Under the engineering hood: Why Malwarebytes chose WordPress as its CMS
It might surprise some that a security company would choose WordPress as the backbone of its digital content operations. After all, WordPress is often associated with open-source plugins, community themes, and a wide range of deployment practices—some stronger than others. But that perception...
Video call app Huddle01 exposed 600K+ user logs
The Cybernews research team found that video call app Huddle01 exposed email addresses, real names, and other identifiers through an unprotected Kafka broker. Think of an unprotected Kafka broker like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the...
Mango discloses data breach at third-party provider
Mango has reported a data breach at one of its external marketing service providers. The Spanish fashion retailer says that only personal contact information has been exposed—no financial data. The breach took place at the service provider and did not affect Mango’s own systems. According to the...
Roku accused of selling children’s data to advertisers and brokers
The state of Florida has accused Roku, which powers many smart TVs and streaming devices, of selling children's data to third parties without their consent. According to Florida Attorney General James Uthmeier, Roku collected viewing habits, voice recordings, and precise geolocation from kids...
TikTok scam sells you access to your own fake money
This scam starts in your TikTok DMs. A brand-new account drops a melodramatic message—terminal illness, last goodbye, “I left you some assets.” At the bottom: a ready-made username and password for a crypto site you’ve never used. It’s designed to feel urgent and personal so you tap before you...
Scammers are still sending us their fake Robinhood security alerts
A short while ago, our friends at Malwaretips wrote about a text scam impersonating Robinhood, a popular US-based investment app that lets people trade stocks and cryptocurrencies. The scam warns users about supposed “suspicious activity” on their accounts. As if to demonstrate that this phishing...
Satellites leak voice calls, text messages and more
Scientists from several US universities intercepted unencrypted broadcasts through geostationary satellites using only off-the-shelf equipment on a university rooftop. Geostationary satellites move at the same speed as the Earth’s rotation so it seems as though they are always above the same exact...
AI-driven scams are preying on Gen Z’s digital lives
Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone. As AI makes fake voices and videos sound and look real, high-pressure plays like sextortion, deepfakes, and virtual kidnapping feel more believable than ever...
Pixel-stealing “Pixnapping” attack targets Android devices
Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. That may sound harmless, but imagine if a malicious app on your Android device could glimpse tiny bits of information on your screen—even the parts you thought were secure,...
Researchers break OpenAI guardrails
The maker of ChatGPT released a toolkit to help protect its AI from attack earlier this month. Almost immediately, someone broke it. On October 6, OpenAI ran an event called DevDay where it unveiled a raft of new tools and services for software programmers who use its products. As part of that, i...
Phishing scams exploit New York’s inflation refund program
A warning from New York State on its website informs visitors that: “Scammers are calling, mailing, and texting taxpayers about income tax refunds, including the inflation refund check.” Here's the warning on the website: We can confirm that several phishing campaigns are exploiting a...
A week in security (October 6 – October 12)
Last week on Malwarebytes Labs: Apple voices concerns over age-check law that could put user privacy at risk Your passwords don’t need so many fiddly characters, NIST says Millions of very private chats exposed by two AI companion apps Fake VPN and streaming app drops malware that drains your ban...
Apple voices concerns over age-check law that could put user privacy at risk
Apple has raised concerns about a new Texas state law, SB 2420, which introduces age assurance requirements for app stores and app developers. One of its main objections is that the requirements are over the top and don’t take into account what the user is actually trying to do. Apple stated: “We...
Your passwords don’t need so many fiddly characters, NIST says
It’s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do it. After nearly four years of work to update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their...
Millions of (very) private chats exposed by two AI companion apps
Cybernews discovered how two AI companion apps, Chattee Chat and GiMe Chat, exposed millions of intimate conversations from over 400,000 users. This is not the first time we have to write about AI "girlfriends" exposing their secrets—and it probably won't be the last. This latest incident is a...
Fake VPN and streaming app drops malware that drains your bank account
Security researchers are warning Android users to delete a fake VPN and streaming app that can let criminals take over their phones and drain their bank accounts. The app, Mobdro Pro IP TV + VPN, was discovered by researchers at Cleafy to be a malicious sideloaded app, not a legitimate VPN. Their...
California just put people back in control of their data
California's 2025 legislative session closed with 14 new privacy and AI-related bills. We’d like to highlight a few of the most relevant signed bills and encourage other states and countries to follow California’s example. Let’s go over some of the bills that were signed by the governor and how...
