Tech Brew Ride Home

Chickens, Roosting

22 min
May 8, 2026
Summary

Tech Brew Ride Home covers major industry developments including Nintendo's Switch 2 price increase to $500 amid global memory shortages, a significant Canvas/Instructure ransomware and data-extortion attack affecting millions of students during final exams, the discovery of 5,000+ insecure AI-coded ("vibe-coded") apps with little or no authentication, and Mozilla crediting Anthropic's Mythos Preview and other AI models for 423 Firefox security bug fixes shipped in April alone (versus 31 a year earlier).

Insights
  • Global supply chain disruptions and tariffs are forcing hardware manufacturers to choose between profitability and market penetration, with Nintendo's price increase risking sales momentum
  • AI-powered security tools have reached a maturity inflection point where agentic systems can find complex vulnerabilities (including Firefox sandbox escapes) at scale and filter their own false positives, surfacing more sandbox issues than human bounty researchers have; the resulting patches still need a human engineer before they ship
  • Rapid democratization of app development through AI coding tools is creating a new security crisis as non-technical users deploy production apps without security expertise or IT oversight
  • Cybercriminals are exploiting timing: the Canvas defacement during final exams maximizes pressure on individual institutions to negotiate their own ransom payments, regardless of whether Instructure itself pays
  • Loyalty programs have become more valuable than the core business for airlines, transforming them into fintech companies and creating resilience against external shocks
Trends
  • AI-assisted vulnerability detection moving from experimental to production-grade, with agentic systems filtering false positives
  • Supply chain-driven hardware price increases becoming normalized despite demand concerns
  • Ransomware attacks targeting critical infrastructure during high-impact periods (exams, peak seasons) for maximum leverage
  • Shadow IT proliferation through AI coding tools bypassing enterprise security controls
  • Loyalty program financialization as core business model for traditionally product-focused industries
  • Autonomous AI R&D systems potentially achievable by 2028-2029, creating forecasting uncertainty
  • Deepfake and non-consensual synthetic media regulation escalating across international jurisdictions
  • Insecure API and authentication patterns in AI-generated applications becoming systemic risk
Topics
Companies
Nintendo
Raising Switch 2 console price to $500 due to global memory shortages and tariff pressures affecting profitability
Instructure
Canvas education platform suffered major ransomware attack by Shiny Hunters affecting 275M students/faculty during fi...
Shiny Hunters
Cybercrime group responsible for Canvas data breach and extortion attack demanding ransom from affected institutions
Lovable
AI coding tool identified as platform where 5,000+ insecure apps with minimal authentication were deployed
Replit
AI development platform where insecure vibe-coded apps were built and published without proper security controls
Base44
AI coding tool associated with insecure app development and exposed sensitive data including medical and financial re...
Netlify
Platform mentioned in context of AI-generated app deployment and security vulnerabilities
Mozilla
Firefox browser team credited Anthropic's Mythos Preview and other AI models for helping identify and ship 423 security bug fixes in April 2026, up from 31 a year earlier
Anthropic
Developed Mythos AI model capable of discovering high-severity software vulnerabilities including 15-year-old Firefox...
X (formerly Twitter)
Under criminal investigation by French authorities for algorithmic manipulation and deepfake content moderation failures
xAI
Elon Musk's AI company that developed Grok chatbot, subject to investigations for deepfake and CSAM content creation
Tesla
Musk's automaker; a version of the Grok chatbot is integrated into its electric vehicles
SpaceX
Musk's rocket company that merged with xAI earlier in 2026
Sony
PlayStation 5 expected to be primary platform for Grand Theft Auto 6 release, benefiting from Nintendo's Switch 2 cha...
Delta Air Lines
SkyMiles loyalty program estimated worth exceeding airline itself, generating $8B in co-branded credit card spending
American Express
Co-branded credit card partner with Delta SkyMiles loyalty program generating significant revenue
Wix
Base44 parent company defending platform security controls in response to insecure app deployment criticism
Red Access
Security research firm that analyzed AI-coded apps and identified 5,000+ with little to no authentication
People
Brian McCullough
Host of the Tech Brew Ride Home podcast covering tech industry news and trends
Hideki Yasuda
Analyst commenting on Nintendo's price increase strategy and Switch 2 sales outlook concerns
Dor Zvi
Led analysis of 5,000+ insecure AI-coded apps and identified exposed sensitive data patterns
Joel Margolis
Explained how AI coding tools lack security by default when not explicitly requested by users
Amjad Massad
Responded to insecure app criticism, stating public accessibility is expected behavior for published apps
Brian Grinstead
Discussed Mythos model's breakthrough capability in finding Firefox sandbox vulnerabilities at scale
Jack Clark
Wrote analysis predicting >60% chance of autonomous AI R&D systems by end of 2028
Elon Musk
Subject of French criminal investigation into X algorithmic manipulation and Grok deepfake content moderation
Linda Yaccarino
Issued summons by French authorities regarding X algorithmic manipulation investigation
Everett DeBoer
Analyzed airline loyalty programs as fintech business models more valuable than core airline operations
Quotes
"The chickens in terms of the global memory shortage have come home to roost"
Brian McCullough (quoting Bloomberg), Nintendo segment
"These things are actually just suddenly very good. We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry."
Brian Grinstead, Mozilla Distinguished Engineer, Mythos/Firefox segment
"It is difficult to overstate how much this dynamic changed for us over a few short months. First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models."
Mozilla researchers, Firefox bug fixes segment
"I reluctantly come to the view that there's a likely chance, greater than 60%, that no-human-involved AI R&D, an AI system powerful enough that it could plausibly, autonomously build its own successor, happens by the end of 2028."
Jack Clark, Anthropic co-founder, Weekend reading segment
"Today, most airlines couldn't survive without a loyalty program. That's because the programs aren't just profitable, they address the industry's deepest vulnerability, its exposure to external shocks."
Everett DeBoer, On Point Loyalty, Airline loyalty programs segment
Full Transcript
On April 4th, 2023, around two in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco. Hey, who did this to you? What happened next turned the story into a political firestorm. Reports have identified the victim as Bob Lee, the founder of Cash App. From Bloomberg Podcasts, this is Foundry, the killing of Bob Lee, beginning April 16.

