Bitsight’s TRACE research team revealed the issue in a report released this month. The cameras were providing the images without any kind of password or authentication, it said. While some of them were connected to businesses, showing images of offices, retail stores, and factories, many were likely connected in private residences.

Many cameras contain their own web servers that people can access remotely using a browser or app so that they can monitor their premises while away. These are often completely exposed to the internet, according to the report. That means anyone could access the video feed by typing in the right IP address.

The highest number of exposed cameras by far was in the US, at around 14,000. Breaking down the states there showed the highest concentrations in California and Texas.

Japan, the second highest country, had just half that, at 7,000. After that came Austria, Czechia, South Korea, Germany, Italy, Russia, and Taiwan.

The big threat for such users is privacy. People put these cameras everywhere, including extra-private spaces in their homes like kids’ and adults’ bedrooms. Attackers might spy on people or even set them up for extortion if the images are compromising.

Aside from the obvious privacy implications, there are other security worries, the report said. Cameras could be used to gather surveillance data by someone planning a physical intrusion, it pointed out.

But access to admin interfaces is just one threat; getting SSH access (which allows someone to log into the device via a terminal and control it as they would a regular computer) could give an attacker total control over the camera’s hardware and software if they’re able to exploit vulnerabilities left there by the manufacturer.

If this happens, a camera (which is, after all, just a computer with a lens) could become a jumping-off point for the attacker to compromise other computers on the network. Or it could be joined to a botnet to do the attacker’s bidding.

Botnets made of up connected devices are common. One of the most famous such botnets, Mirai, co-opted cameras and other internet-connected systems to launch denial of service attacks, in which thousands of devices would try to connect with a target, flooding it with traffic and rendering it inoperable.

Bitsight’s report also cites one case where attackers used vulnerabilities in a camera to install ransomware on it.

A long history of camera compromise

Internet-enabled camera issues are nothing new. Finding exposed feeds, whether via Bitsight’s own scanning engine or via publicly accessible ones like Shodan.io, is like shooting fish in a barrel. Indeed, Bitsight did something similar in 2023. In the past, we’ve seen sites like Insecam (now offline), which streamed images from 40,000 unsecured video cameras around the world. Some of those cameras were doubtless there for public consumption, just as many were not.

Finding unsecured feeds is so easy because people tend to just plug these things in and turn them on, much as you might use a portable air conditioner. Vendors should force some basic cybersecurity hygiene, but they don’t, because they don’t want to introduce any costly friction. Regulation for connected smart devices like IP cameras has emerged in the US and the UK, but enforcement is another issue.

Some might advise you to only choose a respectable brand of IP camera, but you can’t always trust big-name vendors who claim to act responsibly. Last year, Amazon settled with the Federal Trade Commission, paying $5.6m over charges that its employees and contractors spied on users of its Ring cameras.

Ring allowed everyone working for it to see any customer’s feeds, the FTC said, which led to some employees repeatedly accessing feeds of young women in sensitive areas of the home. Ring also failed to protect its cameras adequately against intruders that compromised them, the FTC said. That led to intruders taking control of the cameras. They would use camera microphones to hurl racial slurs at children, and swear at women lying in bed, the complaint alleged.

Other vendor missteps have included Wyze accidentally showing customers each others’ video feeds, and Eufy sending camera images to the cloud when it said it wouldn’t.

How to protect your internet-enabled camera

We can’t think of a worse privacy scenario than having someone snoop on you and your loved ones in what is supposed to be your safest space. Letting any connected device into your home is always risky, especially when it has video capabilities. Here is some advice to minimize that risk:

• Use unique credentials. Make sure that you set unique logins and passwords for your cameras so that people can’t just stroll in and view them. That means taking some time to configure the camera through its admin interface and making sure to change the default password.
• Restrict IP camera use to non-sensitive places as much as possible. While some Ring customers apparently needed cameras in the bathroom and bedroom, we urge you to think twice.
• Research the camera for vulnerabilities. Check to see whether the brand you’re considering has had any security issues in the past, and how quickly the issues have been fixed.
• Try accessing your camera insecurely. Try accessing your camera remotely without using your login credentials. If you can, then so can everyone else.
• Patch regularly. Find out how to update your device with the latest security patches and check for updates regularly, or preferably set it to update automatically if you can.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The hackers pulled this off by posing as US Department of State officials in advanced social engineering attacks, building a rapport with the target and then persuading them into creating app-specific passwords (app passwords).

App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Normally, when you sign in to your Google account, you use your regular password plus a second verification step like a code sent to your phone. But since some older or less secure apps and devices—like certain email clients, cameras, or older phones—are unable to handle this extra verification step, Google provides app passwords as an alternative way to sign in.

However, because app passwords skip the second verification step, hackers can steal or phish them more easily than a full MFA login.

In an example provided by CitizenLab, the attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation.

Although the invitation came from a Gmail account, it CCed four @state.gov accounts, giving a false sense of security and making the target believe that other people at the State Department had monitored the email conversation.

Most likely, the attacker fabricated those email addresses, knowing that the State Department’s email server accepts all messages and does not send a bounce response even if the addresses do not exist.

As the conversation unfolded and the target showed interest, they received an official looking document with instructions to register for an “MS DoS Guest Tenant” account. The document outlined the process of  “adding your work account… to our MS DoS Guest Tenant platform,” which included creating an app password to “enable secure communications between internal employees and external partners.”

So, while the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.

The targets of this campaign, which ran for months, were prominent academics and critics of Russia, and was set up with so much attention for details and skill that the researchers suspect the attacker was a Russian state-sponsored entity.

Be safe, avoid app passwords

Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future. Here’s how to stay safe:

• Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
• The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
• Regularly educate yourself and others about recognizing phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
• Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. And limit those logins where possible.
• Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember yourself.
• Use security software that can block malicious domains and recognize scams.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

• The data on denying social media for kids (re-air) (Lock and Code S06E12)
• Reddit’s new AI-powered tools scan your posts to serve you better ads
• Smart air fryers ordered to stop invading our digital privacy
• WhatsApp to start targeting you with ads
• Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number
• 5 riskiest places to get scammed online
• Fake bank ads on Instagram scam victims out of money
• Mattel’s going to make AI-powered toys, kids’ rights advocates are worried
• Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online

Last week on ThreatDown:

• Atomic Stealer now using clipboard hijacking to target Macs
• SimpleHelp exploited by DragonForce ransomware group

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Researchers at Cybernews have discovered 30 exposed datasets containing from several millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.

The likely source: information stealers, or infostealers for short. Infostealers are malicious software designed specifically to gather sensitive information from infected devices. These malware variants silently extract credentials stored in browsers, email clients, messaging apps, and even crypto wallets, and send the data to cybercriminals.

The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. And no chance for us to cross-reference the data with our sources to find out more about their origin and age.

