IT NEWS

On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant amount of data allegedly stolen from Truist Bank for sale.

Truist is a US bank holding company and operates 2,781 branches in 15 states and Washington DC. By assets, it is in the top 10 of US banks. In 2020, Truist provided financial services to about 12 million consumer households.

The online handle of the seller immediately raised the suspicion that this was yet another Snowflake related data breach.

The post also mentions Suntrust bank because Truist Bank arose after SunTrust Banks and BB&T (Branch Banking and Trust Company) merged in December 2019.

For the price of $1,000,000, other cybercriminals can allegedly get their hands on:

• Employee Records: 65,000 records containing detailed personal and professional information.
• Bank Transactions: Data including customer names, account numbers, and balances.
• IVR Source Code: Source code for the bank’s Interactive Voice Response (IVR) funds transfer system.

IVR is a technology that allows telephone users to interact with a computer-operated telephone system through the use of voice and Dual-tone multi-frequency signaling (DTMF aka Touch-Tone) tones input with a keypad. Access to the source code may enable criminals to find security vulnerabilities they can abuse.

Given the source and the location where the data were offered, we decided at the time to keep an eye on things but not actively report on it. But now a spokesperson for Truist Bank told BleepingComputer:

“In October 2023, we experienced a cybersecurity incident that was quickly contained.”

Further, the spokesperson stated that after an investigation, the bank notified a small number of clients and denied any connection with Snowflake.

“That incident is not linked to Snowflake. To be clear, we have found no evidence of a Snowflake incident at our company.”

But the bank disclosed that based on new information that came up during the investigation, it has started another round of informing affected customers.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Google has notified Pixel users about an actively exploited vulnerability in their phones’ firmware.

Firmware is the code or program which is embedded into hardware devices. Simply put, it is the software layer between the hardware and the applications on the device.

About the vulnerability, Google said there are indications it may be:

“under limited, targeted exploitation.”

This could mean that the discovered attacks were very targeted, for example by state-sponsored actors or industry-grade spyware. However, it’s still a good idea to get these patches as soon as you can. And whether you have a Pixel or not, all Android users should make sure they’re using the latest version available, because the June 2024 security update addresses a total of 50 security vulnerabilities.

Updates to address this issue are available for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.

For these Google devices, security patch levels of 2024-06-05 or later address this issue. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You should get notifications when updates are available for you, but it’s not a bad idea to manually check for updates. For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for this vulnerability is:

CVE-2024-32896: an elevation of privilege (EoP) issue in Pixel firmware.

An elevation of privilege vulnerability occurs when an application gains permissions or privileges that should not be available to them. This can be a key element in an attack chain when a cybercriminal wants to move forward from initial access to a device to a full compromise.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Following days of user pushback that included allegations of forcing a “spyware-like” Terms of Service (ToS) update into its products, design software giant Adobe explained itself with several clarifications.

Apparently, the concerns raised by the community, especially among Photoshop and Substance 3D users, caused the company to reflect on the language it used in the ToS. The adjustments that Adobe announced earlier this month suggested that users give the company unlimited access to all their materials—including materials covered by company Non-Disclosure Agreements (NDAs)—for content review and similar purposes.

As Adobe included in its Terms of Service update:

“As a Business User, you may have different agreements with or obligations to a Business, which may affect your Business Profile or your Content. Adobe is not responsible for any violation by you of such agreements or obligations.

This wording immediately sparked the suspicion that the company intends to use user-generated content to train its AI models. In particular, users balked at the following language:

“[.] you grant us a non-exclusive, worldwide, royalty-free sublicensable, license, to use, reproduce, publicly display, distribute, modify, create derivative works based on, publicly perform, and translate the Content.”

To reassure these users, on June 10, Adobe explained:

“We don’t train generative AI on customer content. We are adding this statement to our Terms of Use to reassure people that is a legal obligation on Adobe. Adobe Firefly is only trained on a dataset of licensed content with permission, such as Adobe Stock, and public domain content where copyright has expired.”

Alas, several artists found images that reference their work on Adobe’s stock platform.

As we have explained many times, the length and the use of legalese in the ToS does not do either the user or the company any favors. It seems that Adobe understands this now as well.

“First, we should have modernized our Terms of Use sooner. As technology evolves, we must evolve the legal language that evolves our policies and practices not just in our daily operations, but also in ways that proactively narrow and explain our legal requirements in easy-to-understand language.”

Adobe also said in its blog post that it realized it has to earn the trust of its users and is taking the feedback very seriously and it will be grounds to discuss new changes. Most importantly it wants to stress that you own your content, you have the option to opt out of the product improvement program, and that Adobe does not scan content stored locally on your computer.

