Internet Archive attackers email support users: “Your data is now in the hands of some random guy”

Those who hacked the Internet Archive haven't gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting replies to the tickets from the hackers themselves. Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at...

A week in security (October 14 – October 20)

Last week on Malwarebytes Labs: Unauthorized data access vulnerability in macOS is detailed by Microsoft 23andMe will retain your genetic information, even if you delete the account "Nudify" deepfake bots remove clothes from victims in minutes, and millions are using them Tor Browser and Firefox...

Unauthorized data access vulnerability in macOS is detailed by Microsoft

The Microsoft Threat Intelligence team disclosed details about a macOS vulnerability, dubbed "HM Surf," that could allow an attacker to gain access to the user’s data in Safari. The data the attacker could access without users’ consent includes browsed pages, along with the device’s camera,...

23andMe will retain your genetic information, even if you delete the account

Deleting your personal data from 23andMe is proving to be hard. There are good reasons for people wanting to delete their data from 23andMe: The DNA testing platform has a lot of problems, so let’s start with a recap. A little over a year ago, cybercriminals put up information belonging to as man...

“Nudify” deepfake bots remove clothes from victims in minutes, and millions are using them

Millions of people are turning normal pictures into nude images, and it can be done in minutes. Journalists at Wired found at least 50 "nudify" bots on Telegram that claim to create explicit photos or videos of people with only a couple of clicks. Combined, these bots have millions of monthly...

Tor Browser and Firefox users should update to fix actively exploited vulnerability

Mozilla has announced a security fix for its Firefox browser which also impacts the closely related Tor Browser. The new version fixes one critical security vulnerability which is reportedly under active exploitation. To address the flaw, both Mozilla and Tor recommend that users update their...

AI scammers target Gmail accounts, say they have your death certificate

Several reputable sources are warning about a very sophisticated Artificial Intelligence AI supported type of scam that is bound to trick a lot of people into compromising their Gmail account. The most recent warning comes from CEO of Y Combinator Garry Tan who posted on X, saying the scammers...

Election season raises fears for nearly a third of people who worry their vote could be leaked

As the United States enters full swing into its next presidential election, people are feeling worried, unsafe, and afraid. And none of that has to do with who wins. According to new research from Malwarebytes, people see this election season as a particularly risky time for their online privacy...

Robot vacuum cleaners hacked to spy on, insult owners

Multiple robot vacuum cleaners in the US were hacked to yell obscenities and insults through the onboard speakers. ABC news was able to confirm reports of this hack in robot vacuum cleaners of the type Ecovacs Deebot X2, which are manufactured in China. Ecovacs is considered the leading service...

A week in security (October 7 – October 13)

Last week on Malwarebytes Labs: Modern TVs have "unprecedented capabilities for surveillance and manipulation," group reveals Internet Archive suffers data breach and DDoS Google Search user interface: A/B testing shows security concerns remain AI girlfriend site breached, user fantasies stolen...

Modern TVs have “unprecedented capabilities for surveillance and manipulation,” group reveals

Your television is debuting the latest, most captivating program: You. In a report titled “How TV Watches Us: Commercial Surveillance in the Streaming Era,” the Center for Digital Democracy CDD spotlighted a massive data-driven surveillance apparatus that ensnares the public through modern...

Internet Archive suffers data breach and DDoS

A non-profit that benefits millions of people has fallen victim to a data breach and a DDoS attack. Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis...

Google Search user interface: A/B testing shows security concerns remain

For the past few days, Google has been A/B testing some subtle visual changes to its user interface for the search results page. You may only get the new UI for certain types of searches or based on your current geolocation. This test is not to be confused with but could part of a previously...

AI girlfriend site breached, user fantasies stolen [updated]

A hacker has stolen a massive database of users’ interactions with their sexual partner chatbots, according to 404 Media. The breached service, Muah.ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats. As you can...

MoneyGram confirms customer data breach

Money transfer company MoneyGram has notified its customers of a data breach in which it says certain customers had their personal information taken between September 20 and 22, 2024. The investigation into the incident that was discovered on September 27 is still ongoing, and the number of...

Exposing the Facebook funeral livestream scam (Lock and Code S05E21)

This week on the Lock and Code podcast … Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends. Cybercrime has never been a job of morals calling it a "job" is already lending it too much credit, but, for many years, scams...

Comcast and Truist Bank customers impacted by debt collector’s breach

A data breach at Financial Business and Consumer Solutions FBCS, a US debt collection agency, has led to the loss of data of some Comcast Cable Communications and Truist Bank customers. FBCS is in the business of collecting unpaid debts on behalf of its customers. The data breach occurred in...

