VPN use is skyrocketing across the UK as the region's Online Safety Act places age verification controls on adult websites.

As the UK’s Online Safety Act came into effect on Friday—along with its age verification controls—the use of virtual private network (VPN) services has skyrocketed by up to 20-fold across the region.

Top10VPN, which monitors VPN traffic around the world, spotted UK VPN traffic spiking 1,327% on July 25, compared to the daily average over the prior four weeks. The traffic didn’t slow down on the days following, either, increasing 1,.712% above the pre-July 25 baseline on July 26, and by almost 2,000% on July 27.

The Online Safety Act forces a variety of websites to verify a user’s age, ensuring they are 18 years old or over. This doesn’t just apply to the obvious porn sites, but to a broad array of other categories: social media, gaming, and even search. The content considered harmful under the bill isn’t just sexual either, but covers areas including suicide, self-harm, and content related to eating disorders. Sites that don’t comply risk fines or even bans in the UK.

The more stringent law means that simply checking a box saying you’re over 18 won’t cut it. Instead, the UK’s communications regulator OFCOM suggests several ways for sites to verify a person’s age:

*   Using open banking information (where a person submits information from their bank that proves their age)
*   Photo ID matching using facial recognition
*   Proving your age to your mobile operator who then approves you on the site’s behalf
*   Checking your credit card (only adult UK residents can get one)
*   Analyzing your email to see if it’s likely to have been used in an adult situation (a mortgage application, say)
*   Using digital identity services such as a digital ID wallet (the EU is working on one of these)
*   Estimating a person’s age from a selfie.

OFCOM argues that all methods must be implemented in line with UK privacy law, but it’s understandable that adult users might consider this a privacy risk. It’s also likely that some minors will want to flout the rules and access content that the government doesn’t want them to, especially given the wide scope of the law. Both these reasons are likely why VPN activity has soared since the law kicked in.

When you browse the internet directly, your computer uses an IP address that your internet service provider gives you. The site you’re browsing can use that to determine what country you’re in. A VPN is a program that connects your internet browsing device to the VPN company’s computer. That computer then serves as your jumping-off point to the internet.

Because VPN providers have networks of these computers around the world, you can pretend to be in another country of your choosing when using a VPN, meaning people often use them to bypass censorship laws. As more countries have been restricting access to adult content, they have also become a tool for internet users to dodge age protection laws.

UK Science Secretary Peter Kyle downplayed the use of VPNs in a Guardian interview yesterday, arguing that “very few children” were seeking harmful content online. Yet according to OFCOM, 8% of children between eight and 14 in the UK access online porn every month. That figure increases to almost one in five boys in that age bracket.

Kyle insisted that the government had solved up to 90% of the problem. “That 10% that’s remaining, or whatever that percentage is? We’ll go figuring it out as we move forward,” he said.

Per Wired, the Proton VPN service tweeted that its UK signups surged over 1,400%. “Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content,” it added.

VPN service Windscribe also tweeted a graph showing what appeared to be a massive spike in daily sign-ups on July 25.

And AdGuard also reported a spike in traffic, “Website traffic from UK users has surged by more than 60%, with visits from Android devices more than doubling and iOS traffic up by nearly 100%,” it said. “VPN installs in the UK have also grown by 2.5 times, and we’re seeing a clear increase in traffic from keyword searches—a significant share of which is related to adult content.”

Kyle told the Guardian that he was not going to ban VPNs, but that he would be looking “very closely” at how they are being used.

 VPN use rises following Online Safety Act’s age verification controls 

Apple has released important security updates for iOS and iPadOS patching 29 vulnerabilities, mostly in WebKit.

Apple released a security update for iOS and iPadOS to patch multiple vulnerabilities, including one that could leak sensitive information when visiting a malicious website and one that allows an attacker to display false information in the address bar.

In total, 29 vulnerabilities were patched, most of them in WebKit, Apple’s web rendering engine that powers Safari and renders webpages in other apps.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.6 or iPadOS 18.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

update now

Apple has also released updates for macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, watchOS 11.6, and tvOS 18.6.

**Technical details**

Here we will discuss some of the vulnerabilities that Apple patched in this update.

CVE-2025-31229: A logic issue might disclose your passcode by the VoiceOver reading it aloud. VoiceOver is a gesture-based screen reader which allows people to use an iPhone even if they can’t see the screen.

CVE-2025-43217: Devices may fail to display the privacy indicators when apps access the microphone or camera, which could prevent users from being notified about this usage.