Welcome to the TechBrew Ride Home for Friday, May 8, 2026. I'm Brian McCullough. Today, Nintendo raised the Switch 2 price to $500 amid a global memory shortage. Shiny Hunters force Canvas offline during finals season. Researchers found more than 5,000 insecure vibe-coded apps. Mozilla credits Mythos for 423 Firefox bug fixes in April. And of course, the weekend long read suggestions. Here's what you missed today in the world of tech.

Today's episode is brought to you by Doppel. Disguises are getting pretty good these days, and I'm not just talking about when you throw on a pair of glasses and a hoodie and hope you won't be recognized. We're talking about the kind of disguises that end up in your inbox, on your phone, or on the web, blending in as your everyday internal emails, casual text messages, or a normal website. Doppel strengthens your team's resilience by giving employees the tools and defenses they need to protect themselves from increasingly sophisticated social engineering threats. Their digital risk protection takes it one step further by keeping an eye on every channel to connect patterns and shut them down fast. From deepfakes to bad links to impersonation attempts, Doppel helps you stay ahead of these threats with their AI-native social engineering defense platform. Learn more at doppel.com. That's doppel.com.

Well, the chickens in terms of the global memory shortage have come home to roost, quoting Bloomberg. 
Nintendo said it will increase the price of its Switch 2 console to $500 from $450, acknowledging pressure on profitability of its flagship device heading into its second year on the market. The Kyoto-based company will make the global change on September 1st, it said in reporting its full-year earnings on Friday. Nintendo expects to sell 16.5 million Switch units in the year through next March. Another disappointing figure. The new console had sold 19.9 million units by the end of this March. The device is selling at the fastest pace for any home console in history, motivated in part by consumer fears about potential price increases caused by U.S. tariffs. The company will rely on software for much of its income this year, as its hardware business has been challenged over the past six months by global electronics component shortages. The war in Iran has also raised shipping and logistics costs. Nintendo said it expects an impact of around 100 billion yen on its business from cost surges in memory and materials, as well as from tariffs. Nintendo typically starts the year with conservative guidance, but even so, this feels unusually soft, said Toyo Research Advice Analyst Hideki Yasuda. The price increase is understandable given the current macro environment, but if higher prices lead to weaker-than-expected sales, then it raises the question of whether the appeal of the Switch 2 was ever that strong to begin with. Game sales for the new platform have yet to take off, several months after the Switch 2's June debut. Earlier this week, Nintendo announced a Star Fox remake for the summer, though its outlook suggests the company doesn't expect its broader challenges to dissipate anytime soon. Shares in the company are on their worst run in a decade and down roughly 30% this year, with investors signaling dissatisfaction about the Switch 2's profitability. 
Nintendo had until today resisted raising the price of its flagship console, seeking to sustain its affordability for the widest possible audience. After the March quarter delivered surprise hit Pokémon Pokopia, Nintendo's momentum hinges on the strength of its lineup for the rest of the year. The looming release of Grand Theft Auto 6 in the fall is likely to benefit rival Sony, whose PlayStation 5 is widely expected to be the primary platform for the new marquee game, end quote.

Quick note on this next segment, we're going to be talking about Canvas, not Canva, C-A-N-V-A-S, not C-A-N-V-A, quoting Krebs on Security. An ongoing data extortion attack targeting the widely used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today after a cybercrime group defaced the service's login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. Canvas parent firm Instructure responded to today's defacement attacks by disabling the platform, which is used by thousands of schools, universities, and businesses to manage coursework and assignments and to communicate with students. Instructure acknowledged a data breach earlier this week after the cybercrime group Shiny Hunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12. In a statement on May 6, Instructure said the investigation so far shows the stolen information includes, quote, certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. 
