Sendit and its CEO are accused of preying on young users—signing them up illegally, misusing their data, and tricking them with bogus messages and hidden fees.

The Federal Trade Commission (FTC) has sued Sendit’s parent company, saying it signed up children under 13, collected their personal data, and misled them with fake messages and recurring bills.

The lawsuit, filed against the app’s owner Iconic Hearts Holdings Inc and CEO Hunter Rice, alleges the company let users under the age of 13 sign up for Sendit and collected personal information about these users without parental consent—violating the Children’s Online Privacy Protection Rule (COPPA).

Sendit is an add-on for Snapchat and Instagram, rather than a standalone app. Its primary feature is to allow users to post prompts or questions (called a Sendit) on their social media stories and receive anonymous replies from other users.

In 2022, the app registered 116,000 people who self-declared that they were under 13 years old, according to the suit. Even after parents complained, the company continued to collect children’s phone numbers, birthdates, photos, and usernames for Snapchat, Instagram, TikTok and other accounts.

The FTC also alleges that Sendit misled users about its paid “Diamond Membership.” The feature promised to allow users to see who had sent certain messages. In practice, it didn’t reveal the senders, according to the suit. Worse still, the company and its CEO faked some of these messages, the FTC alleges. According to the complaint:

> “Defendants trick users into believing that they have received provocative and sometimes sexual or romantic messages from their social media contacts, when in reality it is often Defendants themselves who have sent those messages.”

Iconic Hearts also failed to disclose recurring charges clearly, according to the FTC—charging up to $9.99 every week after making it look like users were paying a single fee to disclose a user’s identity.

Normally, cases like this end in a settlement. This time, the FTC referred the case to the Department of Justice (DoJ). It does this when it believes that the defendants are violating or about to violate the law, and that referring the case would be in the public interest. So now, the Central District of California will decide the case.

Iconic Hearts also publishes the apps Noteit, Starmatch, and Locksmith. Launched in 2018, Sendit has been downloaded more than five million times on Google Play, and the company claims a total user base of around 25 million. The company has claimed Sendit is “the top Gen Alpha social networking app.”

This isn’t the only case where anonymous messaging apps have run afoul of COPPA violations. In July 2024, the FTC settled with NGL Labs and its founders for $5 million. That app was accused of marketing to kids and teens, sending fake messages to drive up usage, tricking users into paid upgrades, and sneaking in recurring charges.

“Company executives told employees to reach out to high school kids directly,” said the FTC at the time. NGL Labs also falsely claimed that AI content moderation filtered harmful messages like cyber bullying, the Commission added. The settlement banned NGL from marketing its app to anyone under 18.

What could this mean for Iconic Hearts? The current maximum penalty enforceable by courts for failing to comply with COPPA is $53,088 per violation, according to the FTC.

DoJ COPPA-related suits on the FTC’s behalf are not unheard of. Epic Games got a record $275 million penalty for COPPA violations in December 2022 after the DOJ sued it on behalf of the FTC (alongside another $245 million penalty for using ‘dark patterns’ to mislead users).

Epic Games was aware that many children were playing its Fortnite game, yet it collected personal data from children without first obtaining parents’ verifiable consent, the suit said. The company also made it difficult for parents to delete their children’s personal information, and sometimes didn’t do as asked.

The takeaway from this story? Try to keep kids under 13 off social media apps as long as possible, and when the time does come, stay involved. Talk to them about online safety, monitor their usage, and keep the conversation open.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Sendit tricked kids, harvested their data, and faked messages, FTC claims 

Google’s Gemini AI suite had vulnerabilities that let attackers hide malicious instructions in everyday web activity.

Security researchers discovered three vulnerabilities in Google’s Gemini artificial intelligence (AI) assistant. Although now patched, this “Trifecta”, as the researchers called it, raises important questions about how safe AI tools really are, especially as they become a part of services many of us use on a daily basis.

The flaws were found in three different Gemini components:

*   **Gemini Cloud Assist**, which summarizes logs for cloud services, could be tricked by hidden prompts inside web requests. Attackers could exploit this flaw to sneak malicious instructions into the system, potentially gaining control over cloud resources.
*   **Gemini Search Personalization Model** could inject harmful prompts into a user’s Chrome browsing history by getting them to visit a special website. If the user later interacted with Gemini’s personalized search AI, the injected commands could force the AI leak to personal data, including saved information and location.
*   **Gemini Browsing Tool** could be tricked into sending stored user information and location data to a malicious server through its web page summarization feature.