CVE-2025-43227: Visiting a specially crafted malicious website can expose your sensitive information; while Apple has not specified the exact types, data handled by the browser (for example, cookies, authentication tokens, browsing history, and other personal information), could be at risk.

CVE-2025-43228: Visiting a malicious website may lead to address bar spoofing. “Address bar spoofing” is when a website tricks your web browser into showing a fake or misleading website address (URL) in the address bar, at the top of your browser window, instead of the website you’re actually visiting. This means what you see in the address bar looks like a trustworthy site (for example, your bank or a popular service), but in reality, you’re on a different, potentially dangerous site controlled by an attacker.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple patches multiple vulnerabilities in iOS and iPadOS. Update now! 

After the initial uproar about leaked images, a researcher was able to access Tea Dating app private messages

A few days after Tea Dating Advice discovered unauthorized access to one of its systems that leaked 72,000 user images, the popular mobile app faced a second issue involving a separate database, as a researcher reported to 404Media that they were able to access private conversations.

Tea Dating Advice, or just Tea for short, aims to provide a space for women to exchange information about men they know, have met, or dated in the past. The app seeks to provide a platform for people to share relevant information about, say, potentially abusive partners, and it claims to have more than 1.6 million users. After approving a new user, the system allows them to search for men by name, find people they know, and leave comments about them. Theoretically, men can’t access the app, so they have no recourse if they’re drowning in red flags and warnings on Tea.

The set of leaked images includes 13,000 selfies and photo IDs submitted for account verification including driver license photos, as well as 59,000 images from posts, comments, and direct messages.

While Tea acknowledged that a data breach occurred on a legacy data storage system, resulting in unauthorized access to a dataset from prior to February 2024, this is a completely different breach, and even worse for those involved. The researcher was able to see over a million private messages, stretching from early 2023 up until last week.

Kasra Rahjerdi, the researcher who flagged the issue, provided a database of more than 1.1 million messages to prove his findings. With the content of these messages at hand, it was trivial to find social media profiles, telephone numbers, and the real-world identities of most users.

They found messages from women discussing abortions, cheating partners, and other sensitive info.

One internet forum, 4chan, openly shared the images exposed in the first breach, but Rahjerdi informed only Tea and 404Media about his latest work, providing enough information to confirm their findings. But there is no way of knowing whether others used the same method to access Tea’s private messages.

Aside from how you might feel about the Tea app, its purpose, the users, and those intent on destroying it, the developers could have anticipated the scrutiny and attacks on their infrastructure. Leaks happen everywhere, but sensitive data should not be stored unencrypted. And, while Tea claims to donate 10% of it profits to the National Domestic Violence Hotline, the company still has a responsibility of safety (through cybersecurity) to its own users.

A Tea app spokesperson limited their statement to:

> “We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, we have implemented additional security measures and have fixed the data issue.”

Tea Dating Advice users will have to be vigilant since phishing attacks banking on these incidents might occur.

**Protecting yourself after a data breach**

While there are no indications that this database was found by cybercriminals before it was secured, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Tea Dating Advice app has users&#8217; private messages disclosed 

Allianz notified authorities about a data breach that exposed the information about almost all its US customers

Insurance company Allianz Life was breached, exposing the data of most of its 1.4 million American customers.

According to Allianz, an attacker gained access to a third-party, cloud-based Customer Relationship Management (CRM) system through social engineering. The company filed a data breach notification with the Attorney General of the US state of Maine on Friday July 25, 2025.

The incident reportedly took place on July 16, 2025 and was discovered one day later. According to a spokesperson:

> “The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees, using a social engineering technique.”

Although the company did not disclose an exact number of affected people, the Allianz Life has 1.4 million customers in the US. Its parent company, Allianz, has more than 125 million customers worldwide.

Allianz Life did not disclose the exact CRM system involved. However, in June, Google warned about a ransomware group that was specializing in voice phishing (vishing) campaigns that are specifically designed to compromise organizations’ Salesforce instances for large-scale data theft and extortion.

Google tracks this group as UNC6040, which the cybersecurity community commonly calls “The Com.” The group called Scattered Spider likely is the most well-known entity associated with The Com. Earlier this month we reported that Scattered Spider breached Australia’s largest airline Qantas by gaining access to a third-party platform, utilizing social engineering.

If Scattered Spider was indeed behind the Allianz data breach, they will extort the company by threatening to release the acquired data or sell it to the highest bidder.

The data breach notification indicates that Allianz plans to start informing affected consumers as of August 1, 2025.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Allianz Life says majority of 1.4 million US customers&#8217; info breached 

This week on the Lock and Code podcast, we revisit an interview with Joseph Cox about the largest FBI sting operation ever carried out.