Adobe expects to roll out new terms of service on June 18th and aims to better clarify what Adobe is permitted to do with its customers’ work. This is a developing story, and we’ll keep you posted.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice.

In new research that Malwarebytes will release this month, romantic partners revealed that the degree to which they share passwords, locations, and devices with one another can invite mild annoyances—like having an ex mooch off a shared Netflix account—serious invasions of privacy—like being spied on through a smart doorbell—and even stalking and abuse.

Importantly, this isn’t just about jilted exes. This is also about people in active, committed relationships who have been pressured or forced into digital sharing beyond their limit.

The proof is in the data.

When Malwarebytes surveyed 500 people in committed relationships, 30% said they regretted sharing location tracking with their partner, 27% worried about their partners tracking them through location-based apps and services, and 23% worried that their current partner had accessed their accounts without their permission.

Plenty of healthy, happy relationships share digital access through trust and consent. For those couples, mapping out how to digitally separate and insulate their accounts from one another “when things go wrong” could seem misguided.

But for the many spouses, girlfriends, boyfriends, and partners who do not fully trust their significant other—or who are still figuring out how much to trust someone new—this exercise should serve as an act of security.

Here’s what people can think about when working through just how much of their digital lives to share.

Inconvenient, annoying, and just plain bothersome

A great deal of digital sharing within couples occurs on streaming platforms. One partner has Netflix, the other has Hulu, the two share Disney+, and years down the line, the couple can’t quite tell who is in charge of Apple Music and who is supposed to cancel the one-week free trial to Peacock.

This logistical nightmare, already difficult for people who are not in a committed relationship, is further complicated after a breakup (or during the relationship if one partner is particularly sensitive about their weekly algorithmic recommendations from Spotify).

If an ex maintains access to your streaming accounts even after a breakup, there’s little chance for abuse, but the situation can be aggravating. Maybe you don’t want your ex to know that you’re watching corny rom-coms, or that you’re absolutely going through it on your seventh replay of Spotify’s “Angry Breakup Mix.” These are valid annoyances that will require a password reset to boot your ex out of the shared account.

But there’s one type of shared account that should raise more caution than those listed above: A shared online shopping account, like Amazon.

With access to a shared online shopping account, a spiteful ex could purchase goods using your saved credit card. They could also keep updates on your location should you ever move and change addresses in the app. This isn’t the same threat as an ex having your real-time location, but for some individuals—particularly survivors of domestic abuse who have escaped their partner—any leak of a new address presents a major risk.

Non-consensual tracking, monitoring, and spying

When couples move into the same home, it can make sense to start sharing a variety of location-based apps.

Looking for a vacation rental online for your next getaway? You’re (hopefully) lodging together. Ordering delivery because nobody wants to make dinner? That order is being sent to the same shared address. Even some credit cards offer specific bonuses on services like Lyft, incentivizing some couples to rely more heavily on one account to score extra credits.

While sharing access between these types of accounts can increase efficiency, it’s important to know—and this may sound obvious—that many of these same shared location-based apps can reveal locations to a romantic partner, even after a breakup.

Your vacation could be revealed to an ex who is abusing their previously shared login privileges into services like Airbnb or Vrbo, or by someone peering into the trip history of a shared Uber account that discloses that a car was recently taken to the airport. Food delivery apps, similarly, can reveal new addresses after a move—a particular risk for survivors of domestic abuse who are trying to escape their physical situation.

In fact, any account that tracks and provides access to location—including Google’s own “Timeline” feature and fitness tracking devices made by Strava—could, in the wrong hands, become a security risk for stalking and abuse.

The vulnerabilities extend farther.

With the popularity of Internet of Things devices like smart doorbells and baby monitors, some partners may want to consider how safe they are from spying in their own homes. Plenty of user posts on a variety of community forums claim that exes and former spouses weaponized video-equipped doorbells and baby monitors to spy on a partner.

These scenarios are frightening, but they are part of a larger question about whether you should share your location with your partner. With the proper care and discussion, your location-sharing will be consensual, respected, and convenient for all.

Stalking and abuse

When discussing the risks around digital sharing between couples, it’s important to clarify that trustworthy partners do not become abusive simply because of their access to technology. A shared food delivery app doesn’t guarantee that a partner will be spied on. A baby monitor with a live video stream is sometimes just that—a baby monitor.

But many of the stories shared here expose the dangers that lie within arm’s reach for abusive partners. The technology alone cannot be blamed for the abuse. Instead, the technology must be scrutinized simply because of its ubiquitous use in today’s world.

The most serious concerns regarding digital access are the potential for stalking and abuse.

For partners that share devices and device passcodes, the notorious threat of stalkerware makes it easy for an abusive partner to pry into a person’s photos, videos, phone calls, text messages, locations, and more. Stalkerware can be installed on a person’s device in a matter of minutes—a low barrier of entry for couples that live with one another and who share each other’s device passcodes.