The company said it found no evidence the breach data included more sensitive information, such as passwords, dates of birth, government identifiers, or financial information. The May 6 update stated that Canvas was fully operational and that Instructure was not seeing any ongoing, unauthorized activity on their platform. At this stage, we believe the incident has been contained, Instructure wrote. However, by midday on Thursday, May 7th, students and faculty at dozens of schools and universities were flooding social media sites with comments saying that a ransom demand from Shiny Hunters had replaced the usual Canvas login page. Instructure responded by pulling Canvas offline and replacing the portal with the message, Canvas is currently undergoing scheduled maintenance. Check back soon. We anticipate being up soon and will provide updates as soon as possible, reads the current message on Instructure's status page. While the data stolen by Shiny Hunters may or may not contain particularly sensitive information, Shiny Hunters claims it includes several billion private messages among students and teachers, as well as names, phone numbers, and email addresses, this attack could hardly have come at a worse time for Instructure. Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company. The extortion message that greeted countless Canvas users today advised the affected schools to negotiate their own ransom payments to prevent the publication of their data, regardless of whether Instructure decides to pay itself. Shiny Hunters has breached Instructure again, the extortion message read. Instead of contacting us to resolve it, they ignored us and did some, quote, security patches. A source close to the investigation who was not authorized to speak to the press told Krebs on Security that a number of universities have already approached the cybercrime group about paying up, end quote. 
According to researchers, more than 5,000 web apps built using AI coding tools like Lovable, Base44, and Replit have little to no authentication and around 40% of them exposed sensitive data. Quoting Digital Trends, AI coding tools have made it ridiculously easy to build a web app, and it only takes a few minutes to set up now. This ease has lowered the barrier to app development, which is causing a new set of issues. So what happens when these AI-made apps go live without anyone checking the locks? You get secrets spilling out all over the internet. A Wired report highlights a major security problem around so-called vibe-coded apps, which are built using AI development platforms such as Lovable, Replit, Base44, and Netlify. Security researcher Dor Zvi and his team at Red Access analyzed thousands of these apps and found that more than 5,000 had little to no security or authentication. Most of these apps could practically be accessed by anyone who found the right URL. A few of these had only minimal barriers, allowing visitors to sign in with any email address. Nearly half of these exposed apps appeared to contain sensitive data like medical information, financial records, corporate presentations, strategy documents, and customer chatbot logs, said Zvi. The investigation reportedly also revealed hospital work assignments with personally identifiable information, ad purchasing data, market presentation strategies, sales information, and even customer conversations with their names and contact details. Several of these apps were still online, although Wired couldn't verify whether all the data it reviewed was real or sensitive. This story isn't just limited to one batch of sloppy AI apps. These tools allow people who may not have software engineering or security experience to build and publish apps quickly, which are often outside normal IT approval processes. 
So a member of the marketing team, operations worker, or a founder can create a tool for internal use, connect it to real data, and accidentally leave it open to the web. Zvi compared it to the old wave of exposed Amazon S3 buckets where misconfigurations led companies to leak sensitive data at a massive scale. Security researcher Joel Margolis told Wired that AI coding tools only do what's asked of them, so if a user does not ask for security explicitly, the app may not be secure by default. Replit CEO Amjad Massad wrote on X that some users had published apps on the open web that should have been private, adding that public apps being accessible online is expected behavior. Meanwhile, Lovable said it takes exposed data and phishing reports seriously and is investigating. Base44 parent company Wix stated that its platform provides security and visibility controls, arguing that public access reflects user configuration choices rather than a platform vulnerability. This is a reality check for anyone treating vibe coding like a fast track to startup success. AI-generated apps can move quickly, but that speed comes with real trade-offs. From weak oversight to hidden vulnerabilities, AI-built apps can become a serious problem once a product is in users' hands, end quote.

