The extension disclosed its AI data collection, but not in a way most users would recognize—or knowingly agree to.

_This case highlights a growing grey area in consumer privacy: data collection that is technically disclosed, but so far outside user expectations that most people would never knowingly agree to it._

The next time you tell an AI chat assistant your deepest secrets, think twice; you never know who (or what) might be listening. More than seven million users of a VPN extension for Google Chrome and Microsoft Edge found that out the hard way this week after researchers at Koi Security revealed the browser extension had been logging users’ AI chats and sending them to a data broker.

Urban VPN Proxy looked like a reputable program. It sat in the Chrome Web Store with a 4.7-star rating and Google’s “Featured” badge, which is meant to indicate that an extension meets higher standards for user experience and design. More than six million people downloaded the Chrome version of the tool, which ironically claims to protect users’ online privacy. Another 1.3 million installed it on Microsoft Edge.

The extension was originally benign, but then on July 9, 2025 its publisher, Urban Cybersecurity, shipped version 5.5.0. According to Koi Security, that update introduced code that intercepted every conversation users had with eight AI assistant platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), and Meta AI.

The extension intercepted chat prompts from the user’s browser, along with responses from the AI. It then reportedly packaged them up and sent them to Urban Cybersecurity’s parent company, BiScience (B.I Science (2009) Ltd). That is a data broker company, which collects browsing history and device IDs from millions of users.

As Koi Security points out in its report, Urban Cybersecurity _does_ mention AI data collection in the consent screen that it shows during product setup. It says:

> “…we process certain browsing data such as pages you visit, your network connection, ChatAI communication, and security signals, as outlined in our Privacy Policy.”

The privacy policy further explains what data it collects and says that it discloses the data for marketing analytics purposes.

There are two problems with that.

First, the extension silently auto-updates on Chrome and Microsoft Edge browsers, as Koi Security points out. That means users who installed an earlier, non-harvesting version installed would have been automatically upgraded to the chat-slurping version in July and been none the wiser—unless they happened to read updated privacy policies for fun.

fromSecond, the Chrome Web Store listing reportedly described the product as protecting people from entering personal information into AI chatbots. That claim is hard to square with the fact that the extension captures and exfiltrates AI chats regardless of whether its protection features are turned on, according to Koi.

The researchers also found that seven other extensions from the same publisher contained identical harvesting code, bringing the total number of affected users to more than eight million. Koi Security published a list of those extensions in its report.

**Why data brokers love AI chat**

With people inclined to tell AI sessions increasingly personal things, this secretive harvesting should worry us. Set aside for a minute those who confess to crimes, or those who pour out deeply private thoughts while using AI as a form of therapy. Many other chats are filled with things that feel more mundane but are still highly sensitive: job advice (people have shared full resumes with AI chats), medical symptoms, family planning questions, study materials, and legal queries.

Those conversations are often far more detailed and revealing than traditional search engine queries. If data brokers obtain them, they can mine the content for personal insights and link it with other data they already hold about you.

This episode reinforces two pieces of advice that we’ve given before. The first is to be careful which browser extensions you install, and which VPN services you use. Not all are what they seem.

Second, be careful what you tell AI assistants. Even if nothing is intercepting the conversation locally, the company operating the AI itself might be made to hand over chat data, as OpenAI was earlier this month.

Google’s “Featured” badge says extensions “follow our technical best practices and meet a high standard of user experience and design” but this seems to have been one that slipped through the next. As of last night, Urban Proxy VPN and Urban Cybersecurity’s other apps appeared to have been removed from the Chrome Web Store. The ones identified by Koi Security on the Microsoft Edge Add-ons store were still available, though.

If you used any of these extensions, were unaware of the situation and are unhappy about it, you should assume that any AI chats since July 9 this year may have been compromised. To remove extensions, you can do so in Chrome by visiting chrome://extensions and in Edge by visiting edge://extensions. You may also want to reset passwords and clear browser caches and cookies.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

**About the author**

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.

 Chrome extension slurps up AI chats after users installed it for privacy 

Google's patched two flaws in Chrome, both of which can be triggered remotely when a user loads specially crafted web content.

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page.

Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it a massive target. When Chrome has a security flaw that can be triggered just by visiting a website, billions of users are exposed until they update.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web. Attackers often try to exploit browser vulnerabilities quickly, before most users have a chance to update. Always let Chrome update itself, and don’t delay restarting it, as updates usually fix exactly this kind of risk.