Large scale Google Ads campaign targets utility software

After what seemed like a long hiatus, we've observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we...

iPhone flaw could read your saved passwords out loud. Update now!

Apple has issued security updates for iOS 18.0.1 and iPadOS 18.0.1 which includes a fix for a bug that could allow a user's saved passwords to be read aloud by its VoiceOver feature. VoiceOver allows users to use their iPhone or iPad even if they can't see the screen. It gives audible description...

A week in security (September 30 – October 6)

Last week on Malwarebytes Labs: Facebook and Instagram passwords were stored in plaintext, Meta fined Android users targeted on Facebook and porn sites, served adware Fake Disney+ activation page redirects to pornographic scam Radiology provider exposed tens of thousands of patient files Not Blac...

Browser Guard now flags data breaches and better protects personal data

Two things are true of data online: It will be collected and, just as easily, it will be lost. But a major update to Malwarebytes Browser Guard will better protect users from opaque data collection that happens every day online, as well as raising their awareness about corporate data breaches tha...

Not Black Mirror: Meta’s smart glasses used to reveal someone’s identity just by looking at them

Like something out of Black Mirror, two students have demonstrated a way to use smart glasses and facial recognition technology to immediately reveal people’s names, phone numbers, and addresses. The Harvard students have dubbed the system I-XRAY and it works like this: When you look at someone’s...

Radiology provider exposed tens of thousands of patient files

An anonymous person has disclosed that they gained online access to a radiologist's platform that hosted patient information using stolen credentials. I-MED Radiology is Australia’s leading medical imaging provider. Their clinics offer a range of imaging procedures including MRI, CT, x-ray,...

Fake Disney+ activation page redirects to pornographic scam

A common way to activate digital subscriptions such as Netflix, Prime or Disney+ on a new TV is to visit a website and enter the code seen on your screen. It's much easier than having to authenticate using a remote and typing a username and password. Scammers are creating fake activation pages th...

Android users targeted on Facebook and porn sites, served adware

Android users, be on your guard against adware trying to infect your device. The adware—known as MobiDash—is spreading via several channels, according to ThreatDown research. One of the characteristics that makes MobiDash stand out is that it can be added to legitimate apps without changing how t...

Facebook and Instagram passwords were stored in plaintext, Meta fined

Ireland’s privacy watchdog Data Protection Commission DPC has fined Meta €91M $101M after the discovery in 2019 that Meta had stored 600 million Facebook and Instagram passwords in plaintext. The DPC ruled that Meta was in violation of GDPR on several occasions related to this breach. It determin...

A week in security (September 23 – September 29)

Last week on Malwarebytes Labs: Millions of Kia vehicles were vulnerable to remote attacks with just a license plate number Privacy watchdog files complaint over Firefox quietly enabling its Privacy Preserving Attribution Telegram will hand over user details to law enforcement Don’t share the vir...

Millions of Kia vehicles were vulnerable to remote attacks with just a license plate number

In June of 2024 security researchers uncovered a set of vulnerabilities in the Kia dealer portal that allowed them to remotely take over any Kia vehicle built after 2013—and all they needed was a license plate number. According to the researchers: "These attacks could be executed remotely on any...

Privacy watchdog files complaint over Firefox quietly enabling its Privacy Preserving Attribution

A European privacy watchdog has filed a complaint against Mozilla for quietly enabling Privacy Preserving Attribution PPA in its Firefox browser. Noyb none of your business argues that despite its reassuring name, the feature allows the browser to track your online behavior. By design, Privacy...

Telegram will hand over user details to law enforcement

Last month we reported how Telegram CEO Pavel Durov was indicted on charges of complicity in the distribution of child sex abuse images, aiding organized crime, drug trafficking, fraud, and refusing lawful orders to give information to law enforcement. Now, in a potentially related development,...

Don’t share the viral Instagram Meta AI “legal” post

A new variation of a hoax that has been doing the rounds on Facebook for years has crossed over to Instagram. We’re seeing this post on Instagram Stories a lot suddenly over the last few days. The post is usually posted as a shareable screenshot on Instagram Stories, but it’s also been spotted on...

Romance scams costlier than ever: 10 percent of victims lose $10,000 or more

Romance scams continue to plague users, but their costs have risen to staggering heights, according to a Malwarebytes survey carried out last month via our weekly newsletter. More than 66 percent of 850 respondents have been targeted by a romance scam, and those that were ensnared paid a hefty...

Malwarebytes Personal Data Remover: A new way to help scrub personal data online

There’s an awful lot about you online that some awful groups want to exploit. The right combination of personal data points could help an identity thief fool a bank into opening a new, fraudulent line of credit in your name. Your alma mater, salary, and email address could help an online scammer...

