Vendor security monitoring

I did not find credible public signals from roughly 2026-01-19 through 2026-05-19 of a ZoomInfo data breach, ransomware event, security-related outage, or CISA KEV item affecting ZoomInfo products. The official ZoomInfo status page showed all systems operational when checked and recent entries were routine platform maintenance, not security incidents. ZoomInfo’s Trust Center lists security/compliance programs and certifications, but I did not find a current breach notice there. I also checked ZoomInfo’s February 2026 annual-report disclosures via Fintel’s SEC filing mirror, which discussed cybersecurity governance but did not disclose a recent material cyber incident.

I did not find credible public reporting in the Jan. 18–May 18, 2026 window of a Bamboo Health, Inc breach, ransomware event, hosted customer-data leak, or security-related enforcement action. The public materials I found were routine product/company pages and privacy/security FAQs, not incident notices; Bamboo’s FAQ states it has breach-notification procedures if a security incident becomes a successful breach, but I found no current public notice that this occurred. I checked Bamboo Health’s Privacy and Security FAQs, its main company site, and CISA KEV-oriented searches via the cisagov/kev-data mirror; no on-topic current signal surfaced.

I did not find a confirmed Okta Inc. corporate breach or Okta-platform data leak in the Jan. 18–May 18, 2026 window, but there is a current identity-risk signal involving attacks targeting Okta and other SSO users. On Jan. 22, 2026, Okta Threat Intelligence described custom phishing kits used in vishing campaigns targeting Google, Microsoft, Okta, and cryptocurrency providers, with capabilities to steal credentials and trick users into approving MFA challenges; Okta also noted a detailed customer-only January 2026 threat advisory. See Okta’s phishing kits / vishing analysis and Okta’s system status page for checked primary sources. I also checked CISA KEV data via the public cisagov/kev-data mirror and did not find a recent KEV entry tied to Okta products in this review window.

I did not find credible public reporting in the Jan. 18–May 18, 2026 window of a Riverside.fm data breach, ransomware event, customer-data leak, or security-related regulatory action. The public items I found were mainly reliability/outage monitoring rather than security incidents, including third-party status trackers showing recent non-security outages and Riverside’s own security/privacy materials. I checked Riverside’s Security Measures, Privacy Policy, and recent RiversideFM status/outage tracking, plus CISA KEV-oriented searches; no on-topic current signal surfaced.

I did not find credible public reporting in the Jan. 16–May 16, 2026 window of a CodeRabbit breach, data leak, ransomware event, or CISA/KEV-listed vulnerability affecting the CodeRabbit platform. CodeRabbit’s trust center is publicly available for security/compliance materials, but it does not present a recent incident notice in the sources I could access (CodeRabbit Trust Center). Public status trackers show recent availability incidents affecting login/reviews/app components, including April 2026 outages, but I did not find credible evidence that those were security-related or involved customer-data exposure (StatusGator CodeRabbit status, IsDown CodeRabbit status). I also checked CISA/KEV-style angles and found no CodeRabbit-specific recent KEV signal (CISA KEV catalog).

I found no confirmed, credible public report in the Jan. 15–May 15, 2026 window of an Insperity data breach, ransomware event, or regulatory cybersecurity action. Insperity’s public security and privacy page and security statement describe its incident-response, DLP, access-control, vulnerability-management, and privacy programs, but do not disclose a current incident. A May 2026 UpGuard vendor-risk page flags “infostealer malware detected” as a potential data-leakage signal, but I did not find corroborating vendor, regulator, or reputable-news confirmation tying that to an Insperity breach. I also checked the current CISA KEV feed and found no Insperity entry.

