A carmaker has been found to be open to leaking vehicle data and customer information through their dealership portal.

A carmaker’s online dealership portal has been found leaking the private information and vehicle data of its customers. This also meant that anyone with access could remotely break into a car.

Researcher Eaton Zveare shared his discovery with TechCrunch. Although he said he has chosen not to disclose the vendor’s name, he revealed that it is a well-known automaker with several popular sub-brands and more than 1,000 dealerships across the United States.

Zveare says it wasn’t easy to find the flaw, but once he did, it allowed him to modify the code at the portal’s login page so he could bypass the login security checks. This permitted him to create a new national administrator account.

Not only did this allow him to access all the data of these dealerships, he also found a national consumer lookup tool that allowed any logged-in portal user to look-up the vehicle and driver data of that carmaker.

Real life tests learned that taking a vehicle’s unique identification number (VIN) from the windshield of a car allowed anyone with access to the portal to look up the name of the owner. It was also possible to pair any vehicle with a mobile account which could then be used to remotely control a car’s functions, such as unlocking the vehicle.

Since both a VIN or someone’s first and last name were enough to find and transfer ownership of an account to one under control of an attacker, they would—at least—be able to open the car and steal everything inside. The researcher did not test whether he was able to drive away in it.

Although he found no evidence of anyone else exploiting the flaw, the portals were a security nightmare waiting to happen. It even allowed administrator accounts, such as the one he was able to create, access to other dealer systems as if they were that user without needing their logins, and found personally identifiable customer data, some financial information, and telematics systems that allowed the real-time location tracking of rental or courtesy cars.

As we have said before, this is exactly the sort of thing the Federal Communications Commission (FCC) wants car manufacturers to make harder for stalkers, not easier.

Zveare will be presenting his findings at Defcon. He reported the bugs he found to the car maker, and says it took them a week to fix them.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone (such as Google Maps, Waze, etc), rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data using any “remote access” apps for the car, and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If a suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Online portal exposed car and personal data, allowed anyone to remotely unlock cars 

A software developer discovered a way to abuse an undocumented protocol in Amazon's Elastic Container Service to escalate privileges, cross boundaries and gain access to other cloud resources.

Privilege Escalation Issue in Amazon ECS Leads to IAM Hijacking

Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
The attack technique has been codenamed ECScape by Sweet Security researcher Naor Haziz, who presented the findings today at the

Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft

Everest ransomware claims Mailchimp breach, leaks 943,000 lines of data. While limited in size, it adds to a spike in global ransomware activity this July.

The Everest ransomware group is claiming responsibility for breaching Mailchimp, the popular marketing platform used to create, send and manage email campaigns and newsletters.

The group made the announcement earlier today on its dark web leak site, claiming to have stolen a 767 MB database containing 943,536 lines of data. According to Everest, the leak includes “internal company documents” and “a huge variety of personal documents and information of clients.”

A look at the sample data published by Everest shows that the leaked dataset includes structured business information rather than sensitive internal Mailchimp data. The records appear to contain domain names, company emails, phone numbers, city and country details, GDPR region labels, social media links, and information about hosting providers.

Many entries also list the technology stacks used by the companies, such as Shopify, WordPress, Amazon, Google Cloud, and PayPal. The data is organised in spreadsheet-style rows, suggesting it may have come from a marketing or CRM export rather than from Mailchimp’s internal systems.

Screenshot from the dark web leak site of the Everest ransomware group (Image credit: Hackread.com)

Everest ransomware is a relatively obscure strain that emerged around 2020. It follows the double extortion model, where attackers encrypt a victim’s files and also steal data to pressure victims by threatening public exposure.

While Everest never reached the notoriety of groups like REvil or Conti, it did claim responsibility for a breach of Coca-Cola in May 2025 and later leaked employee data online.

Nevertheless, whether small or large, ransomware attacks are peaking. On July 30, 2025, the INC ransomware claimed to have stolen 1.2 terabytes of data from Dollar Tree. On the same day, another group called GLOBAL GROUP announced a breach of the Miami-based media company Albavision, claiming to have taken 400 GB of data. These claims came just days after NASCAR acknowledged a data breach following Medusa ransomware’s demand for a $4 million ransom.

