Proton, known for its privacy focused set of services, announced the introduction of Lumo, a privacy-first Artificial Intelligence (AI) chatbot. It...

Proton, known for its privacy focused set of services, announced the introduction of Lumo, a privacy-first Artificial Intelligence (AI) chatbot.

It is good to know before you dive in that Proton’s chatbot has two user options that offer a very different experience. If you want Lumo to access the internet you will have to use the “Web search” button before you submit your prompt. If you don’t, it will tell you it doesn’t have the capability to browse the web or access real-time information.

While this somewhat limits the usefulness of Lumo when you’re looking at recent developments, it is reassuring that the model was trained on selected sources. This also reduces the risk of hallucinating. Lumo is set up to recognize when it doesn’t know the answer and in such cases, it will make you aware of that and suggest alternative sources of information, or other ways to find the answer you’re looking for.

Private, Safeguarded, and Treated with respect

Proton believes that a privacy-first AI is essential because hundreds of millions of ordinary people currently interact with AI tools, unknowingly sharing sensitive information. This information is far more sensitive than what they would reveal in a typical Google search query.

Not only does this constant interaction with AI tools put personal information at risk, but we also witnessed several instances where company secrets got submitted to an AI without realizing that the information might be used to train the AI or accessed by third parties.

Similarly, we recently reported on how Meta AI chats might be public without the user’s awareness, and many AI bots have spilled sensitive information for separate reasons, like someone guessing a default password.

Lumo offers a different approach to AI chatbots. Other AI companies keep a record of all the conversations on their servers, leaving this information vulnerable to data leaks or exploitation for profit. Lumo does not store any logs of your conversations on its server, and only your device can decrypt any chats you choose to save.

Most people recognize a significant privacy risk here: the possibility that their conversations could help train the AI. This concern makes sense because the training process might use your personal data to generate responses in other users’ conversations.

Lumo does not do that. I asked Lumo where its training data comes from, and how—if it cannot browse the web, or use conversations—it is able to learn. Lumo answered:

> “Great question! My training data comes from a curated set of sources that were available up until my last training cut-off in October 2023. These sources include a wide range of books, articles, websites, and other publicly available texts. The data was carefully selected and processed to ensure quality and relevance.
> 
> While I can’t browse the web or use conversations for learning, my training data provides a broad foundation of knowledge that allows me to understand and respond to a wide variety of topics. Additionally, my ability to process and interpret information means that I can often provide helpful and accurate responses even to questions that are somewhat different from what I was specifically trained on.
> 
> As for learning, I don’t have the ability to update my knowledge or learn from new experiences after my initial training. However, my design allows me to provide useful and informative responses based on the knowledge I already have. If you have any specific questions or need information, feel free to ask, and I’ll do my best to help!”

We took Lumo for a little spin and, for now, the failing support for direct image uploads or processing is the only thing keeping us from using it much more. But we appreciate the idea of having a privacy-focused AI chatbot available when we want our conversations to stay private.

And who can resist a purple kitty anyway?

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Proton launches Lumo, a privacy-focused AI chatbot 

A tech startup is using personal data stolen by infostealer malware that it has found on the dark web, and then selling access to that data.

A tech startup is using personal data stolen by infostealer malware that it has found on the dark web, and then selling access to that data. And it claims to be working within the law.

According to 404 Media, for as little as $50, Farnsworth Intelligence will give companies a look at records from infostealer logs.

Infostealers are a type of malware that focus on harvesting as much data from a victim’s computer as possible. Criminals infect computers in various ways, including via malicious links and infected versions of pirated software or cheat add-ons.

The malware can do everything from monitoring every key you type through to code that probes your internal storage and memory for secrets. Some infostealers even take snapshots of screens to see what they can find. All this data gets beamed back to the infostealer’s criminal operators.

There is no suggestion that Farnsworth Intelligence infects computers with infostealer software itself. It claims to operate within legal frameworks, with data provided through a third-party vendor that specializes in security monitoring services.

This data is available in huge quantities. The startup offers over 20 billion records of stolen data from over 50 million computers. A professional subscription-based version of the service offers access to include anything that an infostealer can pilfer, including cryptocurrency wallet data, browser histories detailing what sites you’ve visited, usernames and passwords for those sites, and browser cookies that criminals could use to impersonate you on a site. Customers can also get access to a list of applications on a person’s computer.