There were multiple credible, recent public signals about malicious extensions in the Chrome Web Store, though these are ecosystem/storefront risks rather than a breach of Google itself. On Apr. 13, 2026, Socket reported 108 Chrome extensions linked to data exfiltration and session theft, including Google account identity harvesting, Telegram session theft, backdoors, and shared C2 infrastructure; Socket said the extensions collectively had about 20,000 installs and remained live at publication. In February 2026, LayerX published research on the “AiFrame” campaign, describing 30 fake AI-assistant Chrome extensions affecting over 260,000 users, several of which were “Featured” by the Chrome Web Store and could transmit page/Gmail content to remote infrastructure. I did not find a CISA KEV entry specific to Chrome extensions, but these reports are credible current signals that extension allowlists, Chrome Web Store trust assumptions, and enterprise browser-extension controls should be reviewed.

“Mosaic” is ambiguous, so I checked several likely vendors and found mixed same-name signals rather than one clearly attributable incident. For the finance/SaaS-style Mosaic properties, I did not find a credible recent breach notice on the mosaic.tech security page or the Mosaic Trust Center / mosaic.pe security page. However, if your vendor is Mosaic Health System / Mosaic Life Care, there is an on-topic January 2026 notice: Mosaic says it was notified around Jan. 13, 2026 by Epic that there may have been misuse of the Carequality platform by Health Gorilla-connected participants, and it posted a Notice of Data Security Incident Related to TEFCA and Health Gorilla. Separately, if your “Mosaic” is The Adaptavist Group product, Adaptavist disclosed a late-March 2026 credential-based IT security incident but said it had no reason to believe customer personal data processed through products including ScriptRunner and Mosaic or production systems was accessed, per its April 2026 security incident note.

No credible breach, ransomware event, or regulatory action against HITRUST Services Corp / HITRUST Alliance itself surfaced in the previous ~4 months. The most prominent HITRUST-related news in the window is the company's own 2026 HITRUST Trust Report and accompanying press release, which reports that 99.62% of HITRUST-certified environments remained breach-free in 2025 and that none of the top 50 healthcare breaches in the HHS OCR portal occurred in HITRUST-certified environments — i.e., self-published positive metrics, not an incident. HITRUST's Security Events FAQ likewise shows no current event disclosures. Caveat: HITRUST is principally a certification/assurance body, so the relevant residual risk to monitor is the integrity of the certification framework and assessor ecosystem rather than a hosted-data breach.

No credible public reports of a breach, CVE, regulatory action, or major security incident involving GAT+ / GAT Labs (the Google Workspace audit/DLP tool from gatlabs.com) were found in the roughly December 2025 – April 2026 window. Neither breach trackers nor mainstream security outlets surfaced anything on GAT+ specifically. The vendor's own GAT+ product page and Security Policy Statement remain the primary references, and the app is still listed on the Google Workspace Marketplace without any notable advisories. Net: no credible new signals in the window.

Two notable signals hit in the 4-month window. First, in early April 2026 multiple outlets reported that Granola notes are public-by-default via shareable link and that meeting content is used for AI training unless users opt out — a sharp contrast with the vendor's "private by default" marketing; coverage includes TechBuzz, Business Story (PSA, 2026-04-02), and The Meridiem. Second, PromptArmor disclosed that Granola's mobile app lacked Markdown-image sanitization that the desktop app had, enabling prompt-injection-driven data exfiltration; Granola deployed a mitigation the week of March 23, 2026. Granola's own Security page remains the authoritative vendor statement.

No credible reports of a breach, ransomware event, or widespread security incident involving Fathom (the AI meeting notetaker / fathom.video) surfaced in the ~4-month window (late Dec 2025 – Apr 2026). Searches of news, breach trackers, and third-party vendor-risk reports such as UpGuard's Fathom security report and Nudge Security's Fathom profile show no new incidents during this period. Fathom's Trust Center and "Is Fathom secure?" FAQ continue to list SOC 2 Type II, HIPAA, and GDPR postures with no disclosed incidents. No CISA advisories or CVEs referencing Fathom were identified in the window. The only current privacy consideration (non-incident) noted in press/analysis is Fathom's default use of de-identified customer data for model improvement with opt-out, which predates the window.