But that doesn’t take away from the fact that these credentials are in the hands of cybercriminals who can use them for:

• Account takeovers: Cybercriminals can use stolen credentials to hijack social media, banking, or corporate accounts.
• Identity theft: Personal details enable fraud, loan applications, or impersonation.
• Targeted phishing: Combining leaked data allows cybercriminals to engage in very convincing and personalized scams.
• Ransomware/business email compromise (BEC) attacks: Compromised business credentials facilitate network intrusions or fraudulent wire transfers.

The leak includes credentials for virtually every large online service. Apple, Google, Facebook, Telegram, developer platforms, VPNs, and more.

And the number is so massive it exceeds our imagination. If you printed each credential (16 billion usernames + passwords) on a single line, using standard paper, and stacked the pages, the pile would reach far beyond the edge of the stratosphere (roughly 35 miles).

How to protect against infostealers

There are a few things you can do to limit the dangers of infostealers:

• Use an up-to-date and active anti-malware solution that can detect and remove infostealers.
• Do not reuse passwords across different sites and services. A password manager can be very helpful to create safe passwords and remember them for you.
• Enable two-factor authentication (2FA) for every account you can. 2FA makes it much more difficult for an attacker to access your account with your login credentials. If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Check your digital footprint

Data stolen by infostealers is often sold or posted online. If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll give you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

In a press release last week, the owner of the Barbie brand signed a “strategic collaboration” with the AI company, which owns ChatGPT. “By using OpenAI’s technology, Mattel will bring the magic of AI to age-appropriate play experiences with an emphasis on innovation, privacy, and safety,” it said.

Details on what might emerge were scarce, but Mattel said that it only integrates new technologies into its products in “a safe, thoughtful, and responsible way”.

Advocacy groups were quick to denounce the move. Robert Weissman, co-president of public rights advocacy group Public Citizen, commented:

“Mattel should announce immediately that it will not incorporate AI technology into children’s toys. Children do not have the cognitive capacity to distinguish fully between reality and play.

Endowing toys with human-seeming voices that are able to engage in human-like conversations risks inflicting real damage on children. It may undermine social development, interfere with children’s ability to form peer relationships, pull children away from playtime with peers, and possibly inflict long-term harm.”

The kids aren’t alright

Some are concerned about the effect of AI on young developing minds. Researchers from universities including Harvard and Carnegie Mellon have warned about negative social effects, along with a tendency for children to attribute human-like properties to AI.

One such child, 14 year-old Sewell Seltzer III, took his own life after repeatedly talking to chatbots from Character.AI, which allows users to create their own AI characters.

In a lawsuit against the company, his mother Megan Garcia described how he began losing sleep and growing more depressed after using the service, to the point where he fell asleep in class. A therapist diagnosed him with anxiety and disruptive mood disorder. It emerged that he had become obsessed with an AI representing an adult character from Game of Thrones that purported to be in a real romantic relationship with him.

Past mistakes

We’re not suggesting Mattel would condone such activities. It cites “more than 80 years of earned trust from parents and families”, but that statement glosses over previous missteps.

These include Hello Barbie. Mattel launched this Wi-Fi connected doll in 2015 and encouraged kids to talk with it. It asked personal questions about children and their families, sending that audio to a third-party company that used AI to generate a response. Non-profit group Fairplay, which advocates for protecting children from inappropriate technology and brand marketing, launched a campaign protesting child surveillance. Subsequently, investigators found vulnerabilities that would allow intruders to eavesdrop on that audio. Mattel pulled the toy from shelves in 2017.

Fairplay executive Josh Golin slammed the OpenAI partnership announcement.

“Apparently, Mattel learned nothing from the failure of its creepy surveillance doll Hello Barbie a decade ago and is now escalating its threats to children’s privacy, safety and well-being.

Children’s creativity thrives when their toys and play are powered by their own imagination, not AI. And given how often AI ‘hallucinates’ or gives harmful advice, there is no reason to believe Mattel and OpenAI’s ‘guardrails’ will actually keep kids safe.”

Another incident where Mattel lost parents’ trust was back in November 2024 when a packaging mistake sent owners of its ‘Wicked’ doll to an adult movie website (Wicked Pictures) instead of a promotional landing page for the Wicked movie.

Incidents like these show that even with the best intentions in the world, companies can make mistakes.

Ultimately, it’s up to parents to make decisions about whether they’ll expose their children to AI-powered toys. It’s perhaps inevitable that AI will reach every corner of our lives, but is it ready and polished enough to be used on our children?

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

There are some variations in how the scammers approach this. Some use Artificial Intelligence (AI) to create deepfake videos aimed at gathering personal information, while others link to typosquatted domains that not just look the same but also have very similar domain names as the impersonated bank.

BleepingComputer shows an example of an advertisement, which claims to be from “Eq Marketing” and closely mimics EQ Bank’s branding and color scheme, while promising a rather optimistic interest yield of “4.5%”.

In this example, using the “Yes, continue with my account” button presents the user with a fraudulent “EQ Bank” login screen, prompting the visitor to provide their banking credentials. From there, it’s likely the scammers will empty the bank account and move on to their next victim.

Another fraudulent ad impersonates BMO bank’s Chief Investment Strategist and leader of the Investment Strategy Group Brian Belski. This may lead people to believe they are getting valuable financial advice, for example by luring them to a “private WhatsApp investment group”.

Impersonations of bank employees and authorities are increasing and can often sound very convincing. These scammers demand immediate payment or action to avoid further impacts, which can dupe individuals into inadvertently sending money to a fraudulent account.

It’s not just Instagram where WhatsApp investment groups are used as a lure by scammers. On X we see invites like these several times a week.

Recommendations to stay safe

As cyberthreats and financial scams become more sophisticated, it is increasingly difficult for individuals to determine if a request coming via social media, email, text, phone call or even video call is authentic.

By staying alert and proactive, you can outsmart even the most convincing deepfake scams. Remember, a healthy dose of skepticism is your best companion in the digital age.

• Verify before you trust: Always double check the legitimacy of any ad or message claiming to be from your bank. Go to your bank’s official website or contact them directly using verified contact details before taking any action.
• Double check the advertiser account: BleepingComputer found that the advertiser accounts running the fake ads on Instagram only had pages on Facebook, not on Instagram itself.
• Look for red flags: Be wary of ads that create a sense of urgency, promise unrealistic rewards, or ask for sensitive information like passwords or PINs. Authentic banks will never request such details through social media or ads.
• Scrutinize visuals and language: Deepfakes can be convincing, but subtle inconsistencies in video quality, unnatural facial movements, or awkward phrasing can be giveaways. Trust your instincts if something feels off.
• Enable Multi-Factor Authentication (MFA) : Strengthen your account security by enabling MFA on your banking and social media accounts. This adds an extra layer of protection even if your credentials are compromised.
• Report suspicious content: If you encounter a suspicious ad or message, report it to Instagram and notify your bank immediately. Your vigilance can help prevent others from falling victim.
• Use web protection: This can range from programs that block known malicious sites, to browser extensions that can detect skimmers, to sophisticated assistants that you can ask if something is a scam.
• Stay informed: Keep up to date with the latest scam tactics and security advice from your bank and reputable cybersecurity sources. Awareness is your best defense.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

They can text you fraudulent tracking links for packages you never bought. They can profess their empty love to you across your social media apps. They can bombard your email inbox with phishing attempts, impersonate a family member through a phone call, and even trick you into visiting malicious versions of legitimate websites.

