The New York Blood Center has started sending out data breach notifications to those affected by a recent ransomware attack.

A blood center has begun sending data breach notifications to its users after suffering a ransomware attack and theft of personal data.

The New York Blood Center’s (NYBC) suffered the ransomware attack in January, in which an unauthorized party gained access to its network and acquired copies of a subset of files. The security incident was first noticed on January 26, 2025, but this week NYBC has started notifying victims.

NYBC publicly acknowledged the scale but has not issued a precise number of affected people due to ongoing investigations and limitations in contact information for all service recipients. Based on documents that NYBC submitted to regulators in several states, hackers could have stolen information belonging to at least tens of thousands of people.

NYBC ranks among the largest independent community-based blood collection organizations in the US. It serves over 75 million people across more than 17 states and delivers about one million lifesaving blood products annually.

The information varies per affected individual but can include:

*   Name
*   Social Security number
*   Driver’s license or other government identification card number.
*   Financial account information if you participated in direct deposit.

NYBC also provides clinical services, and diagnostic blood testing, for which it needs clinical information from healthcare providers. New York Blood Center Enterprises said some of this information was also accessed by the attackers during the cyber incident.

So far it is unknown which ransomware group might have been behind the attack, and we have seen no threats to publish or sell the acquired data. But this could change quickly once negotiations about the ransom come to an end without the cybercriminals getting paid what they demand.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor** **authentication** **(****2FA****).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up** **identity monitoring****.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

 Ransomware attack at blood center: Org tells users their data&#8217;s been stolen 

This scammy text pretends to come from a doctor and says a weight-loss medication prescription has been approved.

A co-worker received a text which is, unfortunately, becoming more common. The text pretends to come from a doctor and states a weight-loss medication prescription has been approved.

> “Good morning. This is Dr. Santos. I pre-approved your GLP1 prescription. You may start treatment as of 09/04. {followed by a link}”

**Signs it’s a scam**

1.  The message claims to be from “Dr. Santos,” a doctor the recipient does not know.
2.  The text references a GLP-1 prescription. GLP-1 drugs (like Ozempic, Wegovy, and Mounjaro) are legitimate prescription medications for diabetes and weight loss, but they should only be prescribed by a health professional after an in-person consultation. No real provider would cold-text a random person about starting such treatment.
3.  The sender’s number appears to be in Texas while our co-worker lives in California. That is one long-distance prescription.
4.  The linked website does not match any real medical or pharmacy provider and is not a site known for drug fulfillment.

what’s more, when we visited the page with a US IP address, we received a Browser Guard warning:

The site tried to redirect me to a known Phishing domain while sending some information in the URL which might be used to identify which of the targets clicked the link.

The use of a dedicated tracker subdomain (track.savezmeet\[.\]com) matches common phishing infrastructure, where user data is collected as soon as the victim clicks and before further redirection occurs.

URL parameters are routinely used in phishing to uniquely identify visitors and record who clicked which phishing SMS. In this case we suspect:

*   {var1} may refer to the vector or campaign type (“txt1” = SMS/text campaign).
*   {var2} is empty, possibly reserved for an additional variable (such as a tracking code or message ID)
*   {var3} is a 10-digit number meeting the format of a US phone number, which may be mapped to the target.

So we visited the URL after replacing the receiving phone number with the sender’s, and lo and behold, we got what we expected.

According to our telemetry, we first saw the track.savezmeet\[.\]com with this format on August 2. Malwarebytes has blocked MyStartHealth.com since March 2025.

What you will get if you decide to buy there is probably not recommended. The website explicitly uses compounded GLP-1 products (not FDA approved), with the disclaimer buried in legalese and clear acknowledgment that these are not branded or FDA-validated versions of Ozempic, Wegovy or any other GLP-1s.

And it’s not just an issue in the US, the EU recently sent out a warning about a sharp rise in illegal medicine sold in the EU.

> “In recent months there has been a sharp rise in the number of illegal medicines marketed as GLP-1 receptor agonists such as semaglutide, liraglutide and tirzepatide for weight loss and diabetes. These products, often sold via fraudulent websites and promoted on social media, are not authorised and do not meet necessary standards of quality, safety and efficacy.”

So, besides social media, we can add cold texts as a means of promoting these products in the US.

