Luxury retail chain Neiman Marcus has begun to inform customers about a cyberattack it discovered in May. The attacker compromised a database platform storing customers’ personal information.

The letter tells customers:

“Promptly after learning of the issue, we took steps to contain it, including by disabling access to the relevant database platform.”

In the data breach notification, Neiman Marcus says 64,472 people are affected.

An investigation showed that the data contained information such as name, contact data, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers. According to Neiman Marcus, the exposed data does not include gift card PINs. Shortly after the data breach disclosure, a cybercriminal going by the name “Sp1d3r” posted on BreachForums that they were willing to sell the data.

“Neiman Marcus not interested in paying to secure data. We give them opportunity to pay and they decline. Now we sell. Enjoy!”

According to Sp1d3r, the data includes name, address, phone, dates of birth, email, last four digits of Social Security Numbers, and much more in 6 billion rows of customer shopping records, employee data, and store information.

Neiman Marcus is reportedly one of the many victims of the Snowflake incident, in which the third-party platform used by many big brands was targeted by cybercriminals. The name Sp1d3r has been associated with the selling of information belonging to other Snowflake customers.

Oddly enough, Sp1d3r’s post seems to have since disappeared.

Sp1d3r’s post count went down back to 19 instead of the 20 displayed in the screenshot above.

So, the post has either been removed, withdrawn, or hidden for reasons which are currently unknown. As usual, we will keep an eye on how this develops.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear on how much information was involved in the Neiman Marcus breach, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

For the first time since news broke about a ransomware attack on Change Healthcare, the company has released details about the data stolen during the attack.

First, a quick refresher: On February 21, 2024, Change Healthcare experienced serious system outages due to a cyberattack. The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on. The ransomware group ALPHV claimed responsibility for the attack.

But shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the FBI had seized control over the group’s website. Then a new ransomware group, RansomHub, listed the organization as a victim on its dark web leak site, saying it possessed 4 TB of “highly selective data,” relating to “all Change Health clients that have sensitive data being processed by the company.”

In April, parent company UnitedHealth Group released an update, saying:

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

Now, Change Healthcare has detailed the types of medical and patient data that was stolen. Although Change cannot provide exact details for every individual, the exposed information may include:

• Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
• Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
• Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
• Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
• Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

“The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

Change Healthcare says it will send written letters—as long as it has a person’s address and they haven’t opted out of notifications—once it has concluded the data review.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The cybercriminal acting under the name “Sp1d3r” gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free.

When Malwarebytes Labs first learned about this data breach, it happened to be the first major event that was shared on the resurrected BreachForums, and someone acting under the handle “ShinyHunters” offered the full details (name, address, email, phone) of 560 million customers for sale.

The same data set was offered for sale in an almost identical post on another forum by someone using the handle “SpidermanData.” This could be the same person or a member of the ShinyHunters group.

Following this event, Malwarebytes Labs advised readers on how to respond and stay safe. Importantly, even when a breach isn’t a “breach”—in that immediate moment when the details have yet to be confirmed and a breach subject is readying its public statements—the very news of the suspected breach can be used by advantageous cybercriminals as a phishing lure.

Later, Ticketmaster confirmed the data breach.

Bleeping Computer spoke to ShinyHunters who said they already had interested buyers. Now, Sp1d3r, who was seen posting earlier about Advance Auto Parts customer data and Truist Bank data, has released 1 million Ticketmaster related data records for free.

In a post on BreachForums, Sp1d3r said:

“Ticketmaster will not respond to request to buy data from us.

They care not for the privacy of 680 million customers, so give you the first 1 million users free.”

The cybercriminals that are active on those forums will jump at the occasion and undoubtedly try to monetize those records. This likely means that innocent users that are included in the first million released records could receive a heavy volume of spam and phishing emails in the coming days.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

“I’m selling a zero-day RCE for Atlassian’s Jira.

Works for the latest version of the desktop app, as well as Jira with confluence.

No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

“We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The Federal Trade Commission (FTC) has announced it’s referred a complaint against TikTok and parent company ByteDance to the Department of Justice.

The investigation originally focused on Musical.ly which was acquired by ByteDance on November 10, 2017, and merged it into TikTok.

The FTC started a compliance review of Musical.ly following a 2019 settlement with the company for violations of the Children’s Online Privacy Protection Act (COPPA). In the settlement, Musical.ly received a fine of $5.7m for collecting personal information from children without parental consent.

One of the main concerns was that Musical.ly did not ask the user’s age and later failed to go back and request age information for people who already had accounts.

COPPA requires sites and services like Musical.ly and TikTok – among other things – to get parental consent before collecting personal information from children under 13.

Musical.ly also failed to deal with complaints properly. The FTC found that—in just a two-week period in September 2016—the company received over 300 complaints from parents asking Musical.ly to delete their child’s account. However, under COPPA it’s not enough just to delete existing accounts, companies have to remove the kids’ videos and profiles from the company’s servers; Musical.ly failed to do this.

In 2022, TikTok itself faced a $28m fine for failing to protect children’s privacy after an investigation of a possible breach of the UK’s data protection laws.

In the US, TikTok agreed to pay $92 million in 2021 to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

The FTC states that during the investigation it uncovered reasons to believe that “defendants are violating or are about to violate the law and that a proceeding is in the public interest.”

The FTC also said it usually doesn’t publicize the referral of complaints but feels it is in the public interest to do so now.

TikTok has been in the crosshairs of privacy and security professionals and politicians for years.

In June 2022,  the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores considering it an unacceptable national security risk because of its Chinese ownership.

In 2023, General Paul Nakasone, Director of the National Security Agency (NSA) referred to TikTok as a loaded gun in the hands of America’s TikTok-addicted youth.

Recently, we reported about the take-over of some high-profile TikTok accounts just by opening a Direct Message.

And the clock is ticking when it comes to TikTok’s presence in the US, after the US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the still immensely popular app.

Somehow we don’t think we’ve heard the last of this.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

All isn’t fair in love and romance today, as 43% of people in a committed relationship said they have felt pressured by their own partners to share logins, passcodes, and/or locations. A worrying 7% admitted that this type of pressure has included the threat of breaking up or the threat of physical or emotional harm.

These are latest findings from original research conducted by Malwarebytes to explore how romantic couples navigate shared digital access to one another’s devices, accounts, and location information.

In short, digital sharing is the norm in modern relationships, but it doesn’t come without its fears.

While everybody shares some type of device, account, or location access with their significant other (100% of respondents), and plenty grant their significant other access to at least one personal account (85%), a sizeable portion longs for something different—31% said they worry about “how easy it is for my partner to track what I’m doing and where I am all times because of how much we share,” and 40% worry that “telling my partner I don’t want to share logins, PINs, and/or locations would upset them.”

By surveying 500 people in committed relationships in the United States, Malwarebytes has captured a unique portrait of what it means to date, marry, and be in love in 2024—a part of life that is now inseparable from smart devices, apps, and the internet at large.

The complete findings can be found in the latest report, “What’s mine is yours: How couples share an all-access pass to their digital lives.” You can read the full report below.

Here are some of the key findings:

• Partners share their personal login information for an average of 12 different types of accounts.
• 48% of partners share the login information of their personal email accounts.
• 30% of partners regret sharing location tracking.
• 18% of partners regret sharing account access. The number is significantly higher for men (30%).
• 29% of partners said an ex-partner used their accounts to track their location, impersonate them, access their financial accounts, and other harms.
• Around one in three Gen Z and Millennial partners report an ex has used their accounts to stalk them.

But the data doesn’t only point to causes for concern. It also highlights an opportunity for learning. As Malwarebytes reveals in this latest research, people are looking for guidance, with seven in 10 people admitting they want help navigating digital co-habitation.

According to one Gen Z survey respondent:

“I feel like it might take some effort (to digitally disentangle) because we are more seriously involved. We have many other kinds of digital ties that we would have to undo in order to break free from one another.”

That is why, today, Malwarebytes is also launching its online resource hub: Modern Love in the Digital Age. At this new guidance portal, readers can learn about whether they should share their locations with their partners, why car location tracking presents a new problem for some couples, and how they can protect themselves from online harassment. Access the hub below.

Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.

The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.

However, Recall received heavy criticism by security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.

Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.

In Microsoft’s own words:

“Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Microsoft didn’t see the problem, with its vice chair and president, Brad Smith even using Recall as an example to demonstrate how Microsoft is secure during the Committee Hearing: A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.

But now things have changed, and Recall will now only be available for participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.

Another security measure taken only as an afterthought was that users will now have to log into Windows Hello in order to activate Recall and to view your screenshot timeline.

In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.

“This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant amount of data allegedly stolen from Truist Bank for sale.

Truist is a US bank holding company and operates 2,781 branches in 15 states and Washington DC. By assets, it is in the top 10 of US banks. In 2020, Truist provided financial services to about 12 million consumer households.

The online handle of the seller immediately raised the suspicion that this was yet another Snowflake related data breach.

The post also mentions Suntrust bank because Truist Bank arose after SunTrust Banks and BB&T (Branch Banking and Trust Company) merged in December 2019.

For the price of $1,000,000, other cybercriminals can allegedly get their hands on:

• Employee Records: 65,000 records containing detailed personal and professional information.
• Bank Transactions: Data including customer names, account numbers, and balances.
• IVR Source Code: Source code for the bank’s Interactive Voice Response (IVR) funds transfer system.

IVR is a technology that allows telephone users to interact with a computer-operated telephone system through the use of voice and Dual-tone multi-frequency signaling (DTMF aka Touch-Tone) tones input with a keypad. Access to the source code may enable criminals to find security vulnerabilities they can abuse.

Given the source and the location where the data were offered, we decided at the time to keep an eye on things but not actively report on it. But now a spokesperson for Truist Bank told BleepingComputer:

“In October 2023, we experienced a cybersecurity incident that was quickly contained.”

Further, the spokesperson stated that after an investigation, the bank notified a small number of clients and denied any connection with Snowflake.

“That incident is not linked to Snowflake. To be clear, we have found no evidence of a Snowflake incident at our company.”

But the bank disclosed that based on new information that came up during the investigation, it has started another round of informing affected customers.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Following days of user pushback that included allegations of forcing a “spyware-like” Terms of Service (ToS) update into its products, design software giant Adobe explained itself with several clarifications.