But, according to new research from Malwarebytes, while scammers can reach people through just about any modern method of communication, they have at least five favored tracts for finding new victims—emails, phone calls and voicemails, malicious websites, social media platforms, and text messages. It’s here that people are most likely to find phishing attempts, romance scams, sextortion threats, and more, and it’s here that everyday people should stay most cautious when receiving messages from unknown senders or in responding to allegedly urgent requests for money or information.

For this research, Malwarebytes surveyed 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, asking about the frequency, type, impact, and consequences of any scams they found on their smartphones. Capturing just how aggravating today’s online world is, a full 78% of people said they encountered or received a scam on their smartphone at least once a week.

Here are the top five places that people actually encountered those weekly scams:

• 65% of people encountered a scam at least once a week through their email
• 53% encountered a scam at least once a week through phone calls and voicemails
• 50% encountered a scam at least once a week through text messages (SMS)
• 49% encountered a scam at least once a week through malicious websites
• 47% encountered a scam at least once a week through social media platforms

Unfortunately, scam prevention cannot fixate on only these five channels, as scammers change their tactics based on how they’re trying to trick their victims. For instance, though people were least likely to encounter a scam once a week through a buying or selling platform like Facebook Marketplace or Craigslist (36%), such platforms were of course the most likely place for scam victims to have their credit card details and passwords stolen by a scammer masquerading as a legitimate business.

The noise from such daily strife has become deeply confusing, as just 15% of people strongly agreed that they could confidently identify a scam on their phone.

Daily dilemma

While 78% of people encountered a scam on their smartphone at least once a week, a shocking 44% of people encountered a scam at least daily. Similar to the weekly breakdown, here are the top five ways that people encountered scams once a day:

• 34% of people encountered a scam at least once a day through their email
• 25% encountered a scam at least once a day through malicious websites
• 24% encountered a scam at least once a day through phone calls and voicemails
• 24% encountered a scam at least once a day through social media platforms
• 22% encountered a scam at least once a day through text messages (SMS)

This list encompasses so much of any person’s daily use of their smartphone. They use it to check emails, browse the internet, make phone calls, scroll through social media, and text family and friends. And yet, it is in these exact places that people have come to expect getting scammed. As if the 44% of people who encounter a daily scam wasn’t depressing enough, there are 28% of people who said they encounter scams “multiple times a day.”

But the frequency of scams can only reveal so much. How, exactly, are scammers trying to trick their targets?

Social engineering and extortion

Scams are so difficult to analyze because they vary both in their delivery method and their method of deceit. A message that tries to trick a person into clicking a package tracking link is a simple act of social engineering—relying on false urgency or faked identity to fool a victim. But that message itself can come through a text message or an email, and it can direct a person to a malicious website on the internet. A romance scam, similarly, can start on a social media platform but can move into a messaging service like WhatsApp. And sometimes, a threat to release private information—which can be categorized as “extortion”—can happen through a phone call, a text message, or any combination of other communication channels.

This is why, to understand how people were being harmed by scams, Malwarebytes asked respondents about roughly 20 types of cybercrime that they could encounter and experience.

Broadly, Malwarebytes found that 74% of people had “encountered” or come across a social engineering scam, and that 36% fell victim to such scams. These were the most common social engineering scams that people encountered and that they experienced:

• Phishing/smishing/vishing: 53% encountered and 19% experienced
• USPS/FedEx/postal scams: 42% encountered and 12% experienced
• Impersonation scams: 35% encountered and 10% experienced
• Marketplace or business scams: 33% encountered and 10% experienced
• Romance scams: 33% encountered and 10% experienced

For respondents who experienced any type of scam—making them scam victims—Malwarebytes also asked where they had found or encountered that scam. Here, the results show a far more intimate picture of where scams are most likely to harm the public.

For instance, 26% of charity scam victims were originally tricked on social media platforms. 37% of postal notification scam victims were first reached, predictably, through SMS/text messages. And, interestingly, despite how frequently cryptocurrency scams spread through social media, the most likely place for such a scam victim to be contacted was through email (30% for email vs. 13% for social media).

In its research, Malwarebytes also discovered that 17% of people have fallen victim to extortion scams, which includes ransomware scares, virtual kidnapping schemes, and threats to release sexually explicit photos (sextortion) or deepfake images.

Here, scam victims again shared where these scams arrived. The most popular channels for deepfake scammers to victimize people were social media platforms and emails—both at 17%. For sextortion scam victims, the most popular channel was email, at 35%. And 24% of virtual kidnapping scam victims said they were contacted through text messages, making it the most popular way to deliver such a threat.

These numbers may look depressing, but they should instead educate. No, there is no such thing as a perfectly safe communication channel today. But that doesn’t mean there isn’t help.

Check if something is a scam

Malwarebytes Scam Guard is a free, AI-powered digital safety companion that reviews any concerning text, email, phone number, link, image, or online message and provides on the spot guidance to help users avert and report scams. Just share a screenshot of any questionable message—like that strange email demanding a password reset or that alarming text flagging a traffic penalty—and Scam Guard will guide you to safety.

Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a sponsored search result on Google.

In the latest example of this type of scam, we found tech support scammers hijacking the results of people looking for 24/7 support for Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

Here’s how it works: Cybercriminals pay for a sponsored ad on Google pretending to be a major brand. Often, this ad leads people to a fake website. However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference.

Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.

The browser address bar will show that of the legitimate site and so there’s no reason for suspicion. However, the information the visitor sees will be misleading, because the search results have been poisoned to display the scammer’s number prominently in what looks like an official search result.

Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer. In the case of Bank of America or PayPal, the scammers want access to their victim’s financial account so they can empty it of money.

A technically more correct name for this type of attack would be a search parameter injection attack, because the scammer has crafted a malicious URL that embeds their own fake phone number into the genuine site’s legitimate search functionality.

See the below example on Netflix:

These tactics are very effective because:

• Users see the legitimate Netflix URL in their address bar
• The page layout looks authentic (again, because it is the real Netflix site)
• The fake number appears in what looks like a search result, making it seem official.