**How to update Chrome**

The latest version number is **143.0.7499.146/.147** for Windows and macOS, and **143.0.7499.146** for Linux. So, if your Chrome is on version **143.0.7499.146 or later,** it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the **More** menu (three dots), then go to **Settings** > **About Chrome**. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.

****Technical details****

One of the vulnerabilities was found in the WebGPU web graphics API, which allows for graphics processing, games, and more, as well as AI and machine learning applications. This vulnerability, tracked as CVE-2025-14765 is a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.

Heap corruption occurs when a program inadvertently damages the allocator’s view of the heap, which can lead to unexpected alterations in memory. The heap is a region of memory used for dynamic memory allocation.

The other vulnerability, known as CVE-2025-14766 was—once again—found in the V8 engine as an out-of-bounds read and write.

V8 is the engine that Google developed for processing JavaScript, and it has seen more than its fair share of bugs.

An out-of-bounds read and write vulnerability means an attacker may be able to manipulate parts of the device’s memory that should be out of their reach. Such a flaw allows a program to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers could write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, the vulnerability could be exploited when the engine processes specially crafted HTML content, such as a malicious website.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Two Chrome flaws could be triggered by simply browsing the web: Update now 

A “purchase order” PDF blocked by Malwarebytes led to a credential-harvesting phishing site. So we analyzed the attack and where the data went next.

_A PDF named “NEW Purchase Order # 52177236.pdf” turned out to be a phishing lure. So we analyzed the phishing script behind it._

A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received.  

Malwarebytes blocked this ionoscloud.com subdomain

When I examined the attachment, it soon became clear why we blocked it.

The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:

Hovering over the button to see where it goes

Since I’m rarely able to control my curiosity, I temporarily added an exclusion to Malwarebytes’ web protection so I could see where the link would take me. The destination was a website displaying a login form with the target’s email address already filled in (the address shown here was fabricated by me):

The objective was clear: phishing. But the site’s source code didn’t reveal much.

The most likely objective was to harvest business email addresses and their passwords. Attackers commonly test these credentials against enterprise services such as Microsoft Outlook, Google Workspace, VPNs, file-sharing platforms, and payroll systems. The deliberately vague prompt for a “business email” increases the likelihood that users will provide corporate credentials rather than personal ones.

There was also a small personalization touch. The “Estimado” greeting sets a professional tone and is common in business correspondence across Spanish-speaking regions.

For a full analysis read on, but the real clue is that the harvested credentials accompanied additional information about the victim’s browser, operating system, language, cookies, screen size, and location. This data was sent directly to the scammer’s account on Telegram, where it’s likely to be used to compromise the business network or sold on to other cybercriminals.

A quick search on VirusTotal showed that there were several PDF files linking to the exact same ionoscloud.com subdomain.

**Analysis**

As I pointed out earlier, the source code of the initial phishing page did not reveal a lot. These are probably auto-generated templates that can be planted on any website, allowing attackers a fast rotation.

ionoscloud.com belongs to IONOS Cloud, the cloud infrastructure division of IONOS, a major European hosting company. It offers services similar to Amazon AWS or Microsoft Azure, including hosting for websites and files. Scammers specifically choose reputable cloud platforms like IONOS Cloud because of the “halo effect” of being hosted at a well-known domain, which means security companies can’t just block the whole domain.

The criminals also get the flexibility to quickly spin up, modify, or tear down phishing sites and continue to evade detection by moving to new URLs or storage buckets.

So, we followed the trail to a JavaScript file, which turned out to be obfuscated script—and a long one at that. But the end of it looked promising.

113,184 lines of code

Since it was still unclear at this point what it was up to, I made a change to the script to avoid infection and which allowed me to get the source code without executing the script. To achieve this, I replaced the last line of the original script with code that exports the next layer to an HTML file.

The next obfuscation layer turned out to be easy. All it contained was a long string that needed to be unescaped. Because of the length, I used an online decoder to do that for me.

Simple unescape script

This showed me the code for the actual form that the target would see—and the goal of the whole phishing expedition.

The part that did the actual harvesting was hidden in another script.

This was still pretty long and obfuscated but by analyzing the code and giving the functions readable names I managed to find out which information the script gathered. For example, the script uses the ipapi location service:

Deobfuscated location script

And I found out where it sent the details.  

Telegram bot function

Any credentials entered on the phishing page are POSTed directly to the attacker’s Telegram bot and immediately forwarded to their chosen Telegram chat for collection. The Telegram chat ID hardcoded in the script was 5485275217.