Apparently, the concerns raised by the community, especially among Photoshop and Substance 3D users, caused the company to reflect on the language it used in the ToS. The adjustments that Adobe announced earlier this month suggested that users give the company unlimited access to all their materials—including materials covered by company Non-Disclosure Agreements (NDAs)—for content review and similar purposes.

As Adobe included in its Terms of Service update:

“As a Business User, you may have different agreements with or obligations to a Business, which may affect your Business Profile or your Content. Adobe is not responsible for any violation by you of such agreements or obligations.

This wording immediately sparked the suspicion that the company intends to use user-generated content to train its AI models. In particular, users balked at the following language:

“[.] you grant us a non-exclusive, worldwide, royalty-free sublicensable, license, to use, reproduce, publicly display, distribute, modify, create derivative works based on, publicly perform, and translate the Content.”

To reassure these users, on June 10, Adobe explained:

“We don’t train generative AI on customer content. We are adding this statement to our Terms of Use to reassure people that is a legal obligation on Adobe. Adobe Firefly is only trained on a dataset of licensed content with permission, such as Adobe Stock, and public domain content where copyright has expired.”

Alas, several artists found images that reference their work on Adobe’s stock platform.

As we have explained many times, the length and the use of legalese in the ToS does not do either the user or the company any favors. It seems that Adobe understands this now as well.

“First, we should have modernized our Terms of Use sooner. As technology evolves, we must evolve the legal language that evolves our policies and practices not just in our daily operations, but also in ways that proactively narrow and explain our legal requirements in easy-to-understand language.”

Adobe also said in its blog post that it realized it has to earn the trust of its users and is taking the feedback very seriously and it will be grounds to discuss new changes. Most importantly it wants to stress that you own your content, you have the option to opt out of the product improvement program, and that Adobe does not scan content stored locally on your computer.

Adobe expects to roll out new terms of service on June 18th and aims to better clarify what Adobe is permitted to do with its customers’ work. This is a developing story, and we’ll keep you posted.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

The British and Canadian privacy authorities have announced they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was discovered in October 2023.

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that cybercriminals had “obtained information from certain accounts, including information about users’ DNA Relatives profiles.”

Later, an investigation by 23andMe showed that an attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

For a subset of these accounts, the stolen data contained health-related information based on the user’s genetics.

The finding that most data was accessed through credential stuffing led to 23andMe sending a letter to legal representatives of victims blaming the victims themselves.

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards say they will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.

The privacy watchdogs are going to investigate:

• the scope of information that was exposed by the breach and potential harms to affected individuals;
• whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
• whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.               

The joint investigation will be conducted in accordance with the Memorandum of Understanding between the ICO and OPC.

Scan for your exposed personal data

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report. If your data was part of the 23andMe breach, we’ll let you know.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice.

In new research that Malwarebytes will release this month, romantic partners revealed that the degree to which they share passwords, locations, and devices with one another can invite mild annoyances—like having an ex mooch off a shared Netflix account—serious invasions of privacy—like being spied on through a smart doorbell—and even stalking and abuse.

Importantly, this isn’t just about jilted exes. This is also about people in active, committed relationships who have been pressured or forced into digital sharing beyond their limit.

The proof is in the data.

When Malwarebytes surveyed 500 people in committed relationships, 30% said they regretted sharing location tracking with their partner, 27% worried about their partners tracking them through location-based apps and services, and 23% worried that their current partner had accessed their accounts without their permission.

---

---

Plenty of healthy, happy relationships share digital access through trust and consent. For those couples, mapping out how to digitally separate and insulate their accounts from one another “when things go wrong” could seem misguided.

But for the many spouses, girlfriends, boyfriends, and partners who do not fully trust their significant other—or who are still figuring out how much to trust someone new—this exercise should serve as an act of security.

Here’s what people can think about when working through just how much of their digital lives to share.

Inconvenient, annoying, and just plain bothersome

A great deal of digital sharing within couples occurs on streaming platforms. One partner has Netflix, the other has Hulu, the two share Disney+, and years down the line, the couple can’t quite tell who is in charge of Apple Music and who is supposed to cancel the one-week free trial to Peacock.

This logistical nightmare, already difficult for people who are not in a committed relationship, is further complicated after a breakup (or during the relationship if one partner is particularly sensitive about their weekly algorithmic recommendations from Spotify).

If an ex maintains access to your streaming accounts even after a breakup, there’s little chance for abuse, but the situation can be aggravating. Maybe you don’t want your ex to know that you’re watching corny rom-coms, or that you’re absolutely going through it on your seventh replay of Spotify’s “Angry Breakup Mix.” These are valid annoyances that will require a password reset to boot your ex out of the shared account.

But there’s one type of shared account that should raise more caution than those listed above: A shared online shopping account, like Amazon.

With access to a shared online shopping account, a spiteful ex could purchase goods using your saved credit card. They could also keep updates on your location should you ever move and change addresses in the app. This isn’t the same threat as an ex having your real-time location, but for some individuals—particularly survivors of domestic abuse who have escaped their partner—any leak of a new address presents a major risk.

Non-consensual tracking, monitoring, and spying

When couples move into the same home, it can make sense to start sharing a variety of location-based apps.

Looking for a vacation rental online for your next getaway? You’re (hopefully) lodging together. Ordering delivery because nobody wants to make dinner? That order is being sent to the same shared address. Even some credit cards offer specific bonuses on services like Lyft, incentivizing some couples to rely more heavily on one account to score extra credits.

While sharing access between these types of accounts can increase efficiency, it’s important to know—and this may sound obvious—that many of these same shared location-based apps can reveal locations to a romantic partner, even after a breakup.

Your vacation could be revealed to an ex who is abusing their previously shared login privileges into services like Airbnb or Vrbo, or by someone peering into the trip history of a shared Uber account that discloses that a car was recently taken to the airport. Food delivery apps, similarly, can reveal new addresses after a move—a particular risk for survivors of domestic abuse who are trying to escape their physical situation.

In fact, any account that tracks and provides access to location—including Google’s own “Timeline” feature and fitness tracking devices made by Strava—could, in the wrong hands, become a security risk for stalking and abuse.

The vulnerabilities extend farther.

With the popularity of Internet of Things devices like smart doorbells and baby monitors, some partners may want to consider how safe they are from spying in their own homes. Plenty of user posts on a variety of community forums claim that exes and former spouses weaponized video-equipped doorbells and baby monitors to spy on a partner.

These scenarios are frightening, but they are part of a larger question about whether you should share your location with your partner. With the proper care and discussion, your location-sharing will be consensual, respected, and convenient for all.

Stalking and abuse

When discussing the risks around digital sharing between couples, it’s important to clarify that trustworthy partners do not become abusive simply because of their access to technology. A shared food delivery app doesn’t guarantee that a partner will be spied on. A baby monitor with a live video stream is sometimes just that—a baby monitor.

But many of the stories shared here expose the dangers that lie within arm’s reach for abusive partners. The technology alone cannot be blamed for the abuse. Instead, the technology must be scrutinized simply because of its ubiquitous use in today’s world.

The most serious concerns regarding digital access are the potential for stalking and abuse.

For partners that share devices and device passcodes, the notorious threat of stalkerware makes it easy for an abusive partner to pry into a person’s photos, videos, phone calls, text messages, locations, and more. Stalkerware can be installed on a person’s device in a matter of minutes—a low barrier of entry for couples that live with one another and who share each other’s device passcodes.

For partners who share a vehicle, a recent problem has emerged. In December, The New York Times reported on the story of a woman who—despite obtaining a restraining order against her ex-husband—could not turn off her shared vehicle’s location tracking. Because the car was in her husband’s name, he was able to reportedly continue tracking and harassing her.

Even shared smart devices have become a threat. According to reporting from The New York Times in 2018, survivors of domestic abuse began calling support lines with a bevvy of new concerns within their homes:

“One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.”

The survivors’ stories all pointed to the abuse of shared smart devices.

Whereas the solutions to many of the inconveniences and annoyances that can come with shared digital access are simple—a reset password, a removal of a shared account—the “solutions” for technology-enabled abuse are far more complex. These are problems that cannot be solely addressed with advice and good cybersecurity hygiene.

If you are personally experiencing this type of harassment, you can contact the National Network to End Domestic Violence on their hotline at 1-800-799-SAFE.

Making sure things go right

Sharing your life with your partner should be a function of trust, and for many couples, it is. But, in the same way that it is impossible for a cybersecurity company to ignore even one ransomware attack, it’s also improper for this cybersecurity and privacy company to ignore the reality facing many couples today.

There are new rules and standards for digital access within relationships. With the right information and the right guidance, hopefully more people will feel empowered to make the best decisions for themselves.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Google announced that it will reduce the amount of personal data it is storing by automatically deleting old data from “Timeline”—the feature that, previously named “Location History,” tracks user routes and trips based on a phone’s location, allowing people to revisit all the places they’ve been in the past.

In an email, Google told users that they will have until December 1, 2024 to save all travels to their mobile devices before the company starts deleting old data. If you use this feature, that means you have about five months before losing your location history.

Moving forward, Google will link the Location information to the devices you use, rather than to the user account(s). And, instead of backing up your data to the cloud, Google will soon start to store it locally on the device.

As I pointed out years ago, Location History allowed me to “spy” on my wife’s whereabouts without having to install anything on her phone. After some digging, I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store on her phone. The extra account this created on her phone was not removed when I logged out after noticing the tracking issue.

That issue should be solved by implementing this new policy. (Let’s remember, though, that this is an issue that Google formerly considered a feature rather than a problem.)

Once effective, unless you take action and enable the new Timeline settings by December 1, Google will attempt to move the past 90 days of your travel history to the first device you sign in to your Google account on. If you want to keep using Timeline:

• Open Google Maps on your device.
• Tap your profile picture (or initial) in the upper right corner.
• Choose Your Timeline.
• Select whether to keep you want to keep your location data until you manually delete it or have Google auto-delete it after 3, 18, or 36 months.

In April of 2023, Google Play launched a series of initiatives that gives users control over the way that separate, third-party apps stored data about them. This was seemingly done because Google wanted to increase transparency and control mechanisms for people to control how apps would collect and use their data.

With the latest announcement, it appears that Google is finally tackling its own apps.

Only recently, Google agreed to purge billions of records containing personal information collected from more than 136 million people in the US surfing the internet using its Chrome web browser. But this was part of a settlement in a lawsuit accusing the search giant of illegal surveillance.

