Archive for author: makoadmin

Telegram will hand over user details to law enforcement

Last month we reported how Telegram CEO Pavel Durov was indicted on charges of complicity in the distribution of child sex abuse images, aiding organized crime, drug trafficking, fraud, and refusing lawful orders to give information to law enforcement.

Now, in a potentially related development, chat app Telegram has changed its privacy policy to reflect that it will share user’s IP addresses and telephone numbers if they are suspected of committing a crime.

“8.3. Law Enforcement Authorities

If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.”

Durov said the changes were made to discourage the criminal abuse of Telegram Search, a feature that is known to be used for buying and selling illegal goods. A dedicated team of moderators will use Artificial Intelligence to make the search safer. These moderators will also go over reports submitted by users through the @SearchReport bot about search terms that can be used to find illegal content.

All these measures together should discourage criminals. Telegram was set up to find friends and news, not to trade illegal goods, Durov emphasized:

“We won’t let bad actors jeopardize the integrity of our platform for almost a billion users.”

It should be clear that this is all a work in progress. The bot for the transparency reports is not yet ready for action, for example.

Transparency report bot is not ready yet
Telgram transparency report is not ready yet

“This bot can give you a Telegram transparency report as per section 8.3 of the Telegram Privacy Policy.

We are updating this bot with current data. Please come back within the next few days.”

All in all, the future will show how adequate the moderators can act on reports and how easy, or difficult, it will be for law enforcement to submit a “valid order.”

But criminals are probably already looking for alternatives as we speak.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Don’t share the viral Instagram Meta AI “legal” post

A new variation of a hoax that has been doing the rounds on Facebook for years has crossed over to Instagram.

We’re seeing this post on Instagram Stories a lot suddenly over the last few days. The post is usually posted as a shareable screenshot on Instagram Stories, but it’s also been spotted on Facebook and Threads as a copy-and-paste text.

IG

“Repub

Goodbye Meta AI. Please note an attorney has advised us to put this on, failure to do so may result in legal consequences. As Meta is now a public entity all members must post a similar statement. If you do not post at least once it will be assumed you are okay with them using your information and photos. I do not give Met or anyone else permission to use any of my personal data, profile information or photos.”

The fact that this post has been shared by some celebrities is a possible explanation for the sudden popularity. And, as is often the case, true stories about Facebook scraping photos to train its Artificial Intelligence (AI) can rekindle the popularity and urgency to post this type of useless notifications.

Instagram has started to flag versions of the post as false information which means people need to click ‘see post’ to view it. But what happens often is that somebody will start fresh with a slightly revamped version that will not be flagged.

While some may think it doesn’t hurt to share these posts just to be sure, it really isn’t a good idea. It spreads the false posts further, and people may feel they have opted out of their images being used after posting this, when in reality they haven’t. In many cases it would even be contradictory to the terms and conditions they agreed on.

Meta, the company that owns Facebook and Instagram published new terms and conditions, effective on June 26, 2024, which specifically allow it to use posts, images and online tracking data to train its AI large language model called LLaMa 3.

On inspection of the links in the notification, it became clear that the company will use years of personal posts, private images or online tracking data for a “AI technology” that can ingest personal data from any source and share any information with undefined “third parties.”

European and UK users can opt out of this. For others, sadly, it’s not so easy.

How to opt out of Meta using your images for AI training

Logged in citizens of the EU and the UK can visit the Meta Privacy Center from either their Facebook account or their Instagram account.

How to opt out of Meta using your data to train AI on Facebook

  • Tap on your profile picture after logging in
  • Tap Settings and Privacy
  • Scroll down to the Privacy Center
  • Under Privacy topics, tap AI at Meta
  • Tap Information you’ve shared on Meta products and services
  • From there you’ll be presented with a form to fill out and Submit when you’re done.
AI at Meta in Privacy Center
AI at Meta in the Privacy Center

How to opt out of Meta using your data to train AI on Instagram

  • Tap on the hamburger menu from your profile (three stacked lines)
  • Scroll down to the Privacy Center
  • Under Privacy topics, tap AI at Meta
  • Tap Information you’ve shared on Meta products and services
  • From there you’ll be presented with a form to fill out and Submit when you’re done.

