IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

A week in security (September 29 – October 5)

Last week on Malwarebytes Labs:

Stay safe!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

From threats to apology, hackers pull child data offline after public backlash

Last week we yelled at some “hackers” that threatened parents after stealing data from their children’s nursery.

This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

To prove their possession of the data, the criminals posted samples on their darknet website, including pictures and profiles of ten children. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

A few days later, they added profiles of another ten children and threatened to keep going until Kido paid their ransom demand. The group also published the private data of dozens of employees including names, addresses, National Insurance numbers, and contact details.

The criminals then reportedly contacted parents directly with threatening phone calls whilst pushing to get their ransom paid.

But after massive pushback from the general public and some prominent members of the malware community, the attackers initially blurred the children’s images but left the data online. Soon after, they pulled everything offline and issued an apology.

They even claim to have deleted all the children’s data. One of the cybercriminals told the BBC:

“All child data is now being deleted. No more remains and this can comfort parents.”

But, as we have mentioned many times before, computers—and the internet in particular—are not very good at “forgetting” things. Data tends to pop up in unexpected places. Remember when supposedly deleted iPhone photos showed up again after an iOS update?

And, of course, all we have to go on is the word of a criminal with such a bad reputation that even they seemed ashamed of what they did.

They might be feeling a bit sorry for themselves, as they claim to have paid an initial access broker (IAB) for the access to Kido’s systems and will likely see no return on that “investment”.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Your Meta AI conversations may come back as ads in your feed

Meta has announced that conversations with its AI assistant will soon be used for targeted advertising. If you’re the kind of person that notices ads for products just after you spoke about them, you won’t be happy about this update.

Meta AI is the company’s generative AI assistant, built into Facebook, Instagram, WhatsApp, Messenger, and Threads. It can answer questions, generate text or images, and recommend content.

Users will soon start to receive notifications about how their interactions with Meta’s generative AI features will be used for targeted advertising. So, ask Meta AI about vacations, hobbies, or new gadgets, for example, and you might soon find related ads in your feed.

Certain topics are excluded—religious views, sexual orientation, political views, health, racial or ethnic origin, philosophical beliefs, or trade union membership—but everything else is fair game.

Meta said this update takes effect on December 16, 2025, and will start notifying users on October 7, 2025 through in-product notifications and emails.

Thanks to stricter privacy laws, users in the EU, UK, and South Korea are exempt, The Register reports.

According to Meta, over 1 billion people use its AI every month. And as we all know, targeted ads bring in more money than generic ones. So, this is how Meta plans to earn back all the money it spent on AI development.

Because, like it or not, Meta isn’t really about connecting friends all over the world. Its business model is almost entirely based on selling targeted advertising space across its platforms.

Generative AI providers are increasingly weaving advertising into their products, especially in free or freemium offerings. Many companies now use AI to create personalized ads directly within user interactions. For example, AI-powered recommendation engines analyze user data and behavior to deliver highly targeted ads, boosting relevancy and engagement. Done well, this approach makes ads feel less intrusive and more like natural content suggestions tailored to individual preferences.

Still, the industry faces big ethical and privacy challenges. Brands and AI providers must balance personalization with transparency and user control, especially as AI tools collect and analyze sensitive behavioral data. Many are turning to opt-in mechanisms, clearer privacy settings, and responsible data use policies to maintain user trust while taking advantage of AI’s ability to deliver relevant, personalized ads.

Meta promises that affected users can continue to adjust the content and ads they’re seeing at any time with tools like Ad Preferences and other feed controls.

The Register jokingly suggested we start our Meta AI chats with something from the “excluded” list, hoping to keep the whole conversation from being used for targeted advertising. Their example:

“Oh, Lord, Meta really thought this was a good idea?”

In the end, it might be better not to share anything too personal with Meta AI, or any chatbot for that matter, and stick to kittens and puppies instead.


We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Scam Facebook groups send malicious Android malware to seniors

An infostealer and banking Trojan rolled into one is making the rounds in Facebook groups aimed at “active seniors”.

Attackers used social engineering methods to lure targets into joining fake Facebook groups that appeared to promote travel and community activities—such as trips, dance classes, and community gatherings. Once people joined, they were invited to download an Android app to “register” for those offered activities.

Researchers at ThreatFabric found numerous Facebook groups created under this pretense, stocked with AI-generated content to appear authentic and trick users into downloading the malware. App names included Senior Group, Lively Years, ActiveSenior, and DanceWave. In some cases, victims were also asked to pay a sign-up fee on the same website, leading to phishing and card detail theft.

One of the servers hosting these downloads was located at download.seniorgroupapps[.]com.

seniorgroupapps was blocked by Malwarebytes web protection module

Sometimes the cybercriminals sent a follow-up message through Messenger or WhatsApp, sharing the download links for the malicious apps.

Often this would be the Datzbro Trojan, but sometimes victims were hit with Zombinder, a Trojan dropper capable of bypassing the security restrictions Google introduced in Android 13 and later versions.

What Datzbro can do

The researchers found that Datzbro had capabilities similar to both spyware and banking Trojans—specifically designed to drain bank accounts.

Once installed, this Android malware can:

  • Record audio and video, and access files and photos.
  • Display phishing overlays that mimic other apps to steal passwords and send them to the attackers.
  • Let attackers remotely control infected Android devices, including locking or unlocking the screen.

Researchers analyzed the code and suspect that it was likely developed in China, but later leaked and was reused by broader cybercriminal groups. The campaign has reached victims worldwide, including Australia, Singapore, Malaysia, Canada, South Africa, and the UK.

How to stay safe in Facebook groups

Although many of the Facebook groups involved in this campaign have been taken down, there might be others. To protect yourself:

  • Check a Facebook group’s history and avoid those that might have been freshly set up for malicious purposes. Unfortunately, it’s not possible to check the age of a group before you join, but once you’re a member, look at the dates of historical posts or pinned posts.
  • Don’t click on links or install apps provided by such groups or by private messages from people you don’t really know.
  • Use up-to-date real-time anti-malware protection, especially on your mobile devices.
  • Be wary of groups offering suspicious or too-good-to-be-true promises.
  • Check a group’s description and rules for professionalism or red flags.

It’s worth noting that many of the groups also included a button to download an “iOS application.” These were just placeholders at the time, but might be an indication that there are plans to target iPhone users as well.

Indicators of Compromise (IOCs)

The malicious app used these names:

Senior Group

Lively Years

ActiveSenior

DanceWave

and these package names:

twzlibwr.rlrkvsdw.bcfwgozi

orgLivelyYears.browses646

com.forest481.security

inedpnok.kfxuvnie.mggfqzhl
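
One way to check a device or fleet inventory against the package names above, as an added example that is not part of the original article. It assumes the inventory is the text output of Android's `pm list packages` (plain or `-f` form); the sample output and the helper names are constructed for illustration.

```python
"""Match an Android package inventory against the Datzbro package-name IOCs."""

# Package names taken from the article's IOC list.
IOC_PACKAGES = frozenset({
    "twzlibwr.rlrkvsdw.bcfwgozi",
    "orgLivelyYears.browses646",
    "com.forest481.security",
    "inedpnok.kfxuvnie.mggfqzhl",
})

# Constructed sample of `pm list packages` output mixing the plain and -f forms.
SAMPLE_OUTPUT = """\
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/data/app/~~Zm9vYmFy==/com.forest481.security-aGVsbG8=/base.apk=com.forest481.security
package:com.example.notes
package:orgLivelyYears.browses646
package:com.forest481.security.helper
"""


def parse_pm_list(output):
    """Parse `pm list packages` output into {package_name: apk_path_or_None}.

    Handles the plain form (`package:com.example`) and the `-f` form
    (`package:/path/base.apk=com.example`). Install paths on recent Android
    releases contain `=` characters, so the package name is whatever follows
    the LAST `=` on the line.
    """
    inventory = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # skip banners, warnings and blank lines
        entry = line[len("package:"):]
        if "=" in entry:
            path, name = entry.rsplit("=", 1)
        else:
            path, name = None, entry
        # Some options append extra space-separated fields; keep the first token.
        tokens = name.split()
        if tokens:
            inventory[tokens[0]] = path
    return inventory


def find_ioc_packages(output, iocs=IOC_PACKAGES):
    """Return sorted (package, apk_path) pairs whose name exactly matches an IOC.

    Matching is exact and case-sensitive, so a package that merely starts
    with an IOC name is not reported.
    """
    inventory = parse_pm_list(output)
    return sorted((name, path) for name, path in inventory.items() if name in iocs)


if __name__ == "__main__":
    for package, apk_path in find_ioc_packages(SAMPLE_OUTPUT):
        print(f"IOC match: {package} (apk: {apk_path or 'path not listed'})")
```

Package names are easy for an attacker to change, so a clean result here does not rule out infection; a match is a strong reason to isolate the device.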


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Sendit tricked kids, harvested their data, and faked messages, FTC claims

The Federal Trade Commission (FTC) has sued Sendit’s parent company, saying it signed up children under 13, collected their personal data, and misled them with fake messages and recurring bills.

The lawsuit, filed against the app’s owner Iconic Hearts Holdings Inc and CEO Hunter Rice, alleges the company let users under the age of 13 sign up for Sendit and collected personal information about these users without parental consent—violating the Children’s Online Privacy Protection Rule (COPPA).

Sendit is an add-on for Snapchat and Instagram, rather than a standalone app. Its primary feature is to allow users to post prompts or questions (called a Sendit) on their social media stories and receive anonymous replies from other users.

In 2022, the app registered 116,000 people who self-declared that they were under 13 years old, according to the suit. Even after parents complained, the company continued to collect children’s phone numbers, birthdates, photos, and usernames for Snapchat, Instagram, TikTok and other accounts.

The FTC also alleges that Sendit misled users about its paid “Diamond Membership.” The feature promised to allow users to see who had sent certain messages. In practice, it didn’t reveal the senders, according to the suit. Worse still, the company and its CEO faked some of these messages, the FTC alleges. According to the complaint:

“Defendants trick users into believing that they have received provocative and sometimes sexual or romantic messages from their social media contacts, when in reality it is often Defendants themselves who have sent those messages.”

Iconic Hearts also failed to disclose recurring charges clearly, according to the FTC—charging up to $9.99 every week after making it look like users were paying a single fee to disclose a user’s identity.

Normally, cases like this end in a settlement. This time, the FTC referred the case to the Department of Justice (DoJ). It does this when it believes that the defendants are violating or about to violate the law, and that referring the case would be in the public interest. So now, the Central District of California will decide the case.

Iconic Hearts also publishes the apps Noteit, Starmatch, and Locksmith. Launched in 2018, Sendit has been downloaded more than five million times on Google Play, and the company claims a total user base of around 25 million. The company has claimed Sendit is “the top Gen Alpha social networking app.”

This isn’t the only case where an anonymous messaging app has run afoul of COPPA. In July 2024, the FTC settled with NGL Labs and its founders for $5 million. That app was accused of marketing to kids and teens, sending fake messages to drive up usage, tricking users into paid upgrades, and sneaking in recurring charges.

“Company executives told employees to reach out to high school kids directly,” said the FTC at the time. NGL Labs also falsely claimed that AI content moderation filtered harmful messages like cyber bullying, the Commission added. The settlement banned NGL from marketing its app to anyone under 18.

What could this mean for Iconic Hearts? The current maximum penalty enforceable by courts for failing to comply with COPPA is $53,088 per violation, according to the FTC.

DoJ COPPA-related suits on the FTC’s behalf are not unheard of. Epic Games got a record $275 million penalty for COPPA violations in December 2022 after the DoJ sued it on behalf of the FTC (alongside another $245 million penalty for using ‘dark patterns’ to mislead users).

Epic Games was aware that many children were playing its Fortnite game, yet it collected personal data from children without first obtaining parents’ verifiable consent, the suit said. The company also made it difficult for parents to delete their children’s personal information, and sometimes didn’t do as asked.

The takeaway from this story? Try to keep kids under 13 off social media apps as long as possible, and when the time does come, stay involved. Talk to them about online safety, monitor their usage, and keep the conversation open.



Gemini AI flaws could have exposed your data

Security researchers discovered three vulnerabilities in Google’s Gemini artificial intelligence (AI) assistant. Although now patched, this “Trifecta”, as the researchers called it, raises important questions about how safe AI tools really are, especially as they become a part of services many of us use on a daily basis.

The flaws were found in three different Gemini components:

  • Gemini Cloud Assist, which summarizes logs for cloud services, could be tricked by hidden prompts inside web requests. Attackers could exploit this flaw to sneak malicious instructions into the system, potentially gaining control over cloud resources.
  • Gemini Search Personalization Model could be manipulated by attackers who injected harmful prompts into a user’s Chrome browsing history by getting them to visit a special website. If the user later interacted with Gemini’s personalized search AI, the injected commands could force the AI to leak personal data, including saved information and location.
  • Gemini Browsing Tool could be tricked into sending stored user information and location data to a malicious server through its web page summarization feature.

Google fixed these issues by blocking Gemini from rendering dangerous links and strengthening its defenses against such prompt injections. But if you used Google services that rely on Gemini AI, there is a chance these vulnerabilities were exploited before the patch—especially if you visited a malicious website or used Gemini features tied to cloud services.

These vulnerabilities are prime examples of how AI, despite its benefits, can open new attack avenues. Attackers may hide malicious instructions inside ordinary files and web requests, fooling AI into performing harmful actions without any obvious warning signs.

For everyday users, the risk is low—Google has already patched these vulnerabilities. But this news reminds all of us that AI security is an evolving concern, especially as new features and use-cases may be developed with security as an afterthought.

How to safely use AI

These flaws show that AI systems themselves can be used as a method for attacks, not just a target. This is important as AI becomes more embedded in cloud services and applications.

To stay safe:

  • Avoid visiting unknown or suspicious websites, especially those that prompt you to interact with AI assistants.
  • Keep software, browsers, and apps up to date to benefit from security patches.
  • Be mindful of the information you share with AI tools.
  • Use a real-time anti-malware solution, preferably with web protection.


Tile trackers plagued by weak security, researchers warn

Researchers at the Georgia Institute of Technology scrutinized the security of the popular Tile tracker and came out disappointed.

Bluetooth trackers are a steadily growing market, and Life360 is one of the major players. In 2021, Amazon expanded its Sidewalk network to include Tile. That means Ring cameras and Echo devices can act as relays, picking up the location of Tile trackers and phones running the Tile app.

Reportedly, some 88 million Tile trackers are in use worldwide, but researchers reported that Tile trackers were not as safe as they hoped. The major problem the researchers found is that the trackers broadcast an unencrypted, static MAC address and unique ID. To allow users to find their wallet or lost items, other Bluetooth devices or radio-frequency antennas in a tracker’s vicinity can pick up these signals to follow the movements of the tracker.

That’s the whole point, you’d think. But let me clarify what’s wrong with this method.

Other trackers don’t broadcast their actual MAC address. Instead, they send out a temporary ID based on it, which makes long-term tracking harder. Tile does things differently: while it rotates the unique ID, it still transmits the same MAC address. Researchers also found the rotating ID generation was weak and could allow continuous tracking.

The receiver then sends the tracker’s location, MAC address, and unique ID to a server without encryption. The researchers believed the server stored this information in cleartext, which would mean Life360 could continuously monitor the location of trackers and their owners who have the app installed.

As one of the researchers put it while warning about the dangers:

“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime.”

This could pose a major problem in case of a breach or if your tracker was caught in a mass scan. In other tracker systems, the information about the location of a tag is decrypted by using a key only available on the user’s phone, so only the owner can see this information.

Another issue is Tile’s anti-stalking feature. After concerns were raised about the ability to stalk persons with these trackers, most manufacturers added automatic alerts that warn the user if a tracker that is not theirs is following them around.

With Tile, the app doesn’t scan in the background—the user has to start the scan manually. Even then, it only works if the user keeps moving around for 10 minutes.

This behavior could be due to a feature that Tile offers and others don’t: anti-theft mode. Tile users have the ability to make their trackers invisible to others, so would-be thieves can’t scan an area to see if there are any items with a Tile in the vicinity.

But stalkers could abuse the same feature. They would still see the tag’s location, while the victim’s scan would not detect it, leaving them unaware of a rogue device.

To enable Anti-Theft Mode, Tile requires a government-issued ID, a live photo of the user, and agreement to a $1 million fine if convicted of stalking. While this could deter some abusers, researchers note it isn’t clear whether the penalty is enforceable.

The researchers concluded that many of the problems they found with Tile trackers could be solved by encrypting the signals it broadcasts, and they didn’t understand why the company apparently hadn’t followed the example of its competitors.

That sounds easier than it might be though. In February 2025, researchers found a way to track any Bluetooth device using the nRootTag vulnerability in the “Find My” network. Apple has a partial fix out, but full protection may take years. This shows that a redesign from (almost) scratch could be a lengthy and costly process.

In a statement to The Verge, a spokesperson for Life360 said the company had “made a number of improvements” since researchers reported the issue last November, although it didn’t provide any details about the fixes. From the statement:

“Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service.”

To help you find the main differences between Tile and other trackers, we constructed this overview.

| Features | Tile | Others |
| --- | --- | --- |
| Static MAC address | Uses static MAC addresses, enabling persistent tracking by anyone nearby. | Uses rotating MAC addresses that change frequently to prevent tracking. |
| Data transmission | Broadcasts unique IDs and device data unencrypted via Bluetooth, which is easily intercepted. | Uses encrypted communication with nearby devices, protecting data in transit. |
| Data storage | Stores location and device data unencrypted on own servers, making it vulnerable to breaches. | Stores encrypted data on servers, reducing risk from breaches. |
| Detection of unwanted trackers | Requires users to manually scan with Tile app’s Scan and Secure feature, which is less intuitive. | Automatically alerts users of unknown trackers traveling with them and provides a way of disabling them. |
| Anti-theft feature | Offers “anti-theft mode,” which hides trackers from detection scans, but which makes automatic stalking alerts ineffective. | No equivalent feature. |

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Apple fixes critical font processing bug. Update now!

Apple has released important security updates to address a critical vulnerability in FontParser—the part of macOS/iOS/iPadOS that processes fonts.

Identified as CVE-2025-43400, the flaw was discovered internally by Apple and allows an attacker to craft a malicious font that can cause apps to crash or corrupt process memory, potentially leading to arbitrary code execution.

While Apple hasn’t said it’s being actively exploited, similar bugs have been used in jailbreaks and spyware attacks in the past, so it’s smart to patch it promptly.

How to update your devices

How to update your iPhone or iPad

iOS and iPadOS users can check whether they’re using the latest software version by going to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPadOS update available for CVE-2025-43400

How to update macOS on any version

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

  • Click the Apple menu in the upper-left corner of your screen.
  • Choose System Settings (or System Preferences on older versions).
  • Select General in the sidebar, then click Software Update on the right. On older macOS, just look for Software Update directly.
  • Your Mac will check for updates automatically. If updates are available, click Update Now (or Upgrade Now for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
  • Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
  • Make sure your Mac stays plugged in and connected to the internet until the update is done.

How to update Apple Watch

  • Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
  • Keep your Apple Watch on its charger and close to your iPhone.
  • Open the Watch app on your iPhone.
  • Tap General > Software Update.
  • If an update appears, tap Download and Install.
  • Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

How to update Apple TV

  • Turn on your Apple TV and make sure it’s connected to the internet.
  • Open the Settings app on Apple TV.
  • Navigate to System > Software Updates.
  • Select Update Software.
  • If an update appears, select Download and Install.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

Updates for your particular device

| Name and information link | Available for |
| --- | --- |
| iOS 26.0.1 and iPadOS 26.0.1 | iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later |
| iOS 18.7.1 and iPadOS 18.7.1 | iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later |
| macOS Tahoe 26.0.1 | macOS Tahoe |
| macOS Sequoia 15.7.1 | macOS Sequoia |
| macOS Sonoma 14.8.1 | macOS Sonoma |
| visionOS 26.0.1 | Apple Vision Pro |
| watchOS 26.0.2 (no published CVE entries) | Apple Watch Series 6 and later |
| tvOS 26.0.1 (no published CVE entries) | Apple TV HD and Apple TV 4K (all models) |

Technical details

The vulnerability tracked as CVE-2025-43400 was described as an out-of-bounds write issue in FontParser that, when exploited, could cause the processing of a maliciously crafted font to lead to unexpected app termination or corrupt process memory.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Typically, fonts are safe and standardized files used daily in countless apps and websites, but due to this vulnerability an attacker can create a specially crafted font file containing manipulated data that exploits vulnerabilities in the font processing engine of the operating system. When this malicious font is loaded by an app or system process, it can trigger memory corruption or crashes. In worst-case scenarios, this can enable attackers to execute harmful code remotely, gaining control over the device.

Given that fonts are widely used and often processed silently in the background, font vulnerabilities pose a significant risk vector for attackers aiming to compromise devices.
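
The kind of validation that stops a length or offset read from a font file from steering a parser outside its buffer, as an added example; it is not Apple's code and not the specific CVE-2025-43400 defect, whose details the article does not give. It goes beyond the text by using the OpenType/TrueType (sfnt) table directory as the concrete format; the font bytes and helper names are constructed for illustration.

```python
"""Bounds-check the table directory of an sfnt (TrueType/OpenType) font file."""
import struct

# sfnt header: sfntVersion, numTables, searchRange, entrySelector, rangeShift
SFNT_HEADER = struct.Struct(">IHHHH")
# table record: tag, checksum, offset, length
TABLE_RECORD = struct.Struct(">4sIII")


def check_table_directory(data):
    """Return a list of problems in the table directory (empty list = consistent).

    Every count, offset and length is attacker-controlled input. Each one is
    compared with the real file size before anything would be read or copied.
    """
    if len(data) < SFNT_HEADER.size:
        return ["file shorter than the 12-byte sfnt header"]
    _version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        return [f"numTables={num_tables} needs a {dir_end}-byte directory, "
                f"file has {len(data)} bytes"]
    problems = []
    for i in range(num_tables):
        record_at = SFNT_HEADER.size + i * TABLE_RECORD.size
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, record_at)
        name = tag.decode("latin-1")
        if offset < dir_end:
            problems.append(f"{name}: offset {offset} points into the header/directory")
        # In C this must be written as `length > size - offset` (after checking
        # offset <= size) so that the addition cannot wrap around.
        if offset + length > len(data):
            problems.append(f"{name}: offset {offset} + length {length} "
                            f"runs past end of file ({len(data)})")
    return problems


def build_sample_font(tables):
    """Build a minimal sfnt-shaped blob from {tag: payload} (sample data only)."""
    offset = SFNT_HEADER.size + len(tables) * TABLE_RECORD.size
    header = SFNT_HEADER.pack(0x00010000, len(tables), 0, 0, 0)
    records, body = b"", b""
    for tag, payload in tables.items():
        records += TABLE_RECORD.pack(tag, 0, offset, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)  # 4-byte alignment
        body += padded
        offset += len(padded)
    return header + records + body


def with_table_length(font, index, new_length):
    """Return a copy of `font` whose table record `index` claims `new_length` bytes."""
    buf = bytearray(font)
    length_field = SFNT_HEADER.size + index * TABLE_RECORD.size + 12
    struct.pack_into(">I", buf, length_field, new_length)
    return bytes(buf)


# Constructed inputs: a consistent blob, and one whose 'glyf' length field lies.
GOOD_FONT = build_sample_font({b"cmap": b"\x00" * 20, b"glyf": b"\x01" * 32})
TAMPERED_FONT = with_table_length(GOOD_FONT, 1, 4096)

if __name__ == "__main__":
    print("good:", check_table_directory(GOOD_FONT))
    print("tampered:", check_table_directory(TAMPERED_FONT))
```

A native parser that copied `length` bytes for the tampered `glyf` table without this check would run past the end of its buffer, which is the class of memory corruption described above.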



260 romance scammers and sextortionists caught in huge Interpol sting

Online crime of all kinds is deplorable, but romance scammers and sextortionists who target the most vulnerable victims are among the worst. Now, there’s likely a place for 260 of them in jail, thanks to international law enforcement.

Interpol’s Operation Contender 3.0 targeted alleged criminals from several countries across Africa. It arrested 260 people and captured 1,235 electronic devices. Investigators linked 1,463 victims to the scams, and said their losses amounted to around $2.8 million.

The images from Interpol’s press release tell just as lurid a story as the numbers do. In one, over 30 phones lie on a table, each with a different case. These were the devices that the scammers likely used to carry out their crimes, which focused on romance scams and extortion.

Criminals lured victims with fake online identities built from stolen photos and forged documents, then exploited victims through romance scams that demanded bogus courier or customs fees. Others ran sextortion schemes, secretly recording explicit video chats to extort money.

What to watch for

Romance scams are all too familiar to those in the know, but still catch out plenty of lonely people looking for affection online. A criminal half a world away will get to know a victim, often beginning the relationship via an ‘accidental’ text message, or via a dating site or social media. A fake social media account, usually with a stolen photo, lends them credibility. They will gradually get to know the victim, luring them into what seems like a romantic relationship. If you’re talking to someone who claims to be in the military and therefore unable to travel, be very wary. This is a common scam tactic.

Eventually the request for money will come, in some form or other. In some scams, it’ll be a recommendation to invest in a fraudulent investment scheme (this used to be called ‘pig butchering’ but now Interpol prefers the more humane term ‘romance baiting’).

In other variations of the scam, there will be a plan to visit the victim – except, of course, there’s some financial hurdle that the perpetrator must overcome before they can travel. If the victim sends the money, the requests will keep coming, always with another excuse for why they can’t make the trip just yet.

Talking with someone you’ve never met who’s asking for financial help with a medical emergency, or to solve a legal or business issue? Think twice before sending the funds. Then think a third time. Then don’t do it.

A loneliness epidemic

In an era where people are increasingly lonely, romance scams are a surprisingly effective tactic. Americans lost $1.2 billion to romance scammers last year, with median losses hitting $2,000.

The extortion side of things is even more horrid. People aren’t just lonely these days; they’re lusty. That leads to many people doing things online with strangers that they shouldn’t, including sharing intimate images or videos of themselves. Once a criminal has those assets, they can use them to extort the victims by threatening to send the material to their friends, family, and professional contacts.

Romance scams and other forms of financial fraud can come from anywhere, including in your own country. But Africa does seem to be a hotbed for it. Last year’s Interpol Africa Cyberthreat Assessment Report found that cybercrime accounted for 30% of all reported crime in Western and Eastern Africa. Criminals engage in many kinds of digital crime, according to the report, including business email compromise and banking malware, but online scams are especially popular—as are digital sextortion and harassment.

Interpol arrested eight people a year ago in Nigeria and Côte d’Ivoire for financial fraud including romance scams as part of its Contender 2.0 operation. And in 2022, it dismantled a South African gang for swindling companies, but also suspected it of being involved in romance scams.


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Amazon pays $2.5B settlement over deceptive Prime subscriptions

Another day, another settlement. Amazon has settled a lawsuit filed by the Federal Trade Commission (FTC) over misleading customers who signed up for Amazon Prime—though it claims it did nothing wrong.

The FTC alleged that Amazon used deceptive methods to sign up consumers for Prime subscriptions—and made it exceedingly difficult to cancel.

In the settlement, Amazon will be required to pay a $1 billion civil penalty, provide $1.5 billion in refunds to consumers harmed by its deceptive Prime enrollment practices, and cease unlawful enrollment and cancellation practices for Prime.

The FTC claimed in its lawsuit that Amazon had used:

“manipulative, coercive, or deceptive user-interface designs known as ‘dark patterns’ to trick consumers into enrolling in automatically-renewing Prime subscriptions.” 

Dark patterns are tricks on websites or in apps to nudge or mislead people toward choices they wouldn’t normally make, like spending more money or signing up for recurring services without realizing it. Instead of helping users, these designs obscure, confuse, or pressure viewers to act quickly or accidentally.

Some common examples are:

  • Large, colorful “Yes” buttons, but almost hidden “No” options
  • Confusing cancellation steps with unclear language
  • Pre-checked boxes for paid extras
  • Endless popups urging one not to leave a page

Former FTC commissioner Alvaro Bedoya described Amazon’s “End Your Prime Membership” method as:

“a 4-page, 6-click, 15-option cancellation journey that Amazon itself compared to that slim airport read, Homer’s Iliad.”

Due to Amazon’s use of dark patterns, millions of people ended up signing up for Prime, some without realizing they’d agreed to recurring charges. Others gave up trying to cancel due to the exhausting steps.

The FTC found this to be a violation of the Restore Online Shoppers’ Confidence Act, which was signed into law in 2010 to prevent companies using deception to prompt or encourage online purchases.

Amazon issued a statement saying:

“Amazon and our executives have always followed the law and this settlement allows us to move forward and focus on innovating for customers. We work incredibly hard to make it clear and simple for customers to both sign up or cancel their Prime membership, and to offer substantial value for our many millions of loyal Prime members around the world. We will continue to do so, and look forward to what we’ll deliver for Prime members in the coming years.”

Customers who enrolled in Prime between June 23, 2019 and June 23, 2025 may be eligible for a refund. Those who rarely used Prime benefits will automatically get back their fees—capped at $51—while others who meet the criteria can apply for a refund of up to the same amount.

As we argued a few days ago, settlements like these highlight a worrying trend: big tech pays off privacy violations, class actions grab headlines, and lawyers collect fees—while consumers hand over personal details again for a token payout.