It’s nice to see the needle move in the good direction for a change. As Bruce Schneier pointed out in his article Online Privacy and Overfishing:

“Each successive generation of the public is accustomed to the privacy status quo of their youth. What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.”

This has led us all to a world where we don’t even have the expectation of privacy anymore when it comes to what we do online or when using modern technology in general.

If you want to take firmer control over how your location is tracked and shared, we recommend reading How to turn off location tracking on Android.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers.

Allegedly the customer data includes:

• Names
• Email addresses
• Phone numbers
• Physical address
• Orders
• Loyalty and gas card numbers
• Sales history

The data set allegedly also includes information about 358,000 employees and candidates—which is a lot more than are currently employed by Advance Auto Parts (69,000 in 2023).

The cybercriminal is asking $1.5 Million for the data set.

Advance Auto Parts has not disclosed any information about a possible data breach and has not responded to inquiries. But BleepingComputer confirms that a large number of the Advance Auto Parts sample customer records are legitimate.

Interestingly enough, the seller claims in their post that the data comes from Snowflake, a cloud company used by thousands of companies to manage their data. On May 31st, Snowflake said it had recently observed and was investigating an increase in cyber threat activity targeting some of its customers’ accounts. It didn’t mention which customers.

At the time, everybody focused on Live Nation / Ticketmaster, another client of Snowflake which said it had detected unauthorized activity within a “third-party cloud database environment” containing company data.

The problem allegedly lies in the fact that Snowflake lets each customer manage the security of their environments, and does not enforce multi-factor authentication (MFA).

Online media outlet TechCrunch says it has:

“Seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.”

TechCrunch also says it found more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for Snowflake environments, belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others.

Meanwhile, Snowflake has urged its customers to immediately switch on MFA for their accounts.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While the Advance Auto Parts data has yet to be confirmed, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1. Found by S.K. with no detail on specific location
2. Duct-taped underneath the front bumper of S.K.’s car
3. Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4. Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5. “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6. Underneath the license plate on S.K.’s car
7. Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

Improving AirTag safety

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Microsoft’s Recall feature has been criticized heavily by pretty much everyone since it was announced last month. Now, researchers have demonstrated the risks by creating a tool that can find, extract, and display everything Recall has stored on a device.

For those unaware, Recall is a feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023.

The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them, so it can answer important questions like “where did I see those expensive white sneakers?”

However, the scariest part is that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers and that data may be in snapshots that are stored on your device.

Many security professionals have pointed out that this kind of built-in spyware is a security risk. But Microsoft tried to reassure users, saying:

“Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access.”

The problem lies in that last part of the statement. Who has device access? Although Microsoft claimed that an attacker would need to gain physical access, unlock the device and sign in before they could access saved screenshots, it turns out that might not be true.

As a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity researcher, has released a demo tool that is capable of automatically extracting and displaying everything Recall records on a laptop.

For reasons any science fiction fan will understand, Hagenah has named that tool TotalRecall.  All the information that Recall saves into its main database on a Windows laptop can be “recalled.“

As Hagenah points out:

“The database is unencrypted. It’s all plain text.”

TotalRecall can automatically find the Recall database on a person’s computer and make a copy of the file, for whatever date range you want. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, according to Hagenah. Once TotalRecall has been deployed, it is possible to generate a summary about the data or search for specific terms in the database.

Now imagine an info-stealer that incorporates the capabilities of TotalRecall. This is not a far-fetched scenario because many information stealers are modular. The operators can add or leave out certain modules based on the target and the information they are after. And reportedly, the number of devices infected with data stealing malware has seen a sevenfold increase since 2023.

Another researcher, Kevin Beaumont, says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system.

According to Beaumont:

“InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall.”

It’s true that any information stealer will need administrator rights to access Recall data, but attacks that gain those right have been around for years, and most information stealer malware does this already.

Hagenah also warned that in cases of employers with bring your own devices (BYOD) policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops.

It is worrying that this type of tools is already available even before the official launch of Recall. The risk of identity theft only increases when we allow our machines to “capture” every move we make and everything we look at.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The US debt collection agency Financial Business and Consumer Solutions (FBCS) has filed a data breach notification, listing the the total number of people affected as 3,226,631.

FBCS is a nationally licensed, third-party collection agency that collects commercial and consumer debts, with most of its activity involving the recovery of consumer debts on behalf of creditors. According to the official statement provided by FBCS, the exposed data includes:

• Full names
• Social security numbers
• Birth dates
• Account information
• Drivers license or other state ID numbers

In some cases, it also includes medical claims information, provider information, and clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS has sent data breach notifications to those affected, detailing what data was compromised and offering 12 months of free credit monitoring.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

• MaskVPN
• DewVPN
• PaladinVPN
• ProxyGate
• ShieldVPN
• ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

• Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
• Search for the name of the malicious VPN application.
• Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

• MaskVPN (mask_svc.exe)
• DewVPN (dew_svc.exe)
• PaladinVPN (pldsvc.exe)
• ProxyGate (proxygate.exe, cloud.exe)
• ShieldVPN (shieldsvc.exe)
• ShineVPN (shsvc.exe)

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1. Open the app.
2. On the main dashboard, click the Scan button.
3. A progress page appears while the scan runs.
4. After the scan finishes, it displays the Threat scan summary.
   • If the scan detected no threats: Click Done.
   • If the scan detected threats on your device: Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking Quarantine.
5. Click View Report or View Scan Report to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Earlier this week, a cybercriminal group posted an alleged database up for sale online which, it says, contains customer and card details of 560 million Live Nation/Ticketmaster users.

The data was offered for sale on one forum under the name “Shiny Hunters”. ShinyHunters is the online handle for a group of notorious cybercriminals associated with numerous data breaches, including the recent AT&T breach.

The post says:

“Live Nation / Ticketmaster

Data includes

560 million customer full details (name, address, email, phone)

Ticket sales, event information, order details

CC detail – customer last 4 of card, expiration date

Customer fraud details

Much more

Price is $500k USD. One time sale.”

The same data set was offered for sale in an almost identical post on another forum by someone using the handle SpidermanData. This could be the same person or a member of the ShinyHunters group.

According to news outlet ABC, the Australian Department of Home Affairs said it is aware of a cyber incident impacting Ticketmaster customers and is “working with Ticketmaster to understand the incident.”

Some researchers expressed their doubts about the validity of the data set:

Thoughts on the alleged Ticketmaster Data Breach

TLDR: Alert not Alarmed

The Ticketmaster data breach claim has provided BreachForums with the quick attention they need to boost their user numbers and reputation.

The claim has possibly been over-stated to boost… pic.twitter.com/WJsFkBfQbw

— CyberKnow (@Cyberknow20) May 29, 2024

While others judged it looks legitimate based on conversations with involved individuals, and studying samples of the data set:

Today we spoke with multiple individuals privy to and involved in the alleged TicketMaster breach.

Sometime in April an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider. The TicketMaster breach was not…

— vx-underground (@vxunderground) May 30, 2024

Whether or not the data is real remains to be seen. However, there’s no doubt that scammers will use this opportunity to make a quick profit.

Ticketmaster users will need to be on their guard. Read our tips below for some helpful advice on what to do in the event of a data breach.

You can also check what personal information of yours has already been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

All parties involved have refrained from any further comments. We’ll keep you posted.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Many companies are starting to implement Artificial Intelligence (AI) within their services. Whenever there are large amounts of data involved, AI offers a way to turn that pile of data into actionable insights.

And there’s a big chance that our data are somewhere in that pile, whether they can be traced back to us or not. In this blog we’ll look at the different ways in which credit card companies are planning to use AI.

Two of the major credit card companies, MasterCard and Visa, made announcements this month on how they will use AI in the near future.

Mastercard announced the introduction of generative AI for earlier detection of credit card fraud.

Johan Gerber, executive vice president of security and cyber innovation at Mastercard, said:

“Generative AI is going to allow to figure out where did you perhaps get your credentials compromised, how do we identify how it possibly happened, and how do we very quickly remedy that situation not only for you, but the other customers who don’t know they are compromised yet.”

Generative AI models learn the patterns and structure of their input training data and then generate new data with similar characteristics.

There’s an enormous amount of stolen credit and debit card details available on various marketplaces, some of which aren’t even on the dark web. These details come from many different data breaches, and they can go unnoticed for extended periods of time. Analyzing the data and spotting patterns in the abuse can help the credit card company identify and inform affected customers before the criminals actually use the card.

VISA, on the other hand, said it will use AI to tailor a better shopping experience. This, it says, will allow it to share more information about customers’ preferences based on their shopping history with retailers.

VISA will require consumer consent for sharing the required information. According to VISA CEO Ryan McInerney, consumers will have the option, through their bank app, to revoke access to their information.

And last but not least, American Express Global Business Travel revealed in February that it started an AI initiative to improve efficiency. As one of the early results it reported it has reduced customer call times by about a minute.

All in all, credit card companies are gathering data to predict our behavior. They are not the only ones, for sure, but they do have access to some information that most people are not prone to share freely, our finances.

Sure, less time spent being held up by that slightly less annoying chatbot, or a warning about a compromised credit card before the abuse happens, that sounds great. But an online store guessing what I am likely to purchase isn’t something I’m so keen on—about the same level of spooky as targeted ads.

Does increased efficiency outweigh the cost of handing over our data? What we’d like to see are improved security AND ease of use. Let us know how you feel in the comments below.

---

We don’t just talk about credit cards—we help monitor them

Cybersecurity risks should never spread beyond a headline. Keep an eye on your finances with identity and credit monitoring.

A cybercriminal going by the names of EquationCorp and USDoD has released an enormous database containing the criminal records of millions of Americans. The database is said to contain 70 million rows of data.

The leaked database is said to include full names, dates of birth, known aliases, addresses, arrest and conviction dates, sentences, and much more. Dates reportedly range from 2020 to 2024.

The exact source of the database is as yet unknown.

USDoD is a high-profile player in this field, closely associated with “Pompompurin”, the operator of the first iteration of data leak site BreachForums. USDoD is said to have plans to set up a successor to the second iteration of BreachForums which was recently seized by law enforcement. Releasing this database may be USDoD’s way to round up some interested users.

USDoD is also believed to be involved in a breach at TransUnion, the data of which was (partly) dumped in September, 2023.

Needless to say, having the criminal information leaked could have a tremendous impact, not only for the listed individuals but also for the justice system. We’ll keep you updated.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out how much of your own data has been exposed online, including your criminal record data, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll give you a free report, along with tips on what to do next.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships.

No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars.

Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the types of features you’d expect from a smartphone, not a mode of transportation.

There are cars with WiFi, cars with wireless charging, cars with cameras that not only help while you reverse out of a driveway, but which can detect whether you’re drowsy while on a long haul. Many cars now also come with connected apps that allow you to, through your smartphone, remotely start your vehicle, schedule maintenance, and check your tire pressure.

But one feature in particular, which has legitimate uses in responding to stolen and lost vehicles, is being abused: Location tracking.

It’s time car companies do something about it.  

In December, The New York Times revealed the story of a married woman whose husband was abusing the location tracking capabilities of her Mercedes-Benz sedan to harass her. The woman tried every avenue she could to distance herself from her husband. After her husband became physically violent in an argument, she filed a domestic abuse report. Once she fled their home, she got a restraining order. She ignored his calls and texts.

But still her husband could follow her whereabouts by tracking her car—a level of access that Mercedes representatives reportedly could not turn off, as he was considered the rightful owner of the vehicle (according to The New York Times, the husband’s higher credit score convinced the married couple to have the car purchased in his name alone).

As reporter Kashmir Hill wrote of the impasse:

“Even though she was making the payments, had a restraining order against her husband and had been granted sole use of the car during divorce proceedings, Mercedes representatives told her that her husband was the customer so he would be able to keep his access. There was no button she could press to take away the app’s connection to the vehicle.”

This was far from an isolated incident.

In 2023, Reuters reported that a San Francisco woman sued her husband in 2020 for allegations of “assault and sexual battery.” But some months later, the woman’s allegations of domestic abuse grew into allegations of negligence—this time, against the carmaker Tesla.

Tesla, the woman claimed in legal filings, failed to turn off her husband’s access to the location tracking capabilities in their shared Model X SUV, despite the fact that she had obtained a restraining order against her husband, and that she was a named co-owner of the vehicle.

When The New York Times retrieved filings from the San Francisco lawsuit above, attorneys for Tesla argued that the automaker could not realistically play a role in this matter:

“Virtually every major automobile manufacturer offers a mobile app with similar functions for their customers,” the lawyers wrote. “It is illogical and impractical to expect Tesla to monitor every vehicle owner’s mobile app for misuse.”

Tesla was eventually removed from the lawsuit.

In the Reuters story, reporters also spoke with a separate woman who made similar allegations that her ex-husband had tracked her location by using the Tesla app associated with her vehicle. Because the separate woman was a “primary” account owner, she was able to remove the car’s access to the internet, Reuters reported.

A better path

Location tracking—and the abuse that can come with it—is a much-discussed topic for Malwarebytes Labs. But the type of location tracking abuse that is happening with shared cars is different because of the value that cars hold in situations of domestic abuse.

A car is an opportunity to physically leave an abusive partner. A car is a chance to start anew in a different, undisclosed location. In harrowing moments, cars have also served as temporary shelter for those without housing.

So when a survivor’s car is tracked by their abuser, it isn’t just a matter of their location and privacy being invaded, it is a matter of a refuge being robbed.

In speaking with the news outlet CalMatters, Yenni Rivera, who works on domestic violence cases, explained the stressful circumstances of exactly this dynamic.

“I hear the story over and over from survivors about being located by their vehicle and having it taken,” Rivera told CalMatters. “It just puts you in a worst case situation because it really triggers you thinking, ‘Should I go back and give in?’ and many do. And that’s why many end up being murdered in their own home. The law should make it easier to leave safely and protected.”

Though the state of California is considering legislative solutions to this problem, national lawmaking is slow.

Instead, we believe that the companies that have the power to do something act on that power. Much like how Malwarebytes and other cybersecurity vendors banded together to launch the Coalition Against Stalkerware, automakers should work together to help users.

Fortunately, an option may already exist.

When the Alliance for Automobile Innovation warned that consumer data collection requests could be weaponized by abusers who want to comb through the car location data of their partners and exes, the automaker General Motors already had a protection built in.

According to Reuters, the roadside assistance service OnStar, which is owned by General Motors, allows any car driver—be they a vehicle’s owner or not—to hide location data from other people who use the same vehicle. Rivian, a new electric carmaker, is reportedly working on a similar feature, said senior vice president of software development Wassym Bensaid in speaking with Reuters.

Though Reuters reported that Rivian had not heard of their company’s technology being leveraged in a situation of domestic abuse, Wassym believed that “users should have a right to control where that information goes.”

We agree.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Dell is warning its customers about a data breach after a cybercriminal offered a 49 million-record database of information about Dell customers on a cybercrime forum.

A cybercriminal called Menelik posted the following message on the “Breach Forums” site:

“The data includes 49 million customer and other information of systems purchased from Dell between 2017-2024.

It is up to date information registered at Dell servers.

Feel free to contact me to discuss use cases and opportunities.

I am the only person who has the data.”

According to Menelik the data includes:

• The full name of the buyer or company name
• Address including postal code and country
• Unique seven digit service tag of the system
• Shipping date of the system
• Warranty plan
• Serial number
• Dell customer number
• Dell order number

Most of the affected systems were sold in the US, China, India, Australia, and Canada.

Users on Reddit reported getting an email from Dell which was apparently sent to customers whose information was accessed during this incident:

“At this time, our investigation indicates limited types of customer information was accessed, including:

• Name
• Physical address
• Dell hardware and order information, including service tag, item description, date of order and related warranty information.

The information involved does not include financial or payment information, email address, telephone number or any highly sensitive customer information.”

Although Dell might be trying to play down the seriousness of the situation by claiming that there is not a significant risk to its customers given the type of information involved, it is reassuring that there were no email addresses included. Email addresses are a unique identifier that can allow data brokers to merge and enrich their databases.

So, this is another big data breach that leaves us with more questions than answers. We have to be careful that we don’t shrug these data breaches away with comments like “they already know everything there is to know.”

This kind of information is exactly what scammers need in order to impersonate Dell support.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Medical health care provider DocGo has disclosed in a form 8-K that it experienced a cybersecurity incident involving some of the company’s systems. As part of the investigation of the incident, the company says it has determined that the attacker accessed and acquired data, including certain protected health information.

DocGo is a healthcare provider that offers mobile health services, ambulance services, and remote monitoring for patients in 30 US states, and across the United Kingdom. On its company website it touts over 7,000,000 patient interactions.

In the same form, DocGo says the breach concerns a limited number of healthcare records within the company’s US-based ambulance transportation business, and that no other business lines have been involved.

DocGo says it is actively reaching out to those individuals who had their data compromised in the attack.  

So far, we have no indication what the nature of the cyberattack was, but it is almost standard procedure nowadays for ransomware groups to use stolen data as extra leverage to get the victim to pay the ransom.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

“We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

Recommendations

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

On October 30, 2020, I started a article with the words:

“Hell is too nice a place for these people.”

The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, the attacker did not stop at extorting the clinic but also sent extortion messages to the patients, asking them to pay around $240 to prevent their data from being published online. And that was a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those that were unlucky enough to have their data on record there.

The attacker demanded a €400,000 ($425,000) ransom from the company. When it refused to pay, he emailed thousands of patients asking for €200 and threatening to publish their therapy notes and personal details on the dark web if they didn’t pay. He ended up publishing it anyway.

As a result of this cyberattack and the extortion attempts:

• Vastaamo’s board fired the CEO because they held him responsible for knowing about the breaches and of the shortcomings in the psychotherapy provider’s data security systems.
• Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
• Vastaamo had to shut its doors because it could not meet its financial obligations.
• The Finnish government contemplated expanding the options for individuals to change their social security number in certain circumstances, such as the aftermath of a hacking incident.
• At least one suicide has been linked to the case.

Now the attacker has been convicted. 26-year-old Julius Kivimäki has been sentenced to six years and three months in prison. Kivimäki, known online as Zeekill, was one of the leading members of several groups of teenage cybercriminals which caused chaos between 2009-2015. One of those groups was the infamous Lizard Squad.

At the age of 17, Kivimäki was convicted of more than 50,000 computer hacks and sentenced to a two-year prison sentence, which was suspended because he was 15 and 16 when he carried out the crimes in 2012 and 2013.

Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin to seek compensation for the victims of the hack.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

After four years of investigation, the Federal Communications Commission (FCC) has concluded that four of the major wireless carriers in the US violated the law in sharing access to customers’ location data.

The FCC fined AT&T, Sprint, T-Mobile, and Verizon a total of almost $200 million for “illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines are divided up into $12 million for Sprint, $80 million for T-Mobile (which has now merged with Sprint), more than $57 million for AT&T, and an almost $47 million for Verizon.

From the press release it becomes apparent that the FCC considers real-time location data some of the most sensitive data in a carrier’s possession. Each of the four major carriers was found to be selling its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers.

The investigation by the FCC was set in motion by public reports like the ones in the New York Times, Vice.com, and a letter from Sen. Ron Wyden to the FCC. All pointed out that anyone could get location information about almost any US phone if they were willing to pay an unauthorized source.

The FCC press release specifically mentions a location-finding service operated by Securus, a provider of communications services to correctional facilities, as a source that provided the possibility to track people’s location.

The US law, including section 222 of the Communications Act, requires carriers to take reasonable measures to protect certain customer information, including location information.

The wireless carriers attempted to offload their obligation to obtain customer consent onto the downstream recipients of the location information. The end result was a failure in which no valid customer consent was obtained. And even though the carriers were aware of this, they continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

As reported by Krebs on Security, one of the data aggregation firms, LocationSmart, had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

Spokespersons of Verizon and AT&T both indicated to BleepingComputer that they felt as if they were taking the blame for another company’s failure to obtain consent.

T-Mobile said in a statement to CNN that it discontinued the location data-sharing program over five years ago. The company wanted to make sure first that critical services like roadside assistance, fraud protection, and emergency response would not suffer any negative consequences if it did.

All three companies indicated they will appeal the order. We’ll keep you posted on any new developments.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers.

Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

In the required notice with the US government, Kaiser lists 13.4 million affected individuals. Among these third-party ad vendors are Google, Microsoft, and X. Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the information gathered by these pixels tells them a lot about your browsing behavior, and a lot about you.

