Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online
When organizations, good or bad, start hoarding collections of login credentials the numbers quickly add up. Take the 184 million logins for social media accounts we reported about recently. Now try to imagine 16 billion! Researchers at Cybernews have discovered 30 exposed datasets containing fro...
Mattel’s going to make AI-powered toys, kids’ rights advocates are worried
Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution. In a press release last week, the owner of the Barbie brand signed a "strategic collaboration" with the AI company, which owns ChatGPT. "By using OpenAI's technology,...
Fake bank ads on Instagram scam victims out of money
Ads on Instagram—including deepfake videos—are impersonating trusted financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) in order to scam people, according to BleepingComputer. There are some variations in how the scammers approach this. Some use Artificial Intelligence (AI)...
5 riskiest places to get scammed online
Scammers love your smartphone. They can text you fraudulent tracking links for packages you never bought. They can profess their empty love to you across your social media apps. They can bombard your email inbox with phishing attempts, impersonate a family member through a phone call, and even...
Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number
The examples in this post are actual fraud attempts found by Malwarebytes Senior Director of Research, Jérôme Segura. Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a...
WhatsApp to start targeting you with ads
WhatsApp has announced that it will start to show you targeted ads on the app. The ads, it says, will appear under the Updates tab. WhatsApp launched the Updates tab a year ago, and now 1.5 billion people visit it every day. Updates has historically been a place for users to follow news and updat...
Smart air fryers ordered to stop invading our digital privacy
In a confirmation that we've gone full Black Mirror, the UK's privacy czar has wagged a finger at air fryer manufacturers and told them to stop playing with our data. New draft guidance from the Information Commissioner's Office (ICO) targets not just air fryer vendors but manufacturers of any smar...
Reddit’s new AI-powered tools scan your posts to serve you better ads
Reddit has introduced two Artificial Intelligence (AI) tools which will use Reddit comments, posts, and conversations to help sellers make the most of the community. Reddit is a social media platform and online forum where users can share and discuss content across a wide range of topics. The...
The data on denying social media for kids (re-air) (Lock and Code S06E12)
This week on the Lock and Code podcast … Complex problems often assume complex solutions, but recent observations about increased levels of anxiety and depression, increased reports of loneliness, and lower rates of in-person friendships for teens and children in America today have led some schoo...
A week in security (June 9 – June 15)
Last week on Malwarebytes Labs: Been scammed online? Here’s what to do; How and where to report an online scam; Google bug allowed phone number of almost any user to be discovered; 44% of people encounter a mobile scam every single day, Malwarebytes finds; GirlsDoPorn owner faces life in jail after...
Your Meta AI chats might be public, and it’s not a bug
Conversations that people are having with the Meta AI app are being exposed publicly, often without the users realizing it, revealing a variety of medical, legal, and private matters. The standalone app and the company's integrations with artificial intelligence (AI) across its platforms—Facebook,...
US airline industry quietly selling flight data to DHS
A data broker owned by some of America's biggest airlines has been selling access to customer flight data to the US Department of Homeland Security (DHS). The data, compiled by data broker Airlines Reporting Corporation (ARC), includes names, flight itineraries, and financial details. It also covers...
23andMe raked by Congress on privacy, sale of genetic data
In a Senate hearing aptly titled “23 and You: The Privacy and National Security Implications of the 23andMe Bankruptcy,” 23andMe executives addressed concerns about the privacy implications of the company’s sale and the handling of associated genetic data. For those who missed the latest...
GirlsDoPorn owner faces life in jail after pleading guilty to sex trafficking
Michael James Pratt, the owner of pornographic websites GirlsDoPorn and GirlsDoToys, has pleaded guilty to sex trafficking in a US court. Pratt ran the websites, which lured and coerced young women into filming pornographic videos, from 2013 to 2019. Pratt and his accomplices lured women from...
44% of people encounter a mobile scam every single day, Malwarebytes finds
It’s become so troublesome owning a phone. Malicious texts pose as package delivery notifications, phishing emails impersonate trusted brands, and unknown calls hide extortion attempts, virtual kidnapping schemes, or AI threats. Confusingly, even legitimate businesses now lean on outreach tactics...