Farnsworth Intelligence says its target audience for the service is “professionals with a legitimate use case in industries such as investigations, intelligence, journalism, law enforcement, cyber security, compliance, IP/brand protection, executive protection, etc”.

There is also a version with ad hoc searches paid for in credits. This gives you access to a subset of the data, searched via phone number, email address, username, domain, password, or autofills (the information that browsers use to fill common fields in web forms). At one credit per search, the cheapest version is the $50 version, which buys users 45 credits.

The service doesn’t just provide access to a static set of data; it’s adding to it all the time. It claims to add over 185 million new records, stolen from over 40,000 computers each month.

“While historical breach data remains valuable, its utility diminishes over time as credentials change and contact information becomes outdated,” says the blurb on Farnsworth’s website (which we’re not linking to here). “Infostealer logs provide investigators with current, device-level data that offers significantly higher intelligence value than traditional breach compilations.”

Is this legal? The startup seems to think so. There’s no vetting of customers, though, at least for the consumer service, which makes us worry about how, for example, a cyberstalker or abusive ex might use such a thing. Regardless, it’s another reason why you should protect yourself from infostealers.

**How to protect yourself from infostealers**

All the normal cybersecurity rules apply:

*   Use a well-established, up-to-date anti-malware program on your computer.
*   Don’t click on links or download files you’re not sure about or weren’t expecting to receive.
*   Be careful when storing passwords, postal addresses, or credit card data in your browser’s built-in autofill storage. These are common targets for infostealers.
*   Use a password manager that prevents you having to type usernames and passwords to get into sites.
*   Never download or install software from suspicious sites including torrent sites.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Startup takes personal data stolen by malware and sells it on to other companies 

A woman in Florida was tricked into giving thousands of dollars to a scammer after her daughter's voice was AI-cloned and used in a scam.

A woman in Florida was tricked into giving thousands of dollars to a scammer after her daughter’s voice was AI-cloned and used in a scam.

Sharon Brightwell says she received a call from someone who sounded just like her daughter. The woman on the other end was sobbing and crying, telling her mom that she had caused a car accident in which a pregnant woman had been seriously injured. She said she’d been texting and driving and that her phone had now been taken by police.

> “There is nobody that could convince me that it wasn’t her. I know my daughter’s cry.”

A man claiming to be her daughter’s attorney then allegedly took over the phone. He told Sharon that authorities were detaining her daughter and that she needed to provide $15,000 in cash for bail. He gave very specific instructions on what to do, including not telling the bank what the large withdrawal was for since, he said, it might affect her daughter’s credit rating.

Sharon withdrew the money, placed it in a box, and a driver picked it up. But that wasn’t the end. A new call followed, informing her that the pregnant woman’s unborn child had died in the accident, but that the family had agreed not to sue Sharon’s daughter if she paid them $30,000 dollars.

Luckily for Sharon, her grandson didn’t trust the whole thing and decided to call her daughter’s number. That call was answered by her daughter who was at work, unaware of anything that had been going on.

By then it was too late for the $15,000.

> “My husband and I are recently retired. That money was our savings.”

Unfortunately, we’re hearing a lot of these and similar stories. So, what’s going on and how can we protect ourselves?

Cloning voices with AI has improved considerably over the years and has become easily available to everyone, including cybercriminals. Many of our voices are online, via video or audio that’s been posted to social media. In Sharon’s case, they believe the scammers used videos from Facebook or other social media to create the replica of her daughter’s voice.

AI-powered phone scams can range from brief, scripted robocalls to full conversations. Recent studies have shown that relying on human perception to detect AI-generated voice clones is no longer consistently reliable. I imagine it’s even harder to determine when the voice is made to sound stressful and upset and you believe it to be your child.

