Worried parents tracking their children with T-Mobile SyncUP devices suddenly found that they were looking at the location of random other children. And could not locate their own.

Not one but several worried parents that tracked their children by using T-Mobile tracking devices suddenly found that they were looking at the location of random other children. And could not locate their own.

T-Mobile sells a small GPS tracker called SyncUP, which can be used to track, among others, the locations of young children who don’t have cell phones yet. SyncUP uses a combination of GPS technology, Wi-Fi, and T-Mobile’s LTE nationwide network to locate registered devices and comes in the form of a small tag, a car tracker or a kids watch.

According to our friends at 404 Media, several users reported receiving information that came from another tracker, not their own. And from some of the statements it’s very clear that the disclosed locations belonged to other children because of the names and pictures associated with the accounts.

One woman who spoke to 404 Media could see the location address where the random children were, as well as their name and the last time the location was updated. In many cases, the time said “just now” or “one minute ago.”

> “I was probably shown more than eight children. I would log in and I couldn’t see my children but I could see a kid in California. I refreshed and then I had no trackers, and then I refreshed again and would see a different child.” 

Car owners using SyncUP Drive, the car tracking device, reported similar problems.

Here are some of the potential issues that this mix up could bring up:

*   A big concern about tracking devices is their vulnerability to hacking, potentially exposing personal data. No hacking was needed here. Every time some of the users tried they would get the location of a different tracker.
*   Without consent, tracking devices can infringe on individuals’ privacy rights. While you may say this is mainly about tracking without consent, nobody consented to strangers tracking their children.
*   GPS tracking must comply with privacy laws like the Electronic Communications Privacy Act (ECPA) and the Driver’s Privacy Protection Act (DPPA) to prevent unauthorized surveillance. Did T-Mobile fail to comply, even if only for a short time?
*   Inaccurate tracking, or not being able to track, can compromise personal safety if devices are used for emergency services or monitoring vulnerable individuals.
*   Repeated problems can erode the trust in the underlying GPS tracking technology.

This raises the question for parents to ask themselves: What’s worse, not knowing where your child is exactly or running the risk of exposing their location to other people?

Privacy concerns surrounding tracking devices are multifaceted. On one hand, these devices are designed to give users a sense of safety and security by providing accurate location information. However, they also pose risks if not properly secured.

We have reported multiple times about stalkerware users getting exposed by security flaws in the apps they used. While SyncUP may be more secure than some of the stalkerware apps we wrote about, this incident shows it’s not watertight either.

T-Mobile did not disclose the exact problem, but told 404 Media the incident is now resolved:

> “Yesterday we fully resolved a temporary system issue with our SyncUP products that resulted from a planned technology update. We are in the process of understanding potential impacts to a small number of customers and will reach out to any as needed. We apologize for any inconvenience.”

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Location, name, and photos of random kids shown to parents in child tracker mix up 

A generative AI nudify service has been found storing explicit deepfakes in an unprotected cloud database.

Yesterday, we told you about how millions of pictures from specialized dating apps had been stored online without any kind of password protection.

Now it’s the turn of an AI “nudify” service.

A researcher, famous for finding unprotected cloud storage buckets, has uncovered an unprotected AWS bucket belonging to the nudify service.

The rising popularity of these nudify services apparently has caused a selection of companies without any security awareness to hop on the money train. Millions of people use these services to turn normal pictures into nude images, and it only takes a few minutes.

South Korean AI company GenNomis by AI-NOMIS or somebody acting at their behalf stored 93,485 images and json files with a total size of 47.8 GB in a non-password-protected nor encrypted, but publicly exposed database.

Looking at the service, GenNomis is an AI-powered image generation platform that allows users to transform text descriptions into images, create AI personas, turn images to videos, face-swap images, remove backgrounds, etc., and all that without restrictions. It also provides a marketplace, where users can buy and sell these images as “artwork.”

The researcher saw numerous pornographic images, including what appeared to be disturbing AI-generated portrayals of very young people. Even though the GenNomis guidelines prohibit explicit images of children and any other illegal activities, the researcher found many of them. That doesn’t mean they were available to buy on the platform, but they were at least created.

Some of the deepfakes are hard to discern from real images, and as such may lead to serious privacy, ethical, and legal risks. Not to mention the humiliation for the owners of those images or parts thereof who didn’t consent. Sadly, there are many examples where young people have taken their own lives over sextortion attempts.

The researcher contacted the company about what he had found. He told The Register:

> “They took it down immediately with no reply.”

**Keep your children safe from nudify services**

We’ve seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.