Whether you use Facebook or Instagram to opt out, you should then receive both an email and a notification on your account confirming whether your request has been successful.

Users in the US or other countries without national data privacy laws don’t have any foolproof ways to prevent Meta from using their data to train AI.

My advice: insist that your politicians make some noise and get you similar opt-out options.

Romance scams costlier than ever: 10 percent of victims lose $10,000 or more

Romance scams continue to plague users, but their costs have risen to staggering heights, according to a Malwarebytes survey carried out last month via our weekly newsletter.

More than 66 percent of 850 respondents have been targeted by a romance scam, and those that were ensnared paid a hefty price, with 10 percent of victims losing $10,000 and up. A shocking 3 percent parted with $100,000 or more. The vast majority of those who lost money were unable to recover it, highlighting the need for increased awareness of evolving romance scam tactics and aggressive new methods of manipulation.

Romance scams, also known as confidence or dating scams, typically involve people being targeted online, with the scammers building their victim’s trust over several months. Victims are led to believe they’re in a committed relationship before being tricked into sending money, valuables, and personal information, or to launder money on the perpetrator’s behalf. In addition, some scammers convince their targets into investing in fraudulent cryptocurrency schemes, a method known as pig butchering.

While these scams are nothing new, their popularity has risen since the pandemic and ensuing loneliness epidemic, driven by an increasing reliance on the internet to connect. However, with the return to in-person gatherings, our survey results show romance scams have hardly petered out. Rather, they’re as pervasive as ever, with 52 percent of respondents targeted in the last year alone. And they’ve advanced, as cybercriminals now tap into global scamming networks for scripts, training, and technology to squeeze more money from victims.

As David Ruiz, Senior Privacy Advocate at Malwarebytes, puts it:

“Romance and dating scams are run by sophisticated cybercriminals who know what they’re doing. They conduct research, and follow a playbook. The more we can remove the stigma surrounding victims and provide education and resources, the faster we can minimize the devastating effects of these scams.”

According to the Federal Trade Commission (FTC), over 64,000 people reported romance scams in 2023, with losses totaling $1.1 billion. The Federal Bureau of Investigation (FBI) received 17,823 complaints last year, costing victims nearly $653 million. However, that data doesn’t capture the recent trend of pig butchering, as romance scammers increasingly incorporate crypto investment fraud for higher payouts. Financial losses from investment fraud totaled $4.6 billion in 2023, the costliest internet crime for consumers.

For a full breakdown of survey results, including demographics, scammer tactics, and financial and emotional impacts, read below.

Demographics of romance scams

The majority of survey respondents were subject to romance scam advances within the last year, with 37 percent saying it happened within the last six months, and an additional 15 percent saying it happened between six months and one year ago.

The majority of targets are over the age of 55 (74 percent) and male (56 percent), a pattern consistent with previous trends. As with most scams, older users are targeted because they typically have more assets but are perhaps less familiar with online security. The Department of Homeland Security says cybercriminals zero in on recently widowed or divorced seniors for their vulnerability and access to cash.

However, 26 percent of victims are between 18 and 54 years old. In fact, the FTC asserts that the most common victims of romance scam sextortion are 18–29 years old.

How romance scammers make contact

Perhaps not surprisingly, the vast majority of phony romantic overtures took place on social media and online dating apps, with 38 and 31 percent of survey respondents targeted on those platforms, respectively. In fact, the proliferation of scams is one reason noted for the decline in social media and dating app use over the last two years. A recent Barclays survey found one third of Brits avoid online dating and dating apps due to romance scam fears.