One stolen iPhone uncovered a network smuggling thousands of devices to China
If you think Apple's 'Find My' feature was just there to help you locate your phone when it slipped down the side of the couch, think again. It turns out this service also helps law enforcement capture criminals. The original "Find My iPhone" was introduced in 2010 as a feature on the iPhone. It...
Modeling scams see mature models as attractive new prospects
The BBC reported on modeling scams targeting older models. Modeling scams aren't new, but it’s worth looking at how they spread today, how to spot them, and—most importantly—how to avoid falling victim to them. The classic pitch goes like this: Someone walks up to you in the street and says, "You...
Is your computer mouse eavesdropping on you?
The short answer is: probably not, but theoretically it’s possible. Researchers at the University of California found a method they called Mic-E-Mouse, which turns your computer mouse into a spy that can listen in on your conversations. The method uses high-performance optical sensors in optical...
“Can you test my game?” Fake itch.io pages spread hidden malware to gamers
You get a message from a Discord friend. Or maybe an unknown indie developer reaches out to you. “Can you test my game?” they ask. The webpage they send over a link to looks legit: screenshots, dev blurb, itch.io-style layout, and the download button is right there, waiting to be clicked. The...
Don’t connect your wallet: Best Wallet cryptocurrency scam is making the rounds
Phishers and scammers can’t get enough of sending their feeble attempts to Malwarebytes’ employees. For which we can’t thank them enough because it means we can warn you, our readers. This time the scammers tried to impersonate Best Wallet—an app that lets people store, send, and receive...
Troops and veterans’ personal information leaked in CPAP Medical data breach
In December 2024, CPAP Medical Supplies and Services Inc. (CPAP), a Jacksonville, Florida-based provider of sleep therapy services and CPAP machines, experienced a cybersecurity incident that compromised the personal data of over 90,000 patients. Since CPAP Medical specializes in tailored sleep apn...
Discord warns users after data stolen in third-party breach
Popular social platform Discord has suffered a data breach—though technically, it wasn’t Discord itself that was hacked. A third-party customer support provider was compromised, allowing attackers to access Discord’s user data. Either way, it’s Discord users who feel the impact. The breach, which...
Phishers target 1Password users with convincing fake breach alert
In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials belonging to a Malwarebytes’ employee. Stealing someone’s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the...
What’s there to save about social media? (Lock and Code S06E20)
This week on the Lock and Code podcast … "Connection" was the promise—and goal—of much of the early internet. No longer would people be separated from vital resources and news that was either too hard to reach or made simply inaccessible by governments. No longer would education be guarded behind...
How to set up two-factor authentication (2FA) on your Facebook account
While two-factor authentication (2FA) is not completely fool-proof, it is one of the best ways to protect your accounts from hackers. It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security. With 2FA, you’ll be asked for a special login...
A week in security (September 29 – October 5)
Last week on Malwarebytes Labs: From threats to apology, hackers pull child data offline after public backlash Your Meta AI conversations may come back as ads in your feed Scam Facebook groups send malicious Android malware to seniors Sendit tricked kids, harvested their data, and faked messages,...
From threats to apology, hackers pull child data offline after public backlash
Last week we yelled at some “hackers” that threatened parents after stealing data from their children's nursery. This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the U...
Your Meta AI conversations may come back as ads in your feed
Meta has announced that conversations with its AI assistant will soon be used for targeted advertising. If you’re the kind of person that notices ads for products just after you spoke about them, you won't be happy about this update. Meta AI is the company’s generative AI assistant, built into...
Scam Facebook groups send malicious Android malware to seniors
An infostealer and banking Trojan rolled into one is making the rounds in Facebook groups aimed at "active seniors". Attackers used social engineering methods to lure targets into joining fake Facebook groups that appeared to promote travel and community activities—such as trips, dance classes, a...
Sendit tricked kids, harvested their data, and faked messages, FTC claims
The Federal Trade Commission (FTC) has sued Sendit’s parent company, saying it signed up children under 13, collected their personal data, and misled them with fake messages and recurring bills. The lawsuit, filed against the app's owner Iconic Hearts Holdings Inc and CEO Hunter Rice, alleges the...
Gemini AI flaws could have exposed your data
Security researchers discovered three vulnerabilities in Google's Gemini artificial intelligence (AI) assistant. Although now patched, this "Trifecta", as the researchers called it, raises important questions about how safe AI tools really are, especially as they become a part of services many of u...