Hackread.com has reached out to Mailchimp. This article will be updated accordingly.

Everest Ransomware Claims Mailchimp as New Victim in Relatively Small Breach

The Trump Administration is working with 60 companies on a plan to have Americans voluntarily upload their healthcare and medical data.

US President Donald Trump announced a loose plan Wednesday to allow Americans to voluntarily upload and port their medical records across hospitals, clinics, technology companies, and health apps, with broad participation from Google, Apple, OpenAI, Amazon, and more.

While the system could help Americans connect disparate pieces of health data currently siloed behind separate companies and healthcare providers, some privacy experts have warned that the data’s segmentation is in fact paramount to its privacy.

“\[This\] private health tracking system w/ Big Tech should worry all Americans,” said Georgetown University professor Lawrence Gostin, who also serves as the Director of the World Health Organization Collaborating Center on National and Global Health Law.

> “There are few privacy safeguards. Medical records are personal \[and\] intimate. Health records might be shared with insurers, businesses, ICE, \[and\] law enforcement.”

But, according to the Trump Administration, being able to more easily share this data is a boon to Americans who want to, say, directly hand their personal Apple Health data to their doctor, or approve certain weight loss providers, like Noom, to obtain access to their medical records.

A total of 60 companies have signed onto the effort, ranging from traditional healthcare insurers such as UnitedHealth to artificial intelligence developers such as Anthropic and OpenAI. The latter group’s participation is part of the Trump Administration’s efforts to roll out AI chatbots that can steer Americans into healthier recommendations for daily living—a goal pushed by Health and Human Services Secretary Robert F. Kennedy following a recent visit to Indonesia.

“There are other apps in Indonesia that allow you to choose good foods when you go to the grocery store and turn your app on on your phone and get information,” Kennedy said at a televised event Wednesday. “Now, if you have your medical records, you can get personalized advice, and that allows you to get better advice about a better alternative.”

Still, the prospect of increasing the accessibility of healthcare data creates new risks.

First, while it is unknown if participating companies can store a person’s data, their access to the new database could make them highly attractive targets for cybercriminals who want to abuse that access to ransack Americans’ sensitive information. Already, third-party companies that support healthcare providers are at high risk for cyberattacks—a reality that nearly gridlocked two ambulance operators after a shared technology provider was attacked.

Further, it’s far too common for companies that already handle medical data to expose private information, like when a radiological imaging provider failed to protect tens of thousands of patient files.  

Second, there is also the question about whether the data will be used in new, privacy-invasive ways to track Americans. Already, Americans’ browsing habits, online searches, clicks, scrolls, opened emails, and shopping wish lists are mined for advertising revenue. As warned by Jeff Chester, executive director for the Center for Digital Democracy in speaking with the AP:

> “This scheme is an open door for the further use and monetization of sensitive and personal health information.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Trump Administration and Big Tech want you to share your health data 

A hacker injected a malicious prompt into Amazon Q via GitHub, aiming to delete user files and wipe AWS data, exposing a major security flaw.

A security vulnerability recently surfaced involving Amazon’s AI coding assistant, ‘Q’, integrated with VS Code. The incident, reported by 404 Media, revealed a lapse in Amazon’s security protocols, allowing a hacker to insert malicious commands into a publicly released update.

The hacker, using a temporary GitHub account, managed to submit a pull request that granted them administrative access. Within this unauthorised update, destructive instructions were embedded, directing the AI assistant to potentially delete user files and wipe clean Amazon Web Services (AWS) environments.

Despite the severe nature of these commands, which were also intended to log the actions in a file named /tmp/CLEANER.LOG, Amazon reportedly merged and released the compromised version without detection.

The company later removed the flawed update from its records without any public announcement, raising questions about transparency. Corey Quinn, Chief Cloud Economist at The Duckbill Group, expressed scepticism regarding Amazon’s “security is our top priority” statement in light of this event.

“If this is what it looks like when security is the top priority, I can’t wait to see what happens when it’s ranked second,” Quinn wrote in his post on LinkedIn.

****The Mechanism of the Attack****

The core of the issue lies in how the hacker manipulated an open-source pull request. By doing so, they managed to inject commands into Amazon’s Q coding assistant. While these instructions were unlikely to auto-execute without direct user interaction, the incident critically exposed how AI agents can become silent carriers for system-level attacks.