Romance scams that start on social media end up costing the most. The FTC found from January 2021 to June 2023, more money was lost to scams originating on social media than by any other contact method. Consumers lost $2.7 billion in social media fraud, with crypto investment and romance scams resulting in the steepest costs, accounting for 67 percent of total losses. In the first six months of 2023, half of those who lost money to romance scams said it began on Facebook, Instagram, or Snapchat.

Romance scammers prefer using social media and dating apps to reach their targets because they can easily create fake profiles and tailor their personas to content victims share and like. Criminals can even use advertising tools to methodically select targets based on personal details such as age, interests, or past purchases. More recent trends involve romance scammers using AI to draft convincing emails, create fake photos in the likeness of their target’s recently-departed spouse, or develop deepfake videos of celebrities endorsing their investment scheme.

In addition, despite having strong anti-scam controls, nearly 16 percent of surveyed romance scam targets were initially contacted by email. Just over 10 percent were reached via text, a popular contact method for pig butchering.

How long does the scam last?

If survey results are an indication, the majority of those targeted by romance scams have become savvy to their ways—though Malwarebytes newsletter subscribers may be particularly well-informed. 55 percent knew it was a scam right away and never responded. Almost 19 percent figured out the scam within one week, meaning nearly three-quarters of respondents demonstrated excellent cybersecurity awareness.

Unfortunately, that leaves 26 percent engaging with romance scammers for more than two weeks, with 12 percent spending several months talking to pretend paramours, and 5 percent in a faux relationship for one year or more. In general, the longer a respondent was “together” with their scammer, the more money they lost. The exceptions were those who recognized the scam immediately, but spent weeks or months leading them on to waste their time. While this might seem like poetic justice, many romance scammers themselves are victims of human trafficking, forced to work up to 15 hours a day extracting enough money from victims to meet impossibly high quotas.

Money lost

User awareness wins the day again, preventing nearly three quarters of those targeted by a romance scam from losing money. However, the majority of those who did part with cash lost a lot of it—10 percent lost $10,000 or more, and 3 percent reported losses in the six figures. An additional 7 percent of survey respondents were scammed out of $1,000–$9,999, and 5 percent lost between $200 and $999. Just 3 percent of victims were scammed out of less than $200.

This means a full 22.5 percent of those targeted by a romance scam end up losing $1,000 and up—enough to make a significant impact on finances, especially for those with lower incomes. In 2023, romance scam victims—not counting those who reported crypto investment fraud—lost a median of $2,000 per person, the highest reported losses for any form of imposter scam, according to the FTC. Romance scams were also the third costliest fraud type reported to the FTC by older Americans (age 60 and over).

The FBI 2023 Internet Crimes Report noted financial losses to investment scams rose from $3.3 billion in 2022 to $4.6 billion in 2023—a 38 percent increase over the 183 percent gained the previous year. Combined, romance and investment scams were the costliest and second-most common internet crimes reported to the FBI last year as well, a fact reflected in Malwarebytes’ survey results and participant testimonials.

Tellingly, 94 percent of those who lost money were unable to recover it. Those who wish to recover cryptocurrency should be aware of additional scams by fraudulent businesses promising to trace and return funds. No private sector company can recover crypto—only legal or internal processes can compel cryptocurrency exchanges to release money back to victims.

Reporting the scam

Stigma is still a problem in dealing with the aftermath of a romance scam. Victims report heightened feelings of betrayal and shame on top of their financial burden. Yet 40 percent of surveyed romance scam victims didn’t tell another soul about what happened. An additional 30 percent only opened up to their closest confidantes. And while research suggests individuals impacted by the stress and trauma of romance scams benefit from counseling or support groups, just 4 percent sought out therapy after their experience.

However, there does appear to be a larger portion of romance scam targets willing to speak out than in the past. One quarter of our survey respondents said they told many others about their ordeal, with 11 percent submitting reports to law enforcement and/or nonprofit organizations. Data obtained by the BBC shows there were 7,660 cases processed in England and Wales by a self-reporting tool last year, up from 4,842 in 2019.