In this case, it’s at the extreme end of what the content could be used for.

*   Deepfakes: Users of this generative AI could have used the nudify service on publicly available pictures to create explicit deepfakes without consent. AI generated content, like deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
*   Metadata: Users often forget that the images they upload to social media also contain metadata, such as where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
*   Intellectual property. Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
*   Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
*   Facial recognition: Although facial recognition is not the hot topic it once used to be, it still exists. And actions or statements done by your images (real or not) may be linked to your persona.
*   Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.

If you want to continue using social media platforms that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 &#8220;Nudify&#8221; deepfakes stored unprotected online 

A number of specialized dating apps leaked the--not so--secret storage location of 1.5 Million more or less explicit images

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBTQ+ apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Intimate images from kink and LGBTQ+ dating apps left exposed online 

With tax season in full swing, we're seeing scammers flexing their social engineering muscles. Be prepared.

Tax season is in full force, and with the filing deadline fast approaching on April 15, scammers are happy to use that sense of urgency to coax us into handing them our cash.

In one example, one of our customers recently received an email with an attachment titled “Urgent reminder.” The attachment was a PDF file with a QR code in it.

> “Tax Services Department
> 
> Important Tax Review and Update Required by
> 
> 2025-03-16!
> 
> Dear receiver,
> 
> As part of our ongoing efforts to ensure compliance with the latest tax regulations, we
> 
> are conducting a mandatory review and update of your tax records. This update must
> 
> be completed by 2025-03-16 to avoid any potential penalties or disruptions to your
> 
> account.
> 
> To proceed with the update, please scan the QR code below with your mobile device or
> 
> click the link provided to access the secure tax portal. Once logged in, follow the
> 
> prompts to review and confirm your tax information.
> 
> Thank you for your prompt attention to this matter.
> 
> Tax Services Team
> 
> This is an automated message. Please do not reply to this email.”

If the receiver were to scan the QR code, they would be sent to a phishing site. The destination is hidden through a clever use of doubleclick.net redirects.

Lucky for our customer, Malwarebytes had already blocked the real destination.

Malwarebytes blocks fmhjhctk.ru

When we disabled our protection to see where the QR code led, we first had to pass the bot protection:

And then we were asked for our Microsoft credentials with the email address already filled out.

Entering your password will send your credentials to a Russian receiver, who will decide what the most profitable way to use them is. Perhaps they’ll sell the details on the dark web, or use them for themselves to get access to your Microsoft accounts.

But that’s just one example of a tax scam.

The IRS’s annual Dirty Dozen list of tax scams shows common schemes that threaten your tax and financial information. And, although these scams do appear year-round, tax season is when they reach their peak level.

One of the pitfalls the IRS warns about is bad tax advice provided on social media, as submitting false information to the IRS could land you in serious trouble. An example is the so-called “self-employment tax credit” which does exist in some countries, but the US is not one of them. Last year the misinformation was so rampant that the IRS issued a warning about it.

The other big type of scams are phishing emails, like we saw above. Even though scammers can use Artificial Intelligence to create convincing emails that appear to come from the IRS, there are often some tell-tale signs of social engineering attempts:

*   Too good to be true: Huge, unexpected tax returns are usually just an incentive to get you to surrender private information in the hopes of obtaining that sum.
*   Urgency is always implied, because the scammers do not want you to think things through.
*   The IRS rarely contacts people by email. And when it does, it is only to send general information and in an ongoing case with an assigned IRS employee. So receiving an email should be an immediate pause for thought.

**Avoiding scams**

These days it has become increasingly difficult to navigate your way online without being exposed to a scam. People have become accustomed to trusting their search engine and naturally follow the different paths laid in front of them.

While some websites look obviously fake to someone, they may fool someone else. At the same time, the tools to build convincing schemes are readily available to anyone for free.

*   Before calling a number, ensure that it is legitimate by visiting the official site directly.
*   Beware of unsolicited phone calls or emails, especially those that ask you to act immediately.
*   Beware of impersonators who may hide behind sponsored results and instead click on organic search results.
*   Always check the website you visit by looking at the address bar. If in doubt, close the page and open a new one.
*   If a website asks you for a small fee upfront it likely is trying to get your credit card information to sell you more expensive services.
*   Never send sensitive personal information such as your bank account, charge card, or Social Security number by email. Instead use a secure method such as your online account or another application on IRS.gov.
*   Use security software that blocks phishing domains and other scam sites. Malwarebytes Premium does this, leaving your computer and financial assets protected.