**Avoiding weight-loss scams**

Before buying weight-loss products, there are a few pointers you can use:

*   Never follow unsolicited links in social media posts, text messages, or emails.
*   Don’t let anybody rush you into buying anything.
*   Read the fine print. Often this will tell you that you are signing up for a monthly subscription model instead of a one-time payment.
*   Research the name of the product the scammers are selling. In many cases you will find the name associated with scams.
*   If you have bought one of these products, keep an eye on your financial accounts, because some scammers might use your card for other transactions.
*   If you’re not sure if a text message is trustworthy, submit it to Malwarebytes Scam Guard and we will tell you if it’s likely genuine or a scam.
*   Use an active security solution that blocks malicious domains.

**Indicators of compromise (IOCs)**

**Phone number:** +1(682) 416-2557

**Domains:**

andkovz\[.\]com

savezmeet\[.\]com

mystarthealth\[.\]com

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Pre-approved GLP-1 prescription scam could be bad for your health 

Media streaming platform Plex has warned customers about a data breach, advising them to reset their password.

Media streaming platform Plex has warned customers about a data breach, advising them to reset their password.

Plex said an attacker broke into one of its databases, allowing them to access a “limited subset” of customer data. This included email addresses, usernames, hashed passwords, and authentication data.

> “Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account… Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.”

Hashing is a way to protect users’ passwords by transforming them into a scrambled and unreadable format before storing them. Think of it like turning a password into a unique “fingerprint” made of random letters and numbers that doesn’t resemble the original password. This scrambled form is called a hash, and it is created using a special mathematical process called a hash function.

The main point about hashing is that it is a one-way process: once a password is hashed, it cannot be reversed or decrypted back into the original password. When you log in, the system hashes the password you enter and compares that to the stored hash. If they match, you get access. This means companies never store your real, plain text password, which helps keep your credentials safe even if their database is hacked.

The downside is that some systems are vulnerable to pass-the-hash attacks where an attacker can sign in by only knowing the hash. But those are mainly a concern in Windows network environments.

In the case of the Plex breach, pass-the-hash attacks are less of a worry for regular users. Plex uses hashed passwords mainly for user login access to its streaming platform, not for network-level authentication. Plex doesn’t directly enable attackers to authenticate anywhere else without cracking those hashes first.

However, as a precaution, Plex users should still follow the instructions from the company, below.

**What Plex asks users to do**

**If you normally log in using a password**: Reset your Plex account password immediately by visiting https://plex.tv/reset. During the reset process you’ll see a checkbox to “Sign out connected devices after password change,” which the company recommends you enable. This will sign you out of all your devices (including any Plex Media Server you own). After the reset you’ll need to sign back in with your new password.

**If you normally log in using Single Sign-On**: Log out of all active sessions by visiting http://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

For further account protection, we also recommend enabling two-factor authentication 2FA on your Plex account if you haven’t already done so.

Look out for any phishing attempts that may try to prey on this incident. Plex has said that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Plex users: Reset your password! 

Researchers found a host of vulnerabilities in the platforms run by RBI to service Burger King, Tim Horton's, and Popeyes.

Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).

RBI is one of the world’s largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain Burger King and the Canadian coffee and restaurant chain Tim Hortons. Since then, RBI has expanded its brand portfolio to include Popeyes Louisiana Kitchen, acquired in 2017, and Firehouse Subs. It operates a global network of over 32,000 restaurants across more than 120 countries and territories.

The two researchers that scrutinized the security were far from impressed. Their, now removed but archived, blog states:

> “Their security was about as solid as a paper Whopper wrapper in the rain.  
> We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire. From a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too.”

The researchers say they found that RBI uses AWS Cognito but forgot to turn off user signups. AWS Cognito is a managed service from Amazon Web Services that helps developers handle user signups, sign-ins, and access control without building these features from scratch.

Disabling user signups is important to make sure that only authorized personnel get accounts, which may be created and managed centrally by IT administrators. This approach reduces the attack surface by blocking open self-registration and unauthorized account creation, which is critical for protecting sensitive internal resources and services. Administrators can then validate and approve accounts before enabling user access to applications managed via Cognito.