Sure, AI is everywhere, but that doesn't mean enterprise value is a given. In a recent survey, PwC found the amount of CEOs who reported revenue gains or cost reductions from AI is nearly equal to the amount who say they're still stuck. So what's causing the issues? PwC boiled it down to clarity. Leaders aren't clear about what's hype, what's reality, or where AI can actually create measurable impact. To help change that, PwC is offering their AI expertise and data. They explore how to tune out noise around AI and get clarity on what successful adoption looks like. Learn from the experts by heading to pwc.com slash us slash brewai. That's pwc.com slash us slash brewai. 
Meanwhile, Mozilla says Anthropic's Mythos Preview and other AI models helped it identify and ship 423 Firefox security bug fixes in April alone, compared to 31 a year earlier. This is worth noting, because remember how some people were saying that the whole Mythos hype was just a marketing ploy on behalf of Anthropic? Well, quoting TechCrunch, when Anthropic unveiled its new Mythos model in April, it also delivered a stern warning to anyone developing software. The model was so powerful at sniffing out software vulnerabilities, the lab claimed that it had discovered thousands of high-severity bugs that would need to be fixed before it could be made public. Now, security researchers for Mozilla's Firefox browser are providing a closer look at what that process has looked like in practice, and what Mythos' powers mean for software security at large. In a post published on Thursday, Mozilla said Mythos has unearthed a wealth of high-severity bugs, including some that had lain dormant in the code for more than a decade. That's a significant improvement from what AI security tools were capable of even six months ago. Until now, AI bug-finding tools have come with severe drawbacks, often inundating security teams with low-quality reports and false positives. But Mozilla's researchers say the latest generation of tools have turned a corner, particularly now that agentic systems can assess their own work and filter out bad results. It is difficult to overstate how much this dynamic changed for us over a few short months, the researchers wrote. First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models. The results are striking. In April 2026, Firefox shipped 423 bug fixes compared to just 31 exactly a year earlier. The researchers have also published details on 12 of the bugs, which range from a pair of unusual sandbox vulnerabilities to a 15-year-old error in how the browser parses an HTML element. 
These things are actually just suddenly very good, Brian Grinstead, a distinguished engineer at Mozilla, told TechCrunch. We see that on our own internal scanning, we see that on external bug reports, and we see that in all sorts of signals across the industry. The fact that the system helped reveal vulnerabilities in Firefox's sandbox system is particularly impressive given how intricate an attack that exploit needs to be. To find sandbox vulnerabilities, the model must write a compromised patch for the browser, then attack the most secure part of the software with the new code implemented. Finding and demonstrating the bug is a delicate multi-step process requiring both creativity and close attention. To put this into context, Mozilla's bug bounty program pays researchers who can find a bug in Firefox's sandbox up to $20,000, the highest reward available. Despite the top dollar bounty, however, Grinstead says Mythos is finding more sandbox issues than human researchers ever did. We do get them, he told TechCrunch, but not at the volume that we are able to find with this technique. Notably, the Firefox team still isn't using AI to fix the bugs despite well-documented progress in AI coding tools. The team does ask AI to code up patches for each bug, but the resulting code usually can't be deployed directly and instead serves as a model for a human engineer, end quote.