The IRS has a specific page dedicated to helping you identify if it’s really them reaching out to you or a scammer. Study that guide before making any rash decisions.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 &#8220;Urgent reminder&#8221; tax scam wants to phish your Microsoft credentials 

A list of topics we covered in the week of March 24 to March 30 of 2025

March 31, 2025 - The internet is so filled with falsehoods that April Fools hits different these days. That's why, as a cybersecurity company, we're out.

March 27, 2025 - A man didn't just have his ID stolen, identity theft ruined his life and robbed him of a promising future.

March 27, 2025 - Is moving from WhatApp to Signal a good idea? We look at the pros and cons, and which settings can make Signal even more private.

March 26, 2025 - Fake Booking.com emails sent to hotels lead to fake CAPTCHA sites that trick the staff into infecting their own systems.

March 26, 2025 - With its growing popularity, sponsored Google search ads have started impersonating DeepSeek AI.

 A week in security (March 24 &#8211; March 30) 

The internet is filled with falsehoods.  We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or...

The internet is filled with falsehoods. 

We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or who—to trust online.  

There’s the scam that takes advantage of grieving people and tricks them into paying for a funeral live stream. 

There’s the fake CAPTCHA that hijacks clipboards and tricks users into installing malware. 

There’s the many, many, many scams that use Google ads to trick people into granting remote access to their machine, handing over money, or installing malware. 

And we’re being tricked constantly by AI, take the Texan restaurant with its dino croissant and photos of Jeff Bezos at the bar. Or the scam that uses an AI replica of a loved one’s voice to trick a family member into handing over money. 

It’s hard to know what to believe any day of the year online and so, while we used to participate in April Fools, it just hits different these days. 

Especially when things go wrong when it comes to April Fools’ pranks. Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. All in good faith, but it no doubt hit a nerve for the affected customers. 

So go ahead and order your Hot Dog Sparkling Water, eat your crust only pizza, or have a snooze in your banana sleeping bag. We love that. But as a cybersecurity brand we want you to feel like you can trust us—every single day of the year. If we say something is fake, then it’s fake. If we say it’s real, then it’s real. No exceptions. 

****How to protect yourself from scams** **

*   **Watch out for a false sense of urgency.** Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, take a pause. 

*   **Is it too good to be true?** Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, **too good to be true** and should be avoided at all costs. 

*   **Have a family code word**. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call. 

*   **Check via another way**. If your “bank” gives you an unexpected phone call, ring them back on a number you know is theirs. If a Facebook friend DMs you a link, send them a quick text to check it’s really them. Double checking in this way could save you doing something you later regret. 

*   **Use a different password for every account**. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you.  

*   **Set up multi-factor authentication** on every account you can. It’s not foolproof, but it does make it considerably harder for scammers.

 Why we’re no longer doing April Fools’ Day  

A vulnerability has been found that can be exploited through every browser as long as its running on a Windows system

Researchers found a vulnerability in Chrome that was abused in the wild against organizations in Russia.

Google has released an update for its Chrome browser which includes patches for this vulnerability.

The update brings the Stable channel to versions 134.0.6998.178 for Windows. Other operatings sytems are not vulnerable.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome up to date

The vulnerability exists in Windows for all Chromium based browsers, including Edge, Brave, Vivaldi, and Opera. These browsers can all be updated in more or less the same way.

But it doesn’t stop there. After studying the vulnerability, Mozilla concluded that Firefox and the Tor browser are also vulnerable. So, it released updates to patch them.

**Technical details**

The vulnerability, tracked as CVE-2025-2783 lies in Mojo for Windows. Mojo is a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).

An incorrect handle provided under certain circumstances allows an attacker to escape the browser sandbox. Which means that due to a logical error on the level where the sandbox and the Windows operating system meet it allows an attacker to execute code on the actual operating system just by getting the target to visit a malicious site. This is something that the sandbox is supposed to prevent.

According to the researchers:

> “Without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”

The researchers did mention that there has to be an additional vulnerability to allow the attacker to enable remote code execution, which they have been unable to find.

All in all, it seems imperative that you update your browser(s) at your earliest convenience.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Vulnerability in most browsers abused in targeted attacks 

A man didn't just have his ID stolen, identity theft ruined his life and robbed him of a promising future.

This is a sad story that illustrates how losing your ID can effectively ruin your life and reputation.

19-year-old dual German Tunisian national Rami Battikh travelled to the UK in 2019, bringing both his passport and his German national ID. When he returned to Germany, Rami noticed that his German ID card was missing. He figured he either lost it or someone stole it.