Google fixed these issues by blocking Gemini from rendering dangerous links and strengthening its defenses against such prompt injections. But if you used Google services that rely on Gemini AI, there is a chance these vulnerabilities were exploited before the patch—especially if you visited a malicious website or used Gemini features tied to cloud services.

These vulnerabilities are prime examples of how AI, despite its benefits, can open new attack avenues. Attackers may hide malicious instructions inside ordinary files and web requests, fooling AI into performing harmful actions without any obvious warning signs.

For everyday users, the risk is low—Google has already patched these vulnerabilities. But this news reminds all of us that AI security is an evolving concern, especially as new features and use-cases may be developed with security as an afterthought.

**How to safely use AI**

These flaws show that AI systems themselves can be used as a method for attacks, not just a target. This is important as AI becomes more embedded in cloud services and applications.

You should be cautious about:

*   Avoid visiting unknown or suspicious websites, especially those that prompt you to interact with AI assistants.
*   Keeping software, browsers, and apps up to date to benefit from security patches.
*   Be mindful of the information you share with AI tools.
*   Use a real-time anti-malware solution, preferably with web protection.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Gemini AI flaws could have exposed your data 

Researchers found several security problems in Life360's Tile trackers, most of which could be solved with encryption.

Researchers at the Georgia Institute of Technology scrutinized the security of the popular Tile tracker and came out disappointed.

Bluetooth trackers are a steadily growing market, and Life360 is one of the major players. In 2021, Amazon expanded its Sidewalk network to include Tile. That means Ring cameras and Echo devices can act as relays, picking up the location of Tile trackers and phones running the Tile app.

Reportedly, some 88 million Tile trackers are in use worldwide, but researchers reported that Tile trackers were not as safe as they hoped. The major problem the researchers found is that the trackers broadcast an unencrypted, static MAC address and unique ID. To allow users to find their wallet or lost items, other Bluetooth devices or radio-frequency antennas in a tracker’s vicinity can pick up these signals to follow the movements of the tracker.

That’s the whole point, you’d think. But let me clarify what’s wrong with this method.

Other trackers don’t broadcast their actual MAC address. Instead, they send out a temporary ID based on it, which makes long-term tracking harder. Tile does things differently: while it rotates the unique ID, it still transmits the same MAC address. Researchers also found the rotating ID generation was weak and could allow continuous tracking.

The receiver then sends the tracker’s location, MAC address, and unique ID to a server without encryption. The researchers believed the server stored this information in cleartext, which would mean Life360 could continuously monitor the location of trackers and their owners who have the app installed.

As one of the researchers put it while warning about the dangers:

> “An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime.”

This could pose a major problem in case of a breach or if your tracker was caught in a mass scan. In other tracker systems, the information about the location of a tag is decrypted by using a key only available on the user’s phone, so only the owner can see this information.

Another issue is Tile’s anti-stalking feature. After concerns were raised about the ability to stalk persons with these trackers, most manufacturers added automatic alerts that warn the user if a tracker that is not theirs is following them around.

With Tile, the app doesn’t scan in the background—the user has to start the scan manually. Even then, it only works if the user keeps moving around for 10 minutes.

This behavior could be due to a feature that Tile offers and others don’t: anti-theft mode. Tile users have the ability to make their trackers invisible to others, so would-be thieves can’t scan an area to see if there are any items with a Tile in the vicinity.

But stalkers could abuse the same feature. They would still see the tag’s location, while the victim’s scan would not detect it, leaving them unaware of a rogue device.

To enable Anti-Theft Mode, Tile requires a government-issued ID, a live photo of the user, and agreement to a $1 million fine if convicted of stalking. While this could deter some abusers, researchers note it isn’t clear whether the penalty is enforceable.

The researchers concluded that many of the problems they found with Tile trackers could be solved by encrypting the signals it broadcasts, and they didn’t understand why the company apparently hadn’t followed the example of its competitors.

That sounds easier than it might be though. In February 2025, researchers found a way to track any Bluetooth device using nRootTag vulnerability in the “Find My” network. Apple has a partial fix out, but full protection may take years. This shows that a redesign from (almost) scratch could be a lengthy and costly process.

