately, and audit which Ollama instances are reachable from the internet.
Zara Customers Caught in a 197K-Person Data Spill
Fashion giant Zara confirmed that the personal information of 197,000 customers was exposed after a former tech provider's databases were breached. The leaked data includes email addresses, locations, purchase histories, and support ticket details — a tidy package for phishing scammers who want to impersonate Zara and trick you into clicking malicious "order update" links.
The notorious ShinyHunters gang has taken credit, claiming they got in through a stolen Anodot authentication token. The bigger takeaway for everyone: your data is only as safe as the weakest vendor in your favorite brand's supply chain. If you're a Zara shopper, be extra skeptical of unexpected emails about your account, and consider changing passwords if you reuse them across sites.
Stay ahead of threats with GOCO Security at gocosecurity.com.