French prosecutors have escalated an investigation into Elon Musk and X, focused on alleged algorithmic manipulation and sexual deepfakes, to a criminal probe. Quoting CNBC, Musk and former X CEO Linda Yaccarino were issued summons by French authorities for April 20th. Both of them declined to appear and answer questions, according to the prosecutor's office. In February, Musk called the probe a political attack after French authorities raided the Paris office of X. 
The probe, requested by French Member of Parliament Éric Bothorel in early 2025, has focused on complaints of algorithmic manipulation by X to influence and interfere in French politics, and allegations that Musk and the X team knowingly allowed users of the AI chatbot Grok to create and spread Holocaust denials and non-consensual sexually explicit deepfake images on X. Grok is developed by xAI, Musk's artificial intelligence company that acquired X, which he already owned, and earlier this year merged with SpaceX, his reusable rocket company. A version of Grok is also integrated into electric vehicles made by Tesla, Musk's automaker. Other international jurisdictions are also investigating X and Grok, as is the California Attorney General's office. The probes generally focus on whether Musk and his companies deliberately allowed for the creation and spread of deepfake explicit images, including child sexual abuse materials based on photos or videos of non-consenting individuals, end quote.

Time for the weekend long read suggestions. First up, Anthropic co-founder Jack Clark explains why he thinks there's a greater than 60% chance of AI systems autonomously building their successors by 2029 and the consequences of that. Quoting from Import AI, I'm writing this post because when I look at all the publicly available information, I reluctantly come to the view that there's a likely chance, greater than 60%, that no-human-involved AI R&D, an AI system powerful enough that it could plausibly, autonomously build its own successor, happens by the end of 2028. This is a big deal. I don't know how to wrap my head around it. It's a reluctant view because the implications are so large that I feel dwarfed by them, and I'm not sure society is ready for the kinds of changes implied by achieving automated AI R&D. I now believe we are living in the time that AI research will be end-to-end automated. 
If that happens, we will cross a Rubicon into a nearly impossible-to-forecast future. More on this later, end quote.

Finally, I was just fascinated by this article in New York Magazine about how the current state of the airline industry all boils down to frequent flyer miles generally, and Delta SkyMiles more specifically. For a long time, it was a mystery why airlines offered miles. After all, a point is a future liability, something the carrier owes the consumer, which is why perhaps it feels so good to collect them. Yet airlines have shown little trouble managing that liability, and when the pandemic shut down flying and forced airlines to take out loans exposing their assets, the public finally got to find out why airlines like loyalty programs so much. They're insanely profitable. Some are estimated to be worth even more than the airlines themselves. Spending on Delta's SkyMiles co-branded American Express cards is estimated to have reached $8 billion last year. Analysts say the loyalty programs have taken on a life of their own, turning airlines into fintech companies with wings. If you went to the CFO of an airline in the year 2000 and asked what's the value of your loyalty program, they wouldn't have been able to tell you, says Everett DeBoer, managing partner at On Point Loyalty. They would have said, loyalty programs are nice sources of external revenue, but we're an airline and this is what we focus on. Today, most airlines couldn't survive without a loyalty program. That's because the programs aren't just profitable, they address the industry's deepest vulnerability, its exposure to external shocks such as the pandemic, geopolitical conflict, and government shutdown. Loyalty programs, by helping to keep you, the consumer, enslaved by your credit card, guarantee future business. They're consistent and they offer control, says DeBoer. There's this whole behavior you can exploit, the gamification around tiers, the way you can incentivize people. 
You track them. It's powerful. It's exponentially increasing the toolkit you have with consumers. And Flyers, DeBoer's research shows, will forego good fares with competing airlines just to continue earning points in a loyalty program they are already invested in, end quote. No weekend bonus episodes for you this weekend, but Chris and I are probably going to record one tomorrow, so you'll have one hopefully next weekend. Talk to you on Monday.