How to spot and avoid a romance scam

Romance scams aren’t going away, so here’s how to spot signs that someone isn’t who they say they are.

  • Their profile and picture seem too good to be true
  • They profess love and affection very quickly
  • They share a lot about themselves in the first meeting
  • They claim to be overseas and cannot stay in one place for long
  • They try to lure you from whatever platform you are on to talk to you via email or video chat
  • They claim to need money for something

Here’s what you can do to keep yourself safe:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in. Use tools such as the Malwarebytes Personal Data Remover to minimize the amount of data accessible through search engine results, spam lists, and people search sites.
  • Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
  • Never give money to anyone you’ve met online
  • Get a second opinion from someone you trust
  • If in doubt, back away and report the account.

If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the Internet Crimes Complaint Center (IC3), which is run by the FBI, or the FTC on its reporting and resources page.

To talk with other romance scam victims in safe online forums, go to the reddit thread r/Romancescam, or apply to the private Facebook Support Group for Romance Scam Victims.

Malwarebytes Personal Data Remover: A new way to help scrub personal data online 

There’s an awful lot about you online that some awful groups want to exploit.  

The right combination of personal data points could help an identity thief fool a bank into opening a new, fraudulent line of credit in your name. Your alma mater, salary, and email address could help an online scammer craft the perfect phishing lure to trick you into donating to a bogus school fund. Your new address could be vulnerable to obsessive stalkers, your phone number could attract countless robocalls, and even your recent divorce status could make you a target for romance scammers.  

There’s now a way to fight back, with Malwarebytes Personal Data Remover. 

For years, the public have had few defenses to evolving online scams, as sensitive, personal details are all too easy to find online. Some of this data gets exposed through the major, corporate data breaches that now punctuate our lives, but some of this data isn’t “exposed” at all.  

Instead, it’s traded through a bustling network of “data brokers” that work tirelessly to collect and sell people’s names, addresses, phone numbers, bankruptcy records, salaries, marital statuses, and more. This can generate easy money though hyper-precise online advertising, or it can be done to power “people search” sites that leave nearly nothing to a scammer’s imagination.  

People deserve better.  

Today, Malwarebytes is simplifying your security and privacy with the release of our new Personal Data Remover.  

For people in the United States, Malwarebytes Personal Data Remover provides:   

  • Immediate, deep scans across roughly 175 databases to find your personal data. 
  • Personalized, in-depth reports on what data is being sold and who is selling it.  
  • Automatic data removal requests for subscribers, which can save 300+1 hours of manual work in wiping sensitive details off the internet, along with free DIY guides to tackle each site individually.  
  • Recurring scans and data removal requests that will make it harder for invasive websites to rebuild their digital portraits of you.2  

Malwarebytes Personal Data Remover represents our latest advancement in extending cybersecurity beyond antivirus.  

The truth is that modern threats to your privacy and your security have changed dramatically in a few short years, as cybercriminals are no longer focused only on infecting and controlling your device with viruses and malware. Rather, online scammers and thieves can glean relevant, personal details about your life to make it easier to steal your identity, take your money, or frighten you with empty ransom demands.  

This is why, almost a year ago, we launched Identity Theft Protection to help people prevent and recover from online identity theft, followed by the release of our free Digital Footprint Portal that provides free, in-depth reports about what data of yours is currently exposed online.  

With Malwarebytes Personal Data Remover, we hope to provide security and privacy beyond your device and into your entire experience online.  

Try Malwarebytes Personal Data Remover today.  Take back control of your data.

1. Based on historical user data on the average time it takes to search, remove, and monitor re-exposure.  

2. Available for paid subscribers in the United States only.    

100 million+ US citizens have records leaked by background check service

A background check left a huge database unprotected online containing 2.2TB of people’s data, according to research by Cybernews.

The database was left passwordless and easily accessible to anyone on the internet by background check firm MC2 Data. MC2 Data gathers publicly available data to provide decision makers with information whether someone can rent a house, work at their firm, or be granted a loan.