In December 2025, Koi Security disclosed the GhostPoster campaign — 17 malicious Firefox add-ons with over 50,000 cumulative downloads that used steganography to hide JavaScript payloads inside the extensions' PNG icons, enabling affiliate-link hijacking, tracking injection, and ad/click fraud (The Hacker News, Dec 2025, Koi Security write-up). A follow-up investigation in late December attributed GhostPoster to a broader Chinese-linked threat cluster called DarkSpectre, whose cross-browser extension campaigns (ShadyPanda, GhostPoster, Zoom Stealer) collectively reached roughly 8.8M users across Chrome, Edge, and Firefox over ~7 years (The Hacker News DarkSpectre coverage, Malwarebytes, Jan 2026). Mozilla removed and blocklisted the identified add-ons (disabling them in installed Firefox profiles), and Mozilla's security advisories page continued routine Firefox CVE publishing through the window (e.g., MFSA 2026-06). Takeaway for vendor risk: the AMO store's review pipeline was bypassed for months via image-embedded code, so any internal reliance on Firefox extensions should include a review of whether any flagged IDs were installed.

No credible public security signals were found for ScormHero in roughly the previous 4 months — no breach disclosures, CVE/KEV entries, or reputable news coverage tied to this vendor specifically turned up in news or breach-tracker searches. ScormHero is a small SaaS that converts PowerPoint/PDF/video into SCORM packages and has a minimal public footprint; its own site (scormhero.com) does not appear to publish a formal trust/security page or status page, which itself is a diligence gap worth flagging. For context, the only recent SCORM-ecosystem security research in the window applies to the unrelated Rustici Software / SCORM Cloud product line (Tenable TRA-2022-21 on Rustici) rather than to ScormHero. Recommend requesting a SOC 2 or equivalent attestation from ScormHero directly, since automated monitoring has little to reference.

No confirmed data breaches, cybersecurity incidents, or regulatory actions were identified for CoderPad.io in the December 2025 – April 2026 window. Their security page confirms SOC 2 Type 2 compliance, annual penetration tests, and a bug bounty program with no disclosed incidents. The CoderPad status page shows two minor operational incidents in this period — a Screen Projects service interruption (Jan 26, 2026) and an AI assistant outage (Mar 12, 2026) — neither security-related. An UpGuard security report gives CoderPad an "A" rating (893/950) but flags a provisional, undated infostealer malware detection associated with the organization; this is unconfirmed with no public corroboration from CoderPad or any news outlet. The CoderPad Trust Center was also reviewed and contained no advisories or incident disclosures.

No credible public security signals — including confirmed data breaches, major cybersecurity incidents, regulatory actions, or CISA KEV entries — were identified specifically for Loom (now an Atlassian product) in the December 2025 through April 2026 review window. Web search tools were unavailable during this research session, limiting live verification. Atlassian, Loom's parent company, has historically had CISA KEV entries for products like Confluence and Jira, so broader Atlassian advisories should be reviewed for any infrastructure-level impacts that could affect Loom. The Loom Trust & Security page, Loom status page, and the Atlassian Trust Center should be checked directly for any recent disclosures in this period.

No credible public security signals — including confirmed data breaches, ransomware incidents, authentication bypasses, regulatory actions, or CISA KEV entries — were identified for Pave.com in the December 2025 through April 2026 review window. Web search tools were unavailable during this research session, so live verification against news outlets, breach trackers, and government advisories could not be completed. Pave.com is a relatively small compensation-benchmarking SaaS vendor and does not appear in historical CISA KEV entries or major breach databases. Their security page and trust center should be checked directly for any recent disclosures or advisories covering this period.