This is able to happen because Netflix’s search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.

Fortunately, Malwarebytes Browser Guard caught this and shows a warning about “Search Hijacking Detected,” and explains that unauthorized changes were made to search results with an overlaid phone number.

But Netflix is just one example. As we mentioned earlier, we found that other brands, such as PayPal, Apple, Microsoft, Facebook, Bank of America, and HP being abused in the same way by scammers.

The HP example is a bit clearer to identify as suspicious, as it says “4 Results for” which is shown in front of the scammers text. But even then if you’re on a genuine website you expect to see a genuine number, right?

Interestingly, Apple is the one where we found the scammer’s number was the hardest to identify as false.

This looks as if the web page tells the visitor they have no matches for their search, so they’d better call the number on display. That would drive them straight in the arms of scammers.

How to stay safe from tech support scams

As demonstrated in these cases, Malwarebytes Browser Guard is a great defense mechanism against this kind of scam, and it is free to use.

There are also some other red flags to keep an eye out for:

• A phone number in the URL
• Suspicious search terms like “Call Now” or “Emergency Support” in the address bar of the browser
• Lots of encoded characters like the %20 (space) and %2B (+ sign) along with phone numbers
• The website showing a search result before you entered one
• The urgent language (Call Now, Account suspended, Emergency support) displayed on the website
• An in-browser warning for known scams (don’t ignore this).

And before you call any brand’s support number, look up the official number in previous communications you’ve had with the company (such as an email, or on social media) and compare it to the one you found in the search results. If they are different, investigate until you’re sure which one is the legitimate one.

If during the call, you are asked for personal information or banking details that have nothing to do with the matter you’re calling about, hang up.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

WhatsApp launched the Updates tab a year ago, and now 1.5 billion people visit it every day. Updates has historically been a place for users to follow news and updates from their favorite companies, news organizations and celebrities. 

This is different to the Chats tab where users send and receive messages. Chats remain end-to-end encrypted and, according to Meta’s vice president for product management Nikila Srinivasan, will not display ads.

To determine your interests for ad purposes, WhatsApp says:

“We’ll use limited info like your country or city, language, the Channels you’re following, and how you interact with the ads you see. For people that have chosen to add WhatsApp to Accounts Center, we’ll also use your ad preferences and info from across your Meta accounts.”

That means that anyone who has linked their Facebook or Instagram accounts with their WhatsApp account will now have that data used for ad targeting. This cross-platform integration feels like a significant invasion of privacy, especially for users who expected WhatsApp to remain more private than Facebook or Instagram.

The European privacy group NOYB (None Of Your Business) has already voiced concerns, warning that WhatsApp may soon adopt the same “Pay or OK” model as Facebook and Instagram to obtain the user consent that’s required under EU law.

With Meta’s “Pay or OK” system, users face a choice between two options nobody asked for: either pay a monthly subscription fee to avoid targeted ads and tracking, or accept extensive data collection and personalized advertising in exchange for free access. If you don’t want your data tracked, you must pay. If you don’t pay, you must accept tracking and profiling for ads.

Meta introduced this model in response to strict privacy regulations in Europe, especially the General Data Protection Regulation (GDPR), which requires companies to get clear, “freely given” consent from users before using their data for personalized ads.

In the past, Meta has argued that it had obtained a ruling of the Court of Justice of the European Union (CJEU) that accepted the subscription model as a valid form of consent for an ads funded service.

Meta also said its pricing was in line with those of ad-free services such as YouTube Premium and Spotify Premium. However, it conveniently forgot to consider that ad-free services are not the same as those that gather data about you and sell them to the highest bidder to create personalized ads.

WhatsApp built its reputation on privacy, with end-to-end encryption and minimal data collection. And, as privacy advocates feared, bringing it into the Meta “family” moved the platform away from its privacy-first roots.

Even if WhatsApp says it won’t read your messages, it can still use your usage patterns, contacts, and other metadata to build detailed profiles for advertisers. This increases the risk of data leaks, misuse, or surveillance.

What can users do?

A while back I asked whether it was a good idea to move from WhatsApp to Signal. With this new development, the question may be worth reconsidering.

If you’re on iOS 18, you can now allow WhatsApp to access only selected contacts instead of your entire address book. This reduces the amount of data WhatsApp can collect about your network.

On Android, you can technically use WhatsApp without granting access to your contacts, but you’ll need to manually start chats using wa.me links. Or, for convenience, you can use a third-party app that does the work for you.

WhatsApp frequently adds or changes privacy options, so revisit your settings periodically to maintain control.

If you can, disassociate your WhatsApp account from other Meta accounts you may have. Don’t use the same email address, handle, etc. You can remove your WhatsApp account from the Meta Accounts Center, but it is unclear whether Meta will “remember” the link if it once existed.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

New draft guidance from the Information Commissioner’s Office (ICO) targets not just air fryer vendors but manufacturers of any smart home products, ranging from smart lighting systems through to internet-connected refrigerators and connected toys.

Collectively known as IoT (Internet of Things) devices, these connected objects have a nasty habit of collecting our data without us really understanding what they’re doing. It’s a problem with many of them, although late last year Which? magazine added air fryers to the list of offenders.

The guidance highlights data that IoT vendors might collect. This includes registration data such as an owner’s name, address, and email. It also means information gathered directly from the product that reveals how the user interacts with it. A device might simply tell its manufacturer when you used the product and how long for, but sensors embedded in it might monitor anything from temperature to motion.

The ICO is interested in enforcing privacy laws such as the UK’s version of the General Data Protection Regulation (UK GDPR). That allows products to process user information if it’s purely for domestic use, like asking a smart speaker to play Lady Gaga’s all-time greatest hits, say.

But if the IoT vendor uses audio recordings of the person’s interactions with the speaker to improve its own service or even to make inferences about that person from their musical choices, then that isn’t domestic use. That’s processing for the company’s own purposes, and it falls on the wrong side of the law.

Consent is key

The guidance tells vendors to ask for consent when processing this kind of data. That means ensuring that users can easily tell what they’re consenting to, and be able to make a clear choice not to do so.

Users should be able to find out how the manufacturer is using their information after they sign up for the service, says the ICO. They must also be able to withdraw consent at any time. In practice, that helps people who might click a consent button early on but then think twice about it later and decide to change their permissions.

When vendors do collect information about users they must tell them what they’re collecting, and why they’re using it. They should tell people what decisions they’re making with it, and how it affects their service. People should also be informed about how long the vendor will keep that data.

The company should also process user data fairly. That means only doing what people expect them to do with it, and not in ways that harm the user.

This is all good advice, and in keeping with existing privacy laws, but it means vendors will have a fine line to walk. Some of the requirements are nuanced. For example, the guidance asks companies to consider ways of making their privacy information easy to follow. That means giving them all the information they need without overloading them. It might require careful user interface design, along with collaboration between designers and privacy or compliance professionals.