The data is usually gathered from online sources like criminal records, employment history, family data, and contact details.

Just like the huge National Public Data breach, this is another example of companies that most of us have never heard having extensive databases with an enormous amount of personal data. In this case, the researchers found 106,316,633 records containing private information about US citizens.

Cybernews estimates that at least 100 million individuals are affected, meaning approximately one in three US citizens can expect to find their data in the data set.

The websites that MC2 Data operates include:

  • PrivateRecords
  • PrivateReports
  • PeopleSearcher
  • ThePeopleSearchers
  • PeopleSearchUSA

And the leaked data included:

  • Names
  • Emails
  • IP addresses
  • User agents
  • Encrypted passwords
  • Partial payment information
  • Home addresses
  • Dates of birth
  • Phone numbers
  • Property records
  • Legal records
  • Property records
  • Family, relatives, neighbors data
  • Employment history

To make things even worse, the data of 2,319,873 users who subscribed to MC2 Data services were leaked as well.

It is incomprehensible that services like these are allowed to exist without any kind of control or sense of responsibility. Regardless of all the regulations and laws these companies need to abide by, we find time and again that their security measures are below par.

As the researchers put it:

“While background-check services keep trying to prevent such cases, they haven’t been able to stop such use of their services completely. Such a leak is a goldmine for cybercriminals as it eases access and reduces risk for them, allowing them to misuse these detailed reports more effectively.”

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Relationship broken up? Here’s how to separate your online accounts

Breaking up is hard to do. The internet has made it harder.

With couples today regularly sharing access to one another’s email accounts, streaming services, social media platforms, online photo albums, and more, the risk of a bad breakup isn’t just heartache. Equipped with unfettered access into sensitive, shared online accounts, a vindictive ex could track someone who is actively using services like DoorDash, Uber, or Airbnb, spy on someone through a Ring doorbell, raise the temperature on a Nest thermostat, or shout obscenities through a baby monitor.

As every relationship is different, there’s no one-size-fits-all solution to safely disentangling your digital life from your ex, but there are a few rules that can make the process easier.

And, because this can be a lot of work, here are a few things that can help you along the way:

  • A password manager that will help you create and store unique passwords for each online account.
  • The use of multifactor/two-factor authentication on every sensitive account that allows it.
  • A friend who can go through these exercises side-by-side with you.

Further down is a more comprehensive checklist of many considerations you can take in separating your digital life from your ex, but, here’s a quick, handy guide:

Digital breakup checklist

It’s important to remember that this work won’t be completed in a day. That’s entirely okay. Instead of trying to accomplish everything in one weekend, prioritize the most sensitive work—cutting off access to email accounts, online banking, shared photo albums, social media, and any services or apps that can reveal your location.

As Malwarebytes recently discovered in research conducted this year, 56% of people in committed relationships in the United States agreed that they “would like to see more guidance on how to handle shared logins, accounts, and apps in a relationship or during a breakup,” and 45% agreed that they “would have a hard time knowing where to begin if I no longer wanted to share location-based apps or services with my partner or in the event of a breakup.”

We hope this digital breakup checklist, which is not comprehensive, can provide some of that guidance.

Here is the Modern Love Digital Breakup Checklist.

1. Review shared devices

  • Log out of personal accounts on shared devices, including laptops, tablets, e-readers, smartphones, smart TVs, and Internet of Things devices. This includes:
    • Email, social media, and online banking accounts on shared tablets, computers, and smartphones.
    • Email, social media, and online banking accounts on the shared devices of children/the entire family.
    • Entertainment accounts (Hulu, Netflix, Disney+, Spotify, etc.) on smart TVs and streaming devices such as Roku, Google Chromecast, Apple TV, etc.
  • Remove your ex’s accounts from any device you share that you will maintain ownership of after the breakup. Here’s are guides on how to remove someone from:

2. Review shared accounts

  • For shared accounts where you and your ex had one set of login credentials, log out of those shared accounts on your own device.
  • If you want to continue using those services, create a new personal account with a unique password.

