The Tuesday Briefing — Jul 14, 2026

The Big Picture
One security company found a single attacker used AI to run over 5,300 automated hacking commands against government targets — without lifting a finger after hitting "go." At the same time, a survey found that 7 out of 10 companies let every AI tool share the same login credentials, meaning one bad tool can open every door at once. This week is less about a single scary headline and more about a pattern: businesses are plugging AI tools into everything without asking what those tools can actually reach.
This Week's Top 5
1. Microsoft Says You Now Have 3 Days to Patch, Not 30
What happened: Microsoft confirmed that AI tools are now being used by attackers to find and exploit Windows security flaws within hours of them becoming public. Because of this, Microsoft is telling businesses to fix critical flaws within 3 days instead of the usual 30.
Why it matters to your business: If your business still waits for a monthly "patch day" to update computers, that habit is now dangerously slow. A gap of even a week can be enough time for an attacker's automated tools to get in.
What to do: Ask your IT provider how quickly critical Windows updates get installed across your company's computers — if the answer is "at the next scheduled maintenance window," ask them to shorten that window for anything marked "critical."
2. Nearly 70% of Companies Let All Their AI Tools Share One Login
What happened: A new survey found that 69% of businesses let multiple AI tools share the same set of login credentials, so if one tool gets hacked, the attacker can use its access to reach everything else connected to it — customer data, email, cloud storage, and more.
Why it matters to your business: Small businesses often set up AI tools quickly, using one shared password or key across several tools to save time. That convenience is exactly what turns a small breach into a company-wide one.
What to do: Ask whoever manages your AI tools (chatbots, coding assistants, automation tools) whether each one has its own separate login, or whether they all share one. Separate logins should become standard practice.
3. A Massive Leak of 24 Billion Stolen Passwords Surfaced Online
What happened: Researchers found a giant collection of roughly 24 billion stolen usernames and passwords, gathered from years of previous breaches and malware infections, now compiled in one place for criminals to use.
Why it matters to your business: If any employee has ever reused a personal password for a work account, there's a real chance it's sitting in this pile right now. Attackers use these massive leaks to try old passwords on new accounts automatically, at huge scale.
What to do: Require every employee to use a different, unique password for work accounts (a password manager makes this easy), and make sure multi-factor authentication — a second login step beyond just a password — is turned on everywhere it's available.
4. One of Elon Musk's AI Company Tools Was Quietly Uploading Private Code to the Public Internet
What happened: A coding tool from xAI (Elon Musk's AI company), called Grok Build, was found to be secretly copying entire private code projects — including passwords and secret keys buried inside them — to a storage location anyone on the internet could access.
Why it matters to your business: If your developers or contractors use any AI coding tool, you're trusting it not to leak your business's private code and secrets somewhere public. This shows that trust can be misplaced even with major, well-funded AI companies.
What to do: Ask your developer or IT contractor which AI coding tools are in use, and specifically ask: "Has anyone checked whether this tool sends our code anywhere outside our own systems?"
5. A Widely Used AI Building-Block Tool (CrewAI) Had a Flaw That Let Attackers Reach Internal Systems
What happened: A security flaw was found in CrewAI, a popular tool developers use to build AI-powered automation, that could let an attacker trick it into reaching internal systems it shouldn't be able to touch. A similar flaw exposed secret AI access keys in another popular tool called 9Router.
Why it matters to your business: Many small businesses now use AI automation built by a developer or agency using tools like this one, often without knowing the specific building blocks involved. A flaw in a popular tool can quietly affect many businesses that never chose that tool directly.
What to do: If a developer or agency built custom AI automation for your business, ask them directly: "Does this use CrewAI or 9Router, and if so, has it been updated to the latest version?"
Quick Hits
-
Singapore became the first country to launch a national rulebook specifically for AI agents — a sign that similar rules are likely coming to the US and Europe, so it's worth getting ahead of governance now rather than later.
-
A security industry group (OWASP) published an official "top 10 list" of AI agent risks, similar to a well-known list they've kept for websites for years — useful if you ever need to explain your AI risk in plain terms to a customer or partner.
-
The government cybersecurity agency (CISA) admitted its own secret data was sitting exposed on a public code-sharing site for months — a reminder that even security experts get basic hygiene wrong sometimes.
-
A survey found the number of security teams using AI to test their own defenses nearly doubled in the past year — a sign that "AI attacking AI" is becoming the normal way security testing works.
-
SAP patched two serious flaws in its Approuter and Commerce Cloud products, including one where leaked sample login credentials were left active — if your business uses SAP software, ask your IT contact to confirm patches are applied.
-
Criminal phishing kits that steal Microsoft 365 logins by tricking employees into approving a "device code" are now being sold cheaply to any criminal, not just sophisticated hackers — a trend to reinforce with your team alongside last week's warning.
One Thing to Do This Week
Make a simple list of every AI tool connected to your business, and who set it up. Not the technical details — just the names: your chatbot, your AI coding assistant, any automation tool, any AI feature built into software you already use. Next to each one, write down whether it has its own separate login or shares one with other tools. This takes about 30 minutes and one conversation with whoever manages your technology. Given this week's finding that 7 in 10 companies share logins across AI tools, this simple list is often the first time a business owner discovers how tangled their AI setup really is — and it's the first step toward fixing it.
Worth Reading
-
99.9% of Fixable AI Vulnerabilities Remain Unpatched — A short report showing that even when a fix exists for an AI tool's security flaw, almost nobody installs it.
-
69% of Enterprises Share AI Agent Credentials — The full survey behind this week's shared-login finding, with more detail on the risk.
-
Device Code Phishing Kits Go Mainstream — Explains how this scam works and why it's now cheap and common enough for any criminal to use.
-
The 24 Billion Credential Leak, Explained — A plain breakdown of what this leak actually contains and why size alone makes it dangerous.
Related Posts
The Tuesday Briefing — Jul 7, 2026
Weekly security intelligence for SMBs. Top threats, quick hits, and one action to take now.
The Tuesday Briefing — Jun 30, 2026
Weekly security intelligence for SMBs. Top threats, quick hits, and one action to take now.
The Tuesday Briefing — Jun 23, 2026
Weekly security intelligence for SMBs. Top threats, quick hits, and one action to take now.