It highlighted a gap in the verification process for code integrated into production systems, especially for AI-driven tools. The malicious code aimed to exploit the AI’s capabilities to perform destructive actions on a user’s system and cloud resources.

> Yesterday’s incident with Amazon Q was a wake-up call about how AI agents can be attacked.
> 
> PromptKit is trying to solve similar problems and help prevent them from happening again.
> 
> read full post👇https://t.co/atOWfilWFq
> 
> — Mr. Ånand (Studio1HQ) (@Astrodevil\_) July 24, 2025

****A New Solution Emerges****

In response to such vulnerabilities, Jozu has released a new tool called “PromptKit.” This system, accessible via a single command, offers a local reverse proxy to record OpenAI-compatible traffic and provides a command-line interface (CLI) and text-based user interface (TUI) for exploring, tagging, comparing, and publishing prompts.

Jozu announced on X.com that PromptKit is a local-first, open-source tool aiming to provide auditable and production-safe prompt management, addressing a systemic risk as reliance on generative AI grows.

> Today, we’re releasing a first version of Jozu PromptKit
> 
> → a local-first tool for capturing, reviewing, and managing LLM prompt interactions.
> 
> It ensures policy-controlled workflows for verified, auditable prompt artifacts in production
> 
> Free to try and open source. pic.twitter.com/0Up4mc1Vy9
> 
> — Jozu (@Jozu\_AI) July 24, 2025

Görkem Ercan, CTO of Jozu, told Hackread.com that PromptKit is designed to bridge the gap between prompt experimentation and deployment. It establishes a policy-controlled workflow, ensuring that only verified and audited prompt artefacts, unlike the raw, unverified text that impacted AWS, reach production.

Ercan further emphasised that this tool would have replaced the failed human verification process with a strict, policy- and signing-based workflow, effectively catching the malicious intent before it went live.

Hacker Added Prompt to Amazon Q to Erase Files and Cloud Data

Newly appointed Amazon Web Services CISO Amy Herzog believes security culture goes beyond frameworks and executive structures. Having the right philosophy throughout the organization is key.

Can Security Culture Be Taught? AWS Says Yes

Microsoft was the most impersonated brand in phishing attacks during Q2 2025, accounting for 25% of all attempts, according to Check Point Research.

According to Check Point Research’s (CPR) latest report, cybercriminals spent the second quarter of 2025 impersonating the world’s most familiar brands to steal credentials and payment information. The data shows a mix of predictable targets and a few surprising returns, with Spotify reappearing as a key lure for the first time in years.

Microsoft once again topped the list, featuring in a quarter of all phishing attacks during Q2. Tech brands remained the primary focus, but cybercriminals also went after streaming services and travel platforms that people use daily without a second thought.

Screenshot of a Microsoft 365 phishing email tricking users into calling fake support. This scam was first reported in March 2025.

While the latest research shows Meta no longer at the top as it was in 2024, Microsoft taking the lead again doesn’t come as a surprise. As of 2025, over 1.6 billion people were using the Windows operating system. On top of that, Microsoft 365 had around 345 million paid subscribers and roughly 321 million active users each month.

That massive user base is exactly why Microsoft Office was the most targeted software in malware attacks back in 2022. It also explains why Microsoft was the most impersonated brand in phishing campaigns during Q2 2023, and why it has returned to the top spot now.

Spotify’s return to phishing charts for the first time since 2019 was linked to a spoofing campaign that mimicked the company’s login flow almost perfectly. The fake page, hosted on a malicious URL, asked victims to input credentials before redirecting them to a counterfeit payment form. Both the design and branding were polished enough to fool unsuspecting users, many of whom may have believed they were logging into their real account.

Spotify phishing login page (Image via CPR)

This renewed targeting of entertainment services shows attackers aren’t just looking at corporate systems anymore. Everyday platforms with large user bases are just as likely to be exploited, especially when those users are less suspicious of messages related to subscriptions or media.

Booking.com was also hit by a surge in impersonation. Researchers flagged over 700 newly registered domains with names resembling real booking confirmation URLs. Compared to previous quarters, that’s a spike by a factor of 100.