Where appropriate, design choices like navigation panels, collapsible lists, large text, and diagrams will go a long way towards satisfying these requirements, the ICO says.

There’s an existing UK law for IoT security

There’s also a section outlining security for IoT devices and the data they collect. This points to an existing UK law called the Product and Telecommunications Infrastructure Regulations 2024 (PSTI Regulations), which came into effect last year. This calls for specific protections such as the use of unique passwords for devices, encryption of user data, and regular security updates.

The security aspect of IoT is perhaps one of the most important of all. Even companies with the best of intentions can make mistakes and leak customer data gathered by everything from connected chastity devices through to kids’ toys.

This guidance applies not just to smart connected objects but to the apps that vendors often provide with them. Those apps, which give you data about what your smart object is doing and allow you to control it, are great ways for vendors to harvest information about you.

You’re your own best protection

The document is still in draft form and open to consultation. Because it’s UK guidance it likely won’t protect people not in the UK. As always, the first line of defense is you.

So, when buying a smart home device, consider whether an app for it is necessary. Your smart fryer might have no way of phoning home without an app, but you might be able to just check whether your food is done without needing your phone to tell you.

In some cases, you might want to consider whether you really need a product to be connected at all. Connected devices are a great way for companies to nickel and dime you unexpectedly through subscription programs, or brick your product remotely when they decide it isn’t profitable for them any more.

Sometimes, all you want to do is cook up some hot fries without things getting too complicated, you know?

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Reddit is a social media platform and online forum where users can share and discuss content across a wide range of topics. The platform’s structure divides it into communities known as “subreddits,” each focused on a specific subject or interest (from cars to movies to sports to knitting).

There are also promoted posts, which look like regular Reddit posts but are marked as sponsored. They can include text, images, videos, or carousels and often appear in users’ feeds or within specific subreddits. Due to its size, Reddit has evolved into a major digital platform for both advertising and AI-powered data analysis.

Reddit introduced its “Reddit Community Intelligence” at the Cannes Lions International Festival of Creativity 2025. It described this new addition as the collective knowledge of billions of conversations to help businesses and organizations make “smarter marketing decisions.”

Last year, Reddit launched AI-powered advertising such as an ads inspiration library, AI copywriter, and image auto-cropper to help small businesses create more effective, platform-specific ads.

The new tools, dubbed “Reddit Insights” and “Conversation Summary Add-ons” use AI to analyze conversations, summarize sentiment, and surface relevant user-generated content for advertisers.

Last year, the FTC advised Reddit that it would conduct a non-public inquiry focused on Reddit’s sale, licensing, or sharing of user-generated content with third parties to train AI models. This was before Reddit announced a partnership with OpenAI to bring Reddit content to ChatGPT.

When the FTC launched a Request for Information (RFI) to better understand how technology platforms deny or degrade users’ access to services based on the content of their speech or affiliations, and how this conduct may have violated the law, without specifically mentioning Reddit, the company saw a 9% drop in stock price.

The new tools will undoubtedly fuel the ongoing debates about the ethics of AI-driven analysis on Reddit, especially regarding user consent and the potential for privacy breaches.

In April, users of the r/ChangeMyView subreddit expressed outrage at the revelation that researchers at the University of Zurich were secretly using the site for an AI-powered experiment in persuasion, prompting the moderation team to explain that the experiment was conducted without authorization.

Careful what you share

Given the open nature of Reddit it’s important to keep in mind that anything you post can be found by anyone and everything, including AI. So, it’s important to hold yourself to the same standards you may use when posting on social media.

On June 28, 2025 a new Privacy Policy will go into effect. It stands to reason that you should be aware of the current policy and keep up with any changes.

A few general rules to help improve your privacy on the platform:

• Anonymity: there is no reason to use your real name or any identifying information in your username or profile. Don’t share personal details like your location, workplace, or other identifiers in posts or comments unless they are relevant to the post.
• Don’t link to other social media profiles in your profile or posts. Also don’t link your account to your Google or Apple account.
• If you’re active in several Reddit communities, consider creating separate accounts for different interests or sensitive topics.
• In your Reddit account settings, under Privacy you can turn off “Show up in search results” to prevent your posts and comments from being indexed by search engines or easily browsed by others.
• You can also disable “Personalize ads on Reddit based on information and activity from our partners.”
• Protect your account using a unique, complex password and enable two-factor authentication (2FA) for your Reddit account.
• Regularly check your account activity for unauthorized access and report anything suspicious.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Complex problems often assume complex solutions, but recent observations about increased levels of anxiety and depression, increased reports of loneliness, and lower rates of in-person friendships for teens and children in America today have led some school districts across the country to take direct and simple action: Take away the access to smartphones in schools.

Not everyone is convinced.

When social psychologist and author Jonathan Haidt proposed five solutions to what he called an “epidemic of mental illness” for young adults in America, many balked at the simplicity.

Writing for the outlet Platformer, reporter Zoe Schiffer spoke with multiple behavioral psychologists who alleged that Haidt’s book cherry-picks survey data, ignores mental health crises amongst adults, and over-simplifies a complex problem with a blunt solution. And in speaking on the podcast Power User, educator Brandon Cardet-Hernandez argued that phone bans in schools would harm the students that need phones the most for things like translation services and coordinating rides back home from parents with varying schedules.

But Haidt isn’t alone in thinking that smartphones have done serious harm to teenagers and kids today, and many schools across America are taking up the mantle to at least remove their access in their own hallways. In February, Los Angeles Unified School District did just that, and a board member for the school district told the Lock and Code podcast that he believes the change has been for the better.

But for those still in doubt, there’s a good reason now to look back.

Today, on the Lock and Code podcast with host David Ruiz, we revisit a 2024 interview with Dr. Jean Twenge about her research into the differences in America between today’s teens and the many generations that came before. A psychologist and published author, Twenge believes she has found enough data tying increased smartphone use and social media engagement with higher strains on mental health. In today’s re-broadcast episode, Twenge explains where she believes there is a mental health crisis amongst today’s teens, where it is unique to their generation, and whether it can all be traced to smartphones and social media.

According to Dr. Twenge, the answer to all those questions is, pretty much, “Yes.” But, she said, there’s still some hope to be found.

“This is where the argument around smartphones and social media being behind the adolescent mental health crisis actually has, kind of paradoxically, some optimism to it. Because if that’s the cause, that means we can do something about it.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

• Been scammed online? Here’s what to do
• How and where to report an online scam
• Google bug allowed phone number of almost any user to be discovered
• 44% of people encounter a mobile scam every single day, Malwarebytes finds
• GirlsDoPorn owner faces life in jail after pleading guilty to sex trafficking
• 23andMe raked by Congress on privacy, sale of genetic data
• US airline industry quietly selling flight data to DHS
• Your Meta AI chats might be public, and it’s not a bug

Last week on ThreatDown:

• June 2025 Microsoft Patch Tuesday fixes two zero-days

Stay safe!