For partners who share a vehicle, a recent problem has emerged. In December, The New York Times reported on the story of a woman who—despite obtaining a restraining order against her ex-husband—could not turn off her shared vehicle’s location tracking. Because the car was in her husband’s name, he was able to reportedly continue tracking and harassing her.

Even shared smart devices have become a threat. According to reporting from The New York Times in 2018, survivors of domestic abuse began calling support lines with a bevvy of new concerns within their homes:

“One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.”

The survivors’ stories all pointed to the abuse of shared smart devices.

Whereas the solutions to many of the inconveniences and annoyances that can come with shared digital access are simple—a reset password, a removal of a shared account—the “solutions” for technology-enabled abuse are far more complex. These are problems that cannot be solely addressed with advice and good cybersecurity hygiene.

If you are personally experiencing this type of harassment, you can contact the National Network to End Domestic Violence on their hotline at 1-800-799-SAFE.

Making sure things go right

Sharing your life with your partner should be a function of trust, and for many couples, it is. But, in the same way that it is impossible for a cybersecurity company to ignore even one ransomware attack, it’s also improper for this cybersecurity and privacy company to ignore the reality facing many couples today.

There are new rules and standards for digital access within relationships. With the right information and the right guidance, hopefully more people will feel empowered to make the best decisions for themselves.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The British and Canadian privacy authorities have announced they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was discovered in October 2023.

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that cybercriminals had “obtained information from certain accounts, including information about users’ DNA Relatives profiles.”

Later, an investigation by 23andMe showed that an attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

For a subset of these accounts, the stolen data contained health-related information based on the user’s genetics.

The finding that most data was accessed through credential stuffing led to 23andMe sending a letter to legal representatives of victims blaming the victims themselves.

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards say they will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.

The privacy watchdogs are going to investigate:

• the scope of information that was exposed by the breach and potential harms to affected individuals;
• whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
• whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.               

The joint investigation will be conducted in accordance with the Memorandum of Understanding between the ICO and OPC.

Scan for your exposed personal data

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report. If your data was part of the 23andMe breach, we’ll let you know.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Despite protests, Google is rolling out changes in the Chrome browser that make it harder for ad blockers to do their job.

Starting last Monday, June 3, 2024, Chrome Beta, Dev, and Canary channels will see the effects of the implementation of the new extension platform Manifest V3. The gradual disabling of V2 extensions will later follow for all Chrome users.

For those not familiar with the terms, Manifest V2 and V3 are the “rules” that browser extension developers are required to follow if they want their extensions to get accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Google explained that the goal of the new extension platform:

“Is to protect existing functionality while improving the security, privacy, performance and trustworthiness of the extension ecosystem as a whole.”

That’s commendable, because it stops criminals from hiding the malicious intentions of their extensions when they submit them for the Google Play Store.

However, the part of the transition that hinders ad blockers lies in the fact that extensions will now have limitations on how many rules they include. Google has made some compromises after initial objections, but the limitations are still present and have a large effect on ad blockers since they historically rely on a large number of rules. That’s because, generally speaking, each blocked domain or subdomain is one rule, and cybercriminals set up new domains by the dozen.

Google has tried to address developers’ concerns by adding support for user scripts and increasing the number of rulesets for the API used by ad blocking extensions. But this might not be enough.

Users can temporarily re-enable their Manifest V2 extensions, but this option will eventually disappear.

One of the affected ad blockers is the one incorporated in our own Malwarebytes Browser Guard.

We talked to one of the developers about the plans for Browser Guard and how it will deal with the Manifest V3 rules. They told us that the new Browser Guard, which is already available in beta, will use a mix of static and dynamic rules to protect our users.

Static rules are rules that are contained in the ruleset files which can be seen as block lists. These files are declared in the manifest file.

Dynamic rules are rules that can be added and removed at runtime. Chrome allows up to 30k dynamic rules. Browser Guard uses dynamic rules for two purposes:

• Session rules are dynamic rules that can be added and removed at runtime, but they are session-scoped and are cleared when the browser shuts down and when a new version of the browser is installed.
• And dynamic rules can be used to store allow lists, user blocked content, and general rules that block more than one domain. Take, for example, the IP address of a server that is known to host nothing but phishing sites.