This kind of data leak normally happens when a website includes sensitive information in its URLs (web addresses). The URLs you visit are shared with the company that provides the tracking pixel, so if the URL contains sensitive information it will end up in the hands of the tracking company. The good news is that while it’s easy for websites to leak information like this, there is no suggestion that tracking pixel operators are aware of it, or acting on it, and it would probably be hugely impractical for them to do so.

The leaked data includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service, how they interacted with it, how they navigated through the website and mobile applications, and what search terms they used in the health encyclopedia.

A spokesperson said that Kaiser intends to begin notifying the affected current and former members and patients who accessed its websites and mobile apps in May.

Not so long ago, we reported how mental health company Cerebral failed to protect sensitive personal data, and ended up having to pay $7 million. Also due to tracking pixels, so this is a recurring problem we are likely to see lots more of. Research done by TheMarkup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Amazon’s Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers’ private videos, and failed to implement security protections which enabled hackers to take control of customers’ accounts, cameras, and videos.

The FTC is now sending refunds totaling more than $5.6 million to US consumers as a result of the settlement.

Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, home security cameras and video doorbells.

However, in a shocking lapse of security protection, it turned out that every single person working for Amazon Ring, whether they were an employee or a contractor, was able to access every single customer video, even when it wasn’t necessary for their jobs.

But that wasn’t the only issue. In May 2023, the FTC stated that:

“Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent, and failing to implement security safeguards. These practices led to egregious violations of users’ privacy.”

The FTC gave the example of one employee who, over several months, viewed thousands of video recordings belonging to female users of Ring cameras that were pointed at intimate spaces in their homes such as their bathrooms or bedrooms. This didn’t stop until another employee discovered the misconduct.

The FTC is now sending 117,044 PayPal payments to US customers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Customers should redeem their PayPal payment within 30 days.

“The FTC identified eligible Ring customers based on data provided by the company,” the agency told BleepingComputer, clarifying that Ring users “were eligible for a payment if their account was vulnerable because of privacy and security problems alleged in the complaint.”

Consumers who have questions about their payment should contact the refund administrator, Rust Consulting, Inc., at 1-833-637-4884, or visit the FTC website to view frequently asked questions about the refund process.

Beware of scammers

As always, you can expect scammers to take advantage of this news. So, it’s important to know that the FTC never asks people to pay money or provide account information to get a refund.

A payment or claim form sent as part of an FTC settlement will include an explanation of, and details about, the case. The case will be listed at ftc.gov/refunds, along with the name of the company issuing payments and a phone number for questions.

The FTC only works with four private companies to handle the refund process:

• Analytics Consulting, LLC
• Epiq Systems
• JND Legal Administration
• Rust Consulting, Inc.

Before sending any PayPal payment, the FTC will send an email from the subscribe@subscribe.ftc.gov address to issue a payment recipient. Once payments have been issued, PayPal will send an email telling recipients about their refund.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Four billions public Discord messages are for sale on an internet scraping service called Spy.pet.

At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard some laws: more on that later.

To get this amount of data the platform gathered information from 14,201 servers about 627,914,396 users.

The way in which Spy.pet organized the information could turn out to be problematic for certain users. It built a database based on user profiles which contains all known aliases, pronouns, connected accounts (such as Steam and GitHub), Discord servers joined, and public messages.

The buyers don’t need to descend into the dark dungeons of the dark web to buy this information. It’s available for anyone on the regular web.

For a search of information about a specific user, all you need is their Discord User-ID and some cryptocurrency.

To look up profiles, you’ll first have to buy credits. A credit costs $0.01 and you’ll have to buy a minimum of 500 credits.

A new search for a profile will put you back 10 credits (7 for a cached profile).

Interestingly the platform also offers an enterprise version for which interested parties are invited to contact the administrator.

Breaking a few laws

Scraping data is a common practice nowadays, but there are a few rules that, when broken, will cost a lot more than a few dollars. Scraping and selling data about minors, especially without consent, is illegal in most parts of the world, including the US.

And when you are gathering data about European Union (EU) citizens, you’ll need to have a method in place for those citizens to have their information removed. Spy.pet does have a “Request Removal” button, but clicking it will show you an annoying snippet of a Spiderman movie where the news editor laughs at Peter Parker.

Discord told the Register it is probing Spy.pet to see if any action needs to be taken against the chat-harvesting service.

“Discord is committed to protecting the privacy and data of our users. We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation.”

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive consumer data, as well as require it to provide consumers with a simple way to cancel services.

After a data breach in 2023 Cerebral disclosed that it had been using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 2019.

A tracking pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track people and target adverts at them. That’s nice for the advertisers, but the combined information of all these pixels potentially provides a company with an almost complete picture of your browsing behavior and a lot of information about you.

The FTC statement claims that by using these tracking pixels, which are invisible to the website visitor unless they look at the underlying code, Cerebral provided the sensitive information of nearly 3.2 million consumers to these third parties.

The complaint points out that to get consumers to sign up for Cerebral’s services and to provide detailed personal data, the company claimed to offer “safe, secure, and discreet” services, saying that users’ data would be kept confidential.

Also, according to the complaint, the company specifically claimed in many instances that it would not share users’ data for marketing purposes without obtaining people’s consent.

Many organizations are unclear about how much information the social media companies behind the tracking pixels can gather. In the Notice of HIPAA Privacy Breach Cerebral disclosed that the following data were potentially exposed:

• Full name
• Phone number
• Email address
• Date of birth
• IP address
• Cerebral client ID number
• Demographic information
• Self-assessment responses and associated health information
• Subscription plan type
• Appointment dates
• Treatment details and other clinical information
• Health insurance/pharmacy benefit information

Among other penalties, Cerebral has to refund $5.1 million to customers who were impacted by deceptive cancellation practices and pay a $10 million civil penalty, limited to $2 million due to Cerebral’s inability to pay the full amount.

The number of breaches concerning health information is shocking. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the US Department of Health and Human Services Office for Civil Rights publishes a list of breaches that reveal unsecured protected health information affecting 500 or more individuals.

We have reported about similar cases that involved tracking pixels. Research done by TheMarkup in June of 2022 showed that Meta’s pixel showed up on the websites of 33 of the top 100 hospitals in America.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Every relationship has its disagreements. Who takes out the trash and washes the dishes? Who plans the meals and writes out the grocery list? And when is it okay to start tracking one another’s location?  

Location sharing is becoming the norm between romantic partners—50% of people valued location sharing in their relationships, according to recent research from Malwarebytes—and plenty of couples have found ways to track one another’s location, with consent, in a respectful and transparent way.

But, as a cybersecurity, privacy, and identity protection company, Malwarebytes is concerned with risk, and location sharing carries significant risks within many types of relationships.

There are new relationships in which the rules around privacy and sharing are still being agreed upon, old relationships in which power imbalances are deeply entrenched, and, of course, abusive relationships in which non-consensual tracking and surveillance are used as levers of control.

As a company—and not a relationship counselor—Malwarebytes cannot endorse any reasons for location sharing between romantic partners. But Malwarebytes can provide guidance on what safe location sharing looks like, including a requirement for consent.

Importantly, Malwarebytes can also remind readers about one simple, often-forgotten fact in this conversation: You don’t have to engage in location sharing if you do not want to.

It really is as simple as that. Do not agree to location sharing in your relationship if:

• You are being pressured, coerced, or harassed into sharing your location.
• You do not trust or feel comfortable sharing your location with your partner.  
• You do not want to.

As the reasons for location sharing are valid for many couples, the reasons against it are just as valid, too. You have the right to determine the rules in your own relationship, and that includes the digital decisions that impact your feelings of privacy, safety, and trust.

Safety, security, and convenience

According to research conducted last year by Malwarebytes, location tracking among partners is popular in North America—and even more popular amongst younger generations.

When polling more than 1,000 people about their attitudes and behaviors around online privacy and cybersecurity, a full 50% agreed or strongly agreed with the statement that “monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer.”

Similarly, 42% agreed or strongly agreed with the statement that “being able to track my spouse’s/significant other’s location when they are away is extremely important to me.” This sentiment was higher amongst Gen Z—49% felt the same way compared to the general population.

As to why location tracking has become so popular, there is little doubt. It’s about safety (or, at least, the feeling of it).

On Reddit, the question of location tracking between partners is frequently posed and is just as frequently answered: “I think it should be fine for safety reasons,” said one user in a the most popular response to a thread.

In writing for the media platform Her Campus, one Pennsylvania State University student said that, if she already shares her location with her friends for safety, “why would I not share it with someone I am involved with romantically?”

For some of the editorial staff at the healthy living brand Poosh, location sharing also provided convenience.  

“If I want to call my boyfriend for something, sometimes I’ll check his location first (if he’s at the office, for example, I won’t call),” wrote Erika Harwood, managing editor. “Or if he tells me he’s on his way home and it seems to be taking unusually long, it’s easier to just check his location and see if he’s stuck in traffic.”

Harwood continued:

“Basically, it all boils down to me trying to eliminate as many phone calls from my day as possible.”

What these explanations all share is purpose and consent. The people featured here have told their partners about location sharing, and they have identified specific reasons to engage in this practice. Because of this, these situations are hardly cause for alarm.

What Malwarebytes hopes to draw attention to, however, are starkly different situations.

Coercion, control, and crisis

Location “sharing” implies two partners who consensually share their locations with one another. But as Malwarebytes discovered last year, location “sharing” isn’t the only activity that some people engage in—it’s also location spying.

According to the same survey last year, 41% of all people admitted to monitoring their partner in some way without their partner’s permission.

That includes 16% of people who non-consensually “tracked my spouse’s/significant other’s location through an app or Bluetooth tracker (like Apple AirTags, Tile, Find My)” and 13% who non-consensually “installed monitoring software/apps on spouse’s/significant other’s devices (e.g., Life360).”

The harms here are obvious.

Non-consensual location tracking in a relationship is a clear invasion of privacy. It puts sensitive information into one partner’s hands without the other partner knowing it, and the nature of the information itself can be used to harass and stalk someone—especially after a breakup.

Non-consensual location tracking is also present in domestic abuse, particularly in instances where one partner is being spied upon with the use of “stalkerware” apps. And while those who deploy these types of invasive apps are not guaranteed to be physically abusive against their partners, several documented cases highlight the risk.

As Danielle Citron, professor of law at UVA, wrote back in 2015 about what she called “cyber stalking apps”:

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

These cases may sound extreme, but they should not be ignored. They reveal that it isn’t location sharing itself which is harmful, but rather that harmful relationships will lead to harmful forms of location tracking.