Google bug allowed phone number of almost any user to be discovered
Google has fixed vulnerabilities that made it possible to retrieve the phone numbers of almost any Google user. The flaw was found in the flow that allows users to recover their Google account using a phone number. A cybersecurity researcher called Brutecat was able to figure out the phone number...
How and where to report an online scam
If you've been scammed it's really important to report it, if you can, in order to help prevent others falling for the same scam, and give authorities a chance to catch the criminal who did it. The method for reporting a scam varies according to the country you're in, the platforms you're...
Been scammed online? Here’s what to do
Unfortunately, people getting scammed online is a frequent event. Scammers are getting better at social engineering and are using Artificial Intelligence (AI) to sound more authentic and eliminate any spelling errors. It really can happen to anyone, so there's no need to feel embarrassed if you hav...
A week in security (June 1 – June 7)
Last week on Malwarebytes Labs: What does Facebook know about me? (Lock and Code S06E11); Victims risk AsyncRAT infection after being redirected to fake Booking.com sites; Juice jacking warnings are back, with a new twist; The North Face warns customers about potentially stolen data; Scammers are...
How to update Chrome on every operating system
We often write about important updates for the most popular browser, Google Chrome. Since it would be out of scope to post elaborate update instructions for every possible platform and operating system (OS)—like iOS, macOS, Windows, Android, etc.—we decided to turn this topic into a separate post...
OpenAI forced to preserve ChatGPT chats
OpenAI has protested a court order that forces it to retain its users' conversations. The creator of the ChatGPT AI model objected to the order, which is part of a copyright infringement case against it by The New York Times and other publishers. The news organizations argued that ChatGPT was...
Booking.com reservation abused as cybercriminals steal from travelers
Robert Woodford, a recruitment marketing specialist, recently shared on LinkedIn how he fell victim to a highly sophisticated scam while booking a hotel in Verona through Booking.com, providing a striking example of how attacks on the hospitality industry affect travelers. After completing a...
Pornhub, RedTube, and YouPorn block access in France, VPN use set to soar
VPNs (Virtual Private Networks) are suddenly popular in France. Not because France has suddenly become super privacy conscious, but because Pornhub, RedTube, and YouPorn have blocked access in France. But why? Last year, France enacted a law mandating that pornographic sites implement stricter...
Ransomware hiding in fake AI, business tools
Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware. In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead...
Google fixes another actively exploited vulnerability in Chrome, so update now!
Google has released an update for the Chrome browser to patch an actively exploited flaw. The update brings the Stable channel to versions 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux. The easiest way to update Chrome is to allow it to update automatically, but you can end up...
Scammers are constantly changing the game, but so are we. Introducing Malwarebytes Scam Guard
Mobile scams are becoming increasingly sophisticated, leaving people vulnerable to cybercriminals. We recently reported on the ever-increasing number of scams that are created by AI-supported tools, with attackers crafting highly convincing phishing emails that target both individuals and...
The North Face warns customers about potentially stolen data
For the fourth time in its history, The North Face has notified customers that their account may have been compromised. This time, the company laid blame on a credential stuffing attack. The North Face is best known for its line of outdoor clothing, footwear, and related equipment. With an annual...
Juice jacking warnings are back, with a new twist
Remember juice jacking? It's a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really? Juice jacking is where an attacker uses a malicious public USB...
Victims risk AsyncRAT infection after being redirected to fake Booking.com sites
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities...
A week in security (May 26 – June 1)
Last week on Malwarebytes Labs: Porn sites probed for allegedly failing to prevent minors from accessing content; Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts; Deepfake-posting man faces huge $450,000 fine; Fake AI video generator tools lure in...
What does Facebook know about me? (Lock and Code S06E11)
This week on the Lock and Code podcast … There's an easy way to find out what Facebook knows about you—you just have to ask. In 2020, the social media giant launched an online portal that allows all users to access their historical data and to request specific types of information for download...
Porn sites probed for allegedly failing to prevent minors from accessing content
Four porn sites are being investigated by the European Commission under its Digital Services Act (DSA) for allegedly failing to verify their users' ages properly. The Commission, which drafts and enforces the European Union's laws, is focusing the lens on Pornhub, Stripchat, XNXX, and XVideos with th...
Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts
Search hijacking, often referred to as browser hijacking, occurs when cybercriminals modify users’ browser settings without their consent. This often results in users being redirected to potentially malicious websites, such as fake customer service offerings. Search hijacking commonly happens...