**How to stay safe**

The advice here is pretty standard. (Do as our customer did, not as I did.)

*   Phishing and malware campaigns frequently use PDF files, so treat them like any other attachment: don’t open until the trusted sender confirms sending you one.
*   Never click links inside attachments without verifying with the sender, especially if you weren’t expecting the message or don’t know the sender.
*   Always check the address of any website asking for your login details. A password manager can help here, as it won’t auto-fill credentials on a fake site.
*   Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
*   Use an email security solution that can detect and quarantine suspicious attachments.

**Pro tip:** Malwarebytes Scam Guard recognized the screenshot of the PDF as a phishing attempt and provided advice on how to deal with it.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Inside a purchase order PDF phishing campaign 

We compared three incidents that surfaced today to show why the impact of a breach depends less on who was hit and more on what was taken.

Comparing data breaches is like comparing apples and oranges. They differ on many levels. To news media, the size of the brand, how many users were impacted, and how it was done often dominate the headlines. For victims, what really matters is the type of information stolen. And for the organizations involved, the focus is on how they will handle the incident. So, let’s have a look at the three that showed up in the news feeds today.

**700Credit**

700Credit is a US provider of credit reports, preliminary credit checks, identity verification, fraud detection, and compliance tools for automobile, recreational vehicle, powersports, and marine dealerships.

In a notice on its website, 700Credit informed media, partners, and affected individuals that it suffered a third-party supply-chain attack in late October 2025. According to the notice, an attacker gained unauthorized access to personally identifiable information (PII), including names, addresses, dates of birth, and Social Security numbers (SSNs). The breach involves data collected between May and October, impacting roughly 5.6 million people.

The supply-chain attack demonstrates the importance of how you handle attacks. Reportedly, 700Credit communicates with more than 200 integration partners through application programming interfaces (APIs). When one of the partners was compromised in July, they failed to notify 700Credit. As a result, unnamed cybercriminals broke into that third-party’s system and exploited an API used to pull consumer information.

700Credit shut down the exposed third-party API, notified the FBI and FTC, and is mailing letters to victims offering credit monitoring while coordinating with dealers and state regulators.

**SoundCloud**

SoundCloud is a leading audio streaming platform where users can upload, promote, stream, and share music, podcasts, and other audio content.

SoundCloud posted a notice on its website stating that it recently detected unauthorized activity in an ancillary service dashboard. Ancillary services refer to specialized functions that help maintain stability and reliability. When SoundCloud contained the attack, it experienced denial-of-service attacks, two of which were able to temporarily disable its platform’s availability on the web.

An investigation found that no sensitive data such as financial or password data was accessed. The exposed data consisted of email addresses and information already visible on public SoundCloud profiles. The company estimates the incident affected roughly 20% of its user base.

**Pornhub**

Pornhub is one of the world’s most visited adult video-sharing websites, allowing users to view content anonymously or create accounts to upload and interact with videos.

Reportedly, Pornhub disclosed that on November 8, 2025, a security breach at third-party analytics provider Mixpanel exposed “a limited set of analytics events for certain users.” Pornhub stressed that this was not a breach of Pornhub’s own systems, and said that passwords, payment details, and financial information were not exposed. Mixpanel, however, disputes that the data originated from its November 2025 security incident.

According to reports, the ShinyHunters ransomware group claims to have obtained about 94 GB of data containing more than 200 million analytics records tied to Pornhub Premium activity. ShinyHunters shared a data sample with BleepingComputer that included a Pornhub Premium member’s email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.

ShinyHunters has told BleepingComputer that it sent extortion demands to Pornhub, and the nature of the exposed data creates clear risks for blackmail, outing, and reputational harm—even though no Social Security numbers, government IDs, or payment card details are in the scope of the breach.

**Comparing apples and oranges**

As you can see, these are three very different data breaches. Not just in how they happened, but in what they mean for the people affected.

While email addresses and knowing that someone uses SoundCloud could be useful for phishers and scammers, it’s a long way from the leverage that comes with detailed records of Pornhub Premium activity. If that doesn’t get you on the list of a “hello pervert” scammer, I don’t know what will.

But undoubtedly the most dangerous one for those affected is the 700Credit breach which provides an attacker with enough information for identity theft. In the other cases an attacker will have to penetrate another defense layer, but with a successful identity theft the attacker has reached an important goal.

