BreachForums resurfaces on its original .onion domain amid law enforcement crackdowns, raising questions about its admin, safety and future.

The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts.

For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure.

Then, on April 28, as reported by Hackread.com, the forum’s homepage was replaced with a message stating that a MyBB 0-day vulnerability had left the site exposed to infiltration attempts by law enforcement, and it needed to be taken offline until the issue was resolved. That was the last message before BreachForums disappeared.

****Admin N/A?****

However, earlier today, Hackread.com spotted that the platform’s .onion domain had become active again, now under a new admin handle, “N/A.” The identity of “N/A” is unknown, but they claim the forum’s clearnet domain was suspended by the registrar following complaints and pressure from law enforcement.

Additionally, they claim the MyBB vulnerability has been fixed and that the forum was never compromised, with user data remaining protected throughout. “N/A” also addressed reports about the arrests of ShinyHunters members, denying that any original group members have been taken into custody.

For your information, after the arrest of former BreachForums administrator Conor Fitzpatrick, also known as Pompompurin, the forum reemerged under the leadership of the ShinyHunters group. However, in June 2025, authorities claimed to have arrested members of ShinyHunters, along with IntelBroker, another active member who had also served as the group’s administrator.

“N/A” also denied ever giving admin access to IntelBroker, claiming it was part of a strategy to divert law enforcement’s attention away from the original owners. According to the statement, IntelBroker never had administrative access to the forum.

Message from Admin N/A on BreachForums (Image credit: Hackread.com)

****As XSS.IS Falls, BreachForums Reemerges****

The return of BreachForums comes at a time when law enforcement is intensifying efforts against cybercrime. Less than 24 hours ago, in an operation called “Operation Checkmate,” authorities seized the infrastructure of the BlackSuit ransomware group, including two of its .onion domains.

Just a couple of days ago, the Russian-language cybercrime platform XSS.IS was seized following the arrest of its suspected administrator in Ukraine. While its dark web domain remains accessible, posts from admins and moderators suggest plans to revive the forum on other domains. Meanwhile, the return of BreachForums presents yet another challenge for law enforcement agencies.

The return of BreachForums on the dark web, along with plans to restore its clearnet domains, may be seen as good news within cybercrime circles, but it raises serious questions. Is it a honeypot set up by law enforcement? Who is “N/A”? Where is the original admin team if they haven’t been arrested? If you are active on BreachForums, sign in at your own risk, and consider quitting cybercrime for good.

BreachForums Resurfaces on Original Dark Web (.onion) Address

Nudges can be powerful — but they are not immune to overuse or misapplication.

Why Security Nudges Took Off

XSS.IS has been seized after its admin was arrested in Ukraine, however its dark web and mirror domains only show a 504 Gateway Timeout error.

Earlier this morning, it was **reported** that on 22 July 2025, Ukraine arrested a man suspected of being the administrator of XSS.IS, one of the world’s most notorious and sophisticated cybercrime platforms. The arrest was made with the assistance of Europol and French authorities. Now, as seen by Hackread.com, the forum itself has also been seized.

Visitors to XSS.IS now see a seizure notice stating, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department.”

The seizure notice on XSS.IS (Image credit: Hackread.com)

The “SBU Cyber Department” refers to the Cyber Security Department of the Security Service of Ukraine (SBU). La Brigade de Lutte Contre la Cybercriminalité (BL2C) is a branch of the French judicial police that specialises in combating cybercrime.

****XSS.IS Dark Web (.onion) and Clearnet Domains Show 504 Gateway Timeout Error****

At the time of writing, the main domain of the forum displays a seizure notice, while its dark web domain and clearnet mirror (XSS.AS) both return a “504 Gateway Timeout” error. Notably, the Telegram channel linked to the XSS.IS administrator shows no signs of seizure and is marked as “recently seen.” It remains unclear whether authorities have access to these domains or control over the forum’s Telegram account.

The dark web domain of the XSS.IS forum (Image credit: Hackread.com)

****Background of XSS.IS****

The XSS.IS forum was originally launched in 2004 under the name DaMaGeLaB, a well-regarded Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, a prominent forum administrator acquired a backup of the site and relaunched it under the new name XSS, a reference to the web security vulnerability known as **cross-site scripting**.