Deepfake-posting man faces huge $450,000 fine
A man is facing a $450,000 AU fine after he published deepfake images of prominent Australian women on the now-defunct MrDeepfakes web site. That's if Australia's online safety regulator gets its way. Anthony Rotondo faces charges of posting these and other explicit deepfake images to the...
Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
Cybercriminals are taking advantage of the public’s interest in Artificial Intelligence (AI) and delivering malware via text-to-video tools. According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools t...
New warning issued over toll fee scams
Over a year ago the FBI warned about what was then a new form of smishing (phishing via SMS) scam: text messages that demanded payment for toll fees. The FTC sent out a similar warning in January, 2025. Then, in April another wave of toll fee scams began doing the rounds. Now the Departments of Mot...
184 million logins for Instagram, Roblox, Facebook, Snapchat, and more exposed online
A recent discovery by cybersecurity researcher Jeremiah Fowler of an unsecured database containing over 184 million unique login credentials has once again highlighted the growing threat posed by infostealers. While the sheer volume of exposed data—including emails, passwords, and authorization...
A week in security (May 19 – May 25)
Last week on Malwarebytes Labs: Lumma information stealer infrastructure disrupted; Stalkerware apps go dark after data breach; Scammers are using AI to impersonate senior officials, warns FBI; 23andMe and its customers’ genetic data bought by a pharmaceutical org; Malware-infected printer delivered...
Lumma information stealer infrastructure disrupted
The US Department of Justice (DOJ) and Microsoft have disrupted the infrastructure of the Lumma information stealer (infostealer). Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the na...
Stalkerware apps go dark after data breach
A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too. Back in February, news emerged of a stalkerware app compromise...
Scammers are using AI to impersonate senior officials, warns FBI
The FBI has issued a warning about an ongoing malicious text and voice messaging campaign that impersonates senior US officials. The targets are predominantly current or former US federal or state government officials and their contacts. In the course of this campaign, the cybercriminals have use...
23andMe and its customers’ genetic data bought by a pharmaceutical org
The bankrupt genetic testing company 23andMe has been scooped up by drug producer Regeneron Pharmaceuticals for $256 million. But why would a pharmaceutical company like Regeneron buy a bankrupt genetics testing company like 23andMe for such a large amount of money? Well, Regeneron is a...
Malware-infected printer delivered something extra to Windows users
You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong. The Shenzhen-based company sells UV printers, which are able to print on a variety of materials including wood, acrylic...
How Los Angeles banned smartphones in schools (Lock and Code S06E10)
This week on the Lock and Code podcast … There's a problem in class today, and the second largest school district in the United States is trying to solve it. After looking at the growing body of research that has associated increased smartphone and social media usage with increased levels of...
Update your Chrome to fix serious actively exploited vulnerability
Google released an emergency update for the Chrome browser to patch an actively exploited vulnerability that could have serious ramifications. The update brings the Stable channel to versions 136.0.7103.113/.114 for Windows and Mac and 136.0.7103.113 for Linux. The easiest way to update Chrome is...
A week in security (May 12 – May 18)
Last week on Malwarebytes Labs: Data broker protection rule quietly withdrawn by CFPB; Meta sent cease and desist letter over AI training; Google to pay $1.38 billion over privacy violations; Android users bombarded with unskippable ads. Last week on ThreatDown: ThreatDown introduces Firewall...
Data broker protection rule quietly withdrawn by CFPB
The Consumer Financial Protection Bureau (CFPB) has decided to withdraw a 2024 rule to limit the sale of Americans’ personal information by data brokers. In a Federal Register notice published yesterday, the CFPB said it "has determined that legislative rulemaking is not necessary or appropriate at...
Meta sent cease and desist letter over AI training
EU privacy advocacy group NOYB has clapped back at Meta over its plans to start training its AI model on European users' data. In a cease and desist letter to the social networking giant's Irish operation signed by founder Max Schrems, the non-profit demanded that it justify its actions or risk...
Google to pay $1.38 billion over privacy violations
The state of Texas reached a mammoth financial agreement with Google last week, securing $1.375 billion in payments to settle two three-year-old lawsuits. The Office of Texas Attorney General Ken Paxton originally filed the first lawsuit against Google in January 2022, complaining that the tech...