**Aspect**

**SoundCloud**

**700Credit**

**Pornhub**

**People affected**

Estimated ~28–36 million users (about 20% of users) ​

~5.6 million people ​

“Select” Premium users; ~201 million activity records (not 201 million people) ​

**Leaked data**

Email addresses and public profile info ​

Names, addresses, dates of birth, SSNs ​​

Search, watch, and download activity; attacker-shared samples include email addresses, timestamps, and IP/geo-location data

**Sensitivity level**

Low (mostly already public contact/profile data) ​

Very high (classic identity‑theft PII) ​​

Very high (intimate behavioral and preference data, blackmail/extortion potential) ​

**Breach cause**

Unauthorized access to an internal service dashboard ​

Third‑party API compromise (supply‑chain attack) ​​

Disputed incident involving third-party analytics data (Mixpanel), following a smishing campaign

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 SoundCloud, Pornhub, and 700Credit all reported data breaches, but the similarities end there 

Android users spent 2025 walking a tighter rope than ever, with malware, data-stealing apps, and SMS-borne scams all climbing sharply.

_Android users spent 2025 walking a tighter rope than ever, with_ _malware, data‑stealing apps, and SMS‑borne scams all climbing sharply while attackers refined their business models around mobile data and access._

Looking back, we may view 2025 as the year when one-off scams were replaced on the score charts by coordinated, well-structured, attack frameworks.

Comparing two equal six‑month periods—December 2024 through May 2025 versus June through November 2025—our data shows Android adware detections nearly doubled (90% increase), while PUP detections increased by roughly two‑thirds and malware detections by around half.

The strong rise in SMS-based attacks we flagged in June indicates that 2025 is the payoff year. The capabilities to steal one‑time passcodes are no longer experimental; they’re being rolled into campaigns at scale.

**The shift from nuisances to serious crime**

Looking at the preceding full year, malware and PUPs together made up almost 90% of Android detections, with malware rising to about 43% of the total and potentially unwanted programs (PUPs) to 45%, while adware slid to around 12%.

That mix tells an important story: Attackers are spending less effort on noisy annoyance apps and more on tools that can quietly harvest data, intercept messages, or open the door to full account takeover.

But that’s not because adware and PUP numbers went down.

Shahak Shalev, Head of AI and Scam Research at Malwarebytes pointed out: 

> The holiday season may have just kicked off, but cybercriminals have been laying the groundwork for months for successful Android malware campaigns. In the second half of 2025, we observed a clear escalation in mobile threats. Adware volumes nearly doubled, driven by aggressive families like MobiDash, while PUP detections surged, suggesting attackers are experimenting with new delivery mechanisms. I urge everyone to stay vigilant over the holidays and not be tempted to click on sponsored ads, pop-ups or shop via social media. If an offer is too good to be true, it usually is.”  

For years, Android/Adware.MobiDash has been one of the most common unwanted apps on Android. MobiDash comes as an adware software development kit (SDK) that developers (or repackagers) bolt onto regular apps to flood users with pop‑ups after a short delay. In 2025 it still shows up in our stats month after month, with thousands of detections under the MobiDash family alone.

So, threats like MobiDash are far from gone, but they increasingly become background noise against more serious threats that now stand out.

Over that same December–May versus June–November window, adware detections nearly  doubled, PUP detections rose by about 75%, and malware detections grew by roughly 20%.

In the adware group, MobiDash alone grew its monthly detection volume by more than 100% between early and late 2025, even as adware as a whole remained a minority share of Android threats. In just the last three months we measured, MobiDash activity surged by about 77%, with detections climbing steadily from September through November.

**A more organized approach**

Rather than relying on delivering a single threat, we found cybercriminals are chaining components like droppers, spying modules, and banking payloads into flexible toolkits that can be mixed and matched per campaign.

What makes this shift worrying is the breadth of what information stealers now collect. Beyond call logs and location, many samples are tuned to monitor messaging apps, browser activity, and financial interactions, creating detailed behavioral profiles that can be reused across multiple fraud schemes. As long as this data remains monetizable on underground markets, the incentive to keep these surveillance ecosystems running will only grow.

As the ThreatDown 2025 State of Malware report points out:

> “Just like phishing emails, phishing apps trick users into handing over their usernames, passwords, and two-factor authentication codes. Stolen credentials can be sold or used by cybercriminals to steal valuable information and access restricted resources.”

