Watch out: Instagram users targeted in novel phishing campaign
A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites. The email looked like this, which is very similar to the on...
Age verification: Child protection or privacy risk?
With governments demanding actual age verification on websites with adult content, and platforms like social media and Roblox introducing restrictions based on a user’s age, the controversy about different types of age verification and their implications is growing. Last week, Roblox announced ne...
iPhone vs. Android: iPhone users more reckless, less protected online
The smartphone wars have a winner, and it’s Android. No, this isn’t about which device has the best camera, the snappiest processor, or the flashiest AI features—this is about which device owners are safer online, and in many ways, it is Android users who take the crown. According to a new analys...
Introducing the smarter, more sophisticated Malwarebytes Trusted Advisor, your cybersecurity personal assistant
You ever get that feeling when you double-check the locks, but still wonder if you’ve missed something? That’s what a lot of people feel about cybersecurity. That’s where Malwarebytes Trusted Advisor comes in. You can see it as your very own cybersecurity personal assistant, giving you real-time...
AI-generated image watermarks can be easily removed, say researchers
Now that AI can make fake images that look real, how can we know what's legitimate and what isn't? One of the primary ways has been the use of defensive watermarking, which means embedding invisible markers in AI-generated images to show they were made up. Now, researchers have broken that...
Proton launches Lumo, a privacy-focused AI chatbot
Proton, known for its privacy-focused set of services, announced the introduction of Lumo, a privacy-first artificial intelligence (AI) chatbot. It is good to know before you dive in that Proton’s chatbot has two user options that offer a very different experience. If you want Lumo to access the...
Startup takes personal data stolen by malware and sells it on to other companies
A tech startup is using personal data stolen by infostealer malware that it has found on the dark web, and then selling access to that data. And it claims to be working within the law. According to 404 Media, for as little as $50, Farnsworth Intelligence will give companies a look at records from...
‘Car crash victim’ calls mother for help and $15K bail money. But it’s an AI voice scam
A woman in Florida was tricked into giving thousands of dollars to a scammer after her daughter's voice was AI-cloned and used in a scam. Sharon Brightwell says she received a call from someone who sounded just like her daughter. The woman on the other end was sobbing and crying, telling her mom...
“Ring cameras hacked”? Amazon says no, users not so sure
In the last week, countless Amazon Ring users on TikTok, Reddit, and X have been saying they believe their Ring cameras were hacked starting May 28. Many posted screenshots of their accounts, showing multiple unauthorized device logins, making these claims hard to ignore. Forbes looked into the...
A week in security (July 14 – July 20)
Last week on Malwarebytes Labs: Meta execs pay the pain away with $8 billion privacy settlement Adoption agency leaks over a million records Meta AI chatbot bug could have allowed anyone to see private conversations WeTransfer walks back clause that said it would train AI on your files Chrome fix...
Meta execs pay the pain away with $8 billion privacy settlement
Meta chief Mark Zuckerberg and several other members of the social media giant's top brass agreed to settle increasingly heated privacy violation claims for the price of $8 billion. It is far from the first time that the company, its subsidiary Facebook, or its executives have responded to allege...
Adoption agency leaks over a million records
Security researcher Jeremiah Fowler found a publicly accessible database online that contained highly personal information from an adoption agency. Jeremiah, who specializes in locating exposed cloud storage, is used to finding sensitive information exposed. However, because of the nature of the...
Meta AI chatbot bug could have allowed anyone to see private conversations
A researcher has disclosed to TechCrunch that he received a $10,000 bounty for reporting a bug that let anyone access private prompts and responses with the Meta AI chatbot. On June 13, we reported that the Meta AI app publicly exposes user conversations, often without users realizing it. In thes...
WeTransfer walks back clause that said it would train AI on your files
File sharing site WeTransfer has rolled back language that allowed it to train machine learning models on any files that its users uploaded. The change was made after criticisms from its users. The company had quietly inserted the new language in the terms and conditions on its website. Sometime...
Chrome fixes 6 security vulnerabilities. Get the update now!
Google has released an update for its Chrome browser to patch six security vulnerabilities, including one zero-day. This update is crucial since it addresses one actively exploited vulnerability which can be abused when the user visits a malicious website. It doesn’t require any further user...
Dating app scammer cons former US army colonel into leaking national secrets
Even hard-headed military types can fall victim to romance scams, it seems. A former US army colonel faces up to ten years in prison after revealing national secrets on a foreign dating app. David Slater was a retired colonel in the US army who took up work as a civilian at US Strategic Command,...