_This week on the Lock and Code podcast…_

For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications.

The weird thing, though, is that, in 2018, it already happened. Sort of.

US intelligence agencies, including the FBI and NSA, have long sought what is called a “backdoor” into the secure and private messages that are traded through platforms like WhatsApp, Signal, and Apple’s Messages. These applications all provide what is called “end-to-end encryption,” and while the technology guarantees confidentiality for journalists, human rights activists, political dissidents, and everyday people across the world, it also, according to the US government, provides cover for criminals.

But to access any single criminal or criminal suspect’s encrypted messages would require an entire reworking of the technology itself, opening up not just one person’s communications to surveillance, but everyone’s. This longstanding struggle is commonly referred to as The Crypto Wars, and it dates back to the 1950s during the Cold War, when the US government created export control regulations to protect encryption technology from reaching outside countries.

But several years ago, the high stakes in these Crypto Wars became somewhat theoretical, as the FBI gained access to the communications and whereabouts of hundreds of suspected criminals, and they did it without “breaking” any encryption whatsover.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we revisit a 2024 interview with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

> The public…and law enforcement, as well, \[have\] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How the FBI got everything it wanted (re-air) (Lock and Code S06E15) 

A list of topics we covered in the week of July 21 to July 27 of 2025

July 25, 2025 - A cybercriminal managed to insert malicious files leading to info stealers in a pre-release of a game on the Steam platform

July 25, 2025 - Phishers are using legitimate looking Instagram emails in order to scam users.

July 24, 2025 - With more platforms and governments asking for age verification, we look at the options and the implications.

July 24, 2025 - Lower rates for creating unique passwords, buying items from known websites, and using protection software leave iPhone users at risk to online scams.

July 24, 2025 - Malwarebytes Trusted Advisor has had an update, and it's now sharper, smarter, and more helpful than ever.

 A week in security (July 21 &#8211; July 27) 

A cybercriminal managed to insert malicious files leading to info stealers in a pre-release of a game on the Steam platform

A cybercriminal known as EncryptHub (aka Larva-208) has reportedly abused the online game platform Steam to distribute information stealers.

EncryptHub managed to sneak malicious files into the Chemia game files hosted on Steam. Chemia is an adventurous survival type of game that puts the player in a world ravaged by a catastrophic natural disaster… which is nothing compared to the real-world disasters that can be caused by information stealers.

Chemia has not been publicly released yet, but was available as an early access on Steam. Steam offers Early Access to certain games primarily as a development model that allows players to purchase and play games while they are still in progress, rather than waiting for a full official release. It helps developers to receive direct, ongoing feedback from the community which they can use to find bugs, balance gameplay, and improve features.

According to security researchers at the Proactive Defense Against Future Threats (PRODAFT), the initial compromise took place on July 22, 2025. EncryptHub added a Trojan downloader to the game files that runs alongside the actual application.

The downloader establishes persistence on the affected machine and distributes Fickle Stealer, HijackLoader, and Vidar.

Vidar is a Malware-as-a-Service information stealer which uses public networks such as social media, communication platforms—and Steam—as parts of its Command & Control infrastructure.

HijackLoader is a malware loader used by attackers to load additional malware (such as Trojans like Danabot or the RedLine stealer) onto infected computers.

The Fickle stealer is a relatively new information stealer which uses PowerShell scripts to bypass User Account Control (UAC) and can steal sensitive files, system information, browser-stored data, cryptocurrency wallet details, and more.

As we explained many times before, information stealers can turn your life upside down. Depending on what is stored on the infected device the consequences can range from financial damage to identity theft.

In another case of abuse of the Steam platform, we saw a cybercriminal use a sniper video game to distribute malware to unsuspecting gamers. But that criminal didn’t circulate the malicious demo on Steam directly. Instead, the game’s Steam page featured a link to the developer’s external website promoting a demo that turned out to be malware.

A month before that, a game called PirateFi was released on Steam, but turned out to be circulating malware amongst gamers.

With Steam’s huge userbase (over 100 million monthly active users), a compromised game can serve as a direct path for cybercriminals to get hold of valuable digital assets, direct financial information, and personal information.

**How to stay safe**

Some tips to help gamers stay clear of downloading malicious software:

*   Do not act on direct messages and other unsolicited ways to try out some game. Random people asking you to download something should be treated as suspicious.
*   Verify invitations from “friends” through a different channel, such as texting them directly or contacting them on another social media platform. This is because their current account may have been compromised.
*   Make sure to run an up-to-date and active anti-malware solution on your computer.