Predatory finance apps like SpyLoan and Albiriox typically use social engineering (sometimes AI-supported) promising fast cash, low-interest loans, and minimal checks. Once installed, they harvest contacts, messages, and device identifiers, which can then be used for harassment, extortion, or cross‑platform identity abuse. Combined with access to SMS and notifications, that data lets operators watch victims juggle real debts, bank balances, and private conversations.

One of the clearest examples of this more organized approach is Triada, a long-lived remote access Trojan (RAT) for Android. In our December 2024 through May 2025 data, Triada appeared at relatively low but persistent levels. Its detections then more than doubled in the June–November period, with a pronounced spike late in the year.

Triada’s role is to give attackers a persistent foothold on the device: Once installed, it can help download or launch additional payloads, manipulate apps, and support on‑device fraud—exactly the kind of long‑term ‘infrastructure’ behavior that turns one‑off infections into ongoing operations.

Seeing a legacy threat like Triada ramp up in the same period as newer banking malware underlines that 2025 is when long‑standing mobile tools and fresh fraud kits start paying off for attackers at the same time.

If droppers, information stealers, and smishing are the scaffolding, banking Trojans are the cash register at the bottom of the funnel. Accessibility abuse, on‑device fraud, and live screen streaming, can make transactions happen inside the victim’s own banking session rather than on a cloned site. This approach sidesteps many defenses, such as device fingerprinting and some forms of multi-factor authentication (MFA). These shifts show up in the broader trend of our statistics, with more detections pointing to layered, end‑to‑end fraud pipelines.

Compared to the 2024 baseline, where phishing‑capable Android apps and OTP stealers together made up only a small fraction of all Android detections, the 2025 data shows their share growing by tens of percentage points in some months, especially around major fraud seasons.

**What Android users should do now**

Against this backdrop, Android users need to treat mobile security with the same seriousness as desktop and server environments. This bears repeating, as Malwarebytes research shows that people are 39% more likely to click a link on their phone than on their laptop.

 A few practical steps make a real difference:​

*   Prefer official app stores, but do not trust them blindly. Scrutinize developer reputation, reviews, and install counts, especially for financial and “utility” apps that ask for sensitive permissions.​
*   Be extremely cautious with permissions like SMS access, notification access, Accessibility, and “Display over other apps,” which show up again and again in infostealers, banking Trojans, and OTP-stealing campaigns.​​
*   Avoid sideloading and gray‑market firmware unless absolutely necessary. When possible, choose devices with a clear update policy and apply security patches promptly.​
*   Treat unexpected texts and messages—particularly those about payments, deliveries, or urgent account issues—as hostile until proven otherwise and never tap links or install apps directly from them.​​
*   Run up-to-date real-time mobile security software that can detect malicious apps, block known bad links, and flag suspicious SMS activity before it turns into full account compromise.​

Mobile threats in 2025 are no longer background noise or the exclusive domain of power users and enthusiasts. For many people, the phone is now the main attack surface—and the main gateway to their money, identity, and personal life.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Android threats in 2025: When your phone becomes the main attack surface 

A security researcher says a basic website flaw at a photo booth operator may have exposed hundreds of private customer photos.

Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them.

A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedly exposed hundreds of customers’ private photos to anyone who knew where to look.

The researcher, who goes by the name Zeacer, said that a website operated by photo kiosk company Hama Film allowed anyone to download customer photos and videos without logging in. The Australian company provides photo kiosks for festivals, concerts, and commercial events. People take a snap and can both print it locally and also upload it to a website for retrieval later.

You would expect that such a site would be properly protected, so only you get to see yourself wearing nothing but a feather boa and guzzling from a bottle of Jack Daniels at your mate’s stag do. But reportedly, that wasn’t the case.

**You get a photo! You get a photo! Everyone gets a photo!**

According to TechCrunch, which has reviewed the researcher’s analysis, the website suffered from a well-known and extremely basic security flaw. TechCrunch stopped short of naming it, but mentioned sites with similar flaws where people could easily guess where files were held.

When files are stored at easily guessable locations and are not password protected, anyone can access them. Because those locations are predictable, attackers can write scripts that automatically visit them and download the files. When these files belong to users (such as photos and videos), that becomes a serious privacy risk.

At first glance, random photo theft might not sound that dangerous. But consider the possibilities. Facial recognition technology is widespread. People at events often wear lanyards with corporate affiliations or name badges. And while you might shrug off an embarrassing photos, it’s a different story if it’s a family shot and your children are in the frame. Those pictures could end up on someone’s hard drive somewhere, with no way to get them back or even know that they’ve been taken.

