Archive for author: makoadmin

Is your computer mouse eavesdropping on you?

The short answer is: probably not, but theoretically it’s possible.

Researchers at the University of California found a method they called Mic-E-Mouse, which turns your computer mouse into a spy that can listen in on your conversations.

The method uses high-performance optical sensors in optical mice, combined with artificial intelligence, to filter out background noise and:

“achieve intelligible reconstruction of user speech.”

These sensors are highly sensitive (sometimes up to 20,000 dots per inch) and can detect the tiniest vibrations. And the attack doesn’t require expensive gear—the researchers used a $35 mouse to test their method and achieved 61% accuracy.

This is a classic side-channel attack—a way of stealing secrets not by breaking into software, but by observing physical clues that devices give off during normal use.

For example, let’s suppose you wanted to figure out someone’s bank password. A direct attack might involve trying to guess or steal the password. A side-channel attack, on the other hand, would be more like watching how they type, listening to the rhythm of their keyboard, or even detecting their body language as they log in.

What’s concerning about side-channel attacks is that they often don’t leave obvious clues.

Because the computer keeps working normally, there are usually no traces in logs, security alerts, or signs that anything’s wrong. Traditional defenses like antivirus software or firewalls can’t always detect them because these attacks rely on physical behavior—how a computer uses power, emits signals, or makes noise—which can’t easily be isolated or blocked without changing how the hardware itself works.

But it is possible to counter such an attack, since Mic-E-Mouse requires the target computer to run special software that security tools may detect as malicious. At some point, the software must send the collected data to the attacker, increasing the chance it will be intercepted. To avoid detection, attackers are unlikely to reconstruct speech on the victim’s computer; instead they may transfer the raw mouse-movement files directly to a computer or server they control somewhere on the internet.

Attack flow for Mic-E-Mouse—image courtesy of researchers at the University of California

For most users, this vulnerability isn’t cause for alarm. It’s noteworthy mainly because it transforms a trusted peripheral into a potential listening device without any visible signs or behavioral changes. But as high-DPI mice are now common in offices and gaming setups, this attack vector could be exploited by cybercriminals or spies to capture personal information, trade secrets, or private conversations. So, if you’re working in environments such as corporate offices, government sites, or home offices used for confidential tasks, the risk is higher.

What can I do about Mic-E-Mouse?

The researchers have notified 26 affected mouse manufacturers, which are now developing fixes to protect sensor data.

Until then, if you’re worried about this type of attack being deployed against you:

  • Use a mouse mat or desk cover to reduce the mouse’s ability to collect data via vibrations.
  • Work in a noisier environment (we recommend music).
  • Keep your mouse firmware and drivers up to date—manufacturers may release security patches.
  • Use up-to-date real-time anti-malware, preferably with a web protection component to block malicious software and outgoing traffic to known malicious servers.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

“Can you test my game?” Fake itch.io pages spread hidden malware to gamers

You get a message from a Discord friend. Or maybe an unknown indie developer reaches out to you. “Can you test my game?” they ask. 

The page they link to looks legit: screenshots, a dev blurb, an itch.io-style layout, and the download button is right there, waiting to be clicked.  

The problem is these lookalike pages don’t give you the real game. Instead they drop a stealthy loader that quietly prepares your PC for follow-up malware. 

One lure we’ve seen impersonates the popular 2D platformer Archimoulin (the real game can be found here: nicolasduboc.itch.io/archimoulin). 

Fake itch.io page with download button

How they spread it – social engineering 101 

This scam nails two things gamers trust: friends and downloads. 

  1. A trusted delivery channel. The lure often arrives in a DM from someone on your friends list—usually because the attacker is using a compromised account. People are far more likely to click links from friends. 
  2. Familiar hosting and UI. The impersonators use Blogspot subdomains or cloud links and fake itch-style pages so the site looks legitimate. Sometimes the downloads are served via Dropbox or a similar service people trust. 
  3. A convincing sign-in page. Some variants present a fake Discord sign-in page first to harvest credentials. This hands the attacker control of your account, which they can use to spread the link to your contacts. 

Reddit threads from victims show this pattern again and again: an innocuous “test my game” DM, a convincing page, then account takeover and mass-messaging to the victim’s friends. 

What actually happens when you click? 

Here’s what the user sees, and what the stealth loader is really doing: 

  • Double-click the downloaded Setup Game.exe and… nothing obvious happens. No installer UI, no progress bar. (That’s deliberate – the attacker wants the install to happen without alarming you.) 
  • The executable spawns PowerShell with a long, encoded command. (Attackers hide commands in encoded strings so the malicious script isn’t obvious at first glance.) 
  • The command decodes another script and runs it directly in memory. (Running in memory means the malware doesn’t leave a neat file on disk for antivirus to find, so it’s harder to detect.) 
  • That inner script hides the PowerShell window using a tiny .NET trick, so there’s no black console popping up to make you suspicious. (With no visible window there’s nothing to make you stop and ask what’s running.) 
  • The code tries to relaunch itself with admin rights (runAs) and compiles a small helper on the fly using csc.exe. (You’ll see temp folders and RES*.tmp files while it runs.) 
  • It unpacks a Node.js runtime and native modules into your user cache (C:\Users\<you>\.cache\pkg\...). (The malware is giving itself a toolkit, making it more flexible in what it can do next.) 
  • The installer even runs taskkill to force-close major browsers (Chrome, Brave, Firefox, Edge, and Opera). (That stops you from immediately googling what’s happening and then stopping the install.) 
  • In our sandbox run it didn’t phone home right away; instead it performed checks (net session, registry queries, BIOS/network checks) to confirm it’s on a “real” machine, then waits for the right moment to download the main payload. (Malware often avoids sandboxes, looking for signs it’s on a real user’s computer before unleashing the main payload.) 
Screenshot of installer

Bottom line: The Setup Game.exe is a stager/loader – quiet on purpose, ready to pull down follow-up malware (backdoors, keyloggers, coinminers, or worse) when conditions match what the attacker wants.  

What to watch out for 

  • Unexpected DM with a download link: If you get a message offering an indie game you didn’t expect, verify it with the sender on another channel first. 
  • No installer UI but strange behavior after running: If there’s no installer window or progress bar, but your browsers crash or you see temporary compile folders appear, that’s a red flag. 
  • Unexpected folders appear: Look for new folders you didn’t create, like C:\Users\<you>\.cache\pkg… or %TEMP%\xlfvhkx3…, especially if you haven’t installed developer tools. 
  • PowerShell running with -EncodedCommand: Check running processes and process-creation logs for signs that a hidden script is running. 
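The indicators in the list above translate directly into detection logic. The Python script below is an added example written for this article, not code from the campaign or from Malwarebytes. It takes process-creation records (a constructed sample in the shape you would get after parsing Sysmon Event ID 1 or Security event 4688; the field names are this example's own), decodes any -EncodedCommand payload (base64 over UTF-16LE, which is what keeps the script from being obvious at a glance), and flags the behaviours described above: in-memory execution, the hidden console window, the RunAs relaunch, csc.exe spawned by PowerShell, and taskkill against browsers. The inner script, paths and PIDs are constructed for illustration and are not the real sample's.

```python
import base64
import binascii
import re

# Every prefix of -EncodedCommand that powershell.exe accepts (-e, -en, -enc,
# ... -encodedcommand) plus the documented -ec alias; matched case-insensitively.
ENC_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"-ec"}
BROWSERS = {"chrome.exe", "brave.exe", "firefox.exe", "msedge.exe", "opera.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

# Things worth flagging once the encoded script is readable again.
SCRIPT_INDICATORS = [
    (r"(?i)\bIEX\b|Invoke-Expression", "in-memory execution (IEX/Invoke-Expression)"),
    (r"(?i)FromBase64String", "nested base64 payload"),
    (r"(?i)ShowWindow|WindowStyle\s+Hidden", "console window hidden"),
    (r"(?i)-Verb\s+RunAs", "relaunch with admin rights (RunAs)"),
]

def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None  # flag present but the payload is not valid base64/UTF-16LE
    return None

def analyze(events):
    """Score process-creation records; returns one finding per suspicious process."""
    findings = []
    for e in events:
        reasons = []
        image = e["image"].rsplit("\\", 1)[-1].lower()
        parent = e.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        if image in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(e["cmdline"])
            if script is not None:
                reasons.append("-EncodedCommand present")
                reasons += [why for pat, why in SCRIPT_INDICATORS if re.search(pat, script)]
            if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", e["cmdline"]):
                reasons.append("launched with hidden window")
            if parent not in INTERACTIVE_PARENTS:  # heuristic: a game installer is not a shell
                reasons.append(f"unusual parent: {parent}")
        elif image == "csc.exe" and parent in ("powershell.exe", "pwsh.exe"):
            reasons.append("csc.exe spawned by PowerShell (runtime compile)")
        elif image == "taskkill.exe":
            killed = sorted({t.lower() for t in e["cmdline"].split() if t.lower() in BROWSERS})
            if killed:
                reasons.append("taskkill against browsers: " + ", ".join(killed))
        if reasons:
            findings.append({"pid": e["pid"], "image": image, "reasons": reasons})
    return findings

# Constructed inner script mirroring the behaviours described above (decode a
# second stage, hide the console via a Win32 call, relaunch elevated, run in memory).
INNER_SCRIPT = (
    "$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:STAGE2)); "
    "Add-Type -Name W -Namespace N -MemberDefinition "
    "'[DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr h, int n);'; "
    "[N.W]::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0); "
    "Start-Process powershell.exe -Verb RunAs -ArgumentList $s; "
    "IEX $s"
)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation records (the shape you would get after parsing
# Sysmon Event ID 1 or Security 4688); PIDs and paths are made up.
SAMPLE_EVENTS = [
    {"pid": 5100, "image": r"C:\Users\alice\Downloads\Setup Game.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Users\\alice\\Downloads\\Setup Game.exe"'},
    {"pid": 5120, "image": PS, "parent_image": r"C:\Users\alice\Downloads\Setup Game.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -enc " + encode_ps(INNER_SCRIPT)},
    {"pid": 5144, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": PS,
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\abc123\abc123.cmdline"},
    {"pid": 5160, "image": r"C:\Windows\System32\taskkill.exe", "parent_image": PS,
     "cmdline": "taskkill /F /IM chrome.exe /IM msedge.exe /IM firefox.exe"},
    # Benign control: an admin's interactive session with nothing encoded.
    {"pid": 5200, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile Get-Service"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}):")
        for r in f["reasons"]:
            print("   -", r)
```

Run on the sample, the benign interactive session and the installer itself produce no finding; the PowerShell child of Setup Game.exe is flagged for the encoded command, the hidden window, the unusual parent and each behaviour recovered from the decoded script, and the csc.exe and taskkill children are flagged on their own. The parent-process heuristic will also fire on legitimate installers that run PowerShell, so treat it as a signal to combine with the others rather than an alert on its own.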

What to do if you already ran it 

Act quickly and use a different, clean device for the first steps. 

  • From another device, change your passwords (Discord, email, Steam) and enable 2FA. 
  • Log out all sessions and revoke authorised apps/tokens. 
  • Disconnect the infected PC and run a full Malwarebytes scan. 
  • Remove obvious new files/folders (e.g., C:\Users\<you>\.cache\pkg…, %TEMP%\xlfvhkx3…). 
  • Tell your friends not to click links from your account and report the pages to the host (Blogger/Dropbox) and your platform (Discord/Steam). 
  • If you see signs of deeper compromise, back up essentials and do a clean reinstall or get professional help. 

Final note—indie communities are built on trust 

Archimoulin is an indie game; the fake pages are not. Scammers are exploiting the goodwill between players and creators. That’s the worst bit of all: it weaponizes the community itself. 

A quick sanity check—to pause, verify the URL, and ask the sender via another app—is all it takes to avoid the hassle of cleaning up a compromised PC (or losing your account and friends). Share this with your clan: one click is all it takes for an attacker to turn a fun, indie moment into a mess. 

Indicators of compromise (IOCs) 

cakewind[.]blogspot.com 

carnagev1[.]blogspot.com 

kelarigame[.]blogspot.com 

klorigame[.]blogspot.com 

meraliagame[.]blogspot.com 

ravielchy[.]blogspot.com 

ravielchygame[.]blogspot.com 

tamunagame[.]blogspot.com 

veriliagame[.]blogspot.com 


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Don’t connect your wallet: Best Wallet cryptocurrency scam is making the rounds

Phishers and scammers can’t get enough of sending their feeble attempts to Malwarebytes employees. For that we can’t thank them enough, because it means we can warn you, our readers.

This time the scammers tried to impersonate Best Wallet—an app that lets people store, send, and receive cryptocurrencies like Bitcoin and Ethereum directly on their own device, without needing a middleman or a bank.

The aim of this scam: to trick people into connecting their cryptocurrency wallets to a fake site, giving scammers a way to steal private keys, seed phrases, or other payment details.

There are many cryptocurrency-based scams around, but this one is a little different.

Text for BestWallet event

“BestWallet : You are eligible for our event !”

The shortened URL leads to https://bestwallet-event[.]com/.

To avoid detection by bots and researchers, the website is behind a Captcha—which also builds a bit of false trust, since it’s something visitors expect to see.

hCaptcha challenge

Solving the Captcha brings the target to a rather convincing copy of the real bestwallet(.com) website, featuring the so-called event.

fake Best Wallet website

For those new to cryptocurrencies, an “airdrop” is a giveaway of a new or existing cryptocurrency to promote awareness or reward supporters of a project or platform.

On the surface the site looks very similar to the legitimate one, right down to the branding, visual assets, and even the FAQ content. But one thing stood out: the “Connect a Wallet” button in the top right-hand corner.

The real site only provides links to official app stores for downloads. It doesn’t include wallet connect options or payment forms.

If you were to tap that “Connect a Wallet” button, you’d see these options:

lots of wallets to choose from

This is the same menu you’ll see if you click the “Claim Token” or “Check Eligibility” buttons, by the way.

The code on the fake website also includes JavaScript that could capture or intercept what users enter while connecting a wallet or signing a transaction—unlike the official site, which directs users to app stores for all sensitive actions.

local javascript calls

From all this it seems obvious the scammers’ goal is to phish wallet credentials, private keys, seed phrases or steal payment details. These attacks are often disguised in interactive buttons/forms that the real site never uses outside the regulated app or store environments.

How to stay safe

Besides the golden rule–that when it sounds too good to be true, it probably is, or at least deserves extra scrutiny–there are a few other tips to stay out of the scammers’ claws:

  • Don’t respond to unsolicited text messages.
  • Never click on links in messages before verifying the destination. Scammers use shortened URLs to hide impersonation domains.
  • Use up-to-date real-time protection on your devices, preferably with a web protection component:
    Malwarebytes blocks bestwallet-event.com
  • If you see any prompt for wallet connection, seed phrase, or card details directly in the browser, close the tab immediately. That’s a strong sign the site is fake and attempting to steal your cryptocurrency.
  • If you’re unsure whether a message is a scam, submit it to Malwarebytes Scam Guard and it will help you decide and provide advice.


Troops and veterans’ personal information leaked in CPAP Medical data breach

In December 2024, CPAP Medical Supplies and Services Inc. (CPAP), a Jacksonville, Florida-based provider of sleep therapy services and CPAP machines, experienced a cybersecurity incident that compromised the personal data of over 90,000 patients.

Since CPAP Medical specializes in tailored sleep apnea equipment for the US military, most of the patients are military members, veterans, and their families.

An unauthorized actor accessed CPAP’s network between December 13 and December 21, 2024. The breach wasn’t discovered until late June 2025, and affected parties were notified by mid-August. The stolen data includes:

  • Full names
  • Birth dates
  • Social Security numbers
  • Health insurance information
  • Medical history
  • Treatment plans

The impact is particularly severe for military personnel and their families, many of whom rely on medical equipment and services like those CPAP provides. Exposure of personal and health data can have serious consequences, including risks to personal security, eligibility for benefits, future job applications, and trust in healthcare providers.

CPAP says it is unaware of any misuse of patient data as a result of the incident, but the affected individuals have been offered free credit monitoring and identity theft protection as a precaution.

Healthcare data breaches are unfortunately common, often affecting tens or even hundreds of thousands of people each year. Cybercriminals frequently target healthcare organizations because of the sensitive data they store—information that can be exploited for identity theft, fraud, or blackmail.

Protecting yourself after a data breach

CPAP has sent personalized notifications to the affected patients. If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Discord warns users after data stolen in third-party breach

Popular social platform Discord has suffered a data breach—though technically, it wasn’t Discord itself that was hacked. A third-party customer support provider was compromised, allowing attackers to access Discord’s user data. Either way, it’s Discord users who feel the impact.

The breach, which happened on September 20, didn’t involve a direct attack on Discord’s servers. Instead, attackers gained access through a customer support partner. Criminals claimed they breached Zendesk, the help desk service Discord uses for customer support, according to reports.

Attackers stole data including real names, Discord usernames, email addresses, and other contact details provided to customer support. The breach appears to have been financially motivated and included a ransom demand.

In some cases, “limited billing information” was also taken—including payment type, the last four digits of credit card numbers, and purchase histories. Customer IP addresses and messages with support agents were also exposed.

More concerning is that some users had especially sensitive information stolen. Discord said in its advisory:

“The unauthorized party also gained access to a small number of government-ID images (e.g., driver’s license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.”

Attacks like this show how large the fallout can be when consumer-focused services are hit.

Discord, once known mainly for gaming communities, now hosts more than 200 million monthly active users and is widely used by companies to host customer and community channels.

According to vendor risk management firm Rescana, the attackers identified themselves as Scattered Lapsu$ Hunters (SLH). BleepingComputer reported this too, but later said SLH changed its story, pointing to another group it knows and interacts with.

The problem with these kinds of groups is that they often share techniques and even members, muddying the waters.

Rescana described SLH as a coalition—combining tactics from Scattered Spider, Lapsu$, and ShinyHunters: groups known for stealing data from third-party partners like support vendors or software suppliers. The attacks relied on social engineering rather than malware.

Discord disclosed the incident 13 days later, on October 3. It has since revoked its support provider’s access, launched an internal investigation with a forensics firm, and notified affected users.

The company reminded users that any communication about the breach will come only from noreply@discord.com and that it will never call users directly.


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Phishers target 1Password users with convincing fake breach alert

In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials of a Malwarebytes employee.

Stealing someone’s 1Password login would be like hitting the jackpot for cybercriminals, because it could let them export every login the target has stored in the password manager.

The phishing email looked like this:

email screenshot 1Password

“Your 1Password account has been compromised

Unfortunately, Watchtower has detected that your 1Password account password has been found in a data breach. This password protects access to your entire vault.

Take action immediately

To keep your account secure, please take the following actions:

– Change your 1Password account password

– Enable two-factor authentication

– Review your account activity

Secure my account now

If you need help securing your account, or have any questions, contact us. Our team is on hand to provide expert, one-on-one support.”

While the email looks convincing enough, you can spot a few red flags.

  • The sender’s address watchtower@eightninety[.]com does not belong to 1Password, which uses the domain @1password.com.
  • If you hover over the “Secure my account now” button you’ll notice that it points to: https://mandrillapp[.]com/track/click/30140187/onepass-word[.]com?p={long-identifier}

Although 1Password’s Watchtower feature can send alerts about compromised passwords, it does so by checking its database of known data breaches and then notifying you directly within the 1Password app or through very specific emails about the breach—not by sending a generic message like this.

Obviously, onepass-word[.]com is a feeble attempt to make the link look legitimate. I guess all the good typosquats were already taken or protected. What’s interesting is that the “Contact us” link goes to the legitimate support.1password.com, although it too passes through a mandrillapp redirect.
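The tracking-redirect link in this email and the shortened URL in the Best Wallet text above come down to the same check: where does the click really land, and does that domain belong to the brand the message claims to be from? The Python below is an added example written for this article, not code from Malwarebytes or from either write-up. It unwraps a destination embedded in a tracking link (a bare hostname in the path, as in the mandrillapp link here, or a full URL in the query string), reduces hosts to their registrable domain with a small stand-in for the Public Suffix List, and reports senders and links that are not the brand's, noting when the brand name has been planted inside a domain the brand does not own. It does not resolve short links (that needs a network request), so the Best Wallet case is fed the landing URL the text above reports; the tracking identifiers after the domains and the brand keyword lists are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Mail-tracking/redirect services: a link through one of these is judged by the
# destination embedded in the URL, not by the tracker's own host.
TRACKING_HOSTS = {"mandrillapp.com"}
# Tiny stand-in for the Public Suffix List; real code should use the PSL itself.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

def refang(s: str) -> str:
    """Turn the defanged notation used in write-ups (example[.]com, hxxp) back into a usable string."""
    return s.replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(host: str) -> str:
    """support.1password.com -> 1password.com; www.example.co.uk -> example.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def final_destination(url: str):
    """Return (host, via_tracker): the host a click actually lands on."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if registrable_domain(host) not in TRACKING_HOSTS:
        return host, False
    # A full URL in the query string (?url=https://...) wins...
    for values in parse_qs(p.query).values():
        for v in values:
            v = unquote(v)
            if v.startswith(("http://", "https://")):
                return (urlparse(v).hostname or "").lower(), True
    # ...otherwise a bare hostname used as a path segment (/track/click/<id>/<host>).
    for seg in p.path.split("/"):
        seg = unquote(seg).lower()
        if HOST_RE.match(seg):
            return seg, True
    return host, True  # tracker link with no recoverable destination

def check_message(sender, links, brand_domains, brand_keywords):
    """Flag a sender or link that does not belong to the brand the message claims to be from."""
    brand_domains = {d.lower() for d in brand_domains}
    findings = []
    if sender:  # None for SMS, where there is no sender domain to check
        sender_dom = registrable_domain(refang(sender).rsplit("@", 1)[-1])
        if sender_dom not in brand_domains:
            findings.append(f"sender domain {sender_dom} is not one of {sorted(brand_domains)}")
    for link in links:
        host, via = final_destination(refang(link))
        dom = registrable_domain(host)
        if dom in brand_domains:
            continue
        note = f"link lands on {dom}" + (" (via tracking redirect)" if via else "")
        bare = re.sub(r"[^a-z0-9]", "", dom.rsplit(".", 1)[0])  # "onepass-word" -> "onepassword"
        if any(k in bare for k in brand_keywords):
            note += ": brand name inside a domain the brand does not own"
        findings.append(note)
    return findings

# Constructed inputs built from the indicators quoted in the two write-ups above;
# the ?p= values and the keyword lists are this example's own.
ONEPASSWORD_PHISH = dict(
    sender="watchtower@eightninety[.]com",
    links=["https://mandrillapp[.]com/track/click/30140187/onepass-word[.]com?p=abc123",
           "https://mandrillapp[.]com/track/click/30140187/support.1password.com?p=def456"],
    brand_domains={"1password.com"}, brand_keywords={"1password", "onepassword"},
)
BESTWALLET_SMISH = dict(  # SMS: no sender domain; the short link has already been expanded
    sender=None, links=["https://bestwallet-event[.]com/"],
    brand_domains={"bestwallet.com"}, brand_keywords={"bestwallet"},
)

if __name__ == "__main__":
    for name, case in (("1Password email", ONEPASSWORD_PHISH), ("Best Wallet text", BESTWALLET_SMISH)):
        print(name, "->", check_message(**case) or ["nothing suspicious"])
```

For the 1Password email the checker reports the foreign sender domain and the onepass-word.com landing page behind the tracker, while the "Contact us" link passes because it resolves to a 1password.com host; for the Best Wallet text it reports bestwallet-event.com as a brand name inside a domain the brand does not own. The two-label suffix table is deliberately minimal: swap in the real Public Suffix List before relying on registrable_domain for anything beyond a demonstration.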

Mandrillapp is a transactional email API and delivery service provided by Mailchimp. It enables organizations to send automated, event-driven emails like order confirmations, password resets, and shipping notifications. Mandrill also provides delivery tracking and statistics to its customers.

What the scammers may not have realized is that Mandrillapp doesn’t forward people to known phishing websites.

Malwarebytes blocks onepass-word.com

Shortly after the emails went out on October 2, the domain was already classified as a phishing site by several vendors. By October 3, anyone who clicked the button would end up viewing an error message on mandrillapp[.]com saying bad url - reference number: {23 character string}.

But early birds would have seen this form:

online form asking for 1password credentials

Anyone who fell for this scam would have sent their 1Password credentials straight to the phishing crew.

On September 25, 2025, Hoax-Slayer reported a very similar phishing expedition. This suggests this was not the first, and probably not the last, attempt of its kind, so be warned.

With the key to your password vault, cybercriminals could take over all your important accounts and potentially steal your identity, so be very careful about where and when you use these credentials.

Our advice:

  • Do not click any links or buttons in an unsolicited email.
  • Do not provide any of your 1Password credentials or personal information.
  • If you are concerned about your 1Password account, go directly to the official 1Password website or app and check your account status there.
  • Use up-to-date real-time protection which includes a web protection module.

Indicators of compromise (IOCs)

Email address:

watchtower@eightninety[.]com

Phishing domain:

onepass-word[.]com



What’s there to save about social media? (Lock and Code S06E20)

This week on the Lock and Code podcast…

“Connection” was the promise—and goal—of much of the early internet. No longer would people be separated from vital resources and news that was either too hard to reach or made simply inaccessible by governments. No longer would education be guarded behind walls both physical and paid. And no longer would your birthplace determine so much about the path of your life, as the internet could connect people to places, ideas, businesses, collaborations, and agency.

Somewhere along the line though, “connection” got co-opted. The same platforms that brought billions of people together—including Facebook, Twitter, Instagram, TikTok, and Snapchat—started to divide them for profit. These companies made more money by showing people whatever was most likely to keep them online, even if it upset them. More time spent on the platform meant more likelihood of encountering ads, which meant more advertising revenue for Big Tech.

Today, these same platforms are now symbols of some of the worst aspects of being online. Nation-states have abused the platforms to push disinformation campaigns. An impossible sense of scale allows gore and porn and hate speech to slip by even the best efforts at content moderation. And children can be exposed to bullying, peer pressure, and harassment.

So, what would it take to make online connection a good thing?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Rabble—an early architect of social media, Twitter’s first employee, and host of the podcast Revolution.Social—about what good remains inside social media and what steps are being taken to preserve it.

“I don’t think that what we’re seeing with social media is so much a set of new things that are disasters that are rising up from this Pandora’s box… but rather they’re all things that existed in society and now they’re not all kept locked away. So we can see them and we have to address them now.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

How to set up two-factor authentication (2FA) on your Facebook account

While two-factor authentication (2FA) is not completely fool-proof, it is one of the best ways to protect your accounts from hackers. It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security.

With 2FA, you’ll be asked for a special login code when signing in from a device or browser Facebook doesn’t recognize—even if someone already knows your password.

Here’s how to enable 2FA on Facebook for Android, iOS, and the web.

How to set up 2FA for Facebook on Android

  1. Open the Facebook app (make sure you’re signed in).
  2. Tap the menu (three horizontal lines).
  3. Choose Settings & Privacy > Settings.
  4. In the Accounts Center tap Password and security.
  5. Tap Two-factor authentication and select the account you want to protect.
  6. Re-enter your password. Facebook will send a one-time code to your phone or email to confirm it’s you.
  7. Pick your preferred security method:
    • Authentication app (recommended) – such as Google Authenticator or Authy.
    • Text message (SMS) or WhatsApp – codes sent to your phone number.
    • Security key – a USB or Bluetooth device.
    • Recovery codes – backup codes to use if other methods aren’t available.
  8. Follow on-screen instructions to complete the setup.

How to set up 2FA for Facebook on iPhone or iPad

  1. Open the Facebook app (make sure you’re signed in).
  2. Tap your profile picture in the bottom right corner.
  3. Go to Settings & Privacy > Settings.
  4. Tap on Accounts Center, then Password and security.
  5. Tap Two-factor authentication and select your account.
  6. Re-enter your password. Facebook will send a one-time code to your phone or email to confirm your identity.
  7. Choose your preferred method:
    • Authentication app (recommended) – such as Google Authenticator or Authy.
    • Text message (SMS) or WhatsApp – codes sent to your phone number.
    • Security key – a USB or Bluetooth device.
    • Recovery codes – backup codes to use if other methods aren’t available.
  8. Follow on-screen instructions to complete the setup.

How to set up 2FA for Facebook on the web

  1. Go to facebook.com/settings (or from the home screen, click your profile picture and then Settings & privacy).
  2. Navigate to Password and security.
    Accounts Center Facebook
  3. Click Two-factor authentication, then select your account.
  4. Facebook will send a one-time code to your WhatsApp or email to confirm it’s you, and may ask you to re-enter your password.
  5. Choose your preferred method:
    • Authentication app (recommended) – such as Google Authenticator or Authy.
    • Text message (SMS) or WhatsApp – codes sent to your phone number.
    • Security key – a USB or Bluetooth device.
    • Recovery codes – backup codes to use if other methods aren’t available.
  6. Follow on-screen instructions to complete the setup.

Why you should enable it today

Even the strongest password can be stolen. With 2FA, attackers would also need access to your additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. That makes hijacking your account much harder.

We recommend you set up 2FA on all your important accounts, including messaging and social media accounts. It only takes a few minutes, but can save you from hours or even days of stress later. It’s currently the best password advice we have.


We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

A week in security (September 29 – October 5)

Last week on Malwarebytes Labs:

Stay safe!



From threats to apology, hackers pull child data offline after public backlash

Last week we yelled at some “hackers” that threatened parents after stealing data from their children’s nursery.

This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

To prove their possession of the data, the criminals posted samples on their darknet website, including pictures and profiles of ten children. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

A few days later, they added profiles of another ten children and threatened to keep going until Kido paid their ransom demand. The group also published the private data of dozens of employees including names, addresses, National Insurance numbers, and contact details.

The criminals then reportedly contacted parents directly with threatening phone calls whilst pushing to get their ransom paid.

But after massive pushback from the general public and some prominent members of the malware community, the attackers initially blurred the children’s images but left the data online. Soon after, they pulled everything offline and issued an apology.

They even claim to have deleted all the children’s data. One of the cybercriminals told the BBC:

“All child data is now being deleted. No more remains and this can comfort parents.”

But, as we have mentioned many times before, computers—and the internet in particular—are not very good at “forgetting” things. Data tends to pop up in unexpected places. Remember when supposedly deleted iPhone photos showed up again after an iOS update?

And, of course, all we have to go on is the word of a criminal with such a bad reputation that even they seemed ashamed of what they did.

They might be feeling a bit sorry for themselves, as they claim to have paid an initial access broker (IAB) for the access to Kido’s systems and will likely see no return on that “investment”.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.
