IT News

Peer-to-peer lending marketplace Prosper detected unauthorized activity on their systems on September 2, 2025.

It published an FAQ page later that month to address the incident. During the incident, the attacker stole personal information belonging to Prosper customers and loan applicants.

As Prosper stated:

“We have evidence that confidential, proprietary, and personal information, including Social Security numbers, was obtained, including through unauthorized queries made on Company databases that store customer and applicant data.”

While Prosper did not share the number of affected people, BleepingComputer reported that it affected 17.6 million unique email addresses.

The stolen data associated with the email addresses reportedly includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user-agent details.

Prosper advised that no one gained unauthorized access to customer accounts or funds and that their customer-facing operations continued without interruption.

Even without account access, the stolen data is more than enough to fuel targeted, personalized phishing and even identity theft. The investigation is still ongoing but Prosper has promised to offer free credit monitoring, as appropriate, after determining what data was affected.

Protecting yourself after a data breach

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
• Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

It might surprise some that a security company would choose WordPress as the backbone of its digital content operations. After all, WordPress is often associated with open-source plugins, community themes, and a wide range of deployment practices—some stronger than others. But that perception overlooks what modern WordPress can deliver when it’s architected, operated, and governed with discipline. In our Digital Experience Platform (DXP) at Malwarebytes, WordPress serves as the content layer—an editorial hub that feeds multiple customer experiences.

The reason is pragmatic and security-forward. WordPress offers transparency (open code and ecosystem), control (self-hosted in our environment, with strict governance), and maturity (a seasoned core with an established security model). Combined with a decoupled architecture, strong identity and access controls, rigorous supply chain management, and a hardened infrastructure, WordPress becomes an ideal content engine for an enterprise-grade, security-first DXP within an enterprise-grade MarTech stack.

DXP vision and the role of WordPress

When we say DXP, we mean the orchestration layer that brings together content, personalization, analytics, experimentation, commerce, support experiences, and more. It’s not a single product; it’s the way we coordinate systems to deliver cohesive customer journeys across web, mobile, and product surfaces.

In that model, WordPress is our content authoring hub. Editors draft, review, and publish content once; APIs then power multiple front-ends—websites built with Next.js/React, mobile applications, and support portals. This headless pattern decouples the authoring experience from delivery.

Why decouple?

By delivering both static and server-side rendered (SSR) pages directly from the edge, we meet aggressive latency goals and excel in Core Web Vitals scores on a global scale. This approach ensures content is as close as possible to end users, providing consistently fast load times regardless of location. Our architecture isolates site performance from backend processes, meaning bursts of traffic or complex deployments don’t degrade the visitor experience.

Security isolation is equally foundational to our platform design. The public-facing runtime never exposes the WordPress admin interface or control endpoints—instead, these administrative components reside securely behind private networking, protected by robust access controls and authentication. This segmentation shields both business-critical operations and sensitive data, lowering the attack surface and reducing risk without impeding editors or developers.

This architecture also boosts development velocity. Front-end engineers can iterate rapidly, independently releasing new features or improvements without being bottlenecked by backend deployments. At the same time, content editors retain full publishing agility via the headless CMS, able to launch and update site content at will. This parallel, decoupled workflow ensures that technical and editorial teams each operate at their highest efficiency, supporting an environment of continuous innovation and timely content delivery.

How speed helps security

Rapid and reliable deployments are a cornerstone of our security posture, empowering us to respond quickly to new threats and vulnerabilities. By streamlining and automating our release processes, we can efficiently ship patches and mitigations as soon as issues arise, minimizing the window of exposure. Equally important, our deployment pipelines are built to support safe rollbacks, allowing us to confidently revert any changes that introduce instability or unexpected behavior—maintaining operational continuity no matter how urgent the circumstances.

Shortening our development and deployment cycle is not just about speed—it’s one of the most effective security controls we employ. Frequent, predictable deploys mean our systems are always running the latest protections and bug fixes, dramatically reducing the risks associated with outdated code or configurations. This agility ensures we stay ahead of evolving threats, support innovation without sacrificing safety, and adapt to changing requirements with minimal disruption, making security a continuous, integrated aspect of our delivery workflow.

Why WordPress aligns with security-first

Open-source transparency matters. With WordPress, we can inspect every line of core and plugin code, run our own audits, and make informed decisions about the attack surface. The community’s response to security issues adds resilience through coordinated disclosures, rapid patches, and widely disseminated advisories.

The core platform is mature and stable. The WordPress security team has established processes for responsible disclosure and a consistent patch cadence. Operating close to core (and avoiding heavy core modifications) enables us to adopt updates quickly.

Finally, talent availability accelerates secure outcomes. A large pool of WordPress developers and security practitioners means faster remediation, effective code reviews, and a healthy ecosystem of best practices and tooling.

Architecture that reduces risks

Headless/decoupled architecture

Our public website leverages the powerful combination of a Content Delivery Network (CDN) and a Web Application Firewall (WAF) to deliver a seamless and secure user experience. By distributing static content across global edge locations, the CDN ensures lightning-fast load times while also enabling server-side rendering at the edge for dynamic content. This hybrid approach allows us to serve both static and server-rendered pages efficiently, providing relevant content with minimal latency. Positioned behind the CDN, the WAF offers an added layer of security by blocking malicious traffic and safeguarding our site from threats, ensuring that both performance and protection are at the forefront of our web infrastructure.

To further enhance security and streamline workflows, we utilize single sign-on (SSO) with multi-factor authentication (MFA) for accessing all administrative interfaces and developer endpoints. The WordPress admin area, GraphQL and REST APIs, as well as build hooks, are only accessible through this robust SSO with MFA, ensuring that only authorized team members can reach sensitive controls and data. Access is strictly segmented, treating the admin plane as an internal-only application and fully separating it from the public-facing site. This architecture minimizes risk, protects critical infrastructure, and supports efficient, secure collaboration among our administrative and development teams.

Network and edge security

Our Web Application Firewall (WAF) works in tandem with advanced bot management to protect our site from a wide range of online threats. The WAF actively filters malicious payloads and prevents exploitation attempts, while the bot management system blocks known bad actors and suspicious automated traffic. Together, they help enforce rate limits—ensuring fair usage and preventing abuse that could impact site performance or security. This layered approach allows us to maintain a reliable, secure environment for all our users while shielding our resources from sophisticated cyber threats.

To further secure our infrastructure, we have robust DDoS mitigation controls in place, designed to identify and absorb large-scale volumetric attacks before they reach our application. Coupled with customizable geo-blocking and ASN (Autonomous System Number) policies, we can restrict or filter access from high-risk regions and networks known for hostile activity. This proactive combination not only helps protect against both widespread and targeted attacks, but also ensures the continued availability and performance of our services for legitimate users around the globe.

We enforce modern transport security standards across our entire platform by mandating TLS 1.3 for all connections. This ensures data transmitted between users and our site is encrypted using the latest, most secure protocol available. In addition, HTTP Strict Transport Security (HSTS) is enabled, compelling browsers to interact with our site only via secure HTTPS connections. Together, TLS 1.3 and HSTS provide strong guarantees of data integrity, confidentiality, and protection against common interception or downgrade attacks, giving our users peace of mind with every interaction.

Service isolