IT NEWS

Hard drives containing sensitive medical data found in flea market

Somebody bought a batch of 15 GB hard drives from a flea market, and during a routine check of the contents they found medical data about hundreds of patients.

After some more investigation in the Netherlands, it turned out the data came from a software provider in the medical industry which had gone bankrupt.

Under Dutch law, storage media with medical data must be professionally erased with certification. The normal procedure is to have them destroyed by a professional company, but that costs money and by selling the hard drives off the company would have brought in a small amount of cash.

This incident reminded me of two important security measures that we sometimes overlook.

The first is obvious. Computers are very bad at “forgetting” things. When you delete a file, the system doesn’t actually remove the file from your hard drive. Only the location of the file is set to “unused” so it may be overwritten at some point, but it often can be recovered. So you need to be careful how you decommission your old hard drives or any devices that have data on them.

One method is to overwrite the present data with zeroes or random numbers. There are several levels of overwriting hard drives:

  • Single-pass overwrite: Writing zeros or random data once across the entire disk is often sufficient for traditional hard drives.
  • Multi-pass overwriting: More secure methods involve multiple passes (e.g., 3-pass or 7-pass), which can further reduce the chance of data recovery.
  • NIST 800-88 method: A recognized standard that includes overwriting with random data followed by zeros and verification. This is the type of method we would like to see when it comes to sensitive data like medical information.
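The sequence in the last bullet (a random pass, a zero pass, then a read-back check) can be tried safely on a disk image. This is an added example, not code from the original article; the helper names and the sample image are constructed for the illustration, and it makes no claim of meeting any certification requirement.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB blocks so a large target never has to fit in memory


def write_pass(fh, size, make_block):
    """Overwrite the first `size` bytes of fh with blocks produced by make_block(n)."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(make_block(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # force this pass out of the OS cache before the next one


def first_nonzero_offset(fh, size):
    """Read the target back; return the offset of the first non-zero byte, or None."""
    fh.seek(0)
    offset = 0
    while offset < size:
        block = fh.read(min(CHUNK, size - offset))
        if not block:
            return offset  # short read: the target cannot be confirmed clean
        rest = block.lstrip(b"\x00")
        if rest:
            return offset + len(block) - len(rest)
        offset += len(block)
    return None


def wipe_and_verify(path):
    """Random pass, zero pass, then verification over the whole target.

    Assumption: `path` is a whole-disk image (or a device node you may write to).
    Overwriting one file inside a live filesystem, or writing to an SSD through
    the operating system, does not guarantee that every stored copy is reached.
    """
    with open(path, "r+b") as fh:
        size = fh.seek(0, os.SEEK_END)       # size of the target in bytes
        write_pass(fh, size, os.urandom)     # pass 1: random data
        write_pass(fh, size, bytes)          # pass 2: bytes(n) is n zero bytes
        bad = first_nonzero_offset(fh, size) # pass 3: read back and check
    return {
        "bytes": size,
        "passes": ["random", "zeros"],
        "verified": bad is None,
        "first_bad_offset": bad,
    }


def demo():
    """Build a constructed image full of fake records, wipe it, look for leftovers."""
    marker = b"PATIENT;constructed-sample-record;"  # constructed, not real data
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk.img")
        with open(image, "wb") as fh:
            fh.write(marker * 50_000)  # 1,700,000 bytes, spans two chunks
        report = wipe_and_verify(image)
        with open(image, "rb") as fh:
            leftover = marker in fh.read()
    return report, leftover


if __name__ == "__main__":
    print(demo())
```

Keeping the returned report with the asset record gives you evidence that the verification pass actually ran for that drive.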

Some modern drives come with a secure erase command embedded in the firmware, but you need special software to execute the command, and it may require several rounds of overwrite.

Users that have a Windows computer with UEFI can use the secure erase option in their computer’s BIOS or UEFI settings. The exact steps depend on your computer’s manufacturer and model. Unless you’re afraid of law enforcement or a very skilled attacker, that should be enough. For computers pre-dating UEFI you will need specialized software. To find out whether your computer has UEFI:

  • Right-click the Start button
  • Select Run
  • Type msinfo32 and press OK
  • Click System Summary
  • Scroll down to the BIOS Mode value to check whether it says UEFI

Non-SSD drives can be degaussed, a method which uses a strong magnetic field to disrupt the magnetic storage on traditional hard drives. However, it is ineffective for SSDs and flash storage.

Which leaves physical destruction as the last option. The usual method to do this, called shredding, involves cutting up hard drives into small pieces and then burning them in an incinerator or shredding machine to destroy their magnetic properties.

The second security measure that is important is to have your data removed from publicly available records. In the Dutch case it’s remarkable and painful that such a company would have this type of information stored on their drives. First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store it, the data should have been encrypted, and of course the hard drives should have been decommissioned responsibly.

Depending on the type of information and its origin, it seems unlikely that someone would consider asking for removal of the data. After all, it’s often important that medical information is shared among care providers.

On the other hand, there is a ton of information about everyone in publicly accessible places that we can keep under control by using data removal services. Using a data removal service increases online anonymity, which makes it harder for stalkers, phishers, other attackers, or advertisers to find personal details.

A week in security (February 10 – February 16)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

12 Million Zacks accounts leaked by cybercriminal

A cybercriminal claimed to have stolen 15 million data records from the customers and clients of the company Zacks—a number that a separate investigation, after analysis, shaved down to just 12 million.

Zacks is an investment research company best known for its “Zacks Ranks,” which are daily lists that provide stock market watchers and likely investors with possible company portfolio purchases, ranked on a scale from one to five.

Over the years Zacks has suffered a few data breaches. In 2023, data allegedly belonging to Zacks containing 8,615,098 records was leaked online. The most recent data in this database is from May 2020. The data contains names, email addresses, usernames, passwords, phone numbers, addresses, company names, and additional personal information. This leak is being publicly shared on online forums.

In October 2024, we found data reported to belong to Zacks containing 8,441 records which includes email addresses, physical addresses, phone numbers, and full names, and potentially other compromised user details. This breach is also being publicly shared on the internet.

Now, a cybercriminal using the moniker Jurak has leaked sensitive information related to roughly 12 million accounts, which allegedly stems from a breach that happened last year.

Jurak's post on BreachForums: cybercriminal leaks data allegedly stolen from Zacks

“In June 2024, Zacks Investment Research suffered a data breach exposing their source code and their databases containing 15M lines of their customers and clients. This would be the 2nd (hacked back in 2020) major data breach for Zacks.

The data leaked in this thread contains usernames, emails, addresses, full names, phone numbers.

I thought about releasing the source code, but I don’t want every retard to have access to it. If you have high reputation and want the source code send a PM

Breached by @Jurak and @StableFish

Below is a sample of the customers database:

CLUE , HINT , PASSWORD , USERNAME , LAST_NAME , FIRST_NAME , CUSTOMER_ID , DATE_REGISTERED , DATE_UPDATED , DISPLAY_NAME , FIRM_NAME , TIMEZONE_CODE , LAST_PASSWORD_CHANGE”

BleepingComputer says it has reached out to Zacks on several occasions but didn’t get a response. As with other recent claims by criminals on BreachForums, we have to be careful about taking their word for anything, but Jurak claims they breached Zacks themselves in June 2024.

“I breached Zacks myself”

Jurak told BleepingComputer that they gained access to the company’s active directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.

Protecting yourself after a data breach

Losing data related to a financial account can have severe consequences. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

How AI was used in an advanced phishing campaign targeting Gmail users

In May, 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

“Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly, especially because the AI tools that cybercriminals have at their disposal are relatively low cost: in one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based phishing attacks, which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake-supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users, some of these elements came together. These attacks often start with a call to users, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate-looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft.

When we warn about agentic AI attacks, this type of campaign is an example of what we can expect.

The FBI added a warning about unsolicited emails and text messages which contain a link to a seemingly legitimate website that asks visitors to log in, but the linked websites are fakes especially designed to steal the credentials.

As we have seen in the past, these sites can even be designed to steal session cookies. A session cookie is what keeps you logged in: every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system. And if cybercriminals manage to steal the session cookie, they can log in as you, change the password and grab control of your account.

How to avoid AI Gmail phishing


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Fake Etsy invoice scam tricks sellers into sharing credit card information 

This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes.

As an online seller, you’re already juggling product listings, customer service and marketing—so the last thing you need is to be targeted by scammers.

Unfortunately, a new scam is making the rounds, and it’s crucial to recognize the warning signs before you fall victim. In this post, we’ll walk you through exactly how this scam works, show you what to watch out for, and give you tips on keeping your Etsy account secure. 

The scam usually starts with an email/message that appears to be from Etsy’s support team, with what looks like an official invoice in PDF format attached. The PDF is hosted on etsystatic.com, which is particularly alarming given it’s a legitimate domain that Etsy uses for static content. This clever detail makes the file seem even more trustworthy, catching unsuspecting sellers off guard.


Despite this, there are still some red flags to look for: 

  • The email uses language like “Dear Seller” or “Hello Etsy Member”, instead of addressing you by your Etsy shop name or username
  • The sender’s email address doesn’t end in @etsy.com, or has suspicious variations (extra numbers or letters)
  • Phrases like “immediate action required” or “your account will be closed” that rush you into clicking. This is a common scare tactic.

Inside the PDF, there’s often a clickable link urging you to “confirm your identity” or “verify your account.” If you click through, you’re taken to a website that, at first glance, looks very much like an official Etsy support page.


Here’s where you need to be extra vigilant: 

  1. The web address might look similar to etsy.com but could include extra words, missing letters, or unusual extensions (e.g., verlflcation-etsy[.]cfd). 
  2. The site may ask for more information than Etsy would normally request for verification – like your full name, address, and even your credit card details. 
  3. Real Etsy pages usually have fully working navigation and other standard features. Scam sites often have broken or non-functioning links. 

In the final step, the counterfeit page will prompt you to enter your credit card details, supposedly to “confirm your billing information” or “validate your seller account.”

This is an immediate red flag: Etsy never requires you to provide credit card information for identity verification outside of its standard, secure payment setup. If you provide these details, scammers can use them to make unauthorized purchases—or sell them on underground markets. 


How to protect yourself from Etsy scams

  • Check the “From” field in emails to make sure it comes from a legitimate Etsy address.
  • Rather than clicking the links inside the email, open a new browser window, go directly to etsy.com and navigate from there.
  • Question any urgent or unusual requests: Legitimate platforms do not ask for full credit card information for verification via a PDF link or email.
  • Use Malwarebytes Browser Guard to protect you from malicious websites, card skimmers, ads, and more. Browser Guard already blocks the domains in this article.
  • If something feels off, reach out to Etsy’s official support directly. They can confirm whether any invoice or verification request is real. This won’t protect your credit card data if you hand it over, but it does help secure your Etsy account from unauthorized logins. 
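The red flags listed earlier (generic greeting, sender address, pressure phrases) and the link checks above can be combined into a small triage routine for a reported message. This is an added example, not code from the original article or from Etsy; the function names, finding labels and the sample message are constructed, and the only real lookalike host used is the one quoted in the text.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = ("etsy.com", "etsystatic.com")  # domains the article names as genuine
BRAND = "etsy"
GENERIC_GREETINGS = ("dear seller", "hello etsy member")
PRESSURE_PHRASES = ("immediate action required", "your account will be closed")


def host_of(value):
    """Return the lower-cased host of a URL or bare host, accepting [.] defanging."""
    value = value.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the network location
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_trusted(host):
    # Exact match or a true subdomain; "etsy.com.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-letter-off brand spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    host = host_of(url)
    if not host:
        return ["unparseable-link"]
    if is_trusted(host):
        # A trusted host only says where the file is served from. The invoice PDF
        # in this scam sat on etsystatic.com, so links inside it need checking too.
        return []
    reasons = ["untrusted-host"]
    if BRAND in host:
        reasons.append("brand-in-host")
    elif any(edit_distance(t, BRAND) == 1 for t in re.split(r"[.\-]", host)):
        reasons.append("brand-near-miss")
    return reasons


def triage(sender, body, links):
    findings = []
    # The From header can be forged, so a pass here proves nothing by itself.
    domain = parseaddr(sender)[1].lower().rpartition("@")[2]
    if domain != "etsy.com":
        findings.append(f"sender-domain:{domain or 'missing'}")
    text = body.lower()
    findings += [f"generic-greeting:{g}" for g in GENERIC_GREETINGS if g in text]
    findings += [f"pressure:{p}" for p in PRESSURE_PHRASES if p in text]
    for link in links:
        findings += [f"{reason}:{host_of(link)}" for reason in check_link(link)]
    return findings


# Constructed sample message: the first link is the PDF itself, the second is
# the link found inside the PDF.
SAMPLE = {
    "sender": '"Etsy Support" <billing@etsy-invoices.example>',
    "body": "Dear Seller, immediate action required: please review the attached invoice.",
    "links": [
        "https://i.etsystatic.com/constructed/invoice.pdf",
        "verlflcation-etsy[.]cfd/confirm",
    ],
}

if __name__ == "__main__":
    for finding in triage(**SAMPLE):
        print(finding)
```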

Indicators of Compromise (IOCs) 

Below are some known IOCs associated with this fake invoice scam. (Please note these are examples, and actual IOCs can vary over time.) 




Gambling firms are secretly sharing your data with Facebook 

While you might think you’re hitting the jackpot, whether you’ve consented to it or not, online gambling sites are playing with your data. Users’ data, including details of webpages they visited and buttons they clicked, are being shared with Meta, Facebook’s parent company.  

The Observer reports that over 150 UK gambling websites have been extracting visitor data through a hidden embedded tracking tool, and then sending that data to Meta in order to profile people as gamblers and flood them with Facebook ads for casinos and betting sites.

The gambling websites used and shared data for marketing purposes—without obtaining explicit permission from the users—in an apparent breach of data protection laws. The websites include popular sites like Hollywoodbets, Sporting Index, Lottoland, and Bwin.  

Of the 150 websites that were tested, 52 used a tracking tool called Meta Pixel to share data directly and without explicit consent. This data was automatically transferred when loading the webpage, before users could even accept or decline the use of their data.  
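A site owner or auditor can check for this behaviour in a browser network capture (HAR file) by comparing when Meta Pixel requests fired against the moment consent was given. This is an added example, not the tooling used in the reported test; the sample capture and consent timestamp are constructed, and the request patterns (the `fbevents.js` library on `connect.facebook.net`, events sent to `facebook.com/tr` with `id` and `ev` parameters) come from Meta's public pixel snippet rather than from the article.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlsplit


def parse_ts(stamp):
    """Parse a HAR startedDateTime value (ISO 8601, usually ending in Z)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def pixel_hit(url):
    """Classify a request URL as a Meta Pixel library load or event, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "connect.facebook.net" and parts.path.endswith("/fbevents.js"):
        return {"kind": "library-load"}
    if host in ("www.facebook.com", "facebook.com") and parts.path.rstrip("/") == "/tr":
        # Only the query string is read here; request bodies are not decoded.
        query = parse_qs(parts.query)
        return {
            "kind": "event",
            "pixel_id": query.get("id", [""])[0],
            "event": query.get("ev", [""])[0],
        }
    return None


def audit(har, consent_at):
    """List pixel requests in a HAR dict and mark those sent before consent.

    consent_at is the timestamp at which the tester accepted marketing cookies,
    or None if consent was never given (then every hit counts as premature).
    """
    consent = parse_ts(consent_at) if consent_at else None
    findings = []
    for entry in har["log"]["entries"]:
        hit = pixel_hit(entry["request"]["url"])
        if hit is None:
            continue
        hit["time"] = entry["startedDateTime"]
        hit["before_consent"] = consent is None or parse_ts(hit["time"]) < consent
        findings.append(hit)
    return findings


def premature(findings):
    return [f for f in findings if f["before_consent"]]


# Constructed capture: page load, pixel activity, consent click at 10:00:08,
# then one more event. Load a real capture with json.load() instead.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-02-10T10:00:00.000Z",
     "request": {"url": "https://casino.example/"}},
    {"startedDateTime": "2025-02-10T10:00:00.350Z",
     "request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
    {"startedDateTime": "2025-02-10T10:00:00.610Z",
     "request": {"url": "https://www.facebook.com/tr/?id=000000000000000&ev=PageView"}},
    {"startedDateTime": "2025-02-10T10:00:09.200Z",
     "request": {"url": "https://www.facebook.com/tr/?id=000000000000000&ev=ViewContent"}},
]}}
CONSENT_AT = "2025-02-10T10:00:08.000Z"

if __name__ == "__main__":
    for finding in premature(audit(SAMPLE_HAR, CONSENT_AT)):
        print(finding)
```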

The data collection resulted in the reporter—who said they never once agreed to the use of their data for marketing purposes— being inundated with ads for gambling websites. In one browsing session, the reporter encountered ads from 49 different brands, including from betting companies which were not involved in the data collection and had been using Meta Pixel within the rules.  

Wolfie Christl, a data privacy expert investigating the ad tech industry, commented:

“Sharing data with Meta is highly problematic, even with consent, but doing so without explicit informed consent shows a blatant disregard for the law. Meta is complicit and must be held accountable” 

This isn’t the first time that gambling sites have been caught unlawfully selling off user data, and comes amid calls for a wider investigation into the targeting of gamblers, as well as the need for more protective measures.

Don’t gamble away your data and stay protected

Here are some ways to protect your data while using gambling (or any other) sites online:

  • Use a VPN, especially on public Wi-Fi networks
  • Use privacy-focused browsers and search engines, such as Brave
  • Clear your browsing data when closing your browser
  • Review the permissions of all your apps. Only grant them permission to access things they absolutely need.
  • Disable location tracking for as many apps as possible
  • Disable personalized ads as much as you can
  • Keep your devices up-to-date. This protects you from vulnerabilities that cybercriminals might try to exploit
  • Install Malwarebytes Browser Guard—our free tool that protects against ad tracking.  

Phishing evolves beyond email to become latest Android app threat

There are plenty of phish in the sea, and the latest ones have little interest in your email inbox.

In 2024, Malwarebytes detected more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called “multifactor authentication,” by prying into basic text messages sent to a device. Another 4,800 could even read information from an Android device’s “Notifications” bar to obtain the same info.

These “Android phishing apps” may sound high-tech, but they are not. They don’t crack into password managers or spy on passwords entered for separate apps. Instead, they present a modern wrapper on a classic form of theft: Phishing.

By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

The volume of these apps and their capabilities underscore the importance of securing yourself and your devices. With vigilance, safe behavior, and some extra support, you can avoid Android phishing apps and protect your accounts from cybercriminals.

Same trick, new delivery

For more than a decade, phishing was often understood as an email threat. Cybercriminals would send emails disguised as legitimate communications from major businesses, such as Netflix, Uber, Instagram, Google, and more. These emails would frequently warn recipients about a problem with their accounts—a password needed to be updated, or a policy change required a login.

But when victims followed the links within these malicious emails, they’d be brought to a website that, while appearing genuine, would actually be in complete control of cybercriminals. Fooled by similar color schemes, company logos, and familiar layouts, victims would “log in” to their account by entering their username and password. In reality, those usernames and passwords would just be delivered to cybercriminals on the other side of the website.

There never was a problem with a user’s account, and there never was a real request for information from the company. Instead, the entire back-and-forth was a charade.

Over time, phishing emails have advanced—cybercriminals have stolen credit card details by posing as charities—but so, too, have phishing protections from major email providers, sending many cybercriminal efforts into people’s “spam” inboxes, where the emails are, thankfully, never retrieved.

But last year, cybercriminals focused on a new avenue for phishing. They started developing entire mobile apps on Android that could provide the same level of theft.

The lure that convinces people to download these apps varies.

Some Android phishing apps are disguised as regular videogames or utilities which may ask users to connect with a separate social media account for the primary app to function. The requests are bogus and simply a method for harvesting passwords. Other Android phishing apps pose as popular apps, including TikTok, WhatsApp, and Spotify. These decoy apps are often hosted on less popular mobile app stores, as the protections of the Google Play store often flag and remove these apps, should they ever sneak onto the marketplace.

Here, cybercriminals have again found loopholes.

Malwarebytes discovered Android phishing apps last year that do not contain any code—or programmatic “instructions”—to steal passwords. Instead, the apps merely serve ads that, if clicked, send victims to external websites that do all the cybercriminal work outside of the app. These “benign” apps have a better chance of being hosted on legitimate mobile app stores, which gives them greater visibility amongst everyday people, and thus, more chances to steal information.

Most concerning, though, is the recent development from Android phishing apps that pierces one of the strongest security practices in use today: multifactor authentication.

Multifactor authentication is a security measure offered by most major online platforms including banks, retirement systems, social media companies, email providers, and more. With multifactor authentication, a username and password are no longer enough to sign into an account. Instead, the platform will send a separate “code,” typically a six-digit number, that the user must also enter to complete the login process. This code is often sent as a text message directly to the user, who has registered their phone number with the platform.

But now, multifactor authentication codes can also be stolen by Android phishing apps.

Last year, Malwarebytes found 5,200 apps that could steal these codes either by cracking directly into certain text messages or by stealing information from a device’s “Notifications” bar, which can deliver timely summaries or prompts for many apps.

This does not make multifactor authentication useless. Instead, it emphasizes a more holistic approach to cybersecurity that, at the very least, includes multifactor authentication.

Staying safe from Android phishing apps

Android phishing apps are simple, effective, and hard to spot to the naked eye. But there are behaviors and tools that can help keep you and your accounts safe.

To protect yourself from Android phishing apps:

  • Use mobile security software that detects and stops Android phishing apps from ever being installed on your Android device.
  • Before downloading any apps, you should look at the number of reviews. A low number of reviews may signal a decoy app.
  • Most people will only ever need to download Android apps directly from the Google Play Store. Be wary of other app stores or marketplaces, and never download a mobile app directly from a website.
  • Use a password manager to create and manage unique passwords for every single account. That way, if one password is stolen, it cannot be abused to open other online accounts.
  • Use multifactor authentication on your most sensitive accounts, including your financial, email, social media, healthcare, and government platforms (such as any accounts you use to file taxes).

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Apple fixes zero-day vulnerability used in “extremely sophisticated attack”

Apple has released an emergency security update for a vulnerability which it says may have been exploited in an “extremely sophisticated attack against specific targeted individuals.”

The update is available for:

  • iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to Settings (or System Settings) > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.


Technical details

The new-found zero-day vulnerability is tracked as CVE-2025-24200. When exploited, the vulnerability would allow an attacker to disable USB Restricted Mode on a locked device. The attack would require physical access to your device.

USB Restricted Mode was introduced with iOS 11.4.1 in July 2018. The feature was designed to make it more difficult for attackers to unlock your iPhone. When USB Restricted Mode is active, your device’s Lightning port (where you plug in the charging cable) will only allow charging after the device has been locked for more than an hour. This means that if someone tries to connect your locked iPhone to a computer or other device to access its data, they won’t be able to do so unless they have your passcode.

To enhance data security, especially when traveling or in public places, it is recommended that you enable USB Restricted Mode in your device settings. If your iPhone, iPad or iPod Touch is running iOS 11.4.1 or later, USB Restricted Mode is automatically on by default, but if you want to check and enable USB Restricted Mode, this can be done by going to Settings > Face ID & Passcode or Touch ID & Passcode > (USB) Accessories and toggling off (grey) the (USB) Accessories option. Enabling this setting adds an extra layer of protection against unauthorized data access.


Please note: toggling the option to green turns this feature off.

Vulnerabilities like these are typically used against specific individuals, in attacks deployed by commercial spyware vendors like Pegasus and Paragon. This means the average user does not need to fear attacks as long as the details are not published. But once they are, other cybercriminals will try to copy them.



Apple ordered to grant access to users’ encrypted data

Last week, an article in the Washington Post revealed the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. Since then, privacy-focused groups have voiced their objections.

The UK government has demanded to be able to access encrypted data stored by Apple users worldwide in its cloud service. However, Apple itself doesn’t have access to it at the moment; only the holder of the Apple account can access data stored in this way.

Neither the Home Office nor Apple responded on the record to queries about the demand served by the Home Office under the Investigatory Powers Act (IPA), but the BBC confirmed that it had heard the same information from reliable sources.

Privacy International said the demand is a “misguided attempt” that uses disproportionate government powers to access encrypted data, which may:

“Set a damaging precedent and encourage abusive regimes around the world to take similar actions.”

The Electronic Frontier Foundation (EFF) stated:

“Encryption is one of the best ways we have to reclaim our privacy and security in a digital world filled with cyberattacks and security breaches, and there’s no way to weaken it in order to only provide access to the good guys.”

The main target for the Home Office is an optional feature that turns on end-to-end encryption for backups and other data stored in iCloud. This feature is called Advanced Data Protection. Enabling Advanced Data Protection (ADP) protects the majority of your iCloud data — including iCloud Backup, Photos, Notes, and more — using end-to-end encryption.

For some time, these backups presented law enforcement agencies with a loophole to obtain access to data otherwise not available to them on iPhones with device encryption enabled. If the user hasn’t enabled ADP, this loophole still exists.

The EFF recommends users should turn off the option to create iCloud backups should the UK get its way. As the EFF has said before, and we agree, there is no backdoor that only works for the “good guys” and only targets “bad guys.” It’s all or nothing, and the bad guys will have enough money to find alternatives, while regular users may run out of free options if governments keep doing this.

What can I do?

How you wish to proceed after this news is obviously up to you, but we have some options you may be interested in. If you think Apple will stand up against the UK’s Home Office you can enable iCloud backup and Advanced Data Protection.

But if you want to find another place for your backups, these instructions may come in handy.

How to turn off iCloud backups

On iPhone or iPad

  • On your iPhone or iPad, tap Settings > {username} > iCloud.
  • This will list the devices with iCloud Backup turned on.
  • To delete a backup, tap the name of a device, then tap Turn Off and Delete from iCloud (or Delete & Turn Off Backup).

On Mac

  • Click Manage > Backups.
  • A list of devices that have iCloud Backup turned on is shown.
  • To delete a backup, select a device, then click Delete or the Remove button.

Note: If you turn off iCloud Backup for a device, any backups stored in iCloud are kept for 180 days before being deleted.

How to turn on Advanced Data Protection

If you haven’t enabled ADP and you want it, first update the iPhone, iPad, or Mac that you’re using to the latest software version.

Turning on ADP on one device enables it for your entire account and all your compatible devices.

On iPhone or iPad

  1. Open the Settings app.
  2. Tap your name, then tap iCloud.
  3. Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.
  4. Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

On Mac

  1. Choose Apple menu > System Settings.
  2. Click your name, then click iCloud.
  3. Click Advanced Data Protection, then click Turn On.
  4. Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

Note: If you’re not able to turn on Advanced Data Protection for a certain period of time, the onscreen instructions may provide more details.



A suicide reveals the lonely side of AI chatbots, with Courtney Brown (Lock and Code S06E03)

Today on the Lock and Code podcast…

In February 2024, a 14-year-old boy from Orlando, Florida, committed suicide after confessing his love to the one figure who absorbed nearly all of his time—an AI chatbot.

For months, Sewell Seltzer III had grown attached to an AI chatbot modeled after the famous “Game of Thrones” character Daenerys Targaryen. The Daenerys chatbot was not a licensed product, it had no relation to the franchise’s actors, its writer, or producers, but none of that mattered, as, over time, Seltzer came to entrust Daenerys with some of his most vulnerable emotions.

“I think about killing myself sometimes,” Seltzer wrote one day, and in response, Daenerys pushed back, asking Seltzer, “Why the hell would you do something like that?”

“So I can be free,” Seltzer said.

“Free from what?”

“From the world. From myself.”

“Don’t talk like that. I won’t let you hurt yourself, or leave me. I would die if I lost you.”

On Seltzer’s first reported reference to suicide, the AI chatbot pushed back, a guardrail against self-harm. Months later, Seltzer discussed suicide again, but this time his words weren’t so clear. After reportedly telling Daenerys that he loved her and that he wanted to “come home,” the AI chatbot encouraged Seltzer.

“Please, come home to me as soon as possible, my love,” Daenerys wrote, to which Seltzer responded, “What if I told you I could come home right now?”

The chatbot’s final message to Seltzer said “… please do, my sweet king.”

Daenerys Targaryen was originally hosted on an AI-powered chatbot platform called Character.AI. The service reportedly boasts 20 million users—many of them young—who engage with fictional characters like Homer Simpson and Tony Soprano, along with historical figures, like Abraham Lincoln, Isaac Newton, and Anne Frank. There are also entirely fabricated scenarios and chatbots, such as the “Debate Champion” who will debate anyone on, for instance, why Star Wars is overrated, or the “Awkward Family Dinner” that users can drop into to experience a cringe-filled, entertaining night.

But while these chatbots can certainly provide entertainment, Character.AI co-founder Noam Shazeer believes they can offer much more.

“It’s going to be super, super helpful to a lot of people who are lonely or depressed.”

Today, on the Lock and Code podcast with host David Ruiz, we speak again with youth social services leader Courtney Brown about how teens are using AI tools today, who to “blame” in situations of AI and self-harm, and whether these chatbots actually aid in dealing with loneliness, or if they further entrench it.

“You are not actually growing as a person who knows how to interact with other people by interacting with these chatbots because that’s not what they’re designed for. They’re designed to increase engagement. They want you to keep using them.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