The name change served two main purposes. First, it distanced the forum from its past associations with law enforcement under the DaMaGeLaB name. Second, it gave the site a more technical and modern image by referencing a vulnerability familiar to its target audience.

Authorities and the cybersecurity community have long suspected that XSS.IS was operated or supported by Russian intelligence agencies, including the Foreign Intelligence Service (SVR), the Federal Security Service (FSB), and the Main Intelligence Directorate (GRU). However, the administrator was found to be in Ukraine. It remains unconfirmed whether the suspect is a Ukrainian or Russian national.

Authorities are analysing the suspect’s electronic devices (Via Europol)

****A Major Blow to Cybercrime****

Although cybercrime forums frequently **appear** and **disappear**, the seizure of XSS.IS marks a significant setback for the global cybercrime community. The forum had more than 50,000 registered users, with membership granted only after a thorough vetting process. In some cases, users were even required to pay a fee to create an account in order to prevent spam.

XSS.IS became a highly prominent and notorious marketplace for **hijacked system access**, malware, stolen credentials, databases, ransomware kits and an encrypted Jabber channel that hackers used to coordinate deals. The forum generated millions of dollars through advertising and facilitation fees.

According to Europol’s **press release**, authorities have also seized user data, which is now being analysed and will be used to track cybercriminals and support ongoing operations against cybercrime both in Europe and globally.

In the end, the message is clear: if you are involved in crime, especially at the scale of running a major cybercrime forum, authorities will eventually catch up. No matter how high-profile the platform may be, it is only a matter of time before it is taken down.

XSS.IS Cybercrime Forum Seized After Admin Arrested in Ukraine

Microsoft was the most impersonated brand in phishing attacks during Q2 2025, accounting for 25% of all attempts, according to Check Point Research.

According to Check Point Research’s (CPR) latest report, cybercriminals spent the second quarter of 2025 impersonating the world’s most familiar brands to steal credentials and payment information. The data shows a mix of predictable targets and a few surprising returns, with Spotify reappearing as a key lure for the first time in years.

Microsoft once again topped the list, featuring in a quarter of all phishing attacks during Q2. Tech brands remained the primary focus, but cybercriminals also went after streaming services and travel platforms that people use daily without a second thought.

Screenshot of a Microsoft 365 phishing email tricking users into calling fake support. This scam was first reported in March 2025.

While the latest research shows Meta no longer at the top as it was in 2024, Microsoft taking the lead again doesn’t come as a surprise. As of 2025, over 1.6 billion people were using the Windows operating system. On top of that, Microsoft 365 had around 345 million paid subscribers and roughly 321 million active users each month.

That massive user base is exactly why Microsoft Office was the most targeted software in malware attacks back in 2022. It also explains why Microsoft was the most impersonated brand in phishing campaigns during Q2 2023, and why it has returned to the top spot now.

Spotify’s return to phishing charts for the first time since 2019 was linked to a spoofing campaign that mimicked the company’s login flow almost perfectly. The fake page, hosted on a malicious URL, asked victims to input credentials before redirecting them to a counterfeit payment form. Both the design and branding were polished enough to fool unsuspecting users, many of whom may have believed they were logging into their real account.

Spotify phishing login page (Image via CPR)

This renewed targeting of entertainment services shows attackers aren’t just looking at corporate systems anymore. Everyday platforms with large user bases are just as likely to be exploited, especially when those users are less suspicious of messages related to subscriptions or media.

Booking.com was also hit by a surge in impersonation. Researchers flagged over 700 newly registered domains with names resembling real booking confirmation URLs. Compared to previous quarters, that’s a spike by a factor of 100.

As Hackread.com reported on multiple occasions, most recently in June 2025, Booking.com was abused in a ClickFix email scam. Back in April 2025, another ClickFix scam exploited Booking.com to infect unsuspecting users with AsyncRAT.

Booking.com ClickFix phishing scam that delivered AsyncRAT (Image credit: Hackread.com)

These scams used personal details like names and email addresses to create urgency. While the domains have since been taken down, the approach revealed how much more personalised phishing tactics have become.

Outside these two cases, as per CPR’s report, the overall trend remains predictable. The tech sector continues to be the most impersonated, with Microsoft, Google, and Apple taking the top three spots.