_Malwarebytes blocking the domain hosting the Powershell script_

If you have tried the Chemia game, run a full system anti-malware scan.

**Indicators of compromise**

**Domains:**

soft-gets\[.\]com

reaitek\[.\]com

safesurf.fastdomain-uoemathhvq.workers\[.\]dev

**Fickle downloader hash:**  
ed076c27b420bfa66c251488b4121913fa461367a60c5fa32cee3953efcae32b

**Fickle Stealer hash:**

6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825

**Vidar Stealer has:**

2cd8c0e75cf76381f06dfe465a542e52eefa713b0bea2557763e0c0c45b21481

**HijackLoader hashes:**

9a733b2de84e2bf466287abd034b04b18c8c269535606e8f6403eee2a3b288c4

12935315254175719cbbaad0b213204ddebd4100ffc551d54f8cf39ced1be227

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Steam games abused to deliver malware once again 

Phishers are using legitimate looking Instagram emails in order to scam users.

A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites.

The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:

> “Hi {name}  
> Someone tried to log in to your Instagram account.  
> If this was you, please use the following code to confirm your identity:  
> 231342  
> If this wasn’t you, please \[Report this user\] to secure your account.”  

Instead of linking to a phishing website, which is most common with emails like this, both the “Report this user” and “Remove your email address” links are mailto: links. Clicking on a mailto: link opens your default email program with a pre-addressed message with the subject line “Report this user to secure your account” or “Remove your email address from this account” for the second link.

The email addresses in these links all had unsuspicious looking domains, made to look similar to legitimate ones. We call this technique of registering domain names “typosquatting.”

In the case we researched the email addresses were:

*   prestige@vacasa[.]uk.com (typosquat of vacasa.com vacation rentals)
*   ministry@syntec[.]uk.com (typosquat of syntechnologies.co.uk hardware provider)
*   technique@pdftools[.]com.de (typosquat of pdf-tools.com software provider)
*   service@boss[.]eu.com (several possibilities)
*   threaten@famy[.]in.net (science news site, possibly compromised)
*   difficulty@blackdiamond[.]com.se (known malicious domain)
*   anticipation@salomonshoes[.]us.com (typosquat of salomon.com running shoes)

We sent an email to these addresses from a dummy account to see what happened. Unfortunately, most of them were dead in the water when our email reached them. However, we did find that a lot of the servers were hosted at the same IP address.

Research of the IP address showed that there were many more domains set up, likely with the same objective in mind.

**Why mailto: links?**

Many email filters look for links to malicious domains and new ones get added fairly quickly, so the domains and emails are only useful for one day (on average). Using mailto: links can therefore help attackers avoid automated flagging or URL reputation checks.

It also saves the cybercriminals work. They don’t need to set up a fake website, which in this case would be an Instagram clone, or all the back end infrastructure needed to harvest the credentials. All they need to do now is watch the email inbox and wait for victims.

Receiving an email validates that the email address the phishing mail was sent to is active and someone is using it. That opens the victim up for further attempts. By engaging in a conversation, attackers can directly request sensitive information in a less obvious way than with a phishing form, often through continued correspondence.

Victims may feel safer replying to an email than clicking on a suspicious link. The fear of instant repercussions is smaller when you’re sending an email than for visiting an unknown website.

In March, 2025, security awareness provider Phishing Tackle reported about a phishing campaign targeting Meta users, which aimed to steal access to Instagram business accounts. The scam used step-by-step instructions and fake chat support to trick users.

In that case, the scammers threatened users with a suspension of the account due to advertising violations, but it showed once more that influential Instagram accounts are an attractive target for phishers. They can use compromised accounts for other campaigns or sell the harvested credentials to other cybercriminals.

But even if you’re not a business or bedecked with followers, if someone compromises your Instagram account they can lock you out and then demand money to give you back the account. Sadly, many people feel forced to pay because they don’t want to lose years of photos and their associated memories.

**How to avoid Instagram phishing**

Since we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.

*   As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Instagram account isn’t secured by a shoe maker or vacation provider, or someone using a gmail address. The email address should be one that belongs to Instagram or Meta.
*   Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
*   If there’s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
*   Don’t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
*   Do an online search about the email you received, in case others are posting about similar scams.
*   Use Malwarebytes Scam Guard to assess the message. It will tell you whether it’s a scam or give you tips how you can find out if it isn’t sure.

Source

Malwarebytes