100 million+ US citizens have records leaked by background check service

A background check left a huge database unprotected online containing 2.2TB of people's data, according to research by Cybernews. The database was left passwordless and easily accessible to anyone on the internet by background check firm MC2 Data. MC2 Data gathers publicly available data to provi...

San Francisco’s fight against deepfake porn, with City Attorney David Chiu (Lock and Code S05E20)

This week on the Lock and Code podcast … On August 15, the city of San Francisco launched an entirely new fight against the world of deepfake porn—it sued the websites that make the abusive material so easy to create. “Deepfakes,” as they’re often called, are fake images and videos that utilize...

Relationship broken up? Here’s how to separate your online accounts

Breaking up is hard to do. The internet has made it harder. With couples today regularly sharing access to one another’s email accounts, streaming services, social media platforms, online photo albums, and more, the risk of a bad breakup isn’t just heartache. Equipped with unfettered access into...

SpaceX, CNN, and The White House internal data allegedly published online. Is it real?

A cybercriminal has released internal data online that they say has come from leaks at several high-profile sources, including SpaceX, CNN, and the White House. However, there are some questions around the reliability and usefulness of the released data, so we took a closer look. When it comes to...

A week in security (September 16 – September 22)

Last week on Malwarebytes Labs: "Simply staggering" surveillance conducted by social media and streaming services, FTC finds Tor anonymity compromised by law enforcement. Is it still safe to use? Walmart customers scammed via fake shopping lists, threatened with arrest Snapchat wants to put your...

“Simply staggering” surveillance conducted by social media and streaming services, FTC finds

The US Federal Trade Commission FTC released a report that examines the data collection and use practices of major social media and video streaming services, finding that—and this will not come as a surprise to our regular readers—the companies engaged in vast surveillance of consumers in order t...

Tor anonymity compromised by law enforcement. Is it still safe to use?

Despite people generally considering the Tor network as an essential tool for anonymous browsing, german law enforcement agencies have managed to de-anonymize Tor users after putting surveillance on Tor servers for months. Before we go into the what the agencies did, let's take a look at some...

Walmart customers scammed via fake shopping lists, threatened with arrest

Shopping online or attempting to get in touch with a store is a little bit like walking on a minefield: you might get lucky or take a wrong step and get scammed. Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and...

Snapchat wants to put your AI-generated face in its ads

Snapchat is reserving the right to use your selfie images to power Cameos, Generative AI, and other experiences on Snapchat, including ads, according to our friends at 404 Media, The Snapchat Support page about its My Selfie feature says: “You’ll take selfies with your Snap camera or select image...

iOS 18 is out. Here are the new privacy and security features

On September 16, 2024, Apple released iOS 18. Besides a lot of exciting new features, iOS 18 comes with some privacy and security enhancements. One of the most promising new features is the new Passwords app. Built on the foundation of Apple's password management system Keychain, Passwords makes ...

23andMe to pay $30 million in settlement over 2023 data breach

Genetic testing company 23andMe will pay $30 million to settle a class action lawsuit over a 2023 data breach which ended in some customers having information like names, birth years, and ancestry information exposed. In October 2023, we reported on how information belonging to as many as seven...

A week in security (September 9 – September 15)

Last week on Malwarebytes Labs: Ford seeks patent for conversation-based advertising Scammers advertise fake AppleCare+ service via GitHub repos Facebook scrapes photos of kids from Australian user profiles to train its AI PartnerLeak scam site promises victims full access to "cheating" partner’s...

Ford wants to eavesdrop on passenger conversations to help target ads

Car manufacturer Ford Motor Company has filed a patent application for an in-vehicle advertisement presentation system based on information derived from several trip and driver characteristics. Among those characteristics—human conversations. In the abstract of the patent application publication...

Scammers advertise fake AppleCare+ service via GitHub repos

Weve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository...

Facebook scrapes photos of kids from Australian user profiles to train its AI

Facebook has admitted that it scrapes the public photos, posts and other data from the accounts of Australian adult users to train its AI models. Unlike citizens of the European Union EU, Australians are not offered an opt-out option to refuse consent. At an inquiry as to whether the social media...

PartnerLeak scam site promises victims full access to “cheating” partner’s stolen data

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email. That was until the scammers were “kind enough” to send one to one of our co-workers. your partner is...

Payment provider data breach exposes credit card information of 1.7 million customers

Payment provider Slim CD has disclosed a security incident that may have exposed the full credit card information of anyone paying at a merchant that uses Slim CD’s services. The Florida-based gateway system, which allows merchants to take any kind of electronic payment, said on June 15 it notice...