Be sure that, if you do engage in location sharing, it is with someone who you trust, on both of your agreed terms, and in a way that you can turn off the location sharing at any point in the future.

What’s the answer?

Your real-time location is extraordinarily sensitive information, and as such, access to it should be understood as a privilege, not a right. No romantic partner has a “right” to your location just because their previous partners practiced location sharing. No romantic partner should coerce or harass you into location sharing. And no, the refusal to share your location, at any stage of the relationship, is not a “red flag.”

If you do decide to share your location with your partner, be sure to follow these guidelines:

• Have an open conversation about location sharing with one another. You must obtain consent from your partner if you’re going to share your locations. Spying on your partner’s location without their consent is a breach of trust.
• Have a reason why you’re engaging in location sharing. Many problems in a relationship will not be solved by location sharing. Have a firm reason why you want to share locations and what value it will provide. If you do not have a good reason, you may not need location sharing at all.
• Set up rules about location sharing. Location sharing can be enabled on a case-by-case basis for, say, music festivals, vacations, or solo hiking trips. It can also be enabled between partners indefinitely.
• Check in periodically about whether it is working. Just because you agreed to location sharing a year ago does not mean you cannot revisit the topic. See how location sharing feels and then see if you still want it later in your relationship.

As every couple has its own rules and behaviors for success, there is no single answer to whether you should share your location with your partner. You know your partner—and yourself—best to answer this question. Be safe, whatever option you choose.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against state-sponsored attacks” to “About Apple threat notifications and protecting against mercenary spyware.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

• Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
• Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

How to stay safe

Apple advises iPhone users to:

• Enable Lockdown mode.
• Keep devices up to date.
• Protect devices with a passcode.
• Use Multi-Factor-Authentication (MFA) for your Apple ID.
• Only install apps from the App Store.
• Use strong and unique passwords online.
• Don’t click on links or attachments from unknown senders.

We’d like to add:

• Use an anti-malware solution on your device.
• If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
• Use a password manager.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

AT&T has notified US state authorities and regulators about its recent (or not) data breach, saying 51,226,382 people were affected.

For those that have missed the story so far:

• Back in 2021, a hacker named Shiny Hunters claimed to have breached AT&T.
• On March 20, 2024, we reported how the data of over 70 million people was posted for sale on an online cybercrime forum. The seller claimed the data came from the Shiny Hunters breach. However, AT&T denied (both in 2021 and in March, 2024) that the data came from its systems.
• On March 30, AT&T reset customer passcodes after a security researcher discovered the encrypted login passcodes found in the leaked data were easy to decipher.
• Finally, on April 2, 2024, AT&T confirmed that 73 million current and former customers were caught up the data leak.

Weirdly enough, in the data breach notification, AT&T says the date of discovery of the breach was March 26, 2024. AT&T has still not disclosed the source of the leak, but says the data appears to be from June 2019 or earlier.

Malwarebytes VP of Consumer Privacy, Oren Arar, describes the AT&T breach as “especially risky” because of the type of data that’s been exposed.

“SSN, name, date of birth—this is personal identifiable information (PII) that cannot be changed, and if scammers get their hands on it, it just makes their work in stealing people’s identities a lot easier. In addition, this exposed data was published on the internet – in a way that anyone could access it, and not on the dark web where you need some expertise to find it”.

Check if your data was exposed

Malwarebytes has an easy, free tool—the Malwarebytes Digital Footprint Portal—that allows you to check if your data was exposed in the AT&T breach. Simply click the button below, enter your email address, and follow the prompts on the screen.

After our tool completes a digital footprint analysis on the internet and the dark web, you will be presented with a small graphic that directly addresses your involvement in the AT&T breach, with other relevant information.

When receiving your Digital Footprint Portal results, a pink bubble with the words “Exposed on AT&T breach” mean that your information was affected in the AT&T breach.

A green bubble with the words “Not exposed on AT&T breach” mean that your information was not affected in the AT&T breach—but it may still have been leaked through various, other breaches, which our tool can provide more information on.

Click the button below to begin your free, digital scan.

We will keep you posted of any new developments in this case. Stay tuned!

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

It takes a little to receive a lot of online hate today, from simply working as a school administrator to playing a role in a popular movie or video game.

But these moments of personal crisis have few, immediate solutions, as the current proposals to curb and stem online harassment zero in on the systemic—such as changes in data privacy laws to limit the personal information that can be weaponized online or calls for major social media platforms to better moderate hateful content and its spread.

Such structural shifts can take years (if they take place at all), which can leave today’s victims feeling helpless.

There are, however, a few steps that everyday people can take, starting now, to better protect themselves against online hate and harassment campaigns. And thankfully, none of them involve “just getting off the internet,” a suggestion that, according to Leigh Honeywell, is both ineffective and unwanted.

“The [idea that the] answer to being bullied is that you shouldn’t be able to participate in public life—I don’t think that’s okay,” said Honeywell, CEO and co-founder of the digital safety consultancy Tall Poppy.

Speaking to me on the Lock and Code podcast last month, Honeywell explained that Tall Poppy’s defense strategies to online harassment incorporate best practices from Honeywell’s prior industry—cybersecurity.

Here are a few steps that people can proactively take to limit online harassment before it happens.

Get good at Googling yourself

One of the first steps in protecting yourself from online harassment is finding out what information about you is already available online. This is because, as Honeywell said, much of that information can be weaponized for abuse.

Picture an angry diner posting a chef’s address on Yelp alongside a poor review, or a complete stranger sending in a fake bomb threat to a school address, or a real-life bully scraping the internet for embarrassing photos of someone they want to harass.  

All this information could be available online, and the best way to know if it exists is to do the searching yourself.

As for where to start?

“First name, last name, city name, or other characteristics about yourself,” Honeywell said, listing what, specifically, to search online.

It’s important to understand that the online search itself may not bring immediate results, but it will likely reveal active online profiles on platforms like LinkedIn, X (formerly Twitter), Facebook, and Instagram. If those profiles are public, an angry individual could scrape relevant information and use it to their advantage. Even a LinkedIn profile could be weaponized by someone who calls in fake complaints to a person’s employer, trying to have them fired from their position.

In combing through the data that you can find about yourself online, Honeywell said people should focus on what someone else could do with that data.

“If an adversary was trying to find out information about me, what would they find?” Honeywell said. “If they had that information, what would they do with it?”

Take down what you can

You’ve found what an adversary might use against you online. Now it’s time to take it down.

Admittedly, this can be difficult in the United States, as Americans are not protected by a national data privacy law that gives them the right to request their data be deleted from certain websites, platforms, and data brokers.

Where Americans could find some help, however, is from online resources and services that streamline the data removal process that is enshrined in some state laws. These tools, like the iOS app Permission Slip, released by Consumer Reports in 2022, show users what types of information companies are collecting about them, and give user the opportunity to request that such data be deleted.

Separately, Google released on online tool in 2023 where users can request that certain search results that contain their personal information be removed. You can learn more about the tool, called “Results about you,” here.

When all else fails, Honeywell said that people shouldn’t be afraid to escalate the situation to their state’s regulators. That could include filing an official complaint with a State Attorney General, or with the Consumer Financial Protection Bureau, or the Federal Trade Commission.

“It sounds like the big guns,” Honeywell said, “but I think it’s important that, as individuals, we do what we can to hold the companies that are creating this mess accountable.”

Lock down your accounts

If an adversary can’t find your information through an online search, they may try to steal that information by hacking into your accounts, Honeywell said.

“If I’m mad at David, I’m going to hack into David’s email and share personal information,” Honeywell said. “That’s a fairly standard way that we see some of the worst online harassment attacks escalate.”

While hackers may have plenty of novel tools at their disposal, the best defenses you can implement today are the use of unique passwords and multifactor authentication.

Let’s first talk about unique passwords.

Each and every single one of your online accounts—from your email, to your social media profiles, to your online banking—should have a strong, unique password. And because you likely have dozens upon dozens of online accounts to manage, you should keep track of all those passwords with a devoted password manager.

Using unique passwords is one of the best defenses to company data breaches that expose user login credentials. Once those credentials are available on the dark web, hackers will buy those credentials so they can attempt to use them to gain access to other online accounts. You can prevent those efforts going forward by refusing to repeat passwords across any of your online accounts.

Now, start using multifactor authentication, if you’re not already.

Multifactor authentication is offered by most major companies and services today, from your bank, to your email, to your medical provider. By using multifactor authentication, also called MFA or 2FA, you will be required to “authenticate” yourself with more than just your password. This means that when you enter your username and password onto a site or app, you will also be prompted with entering a separate code that is, in many cases, sent to your phone via text or an app.

MFA is one of the strongest protections to password abuse, ensuring that, even if a hacker has your username and password, they still can’t access your account because they will not have the additional authentication that is required to complete a login.

In the world of cybersecurity, these two defense practices are among the gold standard in stopping cyberattacks. In the world of online harassment, they’re much the same—they work to prevent the abuse of your online accounts.

Here to help

Online harassment is an isolating experience, but protecting yourself against it can be quite the opposite. Honeywell suggested that, for those who feel overwhelmed or who do not know where to start, they can find a friend to help.

“Buddy up,” Honeywell said. “If you’ve got a friend who’s good at Googling, work on each other’s profile, identify what information is out there about you.”

Honeywell also recommended going through data takedown requests together, as the processes can be “extremely tedious” and some of the services that promise to remove your information from the internet are really only trying to sell you a service.

If you’re still wondering what information about you is online and you aren’t comfortable with your way around Google, Malwarebytes has a new, free tool that reveals what information of yours is available on the dark web and across the internet at large. The Digital Footprint Portal, released in April, provides free, unlimited scans for everyone, and it can serve as a strong first step in understanding what information of yours needs to be locked down.

To learn what information about you has been exposed online, use our free scanner below.

Digital security is about so much more than malware. That wasn’t always the case. 

When I started Malwarebytes more than 16 years ago, malware was the primary security concern—the annoying pop-ups, the fast-spreading viruses, the catastrophic worms—and throughout our company’s history, Malwarebytes routinely excelled against this threat. We caught malware that other vendors missed, and we pioneered malware detection methods beyond the signature-based industry standard.  

I’m proud of our success, but it wasn’t just our technology that got us here. It was our attitude.  