3. Review personal accounts

  • Before resetting passwords, check the recovery settings on your personal account to ensure that any attempts to reset your password will be sent to your personal email account and not to an email account owned by your ex.
  • Before resetting passwords, consider using a password manager to help create, store, and remember unique passwords for each account.
  • Reset and create unique passwords for sensitive accounts, including:
    • Email accounts
    • Online banking and financial accounts (Chase, Wells Fargo, Venmo, PayPal, Zelle, Cash App, etc.)
    • Online shopping accounts (Amazon, Etsy, Shein, Temu, etc.)
    • Social media accounts (TikTok, Instagram, Facebook, etc.)
    • Shared cloud accounts for photos (Google Photos, iCloud)
    • Shared cloud accounts for file storage (Dropbox, Box, etc.)
    • Streaming entertainment accounts (Netflix, Disney+, Hulu, Spotify, Apple Music, etc.)
    • Parental monitoring apps (Life360, Bark, Qustodio)
    • Online forums and chat services (Reddit, Discord, etc.)
  • Reset and create unique passwords for accounts that can expose your location to users who are logged into the same account, including:
    • Food and grocery delivery apps (Uber Eats, DoorDash, Postmates, etc.)
    • Ride-sharing apps (Uber, Lyft, etc.)Vacation rental apps (Airbnb, Vrbo, etc.)
    • Health and fitness tracking apps (FitBit, Strava, etc.)
    • Connected apps for modern cars with anti-theft location tracking
  • Enable multifactor authentication on sensitive accounts and accounts that can expose your location, when provided as an option.

4. Review/remove your signed-in devices

  • Check your security settings in your online accounts to review what devices are currently logged into the same account. If you see a device that does not belong to you, force that device to be logged out.
    • If you take this step after successfully resetting your password, those devices will be required to use the new password (which only you should know).
    • These settings can often be found in “security” or “privacy and security” tabs in most apps.

5. Review the location settings of your device

6. Review “Find My/Find My Device” settings

  • Modern devices come pre-installed with anti-theft services called “Find My” on iPhones and “Find My Device” on Android phones. These are the same services that many couples use to track one another’s location, and turning these services off will shut off access that other people (including exes, friends, and family) have to your location.

7. Review the location settings of individual apps

  • If you want to keep location sharing on for convenience, you can review individual apps on your device and select how you would like your location to be accessed by those apps.
    • iPhones allow you to choose one of several options for how frequently apps will access and use your location: Never, Ask Next Time Or When I Share, While Using the App, or Always. You can review location sharing settings on iPhone here.
    • Android phones allow you to choose one of several options for how frequently apps will access and use your location: Allowed all the time, Allowed only while in use, and Not allowed.
    • You can review location sharing settings on Android here.

8. Maintain your ongoing security and privacy

  • If you find it safe and necessary, block your ex on certain social media platforms, messaging apps, etc.
  • Review the privacy settings of social media apps to ensure that your posts are not inadvertently shared with an ex.
    • Consider whether your ex could see your posts because you have mutual friends who may reveal your posts to your ex.
  • Review automatic cloud backups for photos you take with your smartphone.
    • If your ex compromises your iCloud or Google Photos account—and your photos are automatically backed up to those accounts—they could retrieve sensitive photos that you want to keep private.
  • When entering a new relationship, have a conversation about consensually and safely sharing your location (or choosing not to).

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

San Francisco’s fight against deepfake porn, with City Attorney David Chiu (Lock and Code S05E20)

This week on the Lock and Code podcast…

On August 15, the city of San Francisco launched an entirely new fight against the world of deepfake porn—it sued the websites that make the abusive material so easy to create.

“Deepfakes,” as they’re often called, are fake images and videos that utilize artificial intelligence to swap the face of one person onto the body of another. The technology went viral in the late 2010s, as independent film editors would swap the actors of one film for another—replacing, say, Michael J. Fox in Back to the Future with Tom Holland.