After managing their way in through that gateway, the researchers said they realised they could have saved themselves the trouble because they found an even easier signup endpoint that completely bypassed email verification, resulting in an email with the password in plain text.

The researchers say they found three assistant platforms (domains bk.com, popeyes.com, and timhortons.com) were all vulnerable and could enable an attacker to:

*   Access voice recordings of customer orders
*   Add/remove/manage franchise stores
*   View and edit employee accounts
*   Access store analytics and sales data
*   Upload files and send notifications to any store’s systems
*   Use a self-install device ordering system (with the password hard coded into the HTML)

They also say they found that the voice recordings of customer orders, raw audio files of real people ordering food, complete with background conversations, car radios, and sometimes personally identifiable information (PII), were fed into an AI to analyze things like:

*   Customer sentiment
*   Employee friendliness levels
*   Upsell success rates
*   Order processing times
*   How many times employees said “You rule” (because that’s definitely a crucial business metric)

The only good thing about this story is that despite the researchers finding all these vulnerabilities in one day, RBI fixed them the same day. But apparently without acknowledging the researchers or commenting on the vulnerabilities.

If you were involved in this or any other data breach, please read: Involved in a data breach? Here’s what you need to know.

Do not share further personal information. Avoid sharing additional personal details publicly on social media or online directories that could be linked to your exposed information. You can check what information is already out there about you by using our free Digital Footprint Scanner.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers 

A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy.

A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy.

In July 2020, Google user Anibal Rodriguez filed a lawsuit against the search giant, arguing that it misled users with its “Web & App Activity” setting. The setting was supposed to stop Google collecting data about users’ activities online and in apps.

In reality, Google continued to collect data about how people were using their apps, even after they had switched off data collection in the Web & App Activity setting. Although it said that it was anonymizing that data.

The company collected this information via Firebase, a database that it uses to monitor activities across 1.5 million apps for analytics purposes which operates separately to the Web & App Activity setting. It’s reportedly in 97% of the top thousand Android apps, and 54% of leading iOS apps. Google harvested data from apps including Uber, Venmo, Shazam, the New York Times, Duolingo, and Instagram.

This arrangement created a dual data collection system. It misled 98 million Google users into thinking that their actions were completely private, argued the case, which became a class action suit.

Google’s lawyers protested that users were properly informed about how the company collects information and what it does with it. They pointed out that when confirming their choice, Google displays an “Are You Sure?” prompt that lets them check on what information Google collects, according to Bloomberg Law.

This clearly didn’t resonate with jurors, one of whom said after the verdict that Google needed to be clearer in how it communicated its data handling to its users. They’re generally “skimmers, not readers” he said.

Plaintiffs originally asked for $31bn in damages, but the amount awarded is far less, equating to around $4 per user.

Nevertheless, Google plans to appeal. “This decision misunderstands how our products work,” its spokesperson Jose Castaneda reportedly said. “Our privacy tools give people control over their data, and when they turn off personalization, we honor that choice.”

**A history of questionable tactics**

This isn’t the first time that Google has been found guilty of misleading users. In February 2023, it agreed to pay $392m in a settlement with 40 states for storing users’ locations when it told them it wouldn’t. It coughed up another $40m in a separate arrangement with Washington state later that year and also settled with Arizona for $85m.

In December 2023, the search giant also settled in a class action over alleged misleading language in its incognito mode service, which promised not to collect data about browsing activity but actually did. It deleted records costing it at least $5bn to settle that claim, but didn’t pay damages to users. However, in May this year it settled with Texas to pay $1.38bn to resolve the state’s own claims in the location and incognito mode affairs.

One interesting snippet is that Google has a habit of internally playing down its privacy claims because it knows that explaining exactly what it keeps might alarm users. In a ruling that denied a motion to dismiss the Web & App Activites-related case in January, district judge Richard Seeborg said:

> “Internal Google communications also indicate that Google knew it was being ‘intentionally vague’ about the technical distinction between data collected within a Google account and that which is collected outside of it because the truth ‘could sound alarming to users.'”