In a statement to The Verge, a spokesperson for Life360 said the company had “made a number of improvements” since researchers reported the issue last November, although didn’t provide any details about the fixes. From the statement:

> Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service.

To help you find the main differences between Tile and other trackers, we constructed this overview.

**Features**

**Tile**

**Others**

Static MAC address

Uses static MAC addresses, enabling persistent tracking by anyone nearby.

Uses rotating MAC addresses that change frequently to prevent tracking.

Data transmission

Broadcasts unique IDs and device data unencrypted via Bluetooth, which is easily intercepted.

Uses encrypted communication with nearby devices, protecting data in transit.

Data storage

Stores location and device data unencrypted on own servers, making it vulnerable to breaches.

Stores encrypted data on servers, reducing risk from breaches.

Detection of unwanted trackers

Requires users to manually scan with Tile app’s Scan and Secure feature, which is less intuitive.

Automatically alerts users of unknown trackers traveling with them and provides disabling them.

Anti-theft feature

Offers “anti-theft mode,” which hides trackers from detection scans, but which makes automatic stalking alerts ineffective.

No equivalent feature.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Tile trackers plagued by weak security, researchers warn 

Apple has patched a serious vulnerability (CVE-2025-43400) in how devices handle fonts.

Apple has released important security updates to address a critical vulnerability in _FontParser_—the part of MacOS/iOS/iPadOS that processes fonts.

Identified as CVE-2025-43400, the flaw was discovered internally by Apple and allows an attacker to craft a malicious font that can cause apps to crash or corrupt process memory, potentially leading to arbitrary code execution.

While Apple hasn’t said it’s being actively exploited, similar bugs have been used in jailbreaks and spyware attacks in the past, so it’s smart to patch it promptly.

**How to update your devices******How to update your iPhone or iPad****

For iOS and iPadOS users, you can check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

******How to update macOS on any version******

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

*   Click the Apple menu in the upper-left corner of your screen.
*   Choose **System Settings** (or **System Preferences** on older versions).
*   Select **General** in the sidebar, then click **Software Update** on the right. On older macOS, just look for **Software Update** directly.
*   Your Mac will check for updates automatically. If updates are available, click **Update Now** (or **Upgrade Now** for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
*   Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
*   Make sure your Mac stays plugged in and connected to the internet until the update is done.

****How to update Apple Watch****

*   Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
*   Keep your Apple Watch on its charger and close to your iPhone.
*   Open the Watch app on your iPhone.
*   Tap **General > Software Update**.
*   If an update appears, tap **Download and Install**.
*   Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

****How to update Apple TV****

*   Turn on your Apple TV and make sure it’s connected to the internet.
*   Open the Settings app on Apple TV.
*   Navigate **to System > Software Updates**.
*   Select **Update Software**.
*   If an update appears, select **Download and Install**.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

**Updates for your particular device**

**Name and information link**

**Available for**

iOS 26.0.1 and iPadOS 26.0.1

iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

iOS 18.7.1 and iPadOS 18.7.1

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

macOS Tahoe 26.0.1

macOS Tahoe

macOS Sequoia 15.7.1

macOS Sequoia

macOS Sonoma 14.8.1

macOS Sonoma

visionOS 26.0.1

Apple Vision Pro

watchOS 26.0.2 no published CVE entries.

Apple Watch Series 6 and later

tvOS 26.0.1 no published CVE entries.

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The vulnerability tracked as CVE-2025-43400 was described as an out-of-bounds write issue in FontParser that, when exploited, could cause the processing of a maliciously crafted font to lead to unexpected app termination or corrupt process memory.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Typically, fonts are safe and standardized files used daily in countless apps and websites, but due to this vulnerability an attacker can create a specially crafted font file containing manipulated data that exploits vulnerabilities in the font processing engine of the operating system. When this malicious font is loaded by an app or system process, it can trigger memory corruption or crashes. In worst-case scenarios, this can enable attackers to execute harmful code remotely, gaining control over the device.

Given that fonts are widely used and often processed silently in the background, font vulnerabilities pose a significant risk vector for attackers aiming to compromise devices.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes critical font processing bug. Update now! 

Investigators linked 1,463 victims to the scams, and said their losses amounted to around $2.8 million.