Social media platforms like LinkedIn, WhatsApp, and Facebook remain common targets, while retail and travel services like Amazon and Booking.com round out the top ten. It is worth noting that CPR’s report

If you use any of these services, keep in mind that phishing campaigns count on people clicking without thinking. A few simple steps can help protect your data. Start by using multi-factor authentication, double-check URLs, run suspicious links through VirusTotal before opening them, and don’t get caught up in the urgency scammers try to create.

For businesses, keep employees informed and alert on cybersecurity, since phishing is still one of the easiest ways attackers gain access to internal systems. And finally, for ongoing updates and insights on cybersecurity, make sure to follow Hackread.com.

Microsoft Most Phished Brand in Q2 2025, Check Point Research

CloudSEK’s new report uncovers how Chinese cyber syndicates are laundering over $600 million annually in India. Learn about…

CloudSEK’s new report uncovers how Chinese cyber syndicates are laundering over $600 million annually in India. Learn about the shadow banking empire using fake apps, mule accounts, and illegal payment gateways that threaten India’s financial security.

CloudSEK has exposed a large-scale illegal financial operation in India, allegedly run by Chinese cyber syndicates, that’s laundering over $580 million (₹5,000 crores) annually. This shadow banking empire uses illegal payment gateways, fake mobile apps, and a network of mule accounts to move dirty money, posing a significant threat to India’s financial and national security.

Illegal Payment Gateway (Source: CloudSEK)

****How the Scheme Operates****

According to CloudSEK’s investigation, shared with Hackread.com, the operation involves recruiting Indian citizens as money mules. Often, vulnerable individuals like unemployed youth or students are targeted through deceptive earning apps distributed via Telegram and WhatsApp.

These apps trick users into giving up sensitive banking information or even intercepting One-Time Passwords (OTPs), effectively taking control of their accounts. In other cases, people are simply paid to open new bank accounts and hand over debit cards, cheque books, and linked SIM cards to the syndicate.

Once obtained, these mule accounts become part of an illegal payment gateway system controlled by Chinese operators. This system processes funds for various illicit activities, including illegal gambling, Ponzi schemes, predatory digital lending, “digital arrest” scams, and fake stock trading platforms. Unlike legitimate payment gateways regulated by the Reserve Bank of India (RBI), these operate entirely outside legal oversight.

The funds are then laundered through a complex, multi-layered process. Money is rapidly moved between numerous mule accounts to obscure its origin. Finally, the laundered cash is often converted into cryptocurrency, primarily Tether (USDT), moved through informal hawala networks, or disguised as legitimate international trade to exit India’s financial system.

Operation flow (Source: CloudSEK)

****Scale and Impact****

The sheer scale of this operation is staggering. CloudSEK’s analysis of just one such application revealed that around $20 million was laundered through nearly 398,675 transactions involving 34,299 mule bank accounts in a single year. Extrapolating these figures to the wider network suggests the annual laundering volume reaches up to approximately $585 million. The Indian Cybercrime Coordination Centre (I4C) advisory identified approximately 4,000 new mule accounts daily.

This illicit activity has severe consequences for the Indian economy. It funnels vast sums of untaxed wealth out of the economy, potentially weakening the Indian Rupee, and erodes public trust in digital payments. Indian citizens are victimised twice: first by the initial scam, and then by facing legal consequences for unknowingly participating as money mules.

Recent investigations by Indian law enforcement, such as the Hyderabad Police and the Enforcement Directorate (ED), have already uncovered similar large-scale money laundering operations linked to foreign nationals, freezing hundreds of millions of dollars.

“These illegal payment gateways are not just financial crimes; they’re a direct attack on India’s digital economy and citizen trust. Our research arms stakeholders with actionable intelligence to disrupt these networks and protect India’s financial sovereignty,” said Mayank Sahariya, Cyber Threat Analyst at CloudSEK.

Dismantling this shadow economy requires a strong, multi-dimensional approach. This includes enhanced AI-powered monitoring by financial institutions, stricter regulations for fintech companies, improved international cooperation among law enforcement, and widespread public awareness campaigns to educate citizens on these evolving threats and how to protect themselves.

Chinese Groups Launder $580M in India Using Fake Apps and Mule Accounts

Meta executives settled a shareholders' lawsuit alleging continuous disregard of privacy regulations for the price of $8 billion.

Meta chief Mark Zuckerberg and several other members of the social media giant’s top brass agreed to settle increasingly heated privacy violation claims for the price of $8 billion.