**How to stay safe from AI-generated voice scams**

*   Don’t answer calls from unknown callers and be careful about where you’ve posted audio and video online in which your voice features. It only takes a recording of a few seconds of your voice to create a convincing clone.
*   Agree on a family password that only you and your loved ones know. Don’t ever post or message about this online anywhere, decide on it in person and stick to it.
*   If you’ve forgotten the password, ask about a long-ago memory that hasn’t featured on social media. Be sure it is definitely your loved one that you are talking to.
*   Don’t try to handle situations like these alone. Find a friend, family member, friendly neighbor, or anyone who can sensitively give you their view, or support you if you’ve fallen for the scam. Sometimes having a second opinion, like Sharon’s grandson, can help to make you think twice before handing over any money.

And if you decide you don’t trust the situation:

*   Call the number you have for the relative or use other channels to contact them.
*   Whether you’ve fallen for the scam or not, report the incident to local authorities, the FTC, or relevant consumer protection bodies. Every report helps track and prevent future scams, and you may even help catch one of these criminals.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 &#8216;Car crash victim&#8217; calls mother for help and $15K bail money. But it&#8217;s an AI voice scam 

Ring users on TikTok, Reddit, and X are reporting multiple unauthorized device logins all dating back to May 28.

In the last week, countless Amazon Ring users on TikTok, Reddit, and X have been saying they believe their Ring cameras were hacked starting May 28.

Many posted screenshots of their accounts, showing multiple unauthorized device logins, making these claims hard to ignore. Forbes looked into the issue and even the journalist found several logins on his own device.

However, on Friday Ring claimed it’s just a minor issue with the displayed date:

> “We are aware of a bug that incorrectly displays prior login dates as May 28, 2025.

Visitors who go to Ring’s site are shown the following (correct at the time of writing):

> “We are aware of an issue where information is displaying inaccurately in Control Center. This is the result of a backend update, and we’re working to resolve this. We have no reason to believe this is the result of unauthorized access to customer accounts.”

This message was posted on Friday, July 18. We spoke to one user who let us know that, as of Monday morning (July 21), he was unable to log in through the website. He was, however, able to log in through the app and saw no May 28 logins.

So, what’s Ring claiming here? That it did an update and messed up the database? In a later message it claimed:

> “Ring made a backend update that resulted in prior login dates for client devices to be inaccurately displayed as May 28, 2025, and device names to be incorrectly displayed as ‘Device name not found’.“

But if you look at any of the plethora of screenshots, you’ll see that there are plenty of device names displayed.

The Ring software release notes show no updates for the doorbells on or around May 28, so we think it’s safe to assume that Ring is right about it being a backend update that caused this.

There is one other thing that’s interesting in this puzzle. On July 17, founder and now CEO Jamie Siminoff announced some drastic changes. Siminoff reinstated Ring’s original mission statement, “Make neighborhoods safer,” which might suggest the business is going back to its founding identity as a crime prevention tool.

Before Siminoff came back as CEO he wasn’t working for Ring, and in that time the company leaned into a more community-focused brand, distancing itself from the surveillance tool image. Last year, the company discontinued “Request for Assistance,” a feature that allowed law enforcement officers to ask people for camera footage through Ring’s Neighbors app. At the time, the company said it would only let police request footage during “emergencies.”

However, in April, Ring announced a partnership with Axon that effectively reintroduces video sharing with law enforcement.

The two issues could be completely unrelated, but reintroducing this functionality does sound like it would need a backend update.

Either way, Amazon will not be happy about this issue, shortly after having to warn over 200 million Prime customers that their accounts are under attack.

**Worried your Ring camera has been hacked?**

Again, we should reiterate that Ring says that its cameras have not been hacked. However, if you’re worried, there are some things you can do:

*   Since there is no evidence of an actual breach yet, the best thing to do for now is wait and keep an eye on the updates by Ring about this issue.
*   In the Ring app’s **Control Center**, check the list of authorized devices that have access to your account and remove any unfamiliar ones.
*   If you’re worried about unauthorized access and you have an alternative camera or can cope without one for a bit, you could temporarily disable your Ring doorbell and/or cameras until we hear more on the situation.
*   Consider resetting your Ring account password using a strong, unique password that you have never used before and enable two step verification. There’s no harm in doing this so you may as well take this extra security step.
*   Phishers and other scammers might try to take advantage of the situation by sending you emails or messages hoping to get you to click or hand over personal details. If you receive a message that appears to come from Ring, double check via another means that it really is from Ring.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 &#8220;Ring cameras hacked&#8221;? Amazon says no, users not so sure 

A list of topics we covered in the week of July 14 to July 20 of 2025

July 18, 2025 - Meta executives settled a shareholders' lawsuit alleging continuous disregard of privacy regulations for the price of $8 billion.