Online crime of all kinds is deplorable, but romance scammers and sextortionists who target the most vulnerable victims are among the worst. Now, there’s likely a place for 260 of them in jail, thanks to international law enforcement.

Interpol’s Operation Contender 3.0 targeted alleged criminals from several countries across Africa. It arrested 260 people and captured 1,235 electronic devices. Investigators linked 1,463 victims to the scams, and said their losses amounted to around $2.8 million.

The images from Interpol’s press release tell just as lurid a story as the numbers do. In one, over 30 phones lie on a table, each with a different case. These were the devices that the scammers likely used to carry out their crimes, which focused on romance scams and extortion.

Criminals lured victims with fake online identities built from stolen photos and forged documents, then exploited victims through romance scams that demanded bogus courier or customs fees. Others ran sextortion schemes, secretly recording explicit video chats to extort money.

**What to watch for**

Romance scams are all too familiar to those in the know, but still catch out plenty of lonely people looking for affection online. A criminal half a world away will get to know a victim, often beginning the relationship via an ‘accidental’ text message, or via a dating site or social media. A fake social media account, usually with a stolen photo, lends them credibility. They will gradually get to know the victim, luring them into what seems like a romantic relationship. If you’re talking to someone who claims to be in the military and therefore unable to travel, be very wary. This is a common scam tactic.

Eventually the request for money will come, in some form or other. In some scams, it’ll be a recommendation to invest in a fraudulent investment scheme (this used to be called ‘pig butchering’ but now Interpol prefers the more humane term ‘romance baiting’).

In other variations of the scam, there will be a plan to visit the victim – except, of course, there’s some financial hurdle that the perpetrator must overcome before they can travel. If the victim sends the money, the requests will keep coming, always with another excuse for why they can’t make the trip just yet.

Talking with someone you’ve never met who’s asking for financial help with a medical emergency, or to solve a legal or business issue? Think twice before sending the funds. Then think a third time. Then don’t do it.

**A loneliness epidemic**

In an era where people are increasingly lonely, romance scams are a surprisingly effective tactic. Americans lost $1.2 billion to romance scammers last year, with medium losses hitting $2,000.

The extortion side of things is even more horrid. People aren’t just lonely these days; they’re lusty. That leads to many people doing things online with strangers that they shouldn’t, including sharing intimate images or videos of themselves. Once a criminal has those assets, they can use them to extort the victims by threatening to send the material to their friends, family, and professional contacts.

Romance scams and other forms of financial fraud can come from anywhere, including in your own country. But Africa does seem to be a hotbed for it. Last year’s Interpol Africa Cyberthreat Assessment Report found that cybercrime accounted for 30% of all reported crime in Western and Eastern Africa. Criminals engage in many kinds of digital crime, according to the report, including business email compromise and banking malware, but online scams are especially popular—as is digital sextortion and harassment.

Interpol arrested eight people a year ago in Nigeria and Côte d’Ivoire for financial fraud including romance scams as part of its Contender 2.0 operation. And in 2022, it dismantled a South African gang for swindling companies, but also suspected it of being involved in romance scams.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 260 romance scammers and sextortionists caught in huge Interpol sting 

Amazon settled a $2.5 billion lawsuit for tricking users into buying Prime subscriptions which were hard to cancel.

Another day, another settlement. Amazon has settled a lawsuit filed by the Federal Trade Commission (FTC) over misleading customers who signed up for Amazon Prime—though it claims it did nothing wrong.

The FTC alleged that Amazon used deceptive methods to sign up consumers for Prime subscriptions—and made it exceedingly difficult to cancel.

In the settlement, Amazon will be required to pay a $1 billion civil penalty, provide $1.5 billion in refunds back to consumers harmed by their deceptive Prime enrollment practices, and cease unlawful enrollment and cancellation practices for Prime.

The FTC claimed in its lawsuit that Amazon had used:

> “manipulative, coercive, or deceptive user-interface designs known as ‘dark patterns’ to trick consumers into enrolling in automatically-renewing Prime subscriptions.” 

Dark patterns are tricks on websites or in apps to nudge or mislead people toward choices they wouldn’t normally make, like spending more money or signing up for recurring services without realizing it. Instead of helping users, these designs obscure, confuse, or pressure viewers to act quickly or accidentally.