And, to deal with urgent situations, we can use ruleset overrides, which are a mechanism by which we can override the static rules shipped with Browser Guard without requiring our users to add exclusions.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week on Malwarebytes Labs:

• Google will start deleting location history
• Advance Auto Parts customer data posted for sale
• Husband stalked ex-wife with seven AirTags, indictment says
• Microsoft Recall snapshots can be easily grabbed with TotalRecall tool
• Financial sextortion scams on the rise
• Say hello to the fifth generation of Malwarebytes
• Big name TikTok accounts hijacked after opening DM
• US residents targeted by utility scammers on Google
• Debt collection agency FBCS leaks information of 3 million US citizens
• 800 arrests, 40 tons of drugs, and one backdoor, or what a phone startup gave the FBI, with Joseph Cox: Lock and Code S05E12
• WhatsApp cryptocurrency scam goes for the cash prize

Last week on ThreatDown:

• Ransomware drives healthcare provider into administration
• FBI has 7,000 LockBit decryption keys available
• Microsoft calls time on NTLM, so should you
• Why complexity has become a security issue
• Azure Service Tags vulnerability could allow attackers to access private data
• ClearFake walkthrough

Stay safe!

Google announced that it will reduce the amount of personal data it is storing by automatically deleting old data from “Timeline”—the feature that, previously named “Location History,” tracks user routes and trips based on a phone’s location, allowing people to revisit all the places they’ve been in the past.

In an email, Google told users that they will have until December 1, 2024 to save all travels to their mobile devices before the company starts deleting old data. If you use this feature, that means you have about five months before losing your location history.

Moving forward, Google will link the Location information to the devices you use, rather than to the user account(s). And, instead of backing up your data to the cloud, Google will soon start to store it locally on the device.

As I pointed out years ago, Location History allowed me to “spy” on my wife’s whereabouts without having to install anything on her phone. After some digging, I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store on her phone. The extra account this created on her phone was not removed when I logged out after noticing the tracking issue.

That issue should be solved by implementing this new policy. (Let’s remember, though, that this is an issue that Google formerly considered a feature rather than a problem.)

Once effective, unless you take action and enable the new Timeline settings by December 1, Google will attempt to move the past 90 days of your travel history to the first device you sign in to your Google account on. If you want to keep using Timeline:

• Open Google Maps on your device.
• Tap your profile picture (or initial) in the upper right corner.
• Choose Your Timeline.
• Select whether to keep you want to keep your location data until you manually delete it or have Google auto-delete it after 3, 18, or 36 months.

In April of 2023, Google Play launched a series of initiatives that gives users control over the way that separate, third-party apps stored data about them. This was seemingly done because Google wanted to increase transparency and control mechanisms for people to control how apps would collect and use their data.

With the latest announcement, it appears that Google is finally tackling its own apps.

Only recently, Google agreed to purge billions of records containing personal information collected from more than 136 million people in the US surfing the internet using its Chrome web browser. But this was part of a settlement in a lawsuit accusing the search giant of illegal surveillance.

It’s nice to see the needle move in the good direction for a change. As Bruce Schneier pointed out in his article Online Privacy and Overfishing:

“Each successive generation of the public is accustomed to the privacy status quo of their youth. What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.”

This has led us all to a world where we don’t even have the expectation of privacy anymore when it comes to what we do online or when using modern technology in general.

If you want to take firmer control over how your location is tracked and shared, we recommend reading How to turn off location tracking on Android.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers.

Allegedly the customer data includes:

• Names
• Email addresses
• Phone numbers
• Physical address
• Orders
• Loyalty and gas card numbers
• Sales history

The data set allegedly also includes information about 358,000 employees and candidates—which is a lot more than are currently employed by Advance Auto Parts (69,000 in 2023).

The cybercriminal is asking $1.5 Million for the data set.

Advance Auto Parts has not disclosed any information about a possible data breach and has not responded to inquiries. But BleepingComputer confirms that a large number of the Advance Auto Parts sample customer records are legitimate.

Interestingly enough, the seller claims in their post that the data comes from Snowflake, a cloud company used by thousands of companies to manage their data. On May 31st, Snowflake said it had recently observed and was investigating an increase in cyber threat activity targeting some of its customers’ accounts. It didn’t mention which customers.

At the time, everybody focused on Live Nation / Ticketmaster, another client of Snowflake which said it had detected unauthorized activity within a “third-party cloud database environment” containing company data.

The problem allegedly lies in the fact that Snowflake lets each customer manage the security of their environments, and does not enforce multi-factor authentication (MFA).

Online media outlet TechCrunch says it has:

“Seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.”

TechCrunch also says it found more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for Snowflake environments, belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others.

Meanwhile, Snowflake has urged its customers to immediately switch on MFA for their accounts.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While the Advance Auto Parts data has yet to be confirmed, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1. Found by S.K. with no detail on specific location
2. Duct-taped underneath the front bumper of S.K.’s car
3. Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4. Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5. “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6. Underneath the license plate on S.K.’s car
7. Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

Improving AirTag safety

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.