**Companies have an ethical responsibility to respond**

That’s why it’s so important for organizations to prevent the kind of basic vulnerability that Zeacer appears to have identified. They can do that by properly password-protecting files, limiting how quickly one user can access large numbers of files, and making the locations impossible to guess.

They should also acknowledge researchers and fix vulnerabilities quickly when they’re reported. According to public reports, Hama Film didn’t reply to Zeacer’s messages, but instead shortened its file retention period from roughly two to three weeks down to about 24 hours. That might narrow the attack surface, but doesn’t stop someone from scraping all images daily.

So what can you do if you used one of these booths? Sadly, little more than assume that your photos have been accessed.

Organizations that hire photo booth providers have more leverage. They can ask how long images are retained, what data protection policies are in place, whether download links are password protected and rate limited, and whether the company has undergone third-party security audits.

Hama Film isn’t the only company to fall victim to these kinds of exploits. TechCrunch has previously reported on a jury management system that exposed jurors’ personal data. Payday loan sites have leaked sensitive financial information, and in 2019, First American Financial Corp exposed 885 million files dating back 16 years.

In 2021, right-wing social network Parler saw up to 60 TB of data (including deleted posts) downloaded after hacktivists found an unprotected API with sequentially numbered endpoints. Sadly, we’re sure this latest incident won’t be the last.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Photo booth flaw exposes people&#8217;s private pictures online 

Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them.

A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedly exposed hundreds of customers’ private photos to anyone who knew where to look.

The researcher, who goes by the name Zeacer, said that a website operated by photo kiosk company Hama Film allowed anyone to download customer photos and videos without logging in. The Australian company provides photo kiosks for festivals, concerts, and commercial events. People take a snap and can both print it locally and also upload it to a website for retrieval later.

You would expect that such a site would be properly protected, so only you get to see yourself wearing nothing but a feather boa and guzzling from a bottle of Jack Daniels at your mate’s stag do. But reportedly, that wasn’t the case.

**You get a photo! You get a photo! Everyone gets a photo!**

According to TechCrunch, which has reviewed the researcher’s analysis, the website suffered from a well-known and extremely basic security flaw. TechCrunch stopped short of naming it, but mentioned sites with similar flaws where people could easily guess where files were held.

When files are stored at easily guessable locations and are not password protected, anyone can access them. Because those locations are predictable, attackers can write scripts that automatically visit them and download the files. When these files belong to users (such as photos and videos), that becomes a serious privacy risk.

At first glance, random photo theft might not sound that dangerous. But consider the possibilities. Facial recognition technology is widespread. People at events often wear lanyards with corporate affiliations or name badges. And while you might shrug off an embarrassing photos, it’s a different story if it’s a family shot and your children are in the frame. Those pictures could end up on someone’s hard drive somewhere, with no way to get them back or even know that they’ve been taken.

**Companies have an ethical responsibility to respond**

That’s why it’s so important for organizations to prevent the kind of basic vulnerability that Zeacer appears to have identified. They can do that by properly password-protecting files, limiting how quickly one user can access large numbers of files, and making the locations impossible to guess.

They should also acknowledge researchers and fix vulnerabilities quickly when they’re reported. According to public reports, Hama Film didn’t reply to Zeacer’s messages, but instead shortened its file retention period from roughly two to three weeks down to about 24 hours. That might narrow the attack surface, but doesn’t stop someone from scraping all images daily.

So what can you do if you used one of these booths? Sadly, little more than assume that your photos have been accessed.

Organizations that hire photo booth providers have more leverage. They can ask how long images are retained, what data protection policies are in place, whether download links are password protected and rate limited, and whether the company has undergone third-party security audits.

Hama Film isn’t the only company to fall victim to these kinds of exploits. TechCrunch has previously reported on a jury management system that exposed jurors’ personal data. Payday loan sites have leaked sensitive financial information, and in 2019, First American Financial Corp exposed 885 million files dating back 16 years.

In 2021, right-wing social network Parler saw up to 60 TB of data (including deleted posts) downloaded after hacktivists found an unprotected API with sequentially numbered endpoints. Sadly, we’re sure this latest incident won’t be the last.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

**About the author**

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.

Google will discontinue its dark web report early next year, prompting mixed reactions. How does dark web monitoring actually help keep you safe?