At Malwarebytes, we believe that everyone has the right to a secure digital life, no matter their budget, which is why our malware removal tool was free when it launched and remains free today. Our ad blocking tool, Browser Guard is also available to all without a charge. This was very much not the norm in cybersecurity, but I believe it was—and will always be—the right thing to do.  

Today, I am proud to add to our legacy of empowering individuals regardless of their wallet by releasing a new, free tool that better educates and prepares people for modern threats that abuse exposed data to target online identities. I’d like to welcome everyone to try our new Digital Footprint Portal.  

See your exposed data in our new Digital Footprint Portal.

By simply entering an email address, anyone can discover what information of theirs is available on the dark web to hackers, cybercriminals, and scammers. From our safe portal, everyday people can view past password breaches, active social media profiles, potential leaks of government ID info, and more.  

More than a decade ago, Malwarebytes revolutionized the antivirus industry by prioritizing the security of all individuals. Today, Malwarebytes is now also revolutionizing digital life protection by safeguarding the data that serves as the backbone of your identity, your privacy, your reputation, and your well-being online.  

Why data matters 

I can’t tell you how many times I’ve read that “data is the new oil” without reading any explanations as to why people should care.  

Here’s my attempt at clarifying the matter: Too much of our lives are put online without our control.  

Creating a social media account requires handing over your full name and birthdate. Completing any online shopping order requires detailing your address and credit card number. Getting approved for a mortgage requires the exchange of several documents that reveal your salary and your employer. Buying a plane ticket could necessitate your passport info. Messaging your doctor could involve sending a few photos that you’d like to keep private.  

As we know, a lot of this data is valuable to advertisers—this is what pundits focus on when they invoke the value of “oil” in discussing modern data collection—but this data is also valuable to an entirely separate group that has learned to abuse private information in novel and frightening ways: Cybercriminals.  

Long ago, cybercriminals would steal your username and password by fooling you with an urgently worded phishing email. Today, while this tactic is still being used, there’s a much easier path to data theft. Cybercriminals can simply buy your information on the dark web.  

That information can include credit card numbers—where the risk of financial fraud is obvious—and even more regulated forms of identity, like Social Security Numbers and passport info. Equipped with enough forms of “proof,” online thieves can fool a bank into routing your money elsewhere or trick a lender into opening a new line of credit in your name.  

Where the risk truly lies, however, is in fraudulent account access.  

If you’ve ever been involved in a company’s data breach (which is extremely likely), there’s a chance that the username and password that were associated with that data breach can be bought on the dark web for just pennies. Even though each data breach involves just one username and password for each account, cybercriminals know that many people frequently reuse passwords across multiple accounts. After illegally purchasing your login credentials that were exposed in one data breach, thieves will use those same credentials to try to log into more popular, sensitive online accounts, like your online banking, your email, and your social media.  

If any of these attempts at digital safe-cracking works, the potential for harm is enormous.  

With just your email login and password, cybercriminals can ransack photos that are stored in an associated cloud drive and use those for extortion. They can search for attachments that reveal credit card numbers, passport info, and ID cards and then use that information to fool a bank into letting them access your funds. They can pose as you in bogus emails and make fraudulent requests for money from your family and friends. They can even change your password and lock you out forever. 

This is the future of personal cybercrime, and as a company committed to stopping cyberthreats everywhere, we understand that we have a role to play in protecting people.  

We will always stop malware. We will always advise to create and use unique passwords and multifactor authentication. But today, we’re expanding our responsibility and helping you truly see the modern threats that could leverage your data.  

With the Digital Footprint Portal, who you are online is finally visible to you—not just cybercriminals. Use it today to understand where your data has been leaked, what passwords have been exposed, and how you can protect yourself online.  

Digitally safe 

Malwarebytes and the cybersecurity industry at large could not have predicted today’s most pressing threats against online identities and reputations, but that doesn’t mean we get to ignore them. The truth is that Malwarebytes was founded with a belief broader than anti-malware protection. Malwarebytes was founded to keep people safe.  

As cybercriminals change their tactics, as scammers needle their way onto online platforms, and as thieves steal and abuse the sensitive data that everyone places online, Malwarebytes will always stay one step ahead. The future isn’t about worms, viruses, Trojans, scams, pig butchering, or any other single scam. It’s about holistic digital life protection. We’re excited to help you get there.  

In news that is, sadly, unlikely to shock you, new research indicates that many websites ignore visitors’ choices to refuse cookies and collect their data anyway.

Researchers at the University of Amsterdam (UvA) analyzed 85,000 European websites and came to the conclusion that 90% of them violated at least one privacy regulation.

Cookies are bits of data that websites save on your computer when you look at a page, view an image, download a file, or interact with them in any other way. Cookies help websites remember you, which is often useful, particularly if you are logging in to a website, but they can also be used for things that some users don’t like, such as tracking. Tracking cookies are used by marketers to target you with ads that may interest you based on your browsing habits.

Working with researchers from Swiss university ETH Zürich, the team from UvA created a machine-learning tool that allowed them to analyze 100,000 websites. The main goal was to compare what information websites said they would gather with what they actually did. The researchers found an enormous number of privacy violations.

To make the data a bit more insightful, they discriminated between “naive” violations and deliberate violations.

Naive violations are things like not offering a choice to reject cookies (affecting 57% of sites), and forgetting to ask for permission to store cookies (which occurred on 32% of websites visited by Europeans). Forgetting to ask for permission, or making it very hard to reject cookies, is very easy to spot, yet several major website owners have already been fined for violations like this.

But then we enter the realm of deliberate privacy violations. Of the websites that offered visitors a choice, 65% used tracking cookies, even if visitors chose to reject them. In many cases, websites created the cookies even before the visitor had the chance to make their choice.

More than 77% of the websites chose to interpret closing a cookie notification dialog as user consent.

On top of this, many websites also used so-called “dark patterns” to manipulate visitors into making the site’s preferred choice. Dark patterns, also known as deceptive design patterns, occur when a user interface has been crafted to nudge or trick users into doing things they didn’t set out to do.

Dark patterns are not subliminal messaging or visual or auditory stimuli that the conscious mind cannot perceive, although advertisers have been accused of using those as well. It’s more like making the accept button bright and easy to find and the reject button dark, smaller, or harder to read.

The researchers came to the conclusion that the way the cookie consent system is working is far from satisfactory. Small websites don’t have the technical and legal knowledge to comply, and some others are simply choosing to ignore or bend the rules.

And warnings to website owners seem to fall on deaf ears. Since March 31, 2021, when the deadline set for websites and mobile applications to comply with the new rules on cookies expired, the French privacy watchdog Commission Nationale de l’Informatique et des Libertés (CNIL) has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024.

The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019. The IAAP program, used an adversary-in-the-middle method called to intercept and decrypt Snapchat’s—and later YouTube’s and Amazon’s—SSL-protected analytics traffic to provide information for Facebook’s competitive decision making. Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client.

On June 9, 2016, Facebook CEO Mark Zuckerberg complained about the lack of analytics about competitor Snapchat.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . .

Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

So, as part of the IAAP program, the company started Project Ghostbusters by using Onavo. Onavo was a VPN-like research tool that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

The Project Ghostbusters technique relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers. SSL bumping, also known as SSL interception, involves intercepting and decrypting SSL/TLS traffic, inspecting it for malicious content or policy violations, and then re-encrypting and forwarding it to the intended destination.

To gain access to the data about their competitor, Facebook incentivized users to install “kits” on both Android and iOS devices that impersonated official servers and decrypted traffic that Facebook had no right to access.

These kits allowed Facebook to intercept traffic for specific sub-domains, allowing them to read what would otherwise be encrypted traffic and to measure in-app usage of their competitor’s apps. The users were clueless about what the kits did exactly, but it allowed the operators to view and analyze the traffic before it got encrypted.

According to the court documents, advertisers suing Meta claim that Facebook later expanded the program to Amazon and YouTube. This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, because it prohibits intentionally intercepting electronic communications with no applicable exception and the use of such intercepted communications.

We’ll keep you updated on how this develops.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen.

Of those users that weren’t logged in when they watched those videos between January 1 and 8, 2023, the authorities asked for the IP addresses.

The starting point of one of the investigations is an entity that uses the handle “elonmuskwhm” and is suspected of money laundering by selling Bitcoin for cash. As part of the investigation, agents sent the suspect links to tutorials on YouTube about mapping via drones and augmented reality software.Then they asked YouTube to send them data about the people that watched that video.

But those video tutorials were not private and had been watched over 30,000 times by the time the agents asked YouTube’s parent company Google for information about the viewers.

In another case, related to a bomb threat, the authorities asked for information about the viewers of eight selected live streams. One of those live streams has over 130,000 subscribers.

The police received a threat from an unknown male that there was an explosive placed in a trash can in a public area. When the police went to investigate the matter, they found out their actions were broadcasted through a YouTube live stream camera. Apparently similar events had taken place before, so for good reason law enforcement is after the evildoers.

But asking for data of that many viewers, many of which we can assume to be innocent bystanders, goes against what privacy experts believe to be reasonable. This type of digital dragnets go against the fourth amendment: freedom from unreasonable searches.

Albert Fox-Cahn, executive director at the Surveillance Technology Oversight Project (STOP) said:

“No one should fear a knock at the door from police simply because of what the YouTube algorithm serves up. I’m horrified that the courts are allowing this.”

According to the documents Forbes has seen, the court granted the order but asked Google not to make it public. We don’t currently know if Google complied with the request for information.

Google spokesperson Matt Bryant told Forbes:

“We examine each demand for legal validity, consistent with developing case law, and we routinely push back against over broad or otherwise inappropriate demands for user data, including objecting to some demands entirely.”

STOP condemned the US Department of Justice for securing a bulk warrant to track every YouTube user who watched the completely legal videos about mapping software for drones.

John Davisson, senior counsel at the Electronic Privacy Information Center, told Forbes:

“What we watch online can reveal deeply sensitive information about us—our politics, our passions, our religious beliefs, and much more. It’s fair to expect that law enforcement won’t have access to that information without probable cause. This order turns that assumption on its head.”

Warrants like these turn innocent people into suspects for no other reason than watching a perfectly legal video. The YouTube warrants are similar to geofence warrants, where court issues a search warrant to allow law enforcement to search a database to find all active mobile devices within a particular area.