It is far from the first time that the company, its subsidiary Facebook, or its executives have responded to alleged user privacy violations with billions upon billions of dollars.

The lawsuit at hand accused Zuckerberg and other Meta leaders of failing to prevent years of violations of Facebook users’ privacy. The claims, which were originally filed in September 2018, took years to process, eventually resulting in a trial at the Delaware Court of Chancery. But on just the second day of proceedings, with Zuckerberg himself set to testify early next week, the multibillion-dollar settlement was announced, to timing that many observers found suspicious and revealing.

While nobody at Meta will confirm that the settlement was reached to avoid having to testify, it very much looks like it to yours truly.

The case was brought by shareholders who accused Meta executives of many years’ worth of negligence and failure to enforce a 2012 agreement that was reached by the US Federal Trade Commission, which was designed to safeguard user data. The shareholders who filed the lawsuit claimed that Zuckerberg and former Meta Chief Operating Officer Sheryl Sandberg “knowingly ran Facebook as an illegal data harvesting operation.”

The shareholders wanted the 11 defendants they sued to use their personal wealth to reimburse the company after years of alleged reputational damage due to compiling privacy fiascos. The defendants denied the allegations, which they called “extreme claims.” The parties did not disclose details of the settlement. The plaintiffs’ lawyer, Sam Closic, said the agreement “just came together quickly.”

In 2019, Facebook paid a record-breaking $5.1 billion penalty after the FTC found the company had deceived users about control over their personal data. The FTC ordered Facebook to implement new restrictions and overhaul its corporate structure, ensuring greater accountability in decisions related to user privacy. This fine was imposed by the FTC after the agency concluded that Facebook had violated the earlier 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. The investigation was triggered by the Cambridge Analytica meltdown which showed the data of 50 million users was obtained without express permission and used for political purposes.

The $5 billion penalty explains a large part of the $8 billion demanded by the shareholders this week. In addition, Meta faced several fines in the European Union (EU). Among others, a 1.2 billion euro ($1.4 billion) fine for Meta’s transfers of personal data to the US without explicit consent.

All this is why the shareholders wanted Zuckerberg and others to reimburse Meta an estimated $8 billion or more for the FTC fine and other legal costs. The shareholders also questioned the timing of share sales by the executives.

By settling, Zuckerberg and other defendants avoid having to answer probing questions under oath. In January, former Meta COO Sandberg was sanctioned for deleting sensitive emails related to the Cambridge Analytica investigation, complicating her testimony.

The Delaware Chancery Court will likely manage access to full court documents for this case through its case files or release them via public interest or watchdog groups as the settlement process concludes. Until then, speculation about the settlement’s magnitude will run rampant. What will remain unrevealed is the true reason why Meta’s executives chose to settle. But it stands to reason that they expected the damages of a continued trial and the associated testimonies would have been even more damaging.

In a time where Meta sees many WhatsApp users actively switching to other messaging platforms, primarily Signal and Telegram, due to growing concerns about privacy and data sharing practices and a data breach at Instagram which sparked global privacy concerns, the last thing the company needs is a magnifying glass due to an ongoing lawsuit.

What has become very clear, even without knowing all the details, is that those in the know feel that Meta keeps abusing users’ personal data for monetary gain.

Despite promises to obtain specific user consent, offer privacy settings, and improve practices, Meta has consistently disregarded users’ privacy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Meta execs pay the pain away with $8 billion privacy settlement 

Meme coins started as internet jokes, but by 2025, they’ve become one of the most volatile and talked-about…

Meme coins started as internet jokes, but by 2025, they’ve become one of the most volatile and talked-about parts of the crypto world. Once dismissed as unserious, these tokens now account for a major part of trading activity. According to analytics from CoinGecko and LunarCrush, meme coins made up close to one-third of all crypto-related social engagement earlier this year, despite representing only 2.5% of total market value in 2024.

****Constant Flood of New Tokens****

The pace of upcoming meme coins launches hasn’t slowed down. Thousands of tokens hit the market daily, often built on copy-paste codebases or anonymous developer teams. While a few turn into massive hits, most disappear just as quickly. This flood of projects creates space for both fast profits and equally fast losses.

Older names like Dogecoin and Shiba Inu remain relatively stable and continue to build use cases. They’ve managed to build loyal communities that give them staying power. That success has encouraged newer projects to combine humour with actual utility, from staking features to integrations with payment apps.