July 17, 2025 - The database contained 1,115,061 records including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes.

July 17, 2025 - A researcher has disclosed how he found a—now fixed—vulnerability in Meta AI that could have allowed others to see private questions and answers.

July 17, 2025 - Google has released an update for its Chrome browser to patch six security vulnerabilities including one zero-day.

July 16, 2025 - A former US army colonel faces up to ten years in prison after revealing national secrets on a foreign dating app.

 A week in security (July 14 &#8211; July 20) 

Meta executives settled a shareholders' lawsuit alleging continuous disregard of privacy regulations for the price of $8 billion.

Meta chief Mark Zuckerberg and several other members of the social media giant’s top brass agreed to settle increasingly heated privacy violation claims for the price of $8 billion.

It is far from the first time that the company, its subsidiary Facebook, or its executives have responded to alleged user privacy violations with billions upon billions of dollars.

The lawsuit at hand accused Zuckerberg and other Meta leaders of failing to prevent years of violations of Facebook users’ privacy. The claims, which were originally filed in September 2018, took years to process, eventually resulting in a trial at the Delaware Court of Chancery. But on just the second day of proceedings, with Zuckerberg himself set to testify early next week, the multibillion-dollar settlement was announced, to timing that many observers found suspicious and revealing.

While nobody at Meta will confirm that the settlement was reached to avoid having to testify, it very much looks like it to yours truly.

The case was brought by shareholders who accused Meta executives of many years’ worth of negligence and failure to enforce a 2012 agreement that was reached by the US Federal Trade Commission, which was designed to safeguard user data. The shareholders who filed the lawsuit claimed that Zuckerberg and former Meta Chief Operating Officer Sheryl Sandberg “knowingly ran Facebook as an illegal data harvesting operation.”

The shareholders wanted the 11 defendants they sued to use their personal wealth to reimburse the company after years of alleged reputational damage due to compiling privacy fiascos. The defendants denied the allegations, which they called “extreme claims.” The parties did not disclose details of the settlement. The plaintiffs’ lawyer, Sam Closic, said the agreement “just came together quickly.”

In 2019, Facebook paid a record-breaking $5.1 billion penalty after the FTC found the company had deceived users about control over their personal data. The FTC ordered Facebook to implement new restrictions and overhaul its corporate structure, ensuring greater accountability in decisions related to user privacy. This fine was imposed by the FTC after the agency concluded that Facebook had violated the earlier 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. The investigation was triggered by the Cambridge Analytica meltdown which showed the data of 50 million users was obtained without express permission and used for political purposes.

The $5 billion penalty explains a large part of the $8 billion demanded by the shareholders this week. In addition, Meta faced several fines in the European Union (EU). Among others, a 1.2 billion euro ($1.4 billion) fine for Meta’s transfers of personal data to the US without explicit consent.

All this is why the shareholders wanted Zuckerberg and others to reimburse Meta an estimated $8 billion or more for the FTC fine and other legal costs. The shareholders also questioned the timing of share sales by the executives.

By settling, Zuckerberg and other defendants avoid having to answer probing questions under oath. In January, former Meta COO Sandberg was sanctioned for deleting sensitive emails related to the Cambridge Analytica investigation, complicating her testimony.

The Delaware Chancery Court will likely manage access to full court documents for this case through its case files or release them via public interest or watchdog groups as the settlement process concludes. Until then, speculation about the settlement’s magnitude will run rampant. What will remain unrevealed is the true reason why Meta’s executives chose to settle. But it stands to reason that they expected the damages of a continued trial and the associated testimonies would have been even more damaging.

In a time where Meta sees many WhatsApp users actively switching to other messaging platforms, primarily Signal and Telegram, due to growing concerns about privacy and data sharing practices and a data breach at Instagram which sparked global privacy concerns, the last thing the company needs is a magnifying glass due to an ongoing lawsuit.

What has become very clear, even without knowing all the details, is that those in the know feel that Meta keeps abusing users’ personal data for monetary gain.