Tile trackers plagued by weak security, researchers warn
Researchers at the Georgia Institute of Technology scrutinized the security of the popular Tile tracker and came out disappointed. Bluetooth trackers are a steadily growing market, and Life360 is one of the major players. In 2021, Amazon expanded its Sidewalk network to include Tile. That means...
Apple fixes critical font processing bug. Update now!
Apple has released important security updates to address a critical vulnerability in FontParser—the part of macOS/iOS/iPadOS that processes fonts. Identified as CVE-2025-43400, the flaw was discovered internally by Apple and allows an attacker to craft a malicious font that can cause apps to cra...
260 romance scammers and sextortionists caught in huge Interpol sting
Online crime of all kinds is deplorable, but romance scammers and sextortionists who target the most vulnerable victims are among the worst. Now, there’s likely a place for 260 of them in jail, thanks to international law enforcement. Interpol's Operation Contender 3.0 targeted alleged criminals...
Amazon pays $2.5B settlement over deceptive Prime subscriptions
Another day, another settlement. Amazon has settled a lawsuit filed by the Federal Trade Commission (FTC) over misleading customers who signed up for Amazon Prime—though it claims it did nothing wrong. The FTC alleged that Amazon used deceptive methods to sign up consumers for Prime subscriptions—a...
Sex offenders, terrorists, drug dealers, exposed in spyware breach
We've covered spyware and stalkerware leaks many times before, but we don't often see such exposure in software used by law enforcement. According to a report by Straight Arrow News (SAN), the hacker “wikkid” said the intrusion against RemoteCOM was “one of the easiest” they’d ever carried out...
A week in security (September 22 – September 28)
Last week on Malwarebytes Labs: Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data Google and Flo to pay $56 million after misusing users’ health data Neon App pays users to record their phone calls, sells data for AI training updated New SVG-based phishing campaign ...
Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data
Just when you think extortionists can’t sink any lower, along comes a lowlife that manages to surprise you. The BBC reported that a group calling itself "Radiant" claims to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, an...
Google and Flo to pay $56 million after misusing users’ health data
Popular period-tracking app Flo Health shared users’ intimate health data—such as menstrual cycles and fertility information—with Google and Meta, allegedly for targeted advertising purposes, according to multiple class-action lawsuits filed in the US and Canada. Between 2016 and 2019, the...
Neon App pays users to record their phone calls, sells data for AI training [updated]
TechCrunch reports about a “bizarre app” inviting you to record and share your audio calls so that it can sell the data to AI companies. And if that’s not weird enough on its own, it’s ranking No. 2 in Apple's US app store at the time of writing. The name of the app is Neon Mobile and it promises...
New SVG-based phishing campaign is a recipe for disaster
We've written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing. For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in...
LinkedIn will use your data to train its AI unless you opt out now
LinkedIn plans to share user data with Microsoft and its affiliates for AI training. Framed as "legitimate interest", it won't ask for your permission—instead you'll have to opt out before the deadline. Microsoft has made major investments in ChatGPT’s creator OpenAI, and as we know, the more dat...
TikTok is misusing kids’ data, says privacy watchdog
A group of privacy commissioners in Canada have accused TikTok of scooping up information about hundreds of thousands of children who shouldn't have been on the platform. The Chinese social media giant is also accused of collecting data on Canadian users without properly explaining what it does...
Police using drones to read your license plates, warns EFF
Police are using drones as flying automated license plate readers (ALPRs), according to a report by the Electronic Frontier Foundation (EFF). And where there is a market, a provider will jump in. Or was it the other way around this time? Flock Safety, for example, recently told a group of potential l...
Malwarebytes for Teams now includes VPN
Running a small business today can hardly be done from a single device, a single location, or a single network. Staying cybersecure is quite the same. To extend the security and privacy of small business owners, no matter where you are, Malwarebytes for Teams now includes personal VPN access, for...
Fake Malwarebytes, LastPass, and others on GitHub serve malware
Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users. Unfortunately, Malwarebytes for Mac is one of them. Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their...
Can you disappear online? (Lock and Code S06E19)
This week on the Lock and Code podcast There's more about you online than you know. The company Acxiom, for example, has probably determined whether you’re a heavy drinker, or if you're overweight, or if you smoke or all three. The same company has also probably estimated—to the exact dollar—the...
American Archive of Public Broadcasting allowed access to restricted media for years
A security flaw in the American Archive of Public Broadcasting (AAPB) website allowed unauthorized access to protected and private media, according to BleepingComputer. The American Archive of Public Broadcasting (AAPB) is a collaborative initiative between the Library of Congress and WGBH Educationa...