Price swings remain common. Some meme coins double within hours, only to crash days later. Others hold value thanks to strong community support or added features. It’s never just about the coin anymore; it’s about who’s holding it and why.

****Political Meme Coins and Market Manipulation****

One of the biggest shifts in 2025 has been the arrival of political meme coins. A recent example tied to former President Donald Trump brought in nearly $100 million in trading fees within two weeks, according to data compiled by blockchain analytics firms like Arkham Intelligence and Lookonchain. While those behind the coin profited heavily, tens of thousands of retail traders ended up in the red.

Political coins ride waves of attention during election cycles and major news events, creating unpredictable spikes in volume and volatility. Some are launched with genuine ideological motives, but many are just cash grabs. The risks go beyond financial loss. These projects are increasingly targeted by phishing campaigns, fake token clones, and wallet-draining scams.

The cybersecurity angle is serious. Hackers now follow the political coin trend, launching fake airdrop links and malicious browser extensions disguised as “wallet boosters” or “token claim” tools. Telegram and Twitter are loaded with scam bots pushing fake liquidity pools that drain connected wallets instantly.

****Strong Communities Make the Difference****

The most successful meme coins have one thing in common: strong, active communities. Projects like Bonk and Pepe grew large followings that did more than just speculate. These communities produce memes, build tools, hold contests, and organise meetups.

That activity creates value. It also acts as a first line of defence against scams. When a fake version of a token shows up, it’s usually the community that sounds the alarm first.

Many of these groups also publish guides on how to avoid common traps, like fake presale links or copycat contract addresses. As meme coins attract new investors, education from within the community has become more important than ever.

****Security Risks Beyond the Jokes****

Meme coins often get written off as harmless fun, but the reality is far more complicated. The low barrier to entry makes them a favourite target for cybercriminals. In 2024 alone, nearly $500 million was lost in meme coin rug pulls and contract exploits, based on estimates from Merkle Science.

Most of these scams follow the same pattern: an anonymous team hypes a token, builds a Telegram group overnight, then pulls the liquidity once enough buyers join. Other times, the contract contains backdoors that allow minting unlimited tokens or draining funds.

The growing interest in political and celebrity-backed coins has only increased this risk. Attackers now mimic the branding of real tokens, launch fake versions, and promote them through impersonated social accounts or hijacked YouTube channels.

Investors need to be alert. Always check the contract address from verified sources and avoid interacting with unknown links, especially during high-traffic token launches.

****Smarter Investing Requires Strategy****

Despite the chaos, it’s still possible to make money with meme coins, but not without a strategy. The best investors don’t chase hype blindly. They set clear profit goals and stop-loss points before entering any trade.

Diversification helps reduce damage from individual coin collapses. Spreading funds across several meme coins, ideally those with solid track records and active communities,  makes more sense than betting everything on a single trending token.

Social media can help with timing. Tools that track sentiment across Reddit, X (formerly Twitter), and Telegram are now widely used to predict spikes in interest. That said, traders should always check whether a pump is organic or just a result of influencer promotions.

****Influencer Hype and Paid Promotions****

Influencers still have a strong effect on meme coin markets. A single post from a high-profile figure can boost a token’s value instantly. But not all promotions are genuine. Many influencers are paid to push projects, and not all disclose it.

Smart investors learn to look past the hype. Reputable influencers share disclaimers, explain their reasoning, and warn followers about risks. The best ones avoid making wild promises or price predictions.

Due diligence remains key. Always assume a shill unless proven otherwise.

****Regulations and the Road Ahead****

The regulatory side of meme coins is catching up. In 2025, the US Securities and Exchange Commission released more detailed guidance on what qualifies as a security. Some meme coins now fall under this definition, which brings tighter rules but also more legitimacy.

Other countries vary widely. In Europe, meme coins are mostly unregulated unless tied to financial services. In parts of Asia, they’re outright banned. Traders need to know their jurisdiction’s stance before jumping in.

There’s also a push for greater transparency around developer identity and tokenomics. Several exchanges have begun requiring KYC for project listings to cut down on rug pulls.

Nevertheless, Meme coins in 2025 are no longer just jokes. They’ve become speculative assets that carry real risks and real opportunities. But they’ve also become a major attack surface in crypto, targeted by scammers, exploited by anonymous devs, and manipulated by hype cycles.