As Hackread.com reported on multiple occasions, most recently in June 2025, Booking.com was abused in a ClickFix email scam. Back in April 2025, another ClickFix scam exploited Booking.com to infect unsuspecting users with AsyncRAT.

Booking.com ClickFix phishing scam that delivered AsyncRAT (Image credit: Hackread.com)

These scams used personal details like names and email addresses to create urgency. While the domains have since been taken down, the approach revealed how much more personalised phishing tactics have become.

Outside these two cases, as per CPR’s report, the overall trend remains predictable. The tech sector continues to be the most impersonated, with Microsoft, Google, and Apple taking the top three spots.

Social media platforms like LinkedIn, WhatsApp, and Facebook remain common targets, while retail and travel services like Amazon and Booking.com round out the top ten. It is worth noting that CPR’s report

If you use any of these services, keep in mind that phishing campaigns count on people clicking without thinking. A few simple steps can help protect your data. Start by using multi-factor authentication, double-check URLs, run suspicious links through VirusTotal before opening them, and don’t get caught up in the urgency scammers try to create.

For businesses, keep employees informed and alert on cybersecurity, since phishing is still one of the easiest ways attackers gain access to internal systems. And finally, for ongoing updates and insights on cybersecurity, make sure to follow Hackread.com.

Microsoft Most Phished Brand in Q2 2025, Check Point Research

Ring users on TikTok, Reddit, and X are reporting multiple unauthorized device logins all dating back to May 28.

In the last week, countless Amazon Ring users on TikTok, Reddit, and X have been saying they believe their Ring cameras were hacked starting May 28.

Many posted screenshots of their accounts, showing multiple unauthorized device logins, making these claims hard to ignore. Forbes looked into the issue and even the journalist found several logins on his own device.

However, on Friday Ring claimed it’s just a minor issue with the displayed date:

> “We are aware of a bug that incorrectly displays prior login dates as May 28, 2025.

Visitors who go to Ring’s site are shown the following (correct at the time of writing):

> “We are aware of an issue where information is displaying inaccurately in Control Center. This is the result of a backend update, and we’re working to resolve this. We have no reason to believe this is the result of unauthorized access to customer accounts.”

This message was posted on Friday, July 18. We spoke to one user who let us know that, as of Monday morning (July 21), he was unable to log in through the website. He was, however, able to log in through the app and saw no May 28 logins.

So, what’s Ring claiming here? That it did an update and messed up the database? In a later message it claimed:

> “Ring made a backend update that resulted in prior login dates for client devices to be inaccurately displayed as May 28, 2025, and device names to be incorrectly displayed as ‘Device name not found’.“

But if you look at any of the plethora of screenshots, you’ll see that there are plenty of device names displayed.

The Ring software release notes show no updates for the doorbells on or around May 28, so we think it’s safe to assume that Ring is right about it being a backend update that caused this.

There is one other thing that’s interesting in this puzzle. On July 17, founder and now CEO Jamie Siminoff announced some drastic changes. Siminoff reinstated Ring’s original mission statement, “Make neighborhoods safer,” which might suggest the business is going back to its founding identity as a crime prevention tool.

Before Siminoff came back as CEO he wasn’t working for Ring, and in that time the company leaned into a more community-focused brand, distancing itself from the surveillance tool image. Last year, the company discontinued “Request for Assistance,” a feature that allowed law enforcement officers to ask people for camera footage through Ring’s Neighbors app. At the time, the company said it would only let police request footage during “emergencies.”

However, in April, Ring announced a partnership with Axon that effectively reintroduces video sharing with law enforcement.

The two issues could be completely unrelated, but reintroducing this functionality does sound like it would need a backend update.

Either way, Amazon will not be happy about this issue, shortly after having to warn over 200 million Prime customers that their accounts are under attack.

