IT NEWS

Meta ignored child sex abuse in VR, say whistleblowers

Two former employees at Meta testified against the company at a Senate hearing this week, accusing it of downplaying the dangers of child abuse in its virtual reality (VR) environment.

The whistleblowers say they saw incidents where children were asked for sex acts and nude photos in Facebook’s VR world, which it calls the ‘metaverse’. This is a completely immersive world that people enter by wearing a Meta virtual reality headset. There, they are able to use a variety of apps that surround them in 360-degree visuals. They can interact with the environment, and with other users.

At the hearing, held by the US Senate Judiciary Subcommittee on Privacy, Technology and the Law, the two former employees warned that Meta deliberately turned a blind eye to potential child harms. It restricted the information that researchers could collect about child safety and even altered research designs so that it could preserve plausible deniability, they said, adding that it also made researchers delete data that showed harm was being done to kids in VR.

“We researchers were directed how to write reports to limit risk to Meta,” said Jason Sattizahan, who researched integrity in Meta’s VR initiative during his six-year stint at the company. “Internal work groups were locked down, making it nearly impossible to share data and coordinate between teams to keep users safe. Mark Zuckerberg disparaged whistleblowers, claiming past disclosures were ‘used to construct a false narrative’”.

“When our research uncovered that underage children using Meta VR in Germany were subject to demands for sex acts, nude photos and other acts that no child should ever be exposed to, Meta demanded that we erase any evidence of such dangers that we saw,” continued Sattizahan. The company, which completely controlled his research, demanded that he change his methods to avoid collecting data on emotional and psychological harm, he said.

“Meta is aware that its VR platform is full of underage children,” said Cayce Savage, who led research on youth safety and virtual reality at Meta between 2019 and 2023. She added that recognizing this problem would force the company to kick them off the system, which would harm its engagement numbers. “Meta purposely turns a blind eye to this knowledge, despite it being obvious to anyone using their products.”

The dangers to children in VR are especially severe, Savage added, arguing that real-life physical movements made using the headsets and their controllers are required to affect the VR environment.

“Meta is aware that children are being harmed in VR. I quickly became aware that it is not uncommon for children in VR to experience bullying, sexual assault, to be solicited for nude photographs and sexual acts by pedophiles, and to be regularly exposed to mature content like gambling and violence, and to participate in adult experiences like strip clubs and watching pornography with strangers,” she said, adding that she had seen these things happening herself. “I wish I could tell you the percentage of children in VR experiencing these harms, but Meta would not allow me to conduct this research.”

In one case, abusers coordinated to set up a virtual strip club in the app Roblox and pay underage users the in-game currency, ‘Robux’, to have their avatars strip in the environment. Savage said she told Meta not to allow the app on its VR platform. “You can now download it in their app store,” she added.

This isn’t the first time that Meta has been accused of ignoring harm to children. In November 2023, a former employee warned that the company had ignored sexual dangers for children on Instagram, testifying that his own child had received unsolicited explicit pictures. In 2021, former employee Frances Haugen accused the company of downplaying risks to young users.

Facebook has reportedly referred to the “claims at the heart” of the hearing as “nonsense”.

Senator Marsha Blackburn, who chaired the meeting, has proposed the Kids Online Safety Act to force platforms into responsible design choices that would prevent harm to children.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fake Bureau of Motor Vehicles texts are after your personal and banking details

Scammers are sending out texts that claim to be from the Bureau of Motor Vehicles (BMV), saying that you have outstanding traffic tickets.

Here’s an example, which was sent to one of our employees.

[Image: screenshot of the BMV scam text message]

“Ohio (BMV) Final Notice: Enforcement Begins September 10nd.

Our records indicate that as of today, you still have an outstanding traffic ticket. Pursuant to Ohio Administrative Code 15C-16.003, if you fail to pay by September 9, 20025, we will take the following actions:

1. Report to the BMV violation database

2. Suspend your vehicle registration effective September 9st

3. Suspend your driving privileges for 30 days

4. Pay a 35% service fee at toll booths

5. You may be prosecuted, and your credit score will be affected.

Pay Now:

link

Please pay immediately before enforcement begins to avoid license suspension and further legal trouble. (Reply Y and reopen this message, or copy it to your browser.)

The Ohio Department of Public Safety actually warned about this scam a few months ago, and the Bowling Green (OH) Police Division repeated that warning on Facebook this week.

The people in Ohio are not alone. We found similar warnings issued by the Indiana DMV, Colorado DMV, West Virginia DMV, Hawaii County, Arizona Department of Transportation, and the New Hampshire DMV.

If you click the link in the message, you’ll be taken to a website that mimics that of the department in question. The site contains a form to fill out your personal details and payment information, which can then be used for financial fraud or even identity theft.

The scam messages all look the same except for the domains, which are rotated quickly, as is usual in these campaigns. Because they all come from the same campaign, they are easy to recognize.

Red flags in the scam text:

There are some tell-tale signs in these scams which you can look for to recognize them as such:

  1. Spelling and grammar mistakes: the scammers seem to have problems with formatting dates. For example “September 10nd”, “9st” (instead of 9th or 1st).
  2. Urgency: you only have one or two days to pay. Or else…..
  3. The over-the-top threats: Real agencies won’t say your “credit score will be affected” for an unpaid traffic violation.
  4. Made-up legal codes: “Ohio Administrative Code 15C-16.003” doesn’t match any real Ohio BMV administrative codes. When a code looks fake, it probably is!
  5. Sketchy payment link: Real BMVs don’t send urgent “pay now or else” links by text. If you pay through the link, your wallet—or worse, your identity—is the real victim here.
  6. Vague or missing personalization: Genuine government agencies tend to use your legal name, not a generic scare message sent to many people at the same time.

How to stay safe

Recognizing scams is the most important part of protecting yourself, so always consider these golden rules:

  • Always search phone numbers and email addresses to look for associations with known scams.
  • When in doubt, go directly to the website of the organization that contacted you to see if there are any messages for you.
  • Do not get rushed into decisions without thinking them through.
  • Do not click on links in unsolicited text messages.
  • Do not reply, even if the text message explicitly tells you to do so.

If you have engaged with the scammers’ website:

  • Immediately change your passwords for any accounts that may have been compromised. 
  • Contact your bank or financial institution to report the incident and take any necessary steps to protect your accounts, such as freezing them or monitoring for suspicious activity. 
  • Consider a fraud alert or credit freeze. To start layering protection, you might want to place a fraud alert or credit freeze on your credit file with all three of the primary credit bureaus. This makes it harder for fraudsters to open new accounts in your name.
  • US citizens can report confirmed cases of identity theft to the FTC at identitytheft.gov.

Indicators of Compromise (IOCs)

We found the following domains involved in these scams, but there are probably many, many more. Hopefully it will give you an idea of what type of links the scammers are using:

https://ohio.dtetazt[.]shop/bmv?cdr=Bue4ZZ
https://askasas[.]top/portal
https://dmv.colorado-govw[.]icu/us



When AI chatbots leak and how it happens

In a recent article on Cybernews there were two clear signs of how fast the world of AI chatbots is growing. A company I had never even heard of had over 150 million app downloads across its portfolio, and it also had an exposed unprotected Elasticsearch instance.

This needs a bit of an explanation. I had never heard of Vyro AI, a company that probably still doesn’t ring many bells, but its app ImagineArt has over 10 million downloads on Google Play. Vyro AI also markets Chatly, which has over 100,000 downloads, and Chatbotx, a web-based chatbot with about 50,000 monthly visits.

An Elasticsearch instance is a database server running software used to store and search large amounts of data quickly. If it is unsecured because it lacks passwords, authentication, or network restrictions, anyone with internet access who happens to find it can reach it. Without such protection, whoever finds the database online can read, copy, change, or even delete all its data.

The researcher who found the database says it covered both production and development environments and stored about 2–7 days’ worth of logs, including 116GB of user logs in real time from the company’s three popular apps.

The information that was accessible included:

  • AI prompts that users typed into the apps. AI prompts are the questions and instructions that users submit to the AI.
  • Bearer authentication tokens, which function similarly to cookies so the user does not have to log in before every session, and allow the user to view their history and enter prompts. An attacker could even hijack an account using these tokens.
  • User agents which are strings of text sent with requests to a server to identify the application, its version, and the device’s operating system. For native mobile apps, developers might include a custom user agent string within the HTTP headers of their requests. This allows developers to identify specific app users, and tailor content and experiences for different app versions or platforms.
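The three data types listed above are exactly what should never reach a search index in the clear. As an added example (not Vyro AI's code or anything from the original article), here is a log scrubber that fingerprints bearer tokens and drops prompt text before a record is shipped; the record layout and the sample values are constructed for this illustration.

```python
"""Scrub secrets from request logs before they are indexed (added example)."""
import hashlib
import json
import re

# Matches "Bearer <token>" wherever it appears in a string value.
_BEARER = re.compile(r"(?i)bearer\s+([A-Za-z0-9._\-]+)")
MAX_PROMPT_CHARS = 0  # 0: never keep prompt text, only its length


def _fingerprint(secret: str) -> str:
    """Short one-way tag so log lines from the same token can still be correlated."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def _redact(match) -> str:
    return f"Bearer <redacted:{_fingerprint(match.group(1))}>"


def scrub_record(record: dict) -> dict:
    """Return a copy of one log record that is safe to ship to a search index.

    - authorization header: token replaced by a sha256 fingerprint
    - prompt: replaced by prompt_len (or truncated if MAX_PROMPT_CHARS > 0)
    - user_agent and other fields: kept, after redacting any embedded bearer token
    - nested dicts (e.g. a headers object): scrubbed recursively
    """
    out = {}
    for key, value in record.items():
        if isinstance(value, dict):
            out[key] = scrub_record(value)
        elif key.lower() == "authorization" and isinstance(value, str):
            out[key] = _BEARER.sub(_redact, value) if _BEARER.search(value) else "<redacted>"
        elif key == "prompt" and isinstance(value, str):
            out["prompt_len"] = len(value)
            if MAX_PROMPT_CHARS:
                out["prompt"] = value[:MAX_PROMPT_CHARS]
        elif isinstance(value, str):
            out[key] = _BEARER.sub(_redact, value)
        else:
            out[key] = value
    return out


def scrub_line(line: str) -> str:
    """Scrub one JSON log line; a non-JSON line only gets bearer tokens blanked."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return _BEARER.sub("Bearer <redacted>", line)
    if not isinstance(record, dict):
        return _BEARER.sub("Bearer <redacted>", line)
    return json.dumps(scrub_record(record), sort_keys=True)


# Constructed sample record; the app name, token and prompt are made up.
SAMPLE_RECORD = {
    "ts": "2025-02-15T10:00:00Z",
    "app": "example-image-app",
    "authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.made-up-token",
    "user_agent": "ExampleApp/3.2 (Android 14)",
    "prompt": "draw a cat wearing a spacesuit",
    "path": "/v1/generate",
}
SAMPLE_LINE = json.dumps(SAMPLE_RECORD)
```

Scrubbing at the producer does not replace authentication and network restrictions on the index itself; it limits what an open index can leak.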

The researcher found that the database was first indexed by IoT search engines in mid-February. IoT search engines actively find and list devices or servers that anyone can access on the internet. They help users discover vulnerable devices (such as cameras, printers, and smart home gadgets) and also locate open databases.

This means that attackers have had a chance to “stumble” over this open database for months. And with the information there they could have taken over user accounts, accessed chat histories and generated images, and made fraudulent AI credit purchases.

How does this happen all the time?

Generative AI has found a place in many homes and even more companies, which means there is a lot of money to be made.

But the companies delivering these AI chatbots feel they can only stay relevant by pushing out new products, so their engineering effort goes where the money is. Security and privacy concerns are secondary at best.

Just looking at the last few months, we have reported about:

  • Prompt injection vulnerabilities, where someone inserts carefully crafted input in the form of an ordinary conversation or data, to nudge or outright force an AI into doing something it wasn’t meant to do.
  • An AI chatbot used to launch a cybercrime spree where cybercriminals were found to be using a chatbot to help them defraud people and breach organizations.
  • AI chats showing up in Google search results. These findings concerned Grok, ChatGPT, and Meta AI (twice).
  • An insecure backend application that exposed data about chatbot interactions of job applicants at McDonalds.

As diverse as the causes of the data breaches are—they stem from a combination of human error, platform weaknesses, and architectural flaws—the call to do something about them is starting to get heard.

Hopefully, 2025 will be remembered as a starting point for compliance regulations in the AI chatbots landscape.

The AI Act is a European regulation on artificial intelligence (AI). The Act entered into force on August 1, 2024, and is the first comprehensive regulation on AI by a major regulator anywhere.

The Act assigns applications of AI to three risk categories. First, applications and systems that create an unacceptable risk, such as government-run social scoring of the type used in China, are banned. Second, high-risk applications, such as a CV-scanning tool that ranks job applicants, are subject to specific legal requirements. Lastly, applications not explicitly banned or listed as high-risk are largely left unregulated.

Although not completely ironed out, the NIS2 Directive is destined to have significant implications for AI providers, especially those operating in the EU or serving EU customers. Among others, AI model endpoints, APIs, and data pipelines must be protected to prevent breaches and attacks, ensuring secure deployment and operation.

And, although not cybersecurity related, the California State Assembly took a big step toward regulating AI on September 10, 2025, passing SB 243: a bill that aims to regulate AI companion chatbots in order to protect minors and vulnerable users. One of the major requirements is repeated warnings that the user is “talking to” an AI chatbot and not a real person, and that they should take a break.



‘Astronaut-in-distress’ romance scammer steals money from elderly woman

A Japanese octogenarian from Hokkaido Island lost thousands of dollars after being scammed by someone who described himself as a desperate astronaut in need of help.  

According to Hokkaidō Broadcasting, police in Sapporo say the fraudster contacted the woman on social media in July. After several weeks of exchanging messages, the ‘astronaut’ claimed he was under attack in space and asked her to send money for “life-saving oxygen” through prepaid systems at five different convenience stores in the city.

The money requests escalated as the woman got more romantically attached to the scammer, resulting in a total loss of around 1 million Yen (US$6,700). At that point she told her family and reported the scam to the police.

Romance scammers typically target individuals on social media or online dating platforms, building trust over time, before convincing victims to send money, personal information, or valuable items—sometimes to help the scammer launder funds or goods. 

These scams have grown significantly in recent years, driven by the widespread loneliness epidemic and the increase in online activity. 

Police in Sapporo’s Teine district are now treating the case as a romance scam and have warned residents to be cautious of similar social media encounters. 


How to stay safe from romance scammers 

It’s very easy to look at a case like this and think “How could they not know they were being scammed?” But anyone can fall for a scam, especially as scammers get more and more sophisticated and their use of AI increases.

Here are some tips to stay safe:

  • Don’t send money or disclose sensitive information to anyone you have never met in person. 
  • Take it slow and read back answers. Scammers usually have a playbook, but sometimes you can spot inconsistencies in their answers. 
  • Cut them off early. As soon as you suspect you are dealing with a scammer, stop responding. Don’t fall for sob stories or even physical threats they’ll use to keep the connection alive.
  • Check their profile picture using an online search. You may find other profiles with the same picture (a huge red flag) or even reports of scammers using that picture.
  • If they ask you to move to another platform to chat, this is another red flag. They are not doing this for privacy reasons, but to stay under the radar of the platform where they first contacted you. 
  • Consult with a financial advisor or investment professional who can provide an objective opinion if you’re offered an investment opportunity. 
  • Share examples (anonymized) to help others. One way to do this is to use Malwarebytes Scam Guard, which also helps you assess if a message is a scam or not. 
  • Don’t do this alone. If you have any doubts, share your concerns with someone in your life that you trust. Their perspective may keep your feet on the ground. 
  • If you encounter something suspicious, report it to the appropriate authorities—such as local law enforcement or the FBI via its Internet Crime Complaint Center. Your actions could prevent others from falling victim.   


Ransomware attack at blood center: Org tells users their data’s been stolen

A blood center has begun sending data breach notifications to its users after suffering a ransomware attack and theft of personal data.

The New York Blood Center (NYBC) suffered the ransomware attack in January, when an unauthorized party gained access to its network and acquired copies of a subset of files. The security incident was first noticed on January 26, 2025, but NYBC only started notifying victims this week.

NYBC publicly acknowledged the scale but has not issued a precise number of affected people due to ongoing investigations and limitations in contact information for all service recipients. Based on documents that NYBC submitted to regulators in several states, hackers could have stolen information belonging to at least tens of thousands of people.

NYBC ranks among the largest independent community-based blood collection organizations in the US. It serves over 75 million people across more than 17 states and delivers about one million lifesaving blood products annually.

The information varies per affected individual but can include:

  • Name
  • Social Security number
  • Driver’s license or other government identification card number.
  • Financial account information if you participated in direct deposit.

NYBC also provides clinical services and diagnostic blood testing, for which it needs clinical information from healthcare providers. New York Blood Center Enterprises said some of this information was also accessed by the attackers during the incident.

So far it is unknown which ransomware group might have been behind the attack, and we have seen no threats to publish or sell the acquired data. But this could change quickly once negotiations about the ransom come to an end without the cybercriminals getting paid what they demand.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

Pre-approved GLP-1 prescription scam could be bad for your health

A co-worker received a text which is, unfortunately, becoming more common. The text pretends to come from a doctor and states a weight-loss medication prescription has been approved.

[Image: screenshot of the prescription scam text]

“Good morning. This is Dr. Santos. I pre-approved your GLP1 prescription. You may start treatment as of 09/04. {followed by a link}”

Signs it’s a scam

  1. The message claims to be from “Dr. Santos,” a doctor the recipient does not know.
  2. The text references a GLP-1 prescription. GLP-1 drugs (like Ozempic, Wegovy, and Mounjaro) are legitimate prescription medications for diabetes and weight loss, but they should only be prescribed by a health professional after an in-person consultation. No real provider would cold-text a random person about starting such treatment.
  3. The sender’s number appears to be in Texas while our co-worker lives in California. That is one long-distance prescription.
  4. The linked website does not match any real medical or pharmacy provider and is not a site known for drug fulfillment.

What’s more, when we visited the page with a US IP address, we received a Browser Guard warning:

[Image: Malwarebytes Browser Guard warning about the tracking site]

The site tried to redirect me to a known phishing domain while sending some information in the URL which might be used to identify which of the targets clicked the link.

[Image: savezmeet[.]com blocked in Chrome]

The use of a dedicated tracker subdomain (track.savezmeet[.]com) matches common phishing infrastructure, where user data is collected as soon as the victim clicks and before further redirection occurs.

URL parameters are routinely used in phishing to uniquely identify visitors and record who clicked which phishing SMS. In this case we suspect:

  • {var1} may refer to the vector or campaign type (“txt1” = SMS/text campaign).
  • {var2} is empty, possibly reserved for an additional variable (such as a tracking code or message ID).
  • {var3} is a 10-digit number meeting the format of a US phone number, which may be mapped to the target.

So we visited the URL after replacing the receiving phone number with the sender’s, and lo and behold, we got what we expected.

[Image: the weight-loss scam website]

According to our telemetry, we first saw track.savezmeet[.]com URLs in this format on August 2. Malwarebytes has blocked MyStartHealth.com since March 2025.

What you get if you decide to buy there is probably not recommended. The website explicitly sells compounded GLP-1 products (not FDA approved), with the disclaimer buried in legalese and a clear acknowledgment that these are not branded or FDA-validated versions of Ozempic, Wegovy or any other GLP-1s.

And it’s not just an issue in the US: the EU recently issued a warning about a sharp rise in illegal medicines sold in the EU.

“In recent months there has been a sharp rise in the number of illegal medicines marketed as GLP-1 receptor agonists such as semaglutide, liraglutide and tirzepatide for weight loss and diabetes. These products, often sold via fraudulent websites and promoted on social media, are not authorised and do not meet necessary standards of quality, safety and efficacy.”

So, besides social media, we can add cold texts as a means of promoting these products in the US.

Avoiding weight-loss scams

Before buying weight-loss products, there are a few pointers you can use:

  • Never follow unsolicited links in social media posts, text messages, or emails.
  • Don’t let anybody rush you into buying anything.
  • Read the fine print. Often this will tell you that you are signing up for a monthly subscription model instead of a one-time payment.
  • Research the name of the product the scammers are selling. In many cases you will find the name associated with scams.
  • If you have bought one of these products, keep an eye on your financial accounts, because some scammers might use your card for other transactions.
  • If you’re not sure if a text message is trustworthy, submit it to Malwarebytes Scam Guard and we will tell you if it’s likely genuine or a scam.
  • Use an active security solution that blocks malicious domains.

[Image: Malwarebytes blocks mystarthealth.com]

Indicators of compromise (IOCs)

Phone number: +1(682) 416-2557

Domains:

andkovz[.]com

savezmeet[.]com

mystarthealth[.]com



Plex users: Reset your password!

Media streaming platform Plex has warned customers about a data breach, advising them to reset their password.

Plex said an attacker broke into one of its databases, allowing them to access a “limited subset” of customer data. This included email addresses, usernames, hashed passwords, and authentication data.

“Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account… Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.”

Hashing is a way to protect users’ passwords by transforming them into a scrambled and unreadable format before storing them. Think of it like turning a password into a unique “fingerprint” made of random letters and numbers that doesn’t resemble the original password. This scrambled form is called a hash, and it is created using a special mathematical process called a hash function.

The main point about hashing is that it is a one-way process: once a password is hashed, it cannot be reversed or decrypted back into the original password. When you log in, the system hashes the password you enter and compares that to the stored hash. If they match, you get access. This means companies never store your real, plain text password, which helps keep your credentials safe even if their database is hacked.

The downside is that some systems are vulnerable to pass-the-hash attacks where an attacker can sign in by only knowing the hash. But those are mainly a concern in Windows network environments.

In the case of the Plex breach, pass-the-hash attacks are less of a worry for regular users. Plex uses hashed passwords for user login to its streaming platform, not for network-level authentication, so a stolen Plex hash does not let an attacker authenticate anywhere without cracking it first.
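To make the hash-and-compare login flow and the pass-the-hash point concrete, here is an added example (not Plex's code; Plex has only said its passwords were "securely hashed", not which algorithm). It uses salted PBKDF2-HMAC-SHA256 from the Python standard library as one widely available choice; the iteration count and storage format are assumptions.

```python
"""Salted, slow password hashing and verification (added example)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # cost factor: slows down offline guessing of leaked hashes


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' for storage.

    A fresh random salt per user means two users with the same password get
    different hashes, so a precomputed table is useless against a leaked dump.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Re-hash what the user typed with the stored salt; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def pass_the_hash_works(stored: str) -> bool:
    """Does presenting the stored hash itself as the 'password' log you in?

    For a web login that re-hashes whatever is submitted, it does not: the
    server hashes the hash string and gets a different digest. This is the
    difference from Windows pass-the-hash, where the protocol accepts the
    hash itself as the credential.
    """
    return verify_password(stored, stored)
```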

However, as a precaution, Plex users should still follow the instructions from the company, below.

What Plex asks users to do

If you normally log in using a password: Reset your Plex account password immediately by visiting https://plex.tv/reset. During the reset process you’ll see a checkbox to “Sign out connected devices after password change,” which the company recommends you enable. This will sign you out of all your devices (including any Plex Media Server you own). After the reset you’ll need to sign back in with your new password.

If you normally log in using Single Sign-On: Log out of all active sessions by visiting http://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

For further account protection, we also recommend enabling two-factor authentication (2FA) on your Plex account if you haven’t already done so.

Look out for any phishing attempts that may try to prey on this incident. Plex has said that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.



Popeyes, Tim Hortons, Burger King platforms have “catastrophic” vulnerabilities, say hackers

Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).

RBI is one of the world’s largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain Burger King and the Canadian coffee and restaurant chain Tim Hortons. Since then, RBI has expanded its brand portfolio to include Popeyes Louisiana Kitchen, acquired in 2017, and Firehouse Subs. It operates a global network of over 32,000 restaurants across more than 120 countries and territories.

The two researchers who scrutinized the security were far from impressed. Their blog post, now removed but archived, states:

“Their security was about as solid as a paper Whopper wrapper in the rain.
We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire. From a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too.”

The researchers say they found that RBI uses AWS Cognito but forgot to turn off user signups. AWS Cognito is a managed service from Amazon Web Services that helps developers handle user signups, sign-ins, and access control without building these features from scratch.

Disabling user signups is important to make sure that only authorized personnel get accounts, which may be created and managed centrally by IT administrators. This approach reduces the attack surface by blocking open self-registration and unauthorized account creation, which is critical for protecting sensitive internal resources and services. Administrators can then validate and approve accounts before enabling user access to applications managed via Cognito.

After managing their way in through that gateway, the researchers said they realised they could have saved themselves the trouble, because they found an even easier signup endpoint that bypassed email verification entirely and emailed the new account’s password in plain text.
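The check a defender would run for the Cognito misconfiguration described above, as an added example that is not the researchers’ or RBI’s code. It works on the JSON that `aws cognito-idp describe-user-pool` returns; the sample responses and pool IDs are constructed placeholders.

```python
"""Audit Amazon Cognito user pools for open self-registration.
Added example, not the researchers' or RBI's code. It works on the JSON that
`aws cognito-idp describe-user-pool` returns; the responses below are
constructed and the pool IDs are placeholders."""
from typing import Iterable, List

def allows_self_signup(user_pool: dict) -> bool:
    """True when anyone can call SignUp against the pool.
    AllowAdminCreateUserOnly sits under AdminCreateUserConfig and defaults to
    False, so a pool with no such block at all is open."""
    cfg = user_pool.get("AdminCreateUserConfig") or {}
    return not cfg.get("AllowAdminCreateUserOnly", False)

def open_signup_pools(describe_responses: Iterable[dict]) -> List[str]:
    """IDs of pools that still allow self-registration."""
    return [r["UserPool"]["Id"] for r in describe_responses
            if allows_self_signup(r["UserPool"])]

def remediation_command(pool_id: str) -> str:
    """CLI command restricting account creation to administrators.
    Caveat: update-user-pool resets any setting you omit to its default, so
    pass the pool's other settings too (or fix it in IaC/console) rather than
    running this single-flag form on a production pool."""
    return ("aws cognito-idp update-user-pool "
            f"--user-pool-id {pool_id} "
            "--admin-create-user-config AllowAdminCreateUserOnly=true")

# Constructed sample responses in the shape describe-user-pool returns.
SAMPLE_RESPONSES = [
    {"UserPool": {"Id": "us-east-1_OPENPOOL1", "Name": "assistant-prod",
                  "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}},
    {"UserPool": {"Id": "us-east-1_NOCONFIG2", "Name": "legacy-portal"}},
    {"UserPool": {"Id": "us-east-1_LOCKED003", "Name": "staff-only",
                  "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}},
]

if __name__ == "__main__":
    for pid in open_signup_pools(SAMPLE_RESPONSES):
        print(f"OPEN SIGNUP: {pid}\n  fix: {remediation_command(pid)}")
```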

The researchers say they found three assistant platforms (domains bk.com, popeyes.com, and timhortons.com) were all vulnerable and could enable an attacker to:

  • Access voice recordings of customer orders
  • Add/remove/manage franchise stores
  • View and edit employee accounts
  • Access store analytics and sales data
  • Upload files and send notifications to any store’s systems
  • Use a self-install device ordering system (with the password hard coded into the HTML)

They also say they found that the voice recordings of customer orders, raw audio files of real people ordering food, complete with background conversations, car radios, and sometimes personally identifiable information (PII), were fed into an AI to analyze things like:

  • Customer sentiment
  • Employee friendliness levels
  • Upsell success rates
  • Order processing times
  • How many times employees said “You rule” (because that’s definitely a crucial business metric)

The only good thing about this story is that, despite the researchers finding all these vulnerabilities in one day, RBI fixed them the same day, though apparently without acknowledging the researchers or commenting on the vulnerabilities.

If you were involved in this or any other data breach, please read: Involved in a data breach? Here’s what you need to know.

Do not share further personal information. Avoid sharing additional personal details publicly on social media or online directories that could be linked to your exposed information. You can check what information is already out there about you by using our free Digital Footprint Scanner.


Google misled users about their privacy and now owes them $425m, says court

A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy.

In July 2020, Google user Anibal Rodriguez filed a lawsuit against the search giant, arguing that it misled users with its “Web & App Activity” setting. The setting was supposed to stop Google collecting data about users’ activities online and in apps.

In reality, Google continued to collect data about how people were using their apps even after they had switched off data collection in the Web & App Activity setting, although it said that it was anonymizing that data.

The company collected this information via Firebase, a database that it uses to monitor activity across 1.5 million apps for analytics purposes and which operates separately from the Web & App Activity setting. It’s reportedly in 97% of the top thousand Android apps, and 54% of leading iOS apps. Google harvested data from apps including Uber, Venmo, Shazam, the New York Times, Duolingo, and Instagram.

This arrangement created a dual data collection system. The case, which became a class action suit, argued that it misled 98 million Google users into thinking that their actions were completely private.

Google’s lawyers protested that users were properly informed about how the company collects information and what it does with it. They pointed out that when confirming their choice, Google displays an “Are You Sure?” prompt that lets them check on what information Google collects, according to Bloomberg Law.

This clearly didn’t resonate with jurors, one of whom said after the verdict that Google needed to be clearer in how it communicated its data handling to its users. They’re generally “skimmers, not readers”, he said.

Plaintiffs originally asked for $31bn in damages, but the amount awarded is far less, equating to around $4 per user.

Nevertheless, Google plans to appeal. “This decision misunderstands how our products work,” its spokesperson Jose Castaneda reportedly said. “Our privacy tools give people control over their data, and when they turn off personalization, we honor that choice.”

A history of questionable tactics

This isn’t the first time that Google has been found guilty of misleading users. In February 2023, it agreed to pay $392m in a settlement with 40 states for storing users’ locations when it told them it wouldn’t. It coughed up another $40m in a separate arrangement with Washington state later that year and also settled with Arizona for $85m.

In December 2023, the search giant also settled a class action over alleged misleading language in its incognito mode service, which promised not to collect data about browsing activity but actually did. To settle that claim it deleted records, at an estimated cost of at least $5bn, but didn’t pay damages to users. However, in May this year it settled with Texas to pay $1.38bn to resolve the state’s own claims in the location and incognito mode affairs.

One interesting snippet is that Google has a habit of keeping its privacy claims deliberately vague internally, because it knows that explaining exactly what it keeps might alarm users. In a ruling that denied a motion to dismiss the Web & App Activity-related case in January, district judge Richard Seeborg said:

“Internal Google communications also indicate that Google knew it was being ‘intentionally vague’ about the technical distinction between data collected within a Google account and that which is collected outside of it because the truth ‘could sound alarming to users.’”

Google executives had also privately discussed the need to soften the privacy language in the company’s services to avoid alarming users of incognito mode. The message here to Joe and Jane Public is even clearer now than it was before: take privacy claims from big tech vendors with the skepticism they deserve, and adopt the ‘mom rule’ when dealing with them: never let them see anything you wouldn’t want them to know.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

iCloud Calendar infrastructure abused in PayPal phishing campaign

Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they’re not abusing PayPal’s platform, but iCloud Calendar invites.

Our friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers.

Purchase invoice

“Pedro McCarthy invited you to ‘Purchase Invoice’.

Purchase Invoice

Hello Customer,
Your PayPal account has been billed $599.00
We’re confirming receipt of your recent payment. Below are the details:
Invoice ID: AFER13VD

Date: AUG 28, 2025

Amount: USD 599.00

If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902 8579”

The sender email address shows as noreply@email.apple.com which helps it pass every imaginable email security check since it actually came from an Apple server. This happens because it is an iCloud Calendar invite, with the phishing text written in the “Notes” field.

The recipient address on the invite shows a Microsoft 365 account controlled by the phishers. When such an iCloud Calendar event is created with external people added to the invite, an email is sent from Apple’s servers in the iCloud Calendar owner’s name, with the email address noreply@email.apple.com.

The Microsoft 365 account is very likely a mailing list holding the email addresses of the targets in this campaign. This method allows the phishers to take advantage of Microsoft 365’s implementation of the Sender Rewriting Scheme (SRS), a technical method used to make email forwarding work smoothly without breaking anti-spoofing protections.

Because the rewritten sender address now belongs to the forwarding domain (e.g., Microsoft 365) it doesn’t trigger any alarms. Meanwhile, the “From” address you see in your email program remains the same as the original sender, so the email looks legitimate to the recipient—especially when that address belongs to Apple.
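The enrichment a mail filter or analyst would apply to such a relayed invite, as an added example that is not code from the article, Apple or Microsoft. It parses the SRS-rewritten Return-Path back to the original sender and forwarder, then combines that with the other signs this story describes (recipient not in To/Cc, a call-back phone number in the invite text); the message, tenant name and phone number are constructed.

```python
"""Enrich a forwarded calendar invite with what a mail filter should know.
Added example, not code from the article, Apple or Microsoft; the message,
tenant and phone number are constructed. Recognises SRS0= and the Microsoft
365 '<mailbox>+SRS=' rewrite."""
import email
import re
from email.utils import getaddresses, parseaddr
from typing import Optional

SRS_RE = re.compile(r"^(?:SRS0|[^+]+\+SRS)=[^=]+=[^=]+=(?P<domain>[^=]+)"
                    r"=(?P<local>.+)@(?P<forwarder>[^@]+)$", re.IGNORECASE)
PHONE_RE = re.compile(r"(?:\+\d{1,2}\s*){1,2}\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def parse_srs(return_path: str) -> Optional[dict]:
    """Recover the pre-forwarding sender and the forwarder from an SRS address."""
    m = SRS_RE.match(return_path.strip("<> "))
    if not m:
        return None
    return {"original": f"{m['local']}@{m['domain']}".lower(),
            "forwarder": m["forwarder"].lower()}

def assess_invite(raw_message: str, delivered_to: str) -> dict:
    """The visible From is a genuine no-reply address, but the envelope was
    rewritten by an unrelated tenant, the mailbox is not in To/Cc and the
    invite text carries a call-back number: the combination this campaign uses."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    srs = parse_srs(msg.get("Return-Path", ""))
    signals = []
    if srs and srs["forwarder"] != from_domain and srs["original"].endswith("@" + from_domain):
        signals.append(f"relayed through unrelated forwarder {srs['forwarder']}")
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if delivered_to.lower() not in rcpts:
        signals.append("delivered to a mailbox not in To/Cc (list forwarding)")
    if PHONE_RE.search(msg.get_payload()):
        signals.append("phone number in invite body (call-back lure)")
    return {"from_domain": from_domain, "srs": srs, "signals": signals}

RAW_INVITE = """\
Return-Path: <bounces+SRS=AbC12=Xy=email.apple.com=noreply@contoso.onmicrosoft.com>
From: Pedro McCarthy <noreply@email.apple.com>
To: invoices@contoso.onmicrosoft.com
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account has been billed $599.00. Call +1 +1 (555) 010 0199
END:VEVENT
END:VCALENDAR
"""
```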

A call-back phishing campaign is usually set up to entrap targets that decide to call the number listed in the invitation. They’ll be asked to download something under false pretences, which often turns out to be a remote desktop client or information-stealing malware—which will then be used to drain all your accounts.

How to stay safe

Don’t be fooled by the legitimate sender email address. Besides spoofing a sender email address, criminals are finding other ways to abuse big tech infrastructure and make it look as if an email came from a legitimate company.

The email has many of the usual signs of a phishing mail:

  • Urgency is imposed by a large amount being billed
  • Generic greetings: “Hello customer” and not your name.
  • The receiver’s email address is not yours.
  • The error in the phone number (the +1 appears twice)

What you can do:

  • Always search phone numbers and email addresses to look for associations with known scams.
  • Log in directly at PayPal.com to see if there are any messages in your account.
  • Enable two-factor authentication (2FA) on your PayPal account to add an extra layer of security to your financial accounts and help prevent scammers getting in.
  • Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!