Google executives had also privately discussed the need to soften up the privacy language in the company’s services to avoid alarming users of incognito mode. The message here to Joe and Jane Public is even clearer now than it was before; take privacy claims from big tech vendors with the skepticism they deserve, and adopt the ‘mom rule’ when dealing with them: never let them see anything you wouldn’t want them to know.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google misled users about their privacy and now owes them $425m, says court 

This week on the Lock and Code podcast, we speak with Emily Galvin-Almanza about predictive policing and whether it actually improves safety.

_This week on the Lock and Code podcast…_

In the late 2010s, a group of sheriffs out of Pasco County, Florida, believed they could predict crime. The Sheriff’s Department there had piloted a program called “Intelligence-Led Policing” and the program would allegedly analyze disparate points of data to identify would-be criminals.

But in reality, the program didn’t so much predict crime, as it did make criminals out of everyday people, including children. 

High schoolers’ grades were fed into the Florida program, along with their attendance records and their history with “office discipline.” And after the “Intelligence-Led Policing” service analyzed the data, it instructed law enforcement officers on who they should pay visit to, who they should check in on, and who they should pester.

As reported by The Tampa Bay Times in 2020:

> “They swarm homes in the middle of the night, waking families and embarrassing people in front of their neighbors. They write tickets for missing mailbox numbers and overgrown grass, saddling residents with court dates and fines. They come again and again, making arrests for any reason they can.
> 
> One former deputy described the directive like this: ‘Make their lives miserable until they move or sue.’”

Predictive policing can sound like science fiction, but it is neither scientific nor is it confined to fiction.

Police and sheriff’s departments across the US have used these systems to plug broad varieties of data into algorithmic models to try and predict not just who may be a criminal, but where crime may take place. Historical crime data, traffic information, and even weather patterns are sometimes offered up to tech platforms to suggest where, when, and how forcefully police units should be deployed.

And when the police go to those areas, they often find and document minor infractions that, when reported, reinforce the algorithmic analysis that an area is crime-ridden, even if those crimes are, as the Tampa Bay Times investigation found, a teenager smoking a cigarette, or stray trash bags outside a home.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Emily Galvin-Almanza, cofounder of Partners for Justice and author of the upcoming book “The Price of Mercy,” about predictive policing, its impact on communities, and the dangerous outcomes that might arise when police offload their decision-making to data.

> “ I am worried about anything that a data broker can sell, they can sell to a police department, who can then feed that into an algorithmic or AI predictive policing system, who can then use that system—based on the purchases of people in ‘Neighborhood A’—to decide whether to hyper-police ‘Neighborhood A.’”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

 This “insidious” police tech claims to predict crime (Lock and Code S06E18) 

Phishers are abusing Apple and Microsoft infrastructure to send out call-back phishing emails with legitimate sender and return addresses.

Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they’re not abusing PayPal’s platform, but iCloud Calendar invites.

Our friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers.

> “Pedro McCarthy invited you to ‘Purchase Invoice’.
> 
> Purchase Invoice
> 
> Hello Customer,  
> Your PayPal account has been billed $599.00  
> We’re confirming receipt of your recent payment. Below are the details:  
> Invoice ID: AFER13VD
> 
> Date: AUG 28, 2025
> 
> Amount: USD 599.00
> 
> If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902 8579”

The sender email address shows as noreply@email.apple.com which helps it pass every imaginable email security check since it actually came from an Apple server. This happens because it is an iCloud Calendar invite, with the phishing text written in the “Notes” field.

To the recipient it shows a Microsoft 365 account controlled by the phishers. When creating such an iCloud Calendar event with external people added to the invite, an email is sent from Apple’s servers from the iCloud Calendar owner’s name with the email address noreply@email.apple.com.

The Microsoft 365 account is very likely a mailing list holding the email addresses of the targets in this campaign. This method allows the phishers to use the Microsoft Sender Rewriting Scheme (SRS), a technical method used to make email forwarding work smoothly without breaking anti-spoofing protections.

Because the rewritten sender address now belongs to the forwarding domain (e.g., Microsoft 365) it doesn’t trigger any alarms. Meanwhile, the “From” address you see in your email program remains the same as the original sender, so the email looks legitimate to the recipient—especially when that address belongs to Apple.

A call-back phishing campaign is usually set up to entrap targets that decide to call the number listed in the invitation. They’ll be asked to download something under false pretences, which often turns out to be a remote desktop client or information-stealing malware—which will then be used to drain all your accounts.