Amazon warns 200 million Prime customers that scammers are after their login info
Amazon has sent out an alert to its 200 million customers, warning them that scammers are impersonating Amazon in a Prime membership scam. In the email, sent earlier this month, Amazon said it had noticed an increase in reports about fake Amazon emails: What's happening: Scammers are sending fak...
Is AI “healthy” to use? (Lock and Code S06E14)
This week on the Lock and Code podcast … “Health” isn’t the first feature that most anyone thinks about when trying out a new technology, but a recent spate of news is forcing the issue when it comes to artificial intelligence (AI). In June, The New York Times reported on a group of ChatGPT users w...
CNN, BBC, and CNBC websites impersonated to scam people
Researchers have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams. Adding a well known brand to your scammy site is a tale as old as time, and gives it an air of legitimacy that increases the likelihood th...
A week in security (July 7 – July 13)
Last week on Malwarebytes Labs: Deepfake criminals impersonate Marco Rubio to uncover government secrets McDonald’s AI bot spills data on job applicants Millions of people spied on by malicious browser extensions in Chrome and Edge No thanks: Google lets its Gemini AI access your apps, including...
Deepfake criminals impersonate Marco Rubio to uncover government secrets
Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government. News emerged this week of an AI-powered attack that impersonated US Secretary of State Marco Rubio. Authorities don't know who was behind the incident. A US State Department cable...
McDonald’s AI bot spills data on job applicants
McDonald's has outsourced the initial stages of its hiring process to an AI chatbot which seems to have been built without proper security measures. Security researchers managed to extract personal information about McDonald's job applicants by simply guessing a username and the password “12345.”...
Millions of people spied on by malicious browser extensions in Chrome and Edge
Researchers have discovered a campaign that tracked users’ online behavior using 18 browser extensions available in the official Chrome and Edge webstores. The total number of installs is estimated to be over two million. These extensions offered functionality, received good reviews, touted...
No thanks: Google lets its Gemini AI access your apps, including messages [updated]
If you're an Android user, you'll need to take action if you don’t want Google's Gemini AI to have access to your apps. That's because, regardless of your previous settings, Google now allows Gemini to interact with third-party apps. Through Gemini extensions, it already had the ability to...
Ransomware negotiator investigated over criminal gang kickbacks
If someone is going to negotiate with criminals for you, that person should at least be on your side. That might not have been the case at Digital Mint, a ransomware negotiation company where one worker allegedly went rogue. According to Bloomberg, Digital Mint is cooperating with the US Departme...
Free certificates for IP addresses: security problem or solution?
Let’s Encrypt has announced it has issued its first certificate for an IP address. Why that’s significant deserves a little explanation. You may have run into Let’s Encrypt certificates many times without realizing it. When you see a padlock icon in your browser’s address bar, it means the site is...
Gamers hacked playing Call of Duty: WWII—PC version temporarily taken offline
On Saturday, the Call of Duty team announced that the PC version of Call of Duty: WWII has been taken offline following "reports of an issue." That issue seems to be a serious security problem, after reports surfaced about a remote code execution (RCE) vulnerability in the game. After Microsoft’s...
A week in security (June 30 – July 6)
Last week on Malwarebytes Labs: Drug cartel hacked cameras and phones to spy on FBI and identify witnesses Catwatchful "child monitoring" app exposes victims’ data Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams Qantas: Breach affects 6 million people, "significant"...
Drug cartel hacked cameras and phones to spy on FBI and identify witnesses
The "El Chapo" Mexican drug cartel snooped on FBI personnel through hacked cameras, and listened in on their phone calls to identify and kill potential witnesses, the US Department of Justice has said. And seven years on, the Bureau's defenses against this kind of surveillance are still inadequat...
Catwatchful “child monitoring” app exposes victims’ data
If an app markets itself as being for “child monitoring”, a customer might expect that their data and those of the person you’re monitoring is handled with the utmost care and respect. However, as we've seen many times before, stalkerware (which is what monitoring software is known as) apps have a...
Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams
Microsoft, DocuSign, Adobe, McAfee, NortonLifeLock, PayPal, and Best Buy’s Geek Squad are being impersonated online through malicious emails that contain fake telephone support numbers and dangerous QR codes that can ensnare victims into phishing scams. The brands and their products are frequentl...
Qantas: Breach affects 6 million people, “significant” amount of data likely taken
Australia's largest airline Qantas has confirmed that cybercriminals have gained access to a third party customer servicing platform that contained 6 million customer service records. Qantas says the breach occurred after a cybercriminal targeted a call centre and managed to gain access to the...
Update your Chrome to fix new actively exploited zero-day vulnerability
Google has released an update for its Chrome browser to patch an actively exploited flaw. This update is crucial since it addresses an actively exploited vulnerability which can be exploited when the user visits a malicious website. It doesn’t require any further user interaction, which means the...