Without giving it much thought, he applied for a new one. This was issued without any problem since he could prove his identity.

Fast forward a few years, and Rami applied for a job after finishing school and a vocational apprenticeship. A routine employer check showed that Rami had a criminal record. In London.

The criminal record contains crimes he allegedly committed in the UK while he was in Tunisia.

> “I couldn’t believe it. I told my employers that it was not true that for sure it was not me, that I had proof I wasn’t in the UK at that time as I was in Tunisia at the time and had stamps on my passport to prove it.”

But his would-be employers who were eager to hire him said they couldn’t just take his word over a police record.

Back in London in 2021, a man was jailed by a court in London for 18 months for a series of offences including driving without a license or insurance, fraud by false representation, and possession of a false, improperly obtained identity document belonging to another person. Can you guess whose identity document that was?

Unfortunately, the crimes were actually recorded against Rami’s stolen ID. So, he hired a solicitor to get things sorted.

A judge tried to get London’s Metropolitan Police to rectify the error in 2022, describing it as a “mess” that had stained the German national’s record.

But the false database entry persisted and to make things worse, additional crimes were recorded against his stolen ID in London including possession of a knife in a public place.

Despite having confirmation from a judge, the Metropolitan Police haven’t managed to purge the false record, which has left Rami devastated.

He wrote to the court:

> “This fraud destroys my life. I can’t get any jobs. Please if you need I will give you my fingerprints, a hair strand … I can’t live like this any more. I am innocent and I never did any of those criminal acts I beg for help.”

At 24 he has no prospect of a job, has had to sell his car to cover bills, and is now sharing his story because he is desperate and doesn’t know what to do.

The Metropolitan Police said:

> “We are aware of this case and we continue to work with other agencies to progress this with a view to having the situation rectified. We understand that the length of time this has taken has added to the concern and upset, but aim to provide an update to the applicant in the near future.”

Sadly, this doesn’t sound too reassuring three years after the judge’s decision.

Not every identity theft story is as life-altering as this. But having your data stolen can still have an impact on your life, your family, and your finances.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 &#8220;This fraud destroyed my life.&#8221; Man ends up with criminal record after ID was stolen 

Is moving from WhatApp to Signal a good idea? We look at the pros and cons, and which settings can make Signal even more private.

This week we learned that the US Government uses Signal for communication, after a journalist was accidentally added to a Signal chat.

Accidental additions of people aside, the news has got regular folks asking if they should, too, be using Signal for private communications.

Probably the largest alternative to Signal, WhatsApp is owned by Meta, and has faced criticism for its data-sharing practices. But is switching to Signal truly an improvement? Let’s explore the differences between these apps and whether the move would be justified.

Both WhatsApp and Signal offer end-to-end encryption, ensuring that only the sender and recipient can read messages. But the difference is that Signal employs “Sealed Sender,” a feature that hides metadata even from itself, whereas WhatsApp collects metadata such as phone numbers, IP addresses, and device information, which it shares with Meta and third parties.

As president of Signal Meredith Whittaker said in a statement to Dutch website Security.nl:

> “WhatsApp collects and shares, when required, large amounts of private information that is not encrypted, like your profile picture, your location, your contacts, when you send a message, when you stop, who’s in your group chats, and so on.”

Signal collects minimal data, but it’s run by the non-profit Signal Foundation, which operates free from commercial interests. Signal’s open-source code allows for public scrutiny of its security claims, which is a transparency WhatsApp lacks.

Where Signal adds privacy-focused features such as call relay (to hide IP addresses), self-destructing messages, and customizable notification settings, WhatsApp provides more social features like status updates.

Switching to Signal is justified if privacy is your top priority. Its minimal data collection, transparency, and advanced security features make it superior to WhatsApp in protecting user information. However, for those who rely on WhatsApp’s massive user base or social features, the transition might be less convenient.

There is no inter-compatibility, so all participants in a conversation need to use the same app. Meaning that one of the few things holding many users back from switching from WhatsApp to Signal is leaving contacts behind that are not willing to move over.

Obviously, the decision is yours and depends on your personal priorities: privacy versus convenience.