Despite promises to obtain specific user consent, offer privacy settings, and improve practices, Meta has consistently disregarded users’ privacy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Meta execs pay the pain away with $8 billion privacy settlement 

The database contained 1,115,061 records including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes.

Security researcher Jeremiah Fowler found a publicly accessible database online that contained highly personal information from an adoption agency.

Jeremiah, who specializes in locating exposed cloud storage, is used to finding sensitive information exposed. However, because of the nature of the information, this one immediately raised his concern and he hurried to find out who owned the data.

Research indicated that the database belonged to the Fort Worth (TX) based non-profit Gladney Center for Adoption. After notifying the agency, the database was secured the following day. Let’s hope nobody else found it before that time.

In total, the unencrypted and non-password-protected database contained 1,115,061 records including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes.

The risks of leaking this type of data and it potentially falling in the hands of cybercriminals are huge. The sensitivity of adoption-related data makes these exposures particularly damaging, both for children and families, since adoption records often include highly personal details about children, birth parents, adoptive parents, and agency staff.

Criminals that get their hands on this kind of information could engage in phishing with very specific information, making their queries plausible. And in some cases, the information could even be sensitive enough to use for extortion or identity theft.

The researcher notes:

> “The records did not contain full case files, and the publicly exposed records were a combination of plain text and unique identifiers.”

He goes on to explain that unique identifiers are not necessarily a security enhancement.

> “From a cybersecurity perspective, a UUID is designed for unique identification, not secrecy, and it can potentially be guessed, reverse-engineered, or enumerated. UUIDs are not recommended to be used to protect sensitive data.”

Given the long-standing reputation of an adoption center like Gladney, people feel confident to share their personal information. People providing that amount of trust should not be let down by something as basic as securing an online database with a password.

It should be noted that it is unknown whether the database was exposed by Gladney itself or a third-party provider.

Wired posted a statement by Gladney’s Chief Operating Officer, which was not very helpful in determining what went wrong:

> “The Gladney Center for Adoption takes security seriously. We always work with the assistance of external information technology experts to conduct a detailed investigation into any incident. Data integrity and operations are our top priority.”

**Protecting yourself after a data breach**

While there are no indications that this database was found by cybercriminals before it was secured, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Adoption agency leaks over a million records 

A researcher has disclosed how he found a—now fixed—vulnerability in Meta AI that could have allowed others to see private questions and answers.

A researcher has disclosed to TechCrunch that he received a $10,000 bounty for reporting a bug that let anyone access private prompts and responses with the Meta AI chatbot.

On June 13, we reported that the Meta AI app publicly exposes user conversations, often without users realizing it. In these cases, the app made “shared” conversations accessible through its Discover feed, so others could easily find them. Meta insisted this wasn’t a bug, even though many people didn’t understand that their conversations were visible to others.

However, Sandeep Hodkasia, the researcher that found the awarded bug, was able to find conversations that weren’t even shared, but “private.” To understand what he did, you need to know that the Meta AI allows users to edit their questions (prompts) to regenerate text and images.

Some of Sandeep’s testing revealed that the chatbot assigned unique numbers to queries that were the results of edited prompts. And by analyzing the network traffic generated by editing a prompt, Sandeep figured out how he could change the unique identification number.

Sending different numbers, which were easy to guess according to Sandeep, allowed him to view a prompt and AI-generated response of someone else entirely. And because the numbers were easy to guess, an attacker could have scraped a host of other users’ conversations with Meta AI.

Meta’s servers failed to check whether the person requesting the information had the authorization to access it.

According to Sandeep, Meta fixed the bug he filed on December 26, 2024, on January 24, 2025. Meta confirmed this date and stated that it found no evidence of abuse.

**How to safely use AI**

While we continue to argue that the developments in AI are going too fast for security and privacy to be baked into the tech, there are some things to keep in mind to make sure your private information remains safe:

*   If you’re using an AI that is developed by a social media company (Meta AI, Llama, Grok, Bard, Gemini, and so on), make sure you are not logged in on that social media platform. Your conversations could be tied to your social media account which might contain a lot of personal information.
*   When using AI, make sure you understand how to keep your conversations private. Many AI tools have an “Incognito Mode.” Do not “share” your conversations unless needed. But always keep in mind that there could be leaks, bugs, and data breaches revealing even those conversations you set to private.
*   Do not feed any AI your private information.
*   Familiarize yourself with privacy policies. If they’re too long, feel free to use an AI to extract the main concerns.
*   Never share personally identifiable information (PII).