Success with meme coins now depends as much on cybersecurity awareness and research as it does on timing or community hype. If you’re jumping in, know the risks, read the contract, question the promo, and don’t assume fun equals safe.

Meme Coins in 2025: High Risk, High Reward, and Rising Security Threats

A list of topics we covered in the week of July 7 to July 13 of 2025

July 10, 2025 - Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government.

July 10, 2025 - The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.”

July 9, 2025 - Researchers have discovered a campaign of malicious browser extensions that were available in the official Chrome and Edge web stores.

July 8, 2025 - Google says its Gemini AI will soon be able to access your messages, WhatsApp, and utilities on your phone. But we're struggling to see that as a good thing.

July 8, 2025 - If someone is going to negotiate with criminals for you, that person should at least be on your side.

 A week in security (July 7 &#8211; July 13) 

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

If you want a job at McDonald’s today, there’s a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and résumé, directs them to a personality test, and occasionally makes them “go insane” by repeatedly misunderstanding their most basic questions.

Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants—including all the personal information they shared in those conversations—with tricks as straightforward as guessing the username and password “123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities—including guessing one laughably weak password—allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. “I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more,” says Carroll. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years.”

When WIRED reached out to McDonald’s and Paradox.ai for comment, a spokesperson for Paradox.ai shared a blog post the company planned to publish that confirmed Carroll and Curry’s findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the account with the “123456” password that exposed the information “was not accessed by any third party” other than the researchers. The company also added that it’s instituting a bug bounty program to better catch security vulnerabilities in the future. “We do not take this matter lightly, even though it was resolved swiftly and effectively,” Paradox.ai’s chief legal officer, Stephanie King, told WIRED in an interview. “We own this.”

In its own statement to WIRED, McDonald’s agreed that Paradox.ai was to blame. “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the statement reads. “We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”

One of the exposed interactions between a job applicant and “Olivia.”

Courtesy of Ian Carroll and Sam Curry

Carroll says he became interested in the security of the McHire website after spotting a Reddit post complaining about McDonald's hiring chatbot wasting applicants' time with nonsense responses and misunderstandings. He and Curry started talking to the chatbot themselves, testing it for “prompt injection” vulnerabilities that can enable someone to hijack a large language model and bypass its safeguards by sending it certain commands. When they couldn't find any such flaws, they decided to see what would happen if they signed up as a McDonald's franchisee to get access to the backend of the site, but instead spotted a curious login link on McHire.com for staff at Paradox.ai, the company that built the site.

On a whim, Carroll says he tried two of the most common sets of login credentials: The username and password “admin," and then the username and password “123456.” The second of those two tries worked. “It's more common than you'd think,” Carroll says. There appeared to be no multifactor authentication for that Paradox.ai login page.

With those credentials, Carroll and Curry could see they now had administrator access to a test McDonald's “restaurant” on McHire, and they figured out all the employees listed there appeared to be Paradox.ai developers, seemingly based in Vietnam. They found a link within the platform to apparent test job postings for that nonexistent McDonald's location, clicked on one posting, applied to it, and could see their own application on the backend system they now had access to. (In its blog post, Paradox.ai notes that the test account had “not been logged into since 2019 and frankly, should have been decommissioned.”)

That's when Carroll and Curry discovered the second critical vulnerability in McHire: When they started messing with the applicant ID number for their application—a number somewhere above 64 million—they found that they could increment it down to a smaller number and see someone _else_'s chat logs and contact information.

The two security researchers hesitated to access too many applicants' records for fear of privacy violations or hacking charges, but when they spot-checked a handful of the 64-million-plus IDs, all of them showed very real applicant information. (Paradox.ai says that the researchers accessed seven records in total, and five contained personal information of people who had interacted with the McHire site.) Carroll and Curry also shared with WIRED a small sample of the applicants' names, contact information, and the date of their applications. WIRED got in touch with two applicants via their exposed contact information, and they confirmed they had applied for jobs at McDonald's on the specified dates.

The personal information exposed by Paradox.ai's security lapses isn't the most sensitive, Carroll and Curry note. But the risk for the applicants, they argue, was heightened by the fact that the data is associated with the knowledge of their employment at McDonald's—or their intention to get a job there. “Had someone exploited this, the phishing risk would have actually been massive,” says Curry. “It's not just people's personally identifiable information and résumé. It's that information for people who are looking for a job at McDonald's, people who are eager and waiting for emails back.”

