Travel scams are everywhere. Here’s how to avoid them

Planning a holiday should be exciting, fun, and not a cybersecurity risk. But booking flights, hotels, and rental properties often means sharing sensitive personal and financial information across multiple platforms. Combined with frequent travel scams and recurring data breaches in the travel an...

WordPress WPQA <5.5 - Improper Access Control

WordPress WPQA plugin before 5.5 is susceptible to improper access control. The plugin lacks authentication in a REST API endpoint. An attacker can potentially discover private questions sent between users on the site. id: CVE-2022-1598 info: name: WordPress WPQA 5.5 - Improper Access Control...

Sharp Multifunction Printers - Cookie Exposure

It was observed that Sharp printers are vulnerable to a listing of session cookies without authentication. Any attacker can list valid cookies by visiting a backdoor webpage and use them to authenticate to the printers. id: CVE-2024-33610 info: name: Sharp Multifunction Printers - Cookie Exposure...

Keycloak < 24.0.5 - Broken Access Control

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. id: CVE-2024-3656 info...

A week in security (May 25 &#8211; May 31)

Last week on Malwarebytes Labs: Payment apps are watching what you say Lock and Code S07E11 Scammers pretending to be Microsoft had help from US executives 700+ education and tech websites hijacked in huge ClickFix malware campaign Fake software on GitHub and SourceForge distribute Deno RAT Fake...

Why Canadian Telecom Providers Are Prime Targets for Cyberattacks

Canadian telecom providers face mounting cyber threats from ransomware, SIM swapping, data breaches, and nation-state attacks targeting critical infrastructure...

US-Estonian Suspect Arrested Over Alleged Scattered Spider Cyberattacks

US-Estonian suspect Peter Stokes arrested in Finland over alleged ties to Scattered Spider, facing US charges for cyberattacks, fraud, and data breaches...

Your extensions leak clues about you, so we made sure Browser Guard doesn&#8217;t

Did you know you can be profiled based on the browser extensions you use? Advertisers can detect which extensions are installed and use that to build a picture of the kind of user you are. For instance, do you pride yourself on being a good online shopper who never pays full price? Maybe you use ...

HackerOne, Mazda, Infinite Campus and Dutch Ministry Hit by Data Breaches

HackerOne, Mazda, Infinite Campus and the Dutch Ministry report data breaches, exposing employee and partner data across multiple sectors worldwide...

Estimating the Social Cost of Corporate Data Breaches

While the size of a data breach is typically measured by the number of consumer, customer, or user records exposed or compromised, its economic impact is generally measured from the point of view of the corporation suffering the data breach: cost in crisis management, legal fees, drop in stock...

Data Breaches in 2026: What’s old, what’s new?

Data breaches in 2026 explained, new cyber threats, AI driven attacks, common breach causes, and practical security strategies for individuals and businesses...

Attacks are Evolving: 3 Ways to Protect Your Business in 2026

Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday. But in 2025, the data breaches that affected small and medium-sized businesses SMBs challenged ou...

A week in security (December 15 &#8211; December 21)

Last week on Malwarebytes Labs: CISA warns ASUS Live Update backdoor is still exploitable, seven years on The ghosts of WhatsApp: How GhostPairing hijacks accounts Chrome extension slurps up AI chats after users installed it for privacy Two Chrome flaws could be triggered by simply browsing the...

The Privacy Gap in API Security: Why Protecting APIs Shouldn’t Put Your Data at Risk

The more critical APIs become, the more sensitive data they carry identities, payment details, health records, customer preferences, tokens, keys, and more. And this is where organizations face a painful, often invisible problem: To protect APIs, many organizations end up exposing the very data...

The price of ChatGPT’s erotic chat? $20/month and your identity

To talk dirty to ChatGPT, you may soon have to show it your driver’s license. OpenAI announced last month that ChatGPT will soon offer erotica—but only for verified adults. That sounds like a clever guardrail until you realize what “verified” might mean: uploading government identification to a...

Synergistic Development of Cybersecurity and Functional Safety for Smart Electric Vehicles

The introduction of Smart Electric Vehicles SEVs represents an increasingly disruption on automotive area, once integrates advanced computer and communication technologies to highly electrical cars, which come with high performances, environment friendly and user friendly characteristics . But th...

EUVD-2024-28047

HCL DRYiCE AEX product is impacted by Missing Root Detection vulnerability in the mobile application. The mobile app can be installed in the rooted device due to which malicious users can gain unauthorized access to the rooted devices, compromising security and potentially leading to data breache...

Elasticsearch Leak Exposes 6 Billion Records from Scraping, Old and New Breaches

An Elasticsearch leak exposed 6 billion records from global data breaches and scraping sources, including banking and personal details tied to multiple regions...

CVE-2025-40774

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications store user passwords encrypted in its database. Decryption keys are accessible to users with administrative privileges, allowing them to recover passwords. Successful exploitation of this...

CVE-2025-40774

CVE-2025-40774 affects SiPass integrated prior to v3.0. The vulnerability stems from passwords stored in the server’s database with decryption keys accessible to administrators, enabling password recovery. Exploitation could allow an attacker with admin access to obtain and use valid user passwor...