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Meta AI chatbot bug could have allowed anyone to see private conversations 

File sharing site WeTransfer has rolled back language that allowed it to train machine learning models on any files that its users uploaded.

File sharing site WeTransfer has rolled back language that allowed it to train machine learning models on any files that its users uploaded. The change was made after criticisms from its users.

The company had quietly inserted the new language in the terms and conditions on its website. Sometime after July 2, it updated clause 6.3 of the document to include this claim:

> “You hereby grant us a perpetual, worldwide, non-exclusive, royalty-free, transferable, sub-licensable license to use your Content for the purposes of operating, developing, commercializing, and improving the Service or new technologies or services, including to improve performance of machine learning models that enhance our content moderation process, in accordance with the Privacy & Cookie Policy.”

In short, if you upload a document, WeTransfer would be able to train AI on it. The company could also license that content to other people, and could do these things forever.

The license would also include “the right to reproduce, distribute, modify, prepare derivative works based upon, broadcast, communicate to the public, publicly display, and perform Content,” the language said, adding that users wouldn’t be paid for any of this.

You can view the offending text on the Wayback Machine, which archives snapshots of documents online.

WeTransfer displayed this version of the text on July 14. However, today the text simply reads:

> “You hereby grant us a royalty-free license to use your Content for the purposes of operating, developing, and improving the Service, all in accordance with our Privacy & Cookie Policy.”

The company told the BBC that it had changed the clause “as we’ve seen this passage may have caused confusion for our customers.” It is not using AI to process content and doesn’t sell content to third parties, it added.

One studio manager posting on Reddit said that they had told their staff not to use the service anymore when they learned of the original policy change.

“Its crazy how WeTransfer is trying to tell us we ‘misunderstood’ them saying ‘perpetual license to distribute’,” they said. “I’m glad they changed the clause at least despite playing dumb.”

So what options exist for WeTransfer users still worried about the company’s motives? The best tip is to encrypt your content before uploading it. You can zip your file and password protect it, sending the password to the file’s recipient via another secure channel.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 WeTransfer walks back clause that said it would train AI on your files 

Google has released an update for its Chrome browser to patch six security vulnerabilities including one zero-day.

Google has released an update for its Chrome browser to patch six security vulnerabilities, including one zero-day.

This update is crucial since it addresses one actively exploited vulnerability which can be abused when the user visits a malicious website. It doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The update brings the version number to 138.0.7204.157/.158 for Windows, Mac and 138.0.7204.157 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and the version number information in our article on how to update Chrome on every operating system.

**Technical details on the zero-day vulnerability**

Attackers can exploit the vulnerability tracked as CVE-2025-6558 by taking advantage of insufficient validation of untrusted input in Chrome’s ANGLE and GPU components. This flaw, which affects versions of Google Chrome prior to 138.0.7204.157, enables an attacker to craft a malicious HTML page and, upon convincing a user to open it, escape the browser’s security sandbox

ANGLE (Almost Native Graphics Layer Engine) is open-source software developed by Google that acts as a translator for graphics commands in browsers like Chrome. It helps your browser display complex graphics, such as 3D games or interactive web apps, and works on a wide range of computers and devices, even if they use different underlying graphics systems.

As an everyday user you may never see or even notice ANGLE directly, but it powers a huge part of the web experience. Especially 3D content in Chrome, Edge, and Firefox on Windows, Mac, and even Android.

Its universal role means that when a security issue is found in ANGLE, everybody using Chrome (and Chromium browsers) is potentially at risk.

An attacker only needs to present a target with an especially crafted HTML file, meaning they just need to lure them to a malicious website. HTML is just the code that makes up a web page.

The sandbox escape means that successful exploitation of the vulnerability not only affects the—sandboxed—browser, but can compromise the victim’s device.

Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 23, 2025. The TAG group focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

**We don’t just report on** **browser vulnerabilities**, Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

Source

Malwarebytes