That means the data could have been used by fraudsters impersonating McDonald's recruiters and asking for financial information to set up a direct deposit, for instance. “If you wanted to do some sort of payroll scam, this is a good approach,” Curry says.

The exposure of applicants' attempts—and in some cases failures—to get what is often a minimum-wage job could also be a source of embarrassment, the two hackers point out. But Carroll notes that he would never suggest that anyone should be ashamed of working under the Golden Arches.

“I have nothing but respect for McDonald’s workers,” he says. “I go to McDonald's all the time.”

_Updated at 5 pm ET, July 9, 2025 to make clear that the phishing risks would only be possible if someone had the opportunity to exploit the data._

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

Google says it's Gemini AI will soon be able to access your messages, WhatsApp, and utilities on your phone. But we're struggling to see that as a good thing.

If you’re an Android user, you’ll need to take action if you don’t want Google’s Gemini AI to have access to your apps. That’s because, regardless of your previous settings, Google now allows Gemini to interact with third-party apps.

Through Gemini extensions, it already had the ability to integrate with apps to lend a helping hand and make Google Assistant obsolete. From an email I received in April from Google Gemini:

> **Gemini uses info from your devices and services to help you**
> 
> Gemini uses this info to provide more customized and context-aware help. Gemini accesses certain system permissions and data, like call and message logs, contacts (to help you keep in touch), and screen content (to help you act on it).
> 
> **Gemini works with apps**  
> Gemini can respond with real-time info from other tools, apps, and services like Google Keep and YouTube. To allow connected apps to generate helpful responses, Gemini shares some of your info with them. You can manage your apps in your settings.  

Then further on, it said:

> **Gemini activity and your choices**    
> When you use Gemini, Google collects your activity, like your chats (including recordings of your Gemini Live interactions), what you share with Gemini (like files, images, and screens), product usage information, feedback, and info about your location. This data is stored in Activity (if it’s on), reviewed by trained reviewers, and used to improve Google services, including generative AI.

The bit about trained reviewers was enough for me to decide against using it. There are many AI options that offer a lot more privacy.

But now, according to a Ars Technica, Google has sent an email to Android users that takes it one step further.

_Image courtesy of ArsTechnica_

> “We’ve made it easier for Gemini to interact with your device  
> We’re updating how Gemini interacts with some of the apps on your Android device.  
> Gemini will soon be able to help you use your Phone, Messages, WhatsApp, and utilities on your phone, **whether your Gemini Apps Activity is on or off**.
> 
> This change will **start automatically rolling out** on July 7, 2025.  
> If you don’t want to use these features, you can turn them off in the Apps settings page.
> 
> **If you have already turned these features off, they will remain off.**
> 
> For more details on how these features work with your data, please see the Gemini Apps Privacy Hub.”

_Note: I did not receive this email and the Gemini app is not on my phone. That could be because I’m using a Samsung phone and Samsung offers Bixby as a virtual assistant. It might be my location: sometimes Europe gets these features later. Or potentially the phone is too old (2019)._

**Good news or not?**

While Google presents this as happy news, we’re not in full agreement. Google enabling Gemini to access third-party apps promises exciting AI-driven features but also introduces significant privacy, security, and control challenges.

Android users who want to protect their data and limit AI access should check their app permissions and disable unnecessary AI integrations. However, it turns out, this is not easy. First off, there is a contradiction in Google’s statements. In one place it says the change will automatically start rolling out and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” But in another place it claims, “If you have already turned these features off, they will remain off.”

This is confusing, and even well-versed users are having problems finding the appropriate settings.

All we can do is advise you to make your own, informed, decisions as much as you can:

*   If Android introduces notifications or permission prompts for Gemini access, pay close attention and deny access where possible.
*   Regularly check app permissions in **Settings** > **Privacy** > **Permission Manager** and revoke permissions that are not essential, especially those related to sensitive data (contacts, messages, microphone, camera).
*   If possible, keep your Android OS and apps updated to benefit from security patches and improved privacy controls.
*   Don’t underestimate the importance of an active anti-malware solution on your Android phone.

If Google wants users to be happy about new features, than we’d prefer it announce them and then explain how those who like them can enable them. Don’t turn on settings that we’ve never asked for.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#sap