Google has announced that early next year they are discontinuing the dark web report, which was meant to monitor breach data that’s circulating on the dark web.

The news raised some eyebrows, but Google says it’s ending the feature because feedback showed the reports didn’t provide “helpful next steps.” New scans will stop on January 15, 2026, and on February 16, the entire tool will disappear along with all associated monitoring data. Early reactions are mixed: some users express disappointment and frustration, others seem largely indifferent because they already rely on alternatives, and a small group feels relieved that the worry‑inducing alerts will disappear.

All those sentiments are understandable. Knowing that someone found your information on the dark web does not automatically make you safer. You cannot simply log into a dark market forum and ask criminals to delete or return your data.

But there is value in knowing what’s out there, because it can help you respond to the situation before problems escalate. That’s where dark web and data exposure tools show their use: they turn vague fear (“Is my data out there?”) into specific risk (“This email and password are in a breach.”).

The dark web is often portrayed as a shady corner of the internet where stolen data circulates endlessly, and to some extent, that’s accurate. Password dumps, personal records, social security numbers (SSNs), and credit card details are traded for profit. Once combined into massive credential and identity databases accessible to cybercriminals, this information can be used for account takeovers, phishing, and identity fraud.

There are no tools to erase critical information that is circulating on dark web forums but that was never really the promise.

Google says it is shifting its focus towards “tools that give you more actionable steps,” like Password Manager, Security Checkup, and Results About You. Without doubt, those tools help, but they work better when users understand why they matter. Discontinuing dark web report removes a simple visibility feature, but it also reminds users that cybersecurity awareness means staying careful on the open web and understanding what attackers might use against them.

**How can Malwarebytes help?**

The real value comes from three actions: being aware of the exposure, cutting off easy new data sources, and reacting quickly when something goes wrong.

This is where dedicated security tools can help you.

Malwarebytes Personal Data Remover assists you in discovering and removing your data from data broker sites (among others), shrinking the pool of information that can be aggregated, resold, or used to profile you.

Our Digital Footprint scan gives you a clearer picture of where your data has surfaced online, including exposures that could eventually feed into dark web datasets.

Malwarebytes Identity Theft Protection adds ongoing monitoring and recovery support, helping you spot suspicious use of your identity and get expert help if someone tries to open accounts or take out credit in your name.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Google is discontinuing its dark web report: why it matters 

This week on the Lock and Code podcast, we speak with Erin West about pig butchering scams and the efforts to stop this new, global crisis.

_This week on the Lock and Code podcast_…

This is the story of the world’s worst scam and how it is being used to fuel entire underground economies that have the power to rival nation-states across the globe. This is the story of “pig butchering.”

“Pig butchering” is a violent term that is used to describe a growing type of online investment scam that has ruined the lives of countless victims all across the world. No age group is spared, nearly no country is untouched, and, if the numbers are true, with more than $6.5 billion stolen in 2024 alone, no scam might be more serious today, than this.

Despite this severity, like many types of online fraud today, most pig-butchering scams start with a simple “hello.”

Sent through text or as a direct message on social media platforms like X, Facebook, Instagram, or elsewhere, these initial communications are often framed as simple mistakes—a kind stranger was given your number by accident, and if you reply, you’re given a kind apology and a simple lure: “You seem like such a kind person… where are you from?”

Here, the scam has already begun. Pig butchers, like romance scammers, build emotional connections with their victims. For months, their messages focus on everyday life, from family to children to marriage to work.

But, with time, once the scammer believes they’ve gained the trust of their victim, they launch their attack: An investment “opportunity.”

Pig butchers tell their victims that they’ve personally struck it rich by investing in cryptocurrency, and they want to share the wealth. Here, the scammers will lead their victims through opening an entirely bogus investment account, which is made to look real through sham websites that are littered with convincing tickers, snazzy analytics, and eye-popping financial returns.

When the victims “invest” in these accounts, they’re actually giving money directly to their scammers. But when the victims log into their online “accounts,” they see their money growing and growing, which convinces many of them to invest even _more_, perhaps even until their life savings are drained.

This charade goes on as long as possible until the victims learn the truth and the scammers disappear. The continued theft from these victims is where “pig-butchering” gets its name—with scammers fattening up their victims before slaughter.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Erin West, founder of Operation Shamrock and former Deputy District Attorney of Santa Clara County, about pig butchering scams, the failures of major platforms like Meta to stop them, and why this global crisis represents far more than just a few lost dollars.