Bluetooth vulnerability in audio devices can be exploited to spy on users
Researchers have found vulnerabilities in 29 Bluetooth devices like speakers, earbuds, headphones, and wireless microphones from reputable companies including Sony, Bose, and JBL. The vulnerabilities could be exploited to spy on users, and even steal information from the device. The researchers w...
Facebook wants to look at your entire camera roll for “AI restyling” suggestions, and more
Facebook's pursuit of your personal data continues apace, and now it has a new target: photos on your phone that you haven't shared with it yet. TechCrunch reports that the social media giant is now asking its users to peek at the photos on their phones' camera rolls. In return it will give them...
Corpse-eating selfies, and other ways to trick scammers (Lock and Code S06E14)
This week on the Lock and Code podcast … There’s a unique counter response to romance scammers. Her name is Becky Holmes. Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to ...
AT&T to pay compensation to data breach victims. Here’s how to check if you were affected
AT&T is set to pay $177 million to customers affected by two significant data breaches. These breaches exposed sensitive personal information of millions of current and former AT&T customers. For those that have missed the story so far: Back in 2021, an entity named Shiny Hunters a known hacking...
Android threats rise sharply, with mobile malware jumping by 151% since start of year
The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems. Recent Malwarebytes threat research...
A week in security (June 23 – June 29)
Last week on Malwarebytes Labs: Gmail’s multi-factor authentication bypassed by hackers to pull off targeted attacks Thousands of private camera feeds found online. Make sure yours isn’t one of them Sextortion email scammers increase their "Hello pervert" money demands Many data brokers are faili...
Fake DocuSign email hides tricky phishing attempt
On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page. Webflow is a...
Jailbroken AIs are helping cybercriminals to hone their craft
Cybercriminals are bypassing the guardrails that are supposed to keep AI models from carrying out criminal activities, according to researchers. We've seen the misuse of AI models by cybercriminals growing rapidly over the past several years, shaping a new era of digital threats. Early on,...
Why the Do Not Call Registry doesn’t work
The “Do Not Call Registry” receives a lot of hate online for failing to do its job: Stop calls. “What’s the point of being on the Do Not Call list?” wrote one user on Reddit who shared a screenshot of ten declined phone calls received across one week. Though already registered with the Do Not Cal...
Facial recognition: Where and how you can opt out
Our remote team recently took a trip to our Estonian office. When we arrived from our various destinations, we started chatting about how our travel had been. Our senior privacy advocate, David Ruiz, mentioned that he'd opted out of facial recognition while at San Francisco International Airport...
Many data brokers are failing to register with state consumer protection agencies
Hundreds of data brokers haven't registered with state consumer protection agencies, according to The Electronic Frontier Foundation (EFF) and Privacy Rights Clearinghouse (PRC). There are different kinds of data brokers, but what they all have in common is that they gather personally identifiable...
Sextortion email scammers increase their “Hello pervert” money demands
Every so often the sextortion emails that start with “Hello pervert” get a redesign. You may have received one yourself: The emails claim that the sender has been watching your online behavior and caught you red-handed doing activities that you would like to keep private. The email usually starts...
Thousands of private camera feeds found online. Make sure yours isn’t one of them
If you have internet-connected cameras in or around your home, be sure to check their settings. Researchers just discovered 40,000 of them serving up images of homes and businesses to the internet. Bitsight's TRACE research team revealed the issue in a report released this month. The cameras were...
Gmail’s multi-factor authentication bypassed by hackers to pull off targeted attacks
Russian hackers have bypassed Google's multi-factor authentication (MFA) in Gmail to pull off targeted attacks, according to security researchers at Google Threat Intelligence Group (GTIG). The hackers pulled this off by posing as US Department of State officials in advanced social engineering attack...
A week in security (June 15 – June 21)
Last week on Malwarebytes Labs: The data on denying social media for kids (re-air) (Lock and Code S06E12) Reddit’s new AI-powered tools scan your posts to serve you better ads Smart air fryers ordered to stop invading our digital privacy WhatsApp to start targeting you with ads Scammers hijack websit...
Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online
When organizations, good or bad, start hoarding collections of login credentials the numbers quickly add up. Take the 184 million logins for social media accounts we reported about recently. Now try to imagine 16 billion! Researchers at Cybernews have discovered 30 exposed datasets containing fro...
Mattel’s going to make AI-powered toys, kids’ rights advocates are worried
Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution. In a press release last week, the owner of the Barbie brand signed a "strategic collaboration" with the AI company, which owns ChatGPT. "By using OpenAI's technology,...