The past two years have seen an explosion in generative AI tools, such as ChatGPT, Anthropic’s Claude, Google Gemini, and more. But with new players entering the market almost daily, not all of them deserve the same level of trust.

With 1 billion active monthly users, Meta AI is one of the contenders aiming for ChatGPT’s crown. To monetize this success, Meta’s CEO Zuckerberg said “there will be opportunities to either insert paid recommendations” or offer “a subscription service so that people can pay to use more compute.”

Similar to ChatGPT, Meta AI can generate text, answer questions, and help users plan, brainstorm, and strategize on various issues. But when using the Meta AI app, after submitting a question, users can also press a “share” button, which directs them to a screen showing a preview of the post, which users can then publish. But some users appear blissfully unaware that they are sharing these text conversations, audio clips, and images publicly with the world.

Other users can access “shared” conversations by using the apps Discover feed.

With only one glance at that feed, I found this example of a conversation the user might not have wanted to be publicly visible. A teacher shared an email thread regarding their upcoming arbitration of a job termination that felt unjust. The Meta AI app responded:

“Hello {name}, it’s great to hear from you again. I can sense the emotional weight of revisiting this experience, and I appreciate your trust in sharing it with me. It sounds like a really tough situation, and I’m here to listen and support you as you process it. No rush, take your time to gather your thoughts, and we can continue the conversation whenever you’re ready. How’s the preparation for the arbitration going so far?”

The emphasis is by me. If the AI realizes how much trust it takes to share that story with anyone, even if it’s only a bot, then how must it feel when the user finds out the whole world can find and read it. I didn’t even have to log in to find this conversation.

TechCrunch reported about people asking for help with tax evasion and other personal matters, calling Meta AI a “privacy disaster.” Many sources found threads about medical topics, and other conversations about delicate and private issues.

What people may not realize is that if they use the integrated versions on social media, they are logged in and their conversation can be tied to their social media profile.

How to not share your chats with Meta AI

Your best option would be not to use Meta AI at all. If you do, make sure you are not logged in and double check that fact if you are logged in on any of the Meta platforms on the same device. And never, ever use the Share button unless you mean to.

Meta spokesperson Daniel Roberts wrote in an emailed statement to WIRED that users’ chats with Meta AI are private unless users go through a multistep process to share them on the Discover feed.

When asked about these mishaps, the Meta AI chatbot said:

“Some users might unintentionally share sensitive info due to misunderstandings about platform defaults or changes in settings over time.”

However, Meta has not provided detailed, easily accessible in-app guidance at the moment of sharing, which contributes to user confusion. I decided to ask Meta AI.

Question: What do I need to do so you don’t share our conversation with the rest of the world? And is it true that the information I share with you might be used for advertising? Or, at least for “sponsored” recommendations?

Answer: Your conversations with me are used to improve the model and might be reviewed by our team to ensure quality. We may also use your conversations to train our models to be more helpful and accurate. However, we take steps to protect your privacy.

If you have concerns about how your data is used, you can visit Meta’s Privacy Center to learn more about how Meta handles data: https://www.facebook.com/privacy/center/.

Did that actually answer my question? No.

So, here are the steps you may want to take if you decide to engage with Meta AI for all the different platforms where you may encounter it.

Meta AI App

• To ensure your prompts and conversations are only visible to you:
  • Tap your profile icon in the Meta AI app.
  • Go to Data & Privacy under App settings.
  • Select Manage your information.
  • Set Make all your prompts visible to only you.
• Avoid using the Share button unless you are certain you want your conversation to appear publicly on the Discover feed.

WhatsApp, Facebook, and Instagram

Note: Conversations with Meta AI on WhatsApp are not protected by end-to-end encryption and may be used for AI training

To limit Meta’s use of your data for AI training:

• Go to Settings & Privacy > Privacy Center.
• Scroll to Privacy Topics and select AI at Meta.
• Under Submit an objection request click Your messages with AIs on WhatsApp (or any of the other platforms you’re looking for) and fill out the form to request that Meta not use your data for AI training.
  

Deleting AI conversation data

Meta has introduced commands to delete information shared in any chat with an AI:

• For example, type /reset-ai in a conversation on Messenger, Instagram, or WhatsApp to delete your AI messages.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

The data, compiled by data broker Airlines Reporting Corporation (ARC), includes names, flight itineraries, and financial details. It also covers flights booked via US travel agencies.

ARC makes this data available to Customs and Border Protection (CBP), along with Immigration and Customs Enforcement (ICE), both of which were previously known as the US Customs Service until 2003, and both of which are offices under DHS.

ARC is owned and operated by eight major US airlines and is unique in being the only financial intermediary between the airline industry and US travel agencies, according to the data broker’s contract with ICE. ARC also provides payment settlement services for travel agencies and airlines, which has created a huge database of travel information that the data broker then makes available under its Travel Intelligence Program (TIP).

ARC’s most recently revealed contract, uncovered by tech news outlet by 404 Media, is with US Customs and Border Protection. A statement of work with that agency revealed that the TIP pilot program “generated meaningful results to current [redacted] cases and will continue to do so once fully accessible to [redacted] analysts across [redacted] Offices.”

The CBP contract mandates silence from DHS on where it got the data. The statement of work, which began in June 2024 and could optionally run until June 2029, states that the CBP will “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

ARC’s contract with ICE, meanwhile, provides a view into the data obligations from travel agencies. As the contract stated:

“Daily, travel agencies must submit ticket sales and funds for over 240 airlines worldwide to ARC. This process enables ARC’s TIP, an essential intelligence tool integrated into HSI INTEL’s investigative mission.”

HSI INTEL stands for the Homeland Security Investigations Office of Intelligence. It investigates criminal networks, and also any “individual or organization that threatens national security or seeks to exploit the customs and immigration laws of the United States,” per the DHS website.

Those with access to the TIP database can search across 39 months of flight booking data. Flight itineraries and passenger name records, along with travel dates, flight dates, and even credit card numbers are available from the database.

Other agencies that have purchased access to the database include The Secret Service, the Securities and Exchange Commission, the Drug Enforcement Administration, and the US Marshals Service, according to 404 Media.

Delta, Southwest, United, Lufthansa, Air France, American Airlines, Air Canada, Alaska Airlines, and JetBlue all have seats on the ARC board. The company also partners with hundreds of airlines and travel agencies around the world.