> “It’s really the most compelling, horrific, humanitarian global crisis that is happening in the world today.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

 Pig butchering is the next “humanitarian global crisis” (Lock and Code S06E25) 

Scammers exploited a PayPal subscriptions feature to send legitimate emails from service@paypal.com, using fake purchase notifications to push tech support scams.

After an investigation by BleepingComputer, PayPal closed a loophole that allowed scammers to send emails from the legitimate service@paypal.com email address.

Following reports from people who received emails claiming an automatic payment had been cancelled, BleepingComputer found that cybercriminals were abusing a PayPal feature that allows merchants to pause a customer’s subscription.

The scammers created a PayPal subscription and then paused it, which triggers PayPal’s genuine “Your automatic payment is no longer active” notification to the subscriber. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwards any email it receives to all other group members.

This allowed the criminals to use a similar method to one we’ve described before, but this time with the legitimate service@paypal.com address as the sender, bypassing email filters and a first casual check by the recipient.

Image courtesy of BleepingComputer

> “Your automatic payment is no longer active
> 
> You’ll need to contact Sony U.S.A. for more details or to reactivate your automatic payments. Here are the details:”

BleepingComputer says there are slight variations in formating and phone numbers to call, but in essence they are all based on this method.

To create urgency, the scammers made the emails look as though the target had been charged for some high-end, expensive device. They also added a fake “PayPal Support” phone number, encouraging targets to call in case if they wanted to cancel the payment of had questions

In this type of tech support scam, the target calls the listed number, and the “support agent” on the other end asks to remotely log in to their computer to check for supposed viruses. They might run a short program to open command prompts and folders, just to scare and distract the victim. Then they’ll ask to install another tool to “fix” things, which will search the computer for anything they can turn into money. Others will sell you fake protection software and bill you for their services. Either way, the result is the same: the victim loses money.

PayPal contacted BleepingComputer to let them know they were closing the loophole:

> “We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”

**How to stay safe**

The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:

*   **Use verified, official ways to contact companies.** Don’t call numbers listed in suspicious emails or attachments.
*   **Beware of someone wanting to connect to your computer remotely.** One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders.
*   **Report suspicious emails.** Send the email to phishing@paypal.com to support their investigations.

If you’ve already fallen victim to a tech support scam:

*   **Paid the scammer?** Contact your credit card company or bank and let them know what’s happened. You may also want to file a complaint with the FTC or contact your local law enforcement, depending on your region.
*   **Shared a password?** If you shared your password with a scammer, change it everywhere it’s used. Consider using a password manager and enable 2FA for important accounts.
*   **Scan your system****:** If scammers had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove these and other software left behind by scammers.
*   **Watch your accounts:** Keep an eye out for unexpected payments or suspicious charges on your credit cards and bank accounts.
*   **Be wary of suspicious emails.** If you’ve fallen for one scam, they may target you again.

Pro tip: **Malwarebytes Scam Guard recognized this email as a scam.** Upload any suspicious text, emails, attachments and other files to ask for its opinion. It’s really very good at recognizing scams. Here’s what it reported back for this particular scam:

> “**Suspicious Email Assessment**
> 
> This email appears to be a **phishing attempt** designed to trick you into contacting scammers via a fake customer service number, a suspicious website, or email address. Here’s a breakdown of key warning signs:
> 
> **Red Flags Detected**
> 
> 1.  **Fake or Spoofed Sender Address**
>     1.  While it says “service@paypal.com”, sender addresses can be easily spoofed. The real test is the content and behavior of the message, not just the visible address.
> 2.  **Suspicious URLs**
>     1.  Links like http://sonyusa.store and \[sonyusa.store\] (both non-official and unrelated to PayPal or Sony).
>     2.  Official PayPal links always use paypal.com domain.
> 3.  **Non-Official Customer Service Email**
>     1.  Email provided is sony12service@gmail.com instead of an official Sony or PayPal domain.
> 4.  **Urgency and Threat of Unauthorized Charges**
>     1.  Creates panic by telling you a large payment was processed and prompts you to act quickly by contacting their “support” number or email.
> 5.  **Phone Number Trap**
>     1.  The number provided (805-500-6377) is likely operated by scammers. Real PayPal will never ask you to contact them via generic phone numbers outside of their secure website.
> 6.  **Unusual Formatting and Grammar**
>     1.  Awkward phrasing and formatting errors are common in scams.”

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Source

Malwarebytes