**How to stay safe**

Don’t be fooled by the legitimate sender email address. Besides spoofing a sender email address, criminals are finding other ways to abuse big tech infrastructure and make it look as if an email came from a legitimate company.

The email has many of the usual signs of a phishing mail:

*   Urgency is imposed by a large amount being billed
*   Generic greetings: “Hello customer” and not your name.
*   The receiver’s email address is not yours.
*   The spelling error in the phone number (twice the +1)

What you can do:

*   Always search phone numbers and email addresses to look for associations with known scams.
*   Login directly to PayPal.com to see if there are any messages in your account.
*   Enable two-factor authentication (2FA) on your Paypal account to add an extra layer of security to your financial accounts and help prevent scammers getting in.
*   Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 iCloud Calendar infrastructure abused in PayPal phishing campaign 

A list of topics we covered in the week of September 1 to September 7 of 2025

September 5, 2025 - A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed drivers’ cars,...

September 4, 2025 - Roblox announced plans to roll out age estimation for using the communication features on the platform to help fight sexual predators.

September 4, 2025 - Today we're launching Malwarebytes Tools, a new set of free features designed to give your Windows PC a breath of fresh air.

September 4, 2025 - The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts.

September 4, 2025 - A recent report has revealed that many VPNs might allow others to sniff your data—and they're not being honest about who's behind them.

 A week in security (September 1 &#8211; September 7) 

A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed drivers’ cars,...

A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed drivers’ cars, according to a new report from 404 Media.

Nexar is a dashcam company that promotes its products as “virtual CCTV cameras” and offers automatic cloud uploads of critical incidents, AI-driven insights, and real-time road alerts. It offers customers remote video streaming, live GPS tracking, and easy-to-share video-evidence.

Nexar also sells access to reportedly blurred images captured by the cameras and other related data to other companies. Nexar monetizes users’ data and recordings by repackaging them into various products. One of those is the company’s CityStream map which uses recent and blurred images taken by Nexar dashcams, superimposes them on a publicly available map, and annotates things such as yield or speed limit signs, damaged roads, and other hazards.

This level of access and data management should come with a healthy, corporate security stance. But, according to the hacker who breached the company’s systems, Nexar is an absolute privacy nightmare with embarrassing security. Allegedly, it only took the hacker 2 hours to breach Nexar systems, and they stated:

>  “I would be very surprised if no one (foreign government or just bad actor) wasn’t already tapping their customer data.”

In one clip the hacker provided to 404 Media as proof, a Nexar camera is faced inwards for a car, capturing what appears to be a rideshare driver picking up passengers. Like in many other videos, people’s faces are clearly visible.

Nexar co-founder and CTO Bruno Fernandez-Ruiz told 404 Media in an email that, per Nexar’s privacy policy, users who contribute to the CityStream feature do so with either opt-in—or opt-out—consent, depending on the jurisdiction.

Besides the personal implications, 404Media also mentioned and highlighted some potential national security risks that could be found in the evidence the hacker provided.

The hacker found all the videos on an improperly secured Amazon Web Services (AWS) bucket. An AWS bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There, the hacker found more than 130 TB worth of data.

The hacker were able to access the AWS bucket because embedded in every Nexar dashcam was a key to this database. And this key came with high privileges—too high. These access privileges not only allowed anyone with the key to upload their own camera’s data, but to also access those of everyone else.

Another find by the hacker was a file showing the companies and organizations that Nexar says have had access to the company’s data. According to the document, these include Apple, Microsoft, Amazon, Google, Pokémon Go creator Niantic, transportation companies Lyft and Waymo, the cities of Los Angeles and Austin, the NYPD, and many AI- and logistics-focused companies.

Nexar fixed this issue after being contacted by 404 Media this week, but the level of trust that should be expected from a company that stores dashcam or CCTV images has taken a serious hit.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication** **(2FA****).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring****.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Nexar dashcam video database hacked 

Roblox announced plans to roll out age estimation for using the communication features on the platform to help fight sexual predators.

Roblox is an online platform that allows users to build, play and share online worlds and 3D games. Unfortunately, it’s also a popular platform among predators reaching out to kids and seducing them using game features such as messaging, avatar customization, and role-play.