For those who missed the latest developments, in May 2025, we reported that 23andMe had agreed to sell itself to the pharmaceutical organization Regeneron for $256 million. In that agreed sale, Regeneron was also going to acquire the genetic data of 23andMe’s customers. But in early June, 23andMe’s former CEO Anne Wojcicki put forth a last-minute bid of $305 million, throwing Regeneron’s purchase into question, and placing 23andMe itself back on auction.

The bid was made through the TTAM Research Institute, a nonprofit medical research organization recently set up by Wojcicki.

We explained earlier how consumers could (and why they maybe should) delete their genetic data from 23andMe. Apparently, people listened. Interim CEO Joe Selsavage said at the hearing that since the company’s March bankruptcy filing, 1.9 million of the company’s 15 million customers have chosen to delete their data.

Committee chairman James Comer said in opening remarks:

“It is imperative that 23andMe … ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access or manipulate and abuse Americans’ genetic data to advance their nefarious agendas.”

The urgency of the matter, undoubtedly enhanced by the way 23andMe has handled data sales and breaches in the past, lies in the impending sale of the company.

The committee criticized the company for failing to model the potential transfer of customers’ genetic data in the upcoming sale with an “opt-in” framework, and ruled that 23andMe made it too cumbersome for consumers to delete the data—23andMe’s biggest asset in the sale.

US Representative Suhas Subramanyam of Virginia said:

“If there simply was a ‘delete my data’ page or button somewhere more prominent then I think it would be easier for a lot of people to feel that control.”

During the hearing, interim CEO Selsavage and former CEO Wojcicki repeatedly declined to commit to establishing a customer opt-in mechanism, specifically one that would require consumers’ approval before their data could be sold and transferred to a new owner, despite multiple requests from committee members.

Beyond the threat of genetic data falling into foreign hands, many raised concerns that the sale could enable targeted advertising aimed at individuals with mental health conditions, drive up insurance premiums, or restrict access to credit.

23andMe assured the committee that regardless of who wins the auction, the company will not be sold to any entity unless it agrees to uphold the existing privacy policy.

23andMe’s privacy statement tells users that any new owner must adhere to its existing data protection guidelines, which include not providing user data to insurers, employers, public databases, or law enforcement without a court order, search warrant, or subpoena.

What can consumers do to protect their data?

Customers should actively manage their data on 23andMe by reviewing policies, deleting data if desired, and staying vigilant about how their sensitive genetic information is used.

People that have submitted samples to 23andMe have three different options, each providing a different level of privacy.

1. Delete your genetic data from 23andMe

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security. 
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (make sure you’re using a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

2. Destroy your 23andMe test sample

If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under “Preferences.”

3. Revoke permission for your genetic data to be used for research

If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research, you may withdraw consent from the account settings page, under Research and Product Consents.

Check if you were caught in the 23AndMe data breach

Additionally, you may want to check if your data was exposed in the 2023 data breach. We recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the breach, and then to take additional steps to protect yourself (we’ll walk you through those).

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Pratt ran the websites, which lured and coerced young women into filming pornographic videos, from 2013 to 2019. Pratt and his accomplices lured women from across the US and Canada to San Diego, where the filming would take place in hotel rooms or short-term rental units.

The group would advertise via online sites including Craigslist. In some cases the advertisements would promote clothed modelling jobs. It would later transpire that the work involved performing in sex videos.

When women showed doubt about appearing in such videos, Pratt and his team would convince them that the videos they made would only be distributed to a small base of private collectors outside the US, and that no one who knew the women would ever see them. Pratt would also pay other young women known as ‘reference girls’ to seal the deal by helping to persuade the victims, on the expectation that another young woman’s testimony would be more convincing.

Victims were coerced

Once the victims arrived at the airport, they would be taken to the shoot, where Pratt and his accomplices would rush them into signing contracts without giving them copies.

The perpetrators would tell the women that the shooting sessions would be short, but in fact they would take hours. Pratt and his group would bully victims into having sex on camera, according to the FBI. Sometimes they would refuse to let them leave until they completed the shoots, pressing the women to perform acts that they had previously declined. Pratt and his associates would threaten to cancel flights home or publish what had already been filmed if victims did not comply.

The operation, which ran from 2013 to 2019, targeted hundreds of people. It would post the videos on its own sites, which were available in the US for a subscription fee. The operators would also post free versions of the videos on giant adult content site Pornhub to drum up business. These were often viewed millions of times. It generated over $17 million in revenue for Pratt, who originally conceived the operation. When contacted by one victim and asked to remove a video from the site, Pratt did not reply.

A fugitive from justice

Pratt played various parts in the operation, including recruiting victims, transporting them to the shooting sessions, and filming. He had already been charged in a US court in 2019 but fled to Spain, making it onto the FBI’s most wanted list. The FBI extradited him in 2022 and he pleaded not guilty in March 2024 to 19 felony counts, including sex trafficking (of both adults and minors), production of child pornography, and conspiracy to commit money laundering.

The pornography operation had already ordered to pay $18 million to victims in 2021 after 22 women sued it for damages. The FBI has also prosecuted other people involved in the sites. Matthew Wolfe, who moved from New Zealand to begin working for Pratt in 2011 and who run multiple parts of the business, received a 14-year sentence in March 2024. Cameraman Theodore Gyi was sentenced to four years in 2022. Adult film performer Ruben Andre Garcia received 20 years on June 2021. Office manager Valerie Moser will be sentenced on September 12.

Pratt will be sentenced on September 8 this year on two counts. He faces a minimum sentence of fifteen years for sex trafficking, and a maximum penalty of life in prison. Another count of sex trafficking conspiracy also carries a maximum life sentence.

Malicious texts pose as package delivery notifications, phishing emails impersonate trusted brands, and unknown calls hide extortion attempts, virtual kidnapping schemes, or AI threats. Confusingly, even legitimate businesses now lean on outreach tactics that have long been favored by online scammers—asking people to scan QR codes, download mobile apps, and trade direct messages with, essentially, strangers.

All this junk is adding up, and it’s hurting everyday people.

According to new research conducted by Malwarebytes, 44% of people encounter a mobile scam every single day, while 78% encounter scams at least weekly. The victims of those scams—be they people who accidentally clicked on a link, filled out their information on a malicious webpage, or simply believed the person on the other side of a social media account—also suffered serious harms to their finances, emotions, and reputations. As Malwarebytes learned, 25% of scam victims were harassed or blackmailed, 19% had private info exposed, and 15% permanently lost their money.

As shared by one scam victim writing about their experience:

“I felt like I was in a horror movie. I never thought it would happen to me like this.”

These are the latest findings from original research conducted by Malwarebytes to understand the reach, frequency, and impact that mobile scams have across multiple countries. By surveying 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, Malwarebytes can reveal a mobile reality full of tension: high concern, low action, and increasingly blurred lines between what’s safe and what’s not.

The complete findings can be found in the latest report, “Tap, swipe, scam: How everyday mobile habits carry real risk.” You can read the full report below.