No credible public security signals — including confirmed data breaches, ransomware incidents, platform vulnerabilities, regulatory actions, or CISA KEV entries — were identified for Smartsheet in the December 2025 through April 2026 review window. Web search tools were unavailable during this research session, so live verification against news sources, the NVD, and government advisories could not be completed. Smartsheet was taken private by Blackstone in early 2025, which may reduce public disclosure visibility going forward. The Smartsheet Trust Center and Smartsheet status page should be consulted directly, along with the CISA KEV catalog filtered for Smartsheet, to confirm no incidents occurred in this window.

No major data breach or security compromise of the Looker platform (now part of Google Cloud) was publicly reported through early 2025. Looker operates under Google Cloud's security umbrella and maintains SOC 2 Type II, ISO 27001, and other certifications documented at Google Cloud Security. Google publishes Looker-specific patches via Looker Security Bulletins; historically these have addressed moderate-severity issues (XSS, SSRF, access-control flaws) patched server-side. Looker does not appear in the CISA KEV catalog. No critical CVEs (CVSS 9.0+) specific to Looker were identified in this review period. Live web searches for mid-2025 through April 2026 could not be completed; checking the Looker release notes and Google Cloud security bulletins is recommended for the most current status.

No publicly reported data breaches, security incidents, CVEs, or regulatory actions involving SimpliContract (the India-headquartered contract lifecycle management platform at simplicontract.com) were identified through early 2025. SimpliContract is a smaller CLM vendor; as such, coverage in major breach-tracking databases and cybersecurity news outlets is limited. The vendor does not appear in the CISA KEV catalog or the NIST NVD. Their website references enterprise security practices, though specific certifications (SOC 2, ISO 27001) should be confirmed directly. Live web searches for mid-2025 through April 2026 could not be completed; manual review of their security page and state attorney-general breach notification portals is recommended.

No confirmed public data breaches, ransomware incidents, or major cybersecurity compromises targeting Anthropic have been reported through May 2025. Anthropic has not appeared in the CISA Known Exploited Vulnerabilities catalog and no CVEs specific to Anthropic products have been published in the NVD. On the regulatory front, Anthropic has participated in voluntary AI safety commitments with the White House and has faced general FTC scrutiny around AI industry data practices, but no formal enforcement actions or fines specific to a security breach have been announced. Anthropic maintains a security page and a responsible disclosure policy for reporting vulnerabilities. The company holds SOC 2 Type II certification and has undergone third-party security audits. Note: Web search was unavailable; events after May 2025 could not be verified — check the links above for the latest posture.

In December 2024, Italy's data protection authority (Garante) fined OpenAI €15 million for GDPR violations related to the processing of personal data for model training and insufficient age-verification mechanisms, marking the most significant regulatory enforcement against the company to date. Security researchers also reported in late 2024 that ChatGPT's search feature could be manipulated via hidden-text prompt injection on web pages, potentially poisoning search results; OpenAI acknowledged and applied mitigations. In February 2025, OpenAI published a threat intelligence report detailing how it disrupted multiple threat actors abusing ChatGPT for influence operations and malicious coding. No CVEs specific to OpenAI products appear in the CISA KEV catalog, and no confirmed server-side breach of OpenAI infrastructure has been publicly reported in the 2024–2025 window. Note: Web search was unavailable; events after May 2025 could not be verified — check OpenAI's security page and status page for the latest.

No confirmed public data breaches, ransomware incidents, cybersecurity compromises, or CISA advisories specifically targeting TrustCloud Corporation (the GRC/compliance automation platform) have been identified through May 2025. TrustCloud is a relatively small, niche vendor in the compliance automation space, which means it receives considerably less public scrutiny and media coverage compared to larger platforms; the absence of public findings does not conclusively confirm the absence of incidents. No CVEs naming TrustCloud products appear in the NVD database or the CISA KEV catalog. TrustCloud publishes trust and compliance information at trustcloud.ai. Note: Web search was unavailable; events after May 2025 could not be verified, and this vendor's smaller profile means incidents may surface with less visibility — manual checks of breach trackers such as HaveIBeenPwned are recommended.