**Worried your Ring camera has been hacked?**

Again, we should reiterate that Ring says that its cameras have not been hacked. However, if you’re worried, there are some things you can do:

*   Since there is no evidence of an actual breach yet, the best thing to do for now is wait and keep an eye on the updates by Ring about this issue.
*   In the Ring app’s **Control Center**, check the list of authorized devices that have access to your account and remove any unfamiliar ones.
*   If you’re worried about unauthorized access and you have an alternative camera or can cope without one for a bit, you could temporarily disable your Ring doorbell and/or cameras until we hear more on the situation.
*   Consider resetting your Ring account password using a strong, unique password that you have never used before and enable two step verification. There’s no harm in doing this so you may as well take this extra security step.
*   Phishers and other scammers might try to take advantage of the situation by sending you emails or messages hoping to get you to click or hand over personal details. If you receive a message that appears to come from Ring, double check via another means that it really is from Ring.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 &#8220;Ring cameras hacked&#8221;? Amazon says no, users not so sure 

BADBOX variant BADBOX 2.0 found preinstalled on Android IoT devices in 222 countries, turning them into proxy nodes used in fraud and large-scale malicious activity.

A new series of Android-based malware, BADBOX 2.0, is turning everyday smart devices into a botnet, often before they even reach users’ homes. The FBI has now flagged this malware as a global threat, and recent analysis from Point Wild’s Lat61 Threat Intelligence Team reveals over 1 million devices across 222 countries and territories have already been compromised.

Led by Dr. Zulfikar Ramzan, the Lat61 team traced the infection chain to its core: a native backdoor library named libanl.so, embedded deep within device firmware. The malware is designed to survive factory resets, carry out stealthy operations, and generate profit through hidden ad-click activity.

****Malware Hidden in Plain Sight****

What makes BADBOX 2.0 especially dangerous is how it spreads. It’s not just pushed through malicious downloads or fake apps. Many of the infected devices come preloaded or pre-installed with the malware straight from the factory. This means users are exposed from the moment they power on a new device.

BADBOX was first identified in October 2023, found in low-cost Android TV boxes that were compromising home networks. In the latest attack as well, most victims are users of low-cost Android-based IoT devices like generic-brand smart TVs, streaming boxes, digital projectors, or tablets, often purchased from online marketplaces and in some cases also available on Amazon. These devices are typically manufactured through unregulated supply chains and shipped worldwide without proper security checks.

Malicious T95 TV Boxes ready to be shipped through Amazon back in 2023 (Screenshot: Hackread.com)

****What the Malware Actually Does****

Once active, BADBOX 2.0 turns the device into a node in a residential proxy network. These nodes are then sold to criminal groups who use them to hide their tracks during click fraud, credential stuffing, and other types of cyberattacks.

According to Point Wild’s blog post shared with Hackread.com, the key components identified by analysts include:

*   **libanl.so**: A native backdoor that triggers malware modules on boot
*   **p.jar and q.jar**: Java modules responsible for downloading new payloads and maintaining persistence
*   **com.hs.app**: A system-level Android app that loads the backdoor
*   **catmore88(.)com and ipmoyu(.)com**: Command and control (C2) domains used to communicate with infected devices

The malware is capable of operating silently in the background. Victims may only notice symptoms like high CPU usage, overheating, sluggish performance, or unusual internet traffic when the device is idle.

****Stealth and Scale****

Point Wild’s telemetry shows infections spread across more than 222 countries, with many occurring out of the box. Users don’t need to download anything or click a malicious link. Just plugging in the device is enough to become part of a botnet.

What’s worse, the design allows for persistent access, encrypted communication with remote servers, and revenue generation through invisible ad-click modules, all without the user’s knowledge.

****Signs You Might Be Infected****

If your device feels sluggish, heats up unexpectedly, or shows signs of unusual internet activity even when idle, it might be infected. Other red flags include Google Play Protect being disabled or missing entirely, unfamiliar apps appearing on their own, or the device being from an off-brand manufacturer without verified firmware. These signs could point to malware like BADBOX 2.0 running silently in the background.

Users should also avoid buying unbranded or ultra-cheap devices from unknown sellers. Stick to manufacturers that offer ongoing firmware support and publish clear security documentation.

Remember, BADBOX 2.0 isn’t just some run-of-the-mill malware. It’s part of a large, coordinated operation that’s quietly turning cheap consumer devices into tools for cybercriminals, renting them out for fraud and other attacks.

The groups behind it are likely based in China, and what makes it especially dangerous is how deeply it’s embedded. Since the malware is often pre-installed during manufacturing, spotting or removing it is far more difficult than dealing with typical infections.

Tag

#amazon