Here are some of the key findings:

• 77% of people worry about mobile scams and threats. The biggest fears are around financial loss and fraud (73%), account and device lockout (70%), and identity theft (68%).
• 66% worry about the future of AI and how realistic scams are going to become.
• Just 15% of people strongly agreed: “I am confident in my ability to tell when something on my mobile phone is a scam.”
• 74% of people have encountered a social engineering scam in their lives, such as phishing attempts, fake FedEx notifications, or romance scams, and 36% have fallen victim.
• 37% of people have encountered an extortion scam and 17% have fallen victim, including 7% who were harmed specifically by a sextortion scam.  
• 10% of people have a “safe word” in their family to “protect against things like kidnapping and extortion scams.”
• 52% of scam victims suffered financially: 18% had to freeze their credit, 15% lost money permanently, and 8% had accounts opened fraudulently in their name.
• Only 20% of people use traditional security measures like antivirus, a VPN, and identity theft protection.
• 25% of people do not worry about scams at all because “it’s not something I can control.”

This is the mobile world that the public is forced to live in, and the mobile world that future generations may soon inherit. While broad, bold action is required to meaningfully catch and stop scammers, everyday people can lean on many cybersecurity best practices to stay safe and secure online. From using unique passwords, to implementing multifactor authentication (MFA), there is plenty at hand to make life more difficult for scammers.

Importantly, there’s also help from Malwarebytes.

With the launch of our free, AI-powered digital safety companion Scam Guard, users can review any concerning text, email, phone number, link, image, or online message and receive on the spot guidance to avert and report scams. Try it today and remove the fear from being online.

Scam Guard is available for both free and paid users of Malwarebytes Mobile Security (iOS and Android), without having to install an additional app.  

Try it out for yourself: Download Malwarebytes Mobile Security for iOS or Android.  

A cybersecurity researcher called Brutecat was able to figure out the phone number linked to any Google account, information that is usually not public and is considered sensitive.

Brutecat found that the page where users can recover their Google account if they have forgotten their login details lacked BotGuard protection. BotGuard is a cloud-based cybersecurity solution designed to protect websites and web applications from malicious bots, automated attacks, crawlers, and scrapers.

However, BotGuard does not work on websites that do not use Javascript. This is because many of its advanced detection techniques rely on executing Javascript in the visitor’s browser to gather client-side data. If a website does not serve Javascript, or if a user or bot disables Javascript, BotGuard cannot collect the necessary information for fingerprinting or behavioral analysis.

Brutecat also had to use rotating IP addresses and a trick to bypass the occasional CAPTCHAs but was able to manage 40k requests per second. At that rate, if the attacker knew the country code of the phone number, it would take about 20 minutes in the US to find out the recovery phone number. In the UK that would come down to 4 minutes because they have shorter phone numbers.

For those doing the math and finding this is impossible, it’s important to know that Google displays the last two numbers of the phone number as a hint and Brutecat used Google’s own library ‘libphonenumber’ to generate valid number formats.

But the researcher also needed the full display name of a targeted account. The researcher discovered a method to leak Google account display names by exploiting a feature in Looker Studio (formerly Google Data Studio). The researcher made a report/document in Google’s Looker Studio tool. Then changed the document’s owner to the victim’s Google account (using the victim’s email address). After transferring ownership, the victim’s full name automatically appeared on the Looker Studio home page’s “Recent documents” list even if the victim never opened the document, interacted with it, or knew about it. The key to this was finding that Looker Studio’s interface still displayed names for document transfers without requiring any action from the victim, unlike other Google services that now require prior interaction.

Google spokesperson Kimberly Samra told TechCrunch:

“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Google also says it’s not aware of any confirmed reports about exploits of these vulnerabilities.

Nonetheless, a weakness allowing an attacker to trace phone numbers to Google accounts like this creates a massive risk for phishing and SIM-swapping attacks—especially since the majority of users will have their primary phone number as their account recovery number.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The methods in which to report a scam varies according to the country you’re in, the platforms you’re using, and the outcome of the scam, so here are the most common methods you may need. Remember to report to both the authorities and the platforms the scammers are using.

How to report a scam in the United States

• Report to the FBI’s Internet Crime Complaint Center (IC3): File a complaint online at ic3.gov as soon as possible. This is the main hub for cybercrime reports and helps with investigations and to gather intelligence about scams and the people behind them. Rapid reporting can also help support the recovery of lost funds.
• Contact local law enforcement: If you lost money, you should also file a report with your local police department.
• Notify your bank or credit card company: Inform them about the fraud in order to freeze accounts or reverse charges where possible.

How to report a scam in Canada

• Canadian Anti-Fraud Centre (CAFC): Call 1-888-495-8501 or report online. The CAFC collects fraud reports nationwide and coordinates with law enforcement and the National Cybercrime Coordination Centre (NC3).
• Local police: Report the scam to your local police department, especially if you lost money.
• Credit bureaus: It is advisable to contact Equifax Canada and TransUnion Canada to order a free credit report immediately and ask that a fraud alert be put on your file.
• Financial institutions: Notify your bank or credit card issuer immediately, but also to the financial institution that transferred the money in case that’s a different one.

How to report a scam in the United Kingdom

• Action Fraud: Report online at actionfraud.police.uk or call 0300 123 2040 (Monday to Friday, 8 am to 8 pm). Action Fraud is the national reporting center for fraud and cybercrime. It collects reports about fraud on behalf of the police in England, Wales and Northern Ireland. For fraud in Scotland please report it directly to Police Scotland.
• Local police: For urgent matters or ongoing threats, contact your local police. If the police decide not to investigate your case as a crime, you might still be able to get compensation or money back by bringing a civil case yourself. Talk to a solicitor or asset recovery agent to find out more.
• Financial institutions: Alert your bank or credit card company to suspicious transactions.

Reporting scams on popular platforms

In all countries it’s also helpful to report on the platforms where the scam took place or was initiated. Use built-in reporting tools on platforms like Facebook and WhatsApp to report scam accounts or messages:

WhatsApp

• Open the chat with the suspicious business or individual.
• Tap the business name or contact info at the top.
• Scroll down and select Report Business or Report Contact.
• Block the contact to stop further messages. The last five messages in the chat will be sent to WhatsApp.

Facebook

• Click the three dots on the post, profile, or message you want to report.
• Select Find support or report post/profile/message.
• Follow the prompts to specify whether it’s a scam or fraudulent activity.
• Facebook reviews these reports and may remove or restrict the scammer’s account so they can’t use that account anymore to defraud others.

Other platforms (e.g. Instagram, X, eBay)

• Look for “Report” or “Help” links on the profile or message.
• Follow platform-specific instructions to flag fraudulent behavior.
• Provide as much detail as possible about the scam.