But very soon into the technology’s debut, it began being used to create pornographic images of actresses, celebrities, and, more recently, everyday high schoolers and college students. Similar to the threat of “revenge porn,” in which abusive exes extort their past partners with the potential release of sexually explicit photos and videos, “deepfake porn” is sometimes used to tarnish someone’s reputation or to embarrass them amongst friends and family.

But deepfake porn is slightly different from the traditional understanding of “revenge porn” in that it can be created without any real relationship to the victim. Entire groups of strangers can take the image of one person and put it onto the body of a sex worker, or an adult film star, or another person who was filmed having sex or posing nude.

The technology to create deepfake porn is more accessible than ever, and it’s led to a global crisis for teenage girls.

In October of 2023, a reported group of more than 30 girls at a high school in New Jersey had their likenesses used by classmates to make sexually explicit and pornographic deepfakes. In March of this year, two teenage boys were arrested in Miami, Florida for allegedly creating deepfake nudes of male and female classmates who were between the ages of 12 and 13. And at the start of September, this month, the BBC reported that police in South Korea were investigating deepfake pornography rings at two major universities.

While individual schools and local police departments in the United States are tackling deepfake porn harassment as it arises—with suspensions, expulsions, and arrests—the process is slow and reactive.

Which is partly why San Francisco City Attorney David Chiu and his team took aim at not the individuals who create and spread deepfake porn, but at the websites that make it so easy to do so.

Today, on the Lock and Code podcast with host David Ruiz, we speak with San Francisco City Attorney David Chiu about his team’s lawsuit against 16 deepfake porn websites, the city’s history in protecting Californians, and the severity of abuse that these websites offer as a paid service.

“At least one of these websites specifically promotes the non-consensual nature of this. I’ll just quote: ‘Imagine wasting time taking her out on dates when you can just use website X to get her nudes.’”

David Chiu, San Francisco City Attorney

Tune in today for the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

SpaceX, CNN, and The White House internal data allegedly published online. Is it real?

A cybercriminal has released internal data online that they say has come from leaks at several high-profile sources, including SpaceX, CNN, and the White House.

However, there are some questions around the reliability and usefulness of the released data, so we took a closer look.

When it comes to the the SpaceX data set, the poster is apparently not a big fan of Elon Musk.

BreachForums post about SpaceX
BreachForums post about SpaceX data

Their post on data leak site BreachForums says:

“Today I present data from Spacex, because F*** you elon musk, thats why LOL

The leak contains, Emails, Hashes, Numbers, Hosts, IP’s”

But looking at the data we spotted some strange looking entries.

For example, by searching for Elon’s email address we found all these:

collection of possible email addresses for Elon Musk at SpaceX
Now I still don’t know where to send the pitch for my brilliant Mars colonization idea.

SpaceX has not acknowledged this data breach, and it doesn’t seem likely that it will.

Moving on to the White House data set, we also found something that looked odd while looking at the email addresses. A lot of them seem to be composed of German words followed by the @whitehouse.gov domain name.

fabricated whitehouse.gov email addresses
Potentially fabricated whitehouse.gov email addresses

Again, the breach claim has not been acknowledged, nor do we expect it to be.

The same poster claims to have breached another company, Up North Pride, by impersonating a police officer:

“I sent them a fake data request from a law enforcement email, and they handed over what they had and this is what they handed over”

In this case, looking at the data, the email addresses of the partnering organizations at least look real.

The motive of the cybercriminal for posting the way they did is unclear. Many of these posters are just looking for attention, potentially hoping to sell some of the data by getting their name out there. Or they are trying to annoy some of the people they don’t like.

For now, we wait and see, but it’s probably not worth giving it the time of day.

