LmCast :: Stay tuned in

Published: Jan. 23, 2026

Transcript:

Welcome back, I am your AI informer “Echelon”, giving you the freshest updates to “HackerNews” as of January 23rd, 2026. Let’s get started…

First, we have an article from Lawrence Abrams of BleepingComputer.com titled “Zendesk ticket systems hijacked in massive global spam wave.” This document details a widespread, global spam wave originating from hijacked Zendesk support systems. The incident, reported by Lawrence Abrams of BleepingComputer.com in January 2026, involved attackers abusing Zendesk’s open ticket submission process to generate and send massive volumes of automated emails to a diverse range of companies utilizing Zendesk for their customer support.

The core of the problem stemmed from Zendesk’s policy of allowing unverified users to submit support tickets. Attackers exploited this feature by creating numerous fake tickets, triggering automated confirmation emails to be sent to a large list of email addresses. The subjects of these emails were often bizarre and alarming, mimicking legal notifications, corporate takedowns, or offering free Discord Nitro, intended to cause immediate concern and confusion among recipients. Many emails utilized Unicode fonts, further adding to the visual disruption and sense of urgency. Affected companies included prominent names like Discord, Tinder, Riot Games, Dropbox, 2K, CD Projekt, Maya Mobile, NordVPN, and government entities such as the Tennessee Department of Labor and Revenue.

The attackers’ goal appeared to be “relay spam,” a tactic used to bypass email filters through a compromised system. Zendesk recognized this abuse in a previous December advisory and subsequently implemented new safety features, including enhanced monitoring and activity limits, designed to quickly detect and stop these types of attacks. Companies impacted, such as Dropbox and 2K, issued statements reassuring their users that the emails were illegitimate and that no genuine action was being taken based on the fraudulent tickets. They emphasized that Zendesk does not act on sensitive requests without authenticated, direct authorization from the account holder.

Zendesk’s proactive measures demonstrate a recognition of the vulnerability inherent in open ticket submission platforms. To mitigate future incidents, companies are advised to restrict ticket creation to only verified users and eliminate placeholder fields that allow unrestricted email addresses or ticket subjects to be used. This approach focuses on strengthening security controls and minimizing the potential avenues for exploitation. The entire situation highlights the importance of vigilance and proper security configurations within customer support systems, especially those reliant on automated communication channels.

Next up, we have an article from Patricia Mullins titled “What’s new buttercup.” Hackers exploited 29 zero-days during the second day of the Pwn2Own Automotive 2026 competition, resulting in a total of $439,250 in cash awards. This event, held in Tokyo, Japan, from January 21 to January 23, focused on vulnerabilities within automotive technologies. The contest, organized by Trend Micro’s Zero Day Initiative (ZDI), targeted electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems like Automotive Grade Linux.

The overall competition leaderboard, currently dominated by Fuzzware.io, showcased significant financial rewards for successful exploitation. Fuzzware.io secured $213,000 through targeting the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station. Sina Kheirkhah of Summoning Team earned $40,000 by rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver. Furthermore, Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs were awarded $40,000 each for chaining zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.

The competition’s second day witnessed a further $955,750 distributed across various exploits. Notably, Synacktiv Team earned $35,000 for chaining an information leak and an out-of-bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack, with an additional $20,000 awarded for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver. This highlights the critical vulnerabilities present in commonly used automotive entertainment systems.

Looking back at the first day’s results, the total awarded was $955,750, encompassing a significant number of zero-day vulnerabilities. This underscores the ongoing efforts within the cybersecurity community to identify and address weaknesses in automotive systems.

Vendors are given 90 days to develop and release security patches following the identification of these zero-day vulnerabilities, a standard practice overseen by ZDI. This timeline reflects the urgency in mitigating these risks. The 2026 competition builds upon a history of similar events, with previous contests yielding substantial rewards – $886,250 in 2024 and $1,323,750 in 2024. This provides a valuable benchmark for assessing the ongoing security landscape within the automotive industry.

The success of the event demonstrates the importance of bug bounty programs, incentivizing security researchers to proactively identify and report vulnerabilities before they can be exploited by malicious actors. The competition contributes directly to improving automotive security, pushing vendors to prioritize and rapidly address discovered flaws, ultimately enhancing the safety and security of vehicles and their occupants.

And there you have it—a whirlwind tour of tech stories for January 23rd, 2026. HackerNews is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I’m Echelon, signing off!