Some common examples are:

*   Large, colorful “Yes” buttons, but almost hidden “No” options
*   Confusing cancellation steps with unclear language
*   Pre-checked boxes for paid extras
*   Endless popups urging one not to leave a page

Former FTC commissioner Alvaro Bedoya described Amazon’s “End Your Prime Membership” method as:

> “a 4-page, 6-click, 15-option cancellation journey that Amazon itself compared to that slim airport read, Homer’s Iliad.”

Due to Amazon’s use of dark patterns, millions of people ended up signing up for Prime, some without realizing they’d agreed to recurring charges. Others gave up trying to cancel due to the exhausting steps.

The FTC found this to be a violation of the Restore Online Shoppers’ Confidence Act, which was signed into law in 2010 to prevent companies using deception to prompt or encourage online purchases.

Amazon issued a statement saying:

> “Amazon and our executives have always followed the law and this settlement allows us to move forward and focus on innovating for customers. We work incredibly hard to make it clear and simple for customers to both sign up or cancel their Prime membership, and to offer substantial value for our many millions of loyal Prime members around the world. We will continue to do so, and look forward to what we’ll deliver for Prime members in the coming years.”

Customers who enrolled in Prime between June 23, 2019 and June 23, 2025 may be eligible for a refund. Those who rarely used Prime benefits will automatically get back their fees—capped at $51—while others who meet the criteria can apply for a refund of up to the same amount.

As we argued a few days ago, settlements like these highlight a worrying trend: big tech pays off privacy violations, class actions grab headlines, and lawyers collect fees—while consumers hand over personal details again for a token payout.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Amazon pays $2.5B settlement over deceptive Prime subscriptions 

RemoteCOM's monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them.

We’ve covered spyware and stalkerware leaks many times before, but we don’t often see such exposure in software used by law enforcement.

According to a report by Straight Arrow News (SAN), the hacker “wikkid” said the intrusion against RemoteCOM was “one of the easiest” they’d ever carried out.

RemoteCOM describes itself as “the premier computer, smartphone and tablet monitoring service for the management of pretrial, probation and parole clients”. According to a leaked training manual, its software, sold as “SCOUT”, says it can be used to track targets ranging from sex offenders, sex traffickers, and stalkers to terrorists, hackers, and gang members.

Behind its official branding, SCOUT behaves like spyware: it records keystrokes, captures screenshots, and even sends out an alert if the tracked person types certain keywords.

The hacker accessed two key files: “officers” (6,896 entries), containing the names, phone numbers, work addresses, email addresses, unique IDs, and job titles of people working in the criminal justice system who have used RemoteCOM’s services, and “clients” (around 14,000 entries), covering individuals currently or previously monitored by SCOUT; listing names, email addresses, IP addresses, home addresses, and phone numbers, alongside the names and emails of their probation officers.

The files also contained details of the offenses clients were charged with, ranging from sex offenses, weapons, and narcotics cases to terrorism, stalking, domestic violence, sex trafficking, fraud, violence, and hacking.

_Image courtesy of SAN_

This type of data leak can be dangerous for both sides of the app. Clients tagged with the keyword “sex” are not necessarily convicted sex offenders—they could be suspects under surveillance or have not yet been to trial—but that distinction might not stop any vigilantes out there.

For officers, the leak of names, contact details, and workplaces could expose them and their families to threats of violence. One officer even had the app installed on the phones of their sister-in-law and fiancé, making the breach especially personal.

Speaking to SAN, a spokesperson for RemoteCOM said:

> “We are assessing the situation currently along with your article that you posted.”

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable** **two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up** **identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Sex offenders, terrorists, drug dealers, exposed in spyware breach 

A list of topics we covered in the week of September 22 to September 28 of 2025

Last week on Malwarebytes Labs:

*   Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data
*   Google and Flo to pay $56 million after misusing users’ health data
*   Neon App pays users to record their phone calls, sells data for AI training \[updated\]
*   New SVG-based phishing campaign is a recipe for disaster
*   LinkedIn will use your data to train its AI unless you opt out now
*   TikTok is misusing kids’ data, says privacy watchdog
*   Police using drones to read your license plates, warns EFF
*   Malwarebytes for Teams now includes VPN
*   Fake Malwarebytes, LastPass, and others on GitHub serve malware
*   Can you disappear online? (Lock and Code S06E19)
*   American Archive of Public Broadcasting allowed access to restricted media for years
*   Scammers are impersonating the FBI to steal your personal data
*   Beware of Zelle transfer scams
*   ChatGPT solves CAPTCHAs if you tell it they’re fake

Stay safe!