Check your digital footprint

If you want to find out if your personal data was exposed through a data breach, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you use most frequently to sign up for sites and services) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A week in security (September 16 – September 22)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

“Simply staggering” surveillance conducted by social media and streaming services, FTC finds

The US Federal Trade Commission (FTC) released a report that examines the data collection and use practices of major social media and video streaming services, finding that—and this will not come as a surprise to our regular readers—the companies engaged in vast surveillance of consumers in order to monetize their personal information while failing to adequately protect users online, especially children and teens.

The report, called A Look Behind the Scenes: Examining the Data Practices of Social Media and Video Streaming Services, is based on responses from nine companies to questions about how the companies collect, track, and use personal and demographic information, how they determine which ads and other content are shown to consumers, whether and how they apply algorithms or data analytics to personal and demographic information, and how their practices impact children and teens.

The companies that were ordered to respond own some of the household social media and streaming service names. They are Amazon (Twitch), Meta (Facebook and Instagram), YouTube, X (Twitter), Snap (Snapchat), ByteDance (TikTok), Discord, Reddit, and WhatsApp.

Some of the specific information that the FTC was looking for included:

  • How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information.
  • How they determine which ads and other content are shown to consumers.
  • Whether they apply algorithms or data analytics to personal information.
  • How they measure, promote, and research user engagement.
  • How their practices affect children and teens.

The conclusions seemed to upset the FTC, but we weren’t even mildly surprised:

“The amount of data collected by large tech companies is simply staggering. They track what we read, what websites we visit, whether we are married and have children, our educational level and income bracket, our location, our purchasing habits, our personal interests, and in some cases even our health conditions and religious faith. They track what we do on and off their platforms, often combining their own information with enormous data sets purchased through the largely unregulated consumer data market.”

The FTC also mentions that some of these companies increasingly rely on hidden pixels and other means of tracking visitors, not only on their own, but also on other websites, to track our behavior down to every click.

Some of the responders were even unable to identify all the data points they collected or all of the third parties they shared that data with.

The report comes to the conclusion that self-regulation is not the answer to these problems. We can see all around the news that with the rise of the artificial platforms that many of these companies are developing, the incentive to use our data for their own purposes is only growing.

“Predicting, shaping, and monetizing human behavior through commercial surveillance is extremely profitable.”

US Federal Trade Commission, “A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services”

This has created a number of companies that have a huge influence on our economy, our democracy, and our society as a whole. Companies that, it appears, believe they can dodge the obligation to provide the Commission with complete answers while hiding their collection practices with limited, incomplete, or unhelpful responses that appear to have been carefully crafted to be self-serving, and to avoid revealing key pieces of information.

While their services provide us with the option to connect with the world from the palm of your hand, many of them have been at the forefront of building the infrastructure for mass commercial surveillance. They have access to information about every aspect of our lives and our behavior.

This comes not only with costs to our privacy, it harms our competitive landscape and affects the way we communicate and our well-being, especially the well-being of children and teens.

Some of the key findings of the report are:

  • Many of the companies collected and could indefinitely retain troves of data from and about users and non-users, and they did so in ways consumers might not expect.
  • Many of the responding companies relied on selling advertising services to other businesses based largely on using the personal information of their users. The technology powering this ecosystem took place behind the scenes and out of view to consumers, posing significant privacy risks.
  • Algorithms, data analytics, and/or AI were applied to users’ and non-users’ personal information. These technologies controlled everything from content recommendation to search, advertising, and inferring personal details about users, while the users lacked any meaningful control over how personal information was used for AI-fueled systems.
  • The trend among the responding companies was that they failed to adequately protect children, but especially teens, who are not covered by the Children’s Online Privacy Protection Rule (COPPA).

The recommendations of the FTC focus on legislation about the transparency of the data-usage, disclosure of sensitive personal data for advertising purposes, and the need to protect young users from the information-absorbing tech giants.

For more details and specific answers from each of the companies, you can check the 129 page report.

I want to close this off with a quote from the report that we whole-heartedly agree with:

“Our privacy cannot be the price we pay to accomplish ordinary basic daily activities”

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.