To fully benefit from Signal’s privacy capabilities, users should enable the following features:

*   **Disappearing messages**:
    *   Open a chat in Signal.
    *   Tap the three dots or profile icon to enter chat settings.
    *   Select “Disappearing Messages” and set a timer (e.g., five minutes or one week). This ensures messages are automatically deleted after the specified time.
*   **Screen lock**:
    *   Go to Signal settings by tapping your profile avatar.
    *   Navigate to “Privacy.”
    *   Enable “Screen Lock” to require biometric authentication or a PIN to access the app.
*   **Relay calls**:
    *   Under “Privacy” settings, activate “Always Relay Calls.” This routes calls through Signal servers to hide your IP address from contacts.
*   **Incognito keyboard** (Android only):
    *   In “Privacy” settings, enable “Incognito Keyboard” to prevent your keyboard from sending typing data to third-party servers.
*   **Screen security**:
    *   For Android: Enable “Screen Security” to block screenshots within the app.
    *   For iPhone: Turn on “Enable Screen Security” to prevent app previews in multitasking mode.
*   **Registration lock**:
    *   Activate this feature in “Privacy” settings to require a PIN for re-registering your account on new devices.

By enabling these features, users can ensure their conversations remain private and secure.

Another important tip is to check **Group chat members**. Before you send messages to a group, check who can read them: Open your group chat and tap on the group name to view chat settings. Scroll to the Members list and tap “View all members” to see the full list of group members.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Moving from WhatsApp to Signal: A good idea? 

Tory Hunt, security expert and Have I Been Pwned owner, disclosed a phishing attack against him in a commendable display of transparency.

Internet security expert and educator Troy Hunt disclosed this week that he had been hit by one of the oldest—and most proven—scams in the online world: A phishing attack.

Through an automated attack disguised as a notice from Hunt’s chosen newsletter provider Mailchimp, scammers stole roughly 16,000 records belonging to current and past subscribers of Hunt’s blog. As such, readers should be the lookout for any scams or phishing attempts in the coming weeks.

“I’m enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list,” Hunt wrote.

But Hunt’s immediate disclosure of the attack should be commended. By publishing a transparent blog that detailed the phish just _34 minutes_ after falling for it, Hunt used himself as the strongest example yet that online scams can hit anyone, and that, while shame and embarrassment are common, no one should ever feel alone in their experience.

****What happened?****

On March 25, Hunt received a malicious email disguised as a legitimate notice from the company Mailchimp, which he uses to email his blog entries to subscribed readers. The email claimed that Mailchimp was temporarily cutting service to Hunt because his blog had allegedly received a spam complaint.

“Your account has been flagged due to a spam complaint, and as a result, you are temporarily unable to send emails until this issue is resolved,” the email read. To fix the issue, Hunt was asked to sign into his Mailchimp account.

The phishing email was convincingly designed, and it threatened consequences if its recipient failed to act. But, as Hunt said, “I’ve received a gazillion similar phishes before that I’ve identified early,” so another simple factor was at play: Timing.

“You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow?” Hunt wrote. “That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.”

Hunt also noticed that, when he tried to log into his Mailchimp account by following the phishing email’s link, his password manager did **not** auto-fill his account details.

While a password manager’s refusal to auto-fill credentials on a website can indicate that the website itself might be illegitimate, it’s far from a guaranteed red flag. As Hunt said, “there are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you _legitimately_ log on to a different domain.”

In the phishing attack, the scammers stole about 16,000 records belonging to people who had both subscribed and _unsubscribed_ to Hunt’s blog. This is because Mailchimp preserves data of users who unsubscribe, a storage practice that Hunt is currently investigating with the company. Of the 16,000 records, 7,535 email addresses were of readers who unsubscribed. All breach victims are being notified over time, Hunt said.

The stolen records included email addresses, subscription statuses, and IP addresses, along with latitude and longitude data, which, as Hunt later learned, “_do not_ pinpoint the location of the subscriber.”

After recognizing his mistake, Hunt changed his password, reached out to Mailchimp to help delete the scammer’s API key, and then verified that the website he was directed to in the phishing attack had been taken offline.

And, importantly, as the owner of the website Have I Been Pwned (HIBP), which helps people search whether they’ve been involved in a data breach, Hunt had one more data breach to add to the website’s collection: His own.

“When I have conversations with breached companies, my messaging is crystal clear: be transparent and expeditious in your reporting of the incident and prioritise communicating with your customers,” Hunt said. “Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP.”

**Best practice**

Responsible data breach disclosures are so rare that they deserve some news coverage, and Malwarebytes is happy to see that Hunt used himself as an example during a stressful and difficult incident. Phishing attacks are common because they’re effective, and that includes against new device owners users, longtime web users, and literal security experts.

For readers impacted in the attack, stay mindful for any phishing attempts that might hit your inbox, using your Have I Been Pwned subscription as a lure. There is no shame in falling for a scam, but it’s better to avoid one before it even happens.

Source

Malwarebytes