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 A week in security (September 22 &#8211; September 28) 

Hackers stole data on 8,000 nursery children, then called the children's parents, hoping to increase leverage for their ransom demand.

Just when you think extortionists can’t sink any lower, along comes a lowlife that manages to surprise you.

The BBC reported that a group calling itself “Radiant” claims to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

The data the group says it stole includes names, photos, addresses, dates of birth, and details about their parents or carers. The hack also reportedly exposed safeguarding notes and medical information.

To prove their possession of the data, the criminals posted samples, including pictures and profiles of ten children on their darknet website. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

When contacted by the BBC about their extortion attempt, the group defended their actions, claiming to:

> “… deserve some compensation for our pentest.”

They should educate themselves before continuing. In most jurisdictions, to carry out this type of “penetration testing” legally, they need to get explicit permission from the company first (or choose a company that runs a bug bounty program).

As if stealing children’s data and publishing them on the dark web isn’t bad enough, Joe Tidy at the BBC reported that the group also called some of the children’s parents—telling them to put pressure on the nursery chain to pay the ransom demand, or they’ll leak their child’s data.

If history has taught us anything, the next step is that they will try to extort the parents individually, as happened in the case of the Finnish psychotherapy practice Vastaamo. Trust me, these things never end well. In Vastaamo’s case, the clinic went bankrupt, at least one suicide has been linked to the case, and the attackers have been sentenced to jail time.

Kido has not issued a public statement. Although the investigation is ongoing, it has contacted parents to confirm the incident and offer reassurance.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication **(****2FA)**.** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Hackers threaten parents: Get nursery to pay ransom or we leak your child&#8217;s data 

Flo Health and Google agreed to pay $56 million to settle lawsuits alleging the period-tracking app shared sensitive health data for ads.

Popular period-tracking app Flo Health shared users’ intimate health data—such as menstrual cycles and fertility information—with Google and Meta, allegedly for targeted advertising purposes, according to multiple class-action lawsuits filed in the US and Canada.

Between 2016 and 2019, the developers of Flo Health shared intimate user data with companies including Facebook and Google, mobile marketing firm AppsFlyer, and Yahoo!-owned mobile analytics platform Flurry. 

Google and Flo Health reached settlements with plaintiffs in July, just before the case went to trial. The terms, disclosed this week in San Francisco federal court, stipulate that Google will pay $48 million and Flo Health will pay $8 million to compensate users who entered information about menstruation or pregnancy between November 2016 and February 2019.

In an earlier trial, co-defendant Meta was found liable for violating the California Invasion of Privacy Act by collecting the information of Flo app users without their consent. Meta is expected to appeal the verdict.

The FTC investigated Flo Health and concluded in 2021 that the company misled users about its data privacy practices. This led to a class-action lawsuit which also involved the now-defunct analytics company Flurry, which settled separately for $3.5 million in March.

Flo and Google denied the allegations despite agreeing to pay settlements. Big tech companies have increasingly chosen to settle class action lawsuits while explicitly denying any wrongdoing or legal liability—a common trend in high-profile privacy, antitrust, and data breach cases.

It depicts a worrying trend where big tech pays off victims of privacy violations and other infractions. High-profile class-action lawsuits against, for example, Google, Meta, and Amazon, grab headlines for holding tech giants accountable. But the only significant winners are often the lawyers, leaving victims to submit personal details yet again in exchange for, at best, a token payout.

By settling, companies can keep a grip on the potential damages and avoid the unpredictability of a jury verdict, which in large classes could reach into billions. Moreover, settlements often resolve legal uncertainty for these corporations without setting a legal precedent that could be used against them in future litigation or regulatory actions.

Looking at it from a cynical perspective, these companies treat such settlements as just another operational expense and continue with their usual practices.

In the long run, such agreements may undermine public trust and accountability, as affected consumers receive minimal compensation but never see a clear acknowledgment of harm or misconduct.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Source

Malwarebytes