These warrants turn the fear that certain online searches or your viewing history is going to put you on some kind of list, into reality. It also encourages users to use a VPN for even the most harmless activities and discourages YouTube visitors from logging in.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Skater brand Vans emailed customers last week to tell them about a recent “data incident.”

On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to “external threat actors.” An investigation revealed that the incident involved some personal information of Vans’ customers. The affected information could include:

• Email address
• Full name
• Phone number
• Billing address
• Shipping address

In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached.

The data incident turned out to be a ransomware attack. In a filing with the Securities and Exchanges Commission (SEC), parent company V.F. Corporation stated the hackers disrupted business operations and stole the personal information of approximately 35.5 million individual consumers.

The attack was claimed by the ALPHV/BlackCat ransomware group. This happened during the period that ALPHV was in a spot of trouble themselves by events eventually leading to faking their own death.  It is unclear whether VF Corporation was able to use the decryptor made available after law enforcement seized control of ALPHV’s infrastructure, even though ALPHV reportedly claimed that the company tried to obtain a decryptor from law enforcement.

Vans says there’s no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set, but it does warn about phishing and fraud attempts which could lead to identity theft.

Data breach tips

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll send you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Three researchers scanned the internet for vulnerable Firebase instances, looking for personally identifiable information (PII).

Firebase is a platform for hosting databases, cloud computing, and app development. It’s owned by Google and was set up to help developers build and ship apps.

What the researchers discovered was scary. They found 916 websites from organizations that set their Firebase instances up incorrectly, some with no security rules enabled at all.

One of the researchers told BleepingComputer that most of the sites also had write enabled (meaning anyone can change it) which is bad, and one of them was a bank.

During a sweep of the internet that took two weeks, the researchers scanned over five million domains connected to Google’s Firebase platform.

The total amount of exposed data is huge:

• Names: 84,221,169
• Emails: 106,266,766
• Phone Numbers: 33,559,863
• Passwords: 20,185,831
• Billing Info (Bank details, invoices, etc): 27,487,924

And as if that isn’t bad enough, 19,867,627 of those passwords were stored in plaintext. Which is a shame given that Firebase has a built-in end-to-end identity solution called Firebase Authentication that is specifically designed for secure sign-in processes and does not expose user passwords in the records.

So, an administrator of a Firebase database would have to go out of their way and create an extra database field in order to store the passwords in plaintext.

The researchers have warned all the affected companies, sending 842 emails in total. Only 1% of the site owners replied, but about a quarter of them did fix the misconfiguration.

In this case we can consider it a blessing that these researchers managed to get a lot of those instances correctly configured. On the other hand it’s frightening that the rest lives on in a state of insecurity.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Social media influencers are attractive targets for identity thieves. With large followings and a literal influence on their followers, it’s no wonder they are targeted by scammers and spreaders of fake news.

A subset of influencers are the so-called “finfluencers”: influencers that provide their followers with financial advice. Such a person influences the financial investment decisions of their followers by doling out advice or recommendations. This comes in the form of get-rich-quick schemes, cryptocurrency related advice, stock investment, financial planning, or just about anything people can do to make money.

On the platforms that matter these days, like YouTube, TikTok and Instagram, the number of followers of some of the well-known finfluencers far exceeds the numbers of followers of some of the biggest broking houses. In May of 2023, India banned a YouTube finfluencer with over a million followers from the securities markets for a year for allegedly providing advisory services—daily stock investment/trading calls—without registering with the regulator.

With enough followers that heed their advice, these finfluencers also can have an effect on the financial markets. With enough demand, prices go up and if you know that’s going to happen, making money is indeed easy.

And as an exit scam in which you make one big whopper and then disappear, that’s a very profitable strategy. But most influencers are in it for the long run and don’t want to ruin the reputation they built. Unless their account falls into the wrong hands.

In October of 2023, the Federal Trade Commission warned people with a lot of social media followers they might be the target of scammers. These scammers would come up with fake job offers of offering to pay them for product promotion as “brand ambassadors.” But in reality the scammers are after personal and financial information.

Typically, the scammers say they’ll send you free products and pay you large amounts of money to promote those products in your social media posts. All you have to do is to accept the offer and give them your personal and banking information so they can pay you.

What the scammers are really after can vary from cleaning out the influencers’ bank accounts to taking over their social media accounts. “If you provide us with your login credentials, you don’t have to do the work, we’ll post the promotional content ourselves.”

The scammers will then leave the influencer behind with an account that has a bad reputation and lost a good part of its followers.

Some good news might come from the regulation side. The governments of ten nations have called on social media operators to improve their ability to detect and prevent fraud on their platforms. Australia, Canada, France, Germany, Italy, Japan, New Zealand, the Republic of Korea, Singapore, the United Kingdom, and the United States did this because:

“Fraudsters operate at scale, exploiting telecommunications networks, cyberspace and a population that spends an increasing amount of time online.”

In a communiqué issued as a result of the Global Fraud Summit, which also included representatives from INTERPOL, the Financial Action Task Force, the UN Office on Drugs and Crime, and the European Union, the partakers listed 29 action points that should help reduce online fraud.

It will be hard to accomplish this goal but as we have seen, similar actions led to a promising decline in robocalls. Australia also reported progress towards their vision of making Australia the world’s hardest target for scammers with, for example, a 38% decrease in losses due to investment scams.

What can influencers do to protect themselves

• Always assume that if it’s too good to be true, then it’s probably not true.
• Never give out your personal or financial information without doing proper research first.
• Contact the company directly to confirm the offer. Use a phone number or contact method you know to be legitimate.
• Check if the person contacting you is using an email address that’s affiliated with the company they claim to represent.
• Don’t let any person or app create posts on social media on your behalf.
• Don’t let scammers rush you into decisions. They will always claim it’s urgent or you need to act fast.

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

The House of Representatives has passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app.

TikTok is an immensely popular social media platform that allows users to create, share, and discover, short video clips. It’s experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5 billion users, with an estimated 170 million of them in the US.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices, but a complete ban of an internet app would be a first in the US.

Other countries have done this before. In 2020, India was the first country to ban TikTok, along with around 200 other Chinese apps that were all blocked from operating within the country. The ban cost TikTok some 200 million users.

General Paul Nakasone, Director of the National Security Agency (NSA) certainly fueled the feeling of necessity for such a ban. Speaking at a US Senate hearing in March 2023, the general said “one third of Americans get their news from TikTok”, adding “one sixth of American youth say they’re constantly on TikTok. That’s a loaded gun.”

And a former executive at TikTok’s parent company ByteDance claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US. The allegations were made in a wrongful dismissal lawsuit which was filed in May in the San Francisco Superior Court.

Ever since then, TikTok has been battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP. For example, TikTok has repeatedly claimed the Chinese government never demanded access to US data and that TikTok would not comply if it did.

All this, and the fear of foreign influence on the upcoming elections, led to the bipartisan legislation introduced in the House with the expectation to send it to the Senate later this week.

Essentially, the bill says that TikTok has to find a new owner that is not based in a foreign adversarial country within the next 180 days or face a ban until it does comply.

The Electronic Frontier Foundation (EFF), an international non-profit digital rights group based in the US, says it opposes this bill, mainly because it is afraid that TikTok will not be the last app to face this type of ban. It mentions Tencent’s WeChat app as an example of what could be the next target.

A year ago, supporters of digital rights across the country successfully stopped the federal RESTRICT Act aka the “TikTok ban.” The RESTRICT Act was introduced in the United States Senate on March 7, 2023 and requires federal actions to identify and mitigate foreign threats to information and communications technology products and services (e.g., social media applications). It also establishes civil and criminal penalties for violations under the bill.

The EFF argues that the bill will not stop the sharing of data but it will reduce online rights in a way that is unconstitutional. And it says the focus should be on the common practice of data collection in the first place, rather than single out one app.

The point made by the EFF stipulates that data brokers will continue to sell our information to whomever is willing to pay. And the apps providing brokers with data are certainly not limited to those that hail from a foreign adversarial country.

Chinese officials reportedly said the government would “firmly oppose” any forced sale of TikTok because it would “seriously undermine the confidence of investors from various countries, including China, to invest in the United States.”

Check your digital footprint

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Some hoaxes on Facebook are years old, but like a cat with nine lives they keep coming back again and again. This is certainly the case with this most recent hoax.

Fact-checking site Snopes is reporting on a hoax that concerns Meta’s use of our photos, messages and other posts on Facebook. Users are told in numerous ways to repost something that contains the phrase:

“I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.”

“Hello It’s official. Signed at 8:44 PM. It was even on TV. Mine really turned blue. Don’t forget that tomorrow starts the new Facebook rule (aka… new name, META) where they can use your photos. Don’t forget the deadline is today!!!

I do not authorize META, Facebook or any entity associated with Facebook to use my photos, information, messages or posts, past or future.

With this statement, I notify Facebook that

it is strictly prohibited to disclose, copy, distribute or take any other action against me based on this profile and/or its contents. Violation of privacy may be punishable by law.

Here’s how to do it:

Hold your finger anywhere in this message and “copy” will appear. Click “copy”. Then go to your page, create a new post and place your finger anywhere in the empty field. “Paste” will appear and click Paste.

This will bypass the system….

He who does nothing consents.”

The first round of hoax posts similar to this one surfaced in 2012 (and have resurfaced many times since then). As you can see in this page on the Internet archives, Facebook even issued a statement about it:

“Fact Check

Copyright Meme Spreading on Facebook

There is a rumor circulating that Facebook is making a change related to ownership of users’ information or the content they post to the site. This is false. Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.”

It’s not a Real Thing

With all the—legitimate—concern around keeping personal data private, one can see why people fall for hoaxes like this. However, this copy-paste post does nothing. Facebook doesn’t get to “own” your content and you don’t need to make any declarations about copyright issues since the law already protects you.

Equally, Facebook users cannot retroactively negate any of the privacy or copyright terms they agreed to when they signed up for their accounts, simply by posting a contrary legal notice on to Facebook.

In other words, you agreed to Facebook’s terms of use and when you did, you provided Facebook with a right to use, distribute, and share the things you post, subject to the terms and applicable privacy settings. If that doesn’t sit well with you, it’s worth considering deactivating or deleting your Facebook account.

Sharing posts like this “just in case” continues the hoax and unnecessarily worries people who might see your post. If you’re not sure about whether you should share something, it’s worth googling the post’s text to check if there are any alerts about it.

Check your own digital footprint

If you are worried about how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.