Over the years, the company has faced several lawsuits and backlash for not doing enough to protect kids on its gaming services. Recently, Louisiana sued the Roblox, alleging the wildly popular site has perpetuated an environment where sexual predators “thrive, unite, hunt, and victimize kids.” And back in February Roblox, along with Discord, was sued in California. The law suit referred to it as a “real life nightmare for children.”

The initial response by Roblox’s CEO, Dave Baszucki, was “if you’re not comfortable, don’t let your kids be on Roblox.” But apparently, the company thought better of it, and so yesterday Roblox announced a plan to expand age estimation to all Roblox users who access its on-platform communication features by the end of this year.

Roblox defines age estimation as follows:

> “We estimate your age by analyzing a selfie of your face and examining your facial features. Your estimated age helps place you in the appropriate age group (under 13, 13+ and 18+) to customize your experience on Roblox. If you are placed in the under 13 age group based on facial age estimation, certain personal data, including your email and phone number, will be removed from Roblox.”

While we understand the move, which aims to strengthen communication safety and prevent inappropriate interactions between adults and minors on the platform, we wonder if this will be enough to stop predators.

But the goal is clear: Limit communication between minors and adults that do no know each other in the real world. So, by using methods like facial age estimation, ID verification, and parental consent, Roblox aims to ensure users only access features and content suitable for their age group, and with that create a safer environment, ensuring that young users aren’t exposed to content or interactions that might be inappropriate for their developmental stage.

With governments demanding actual age verification on websites with adult content, and platforms like social media and Roblox introducing restrictions based on a user’s age, the controversy about different types of age verification and those implications is growing.

While Roblox didn’t release any details about how its age estimation technology works, the age estimation processes we know are based on Artificial Intelligence (AI) tools that scan selfies or short videos and compare them to a database to estimate the user’s age. Needless to say, they are not always right and it opens up the system to deepfakes, and spoofing.

This kind of technology is definitely more effective than asking the user to provide their birthday or check a box that they are over 18, but it’s not foolproof.

And methods like facial scans, ID verification, and so on, will store information on servers which can be breached. We would prefer websites to use “double-anonymity” solutions, but it seems to be hard to convince them. Double anonymity basically separates the information of two providers from each other. The first provider (website asking for age confirmation) would only get the requester’s age and no other information. The second provider (the age verifier) wouldn’t receive information about the service or website the age verification is needed for. That enters the user into the appropriate age group, but keeps sensitive information away from servers that are not secure enough to hold it.

Roblox also acknowledges another danger:

>   
> “Unfortunately, bad actors will try to circumvent our systems to try to direct users off the platform, where safety standards and moderation practices may differ. We continuously work to block those efforts and to enhance our moderation approaches to promote a safe and enjoyable environment for all users.”

In defense to the Louisiana lawsuit, Roblox rolled out an AI system to help detect early signs of possible child endangerment, such as sexually exploitive language. Roblox said the system led it to submit 1,200 reports of potential attempts at child exploitation to the National Center for Missing and Exploited Children in the first half of 2025.

**How to keep your kids safe on Roblox**

Since it’s not likely you’ll be able to guide your children 24/7 in their online journey, here are some tips you can use to keep them safe:

*   **Take control.** Use Roblox’s Parental Controls to limit access to age-appropriate games and content and enable features like daily screen-time limits.
*   **Anonymize.** When setting up your child’s Roblox account, avoid using real names, and use an appropriate date of birth to enable the relevant restrictions.
*   **Friend requests.** Access the settings of your child’s account to limit or disable friend requests and online chat capabilities.
*   **Stay on the platform.** Tell your child to refuse requests to take chats offline or to another platform. Predators will do this to avoid Roblox’s restrictions about sharing images.
*   **Education.** Teach children about online safety, including not sharing personal information and avoiding suspicious links, and make sure they are comfortable sharing their online experiences with you.
*   **Play with them.** What’s more fun than beating your parents in your favorite game? Spending some quality time with them makes it fun to keep an eye on them and the games they enjoy.
*   **Information.** Stay on top of information about Roblox’s updates, features, and changes**.**
*   **Protect the device.** Make sure they are playing on a device that is fully up-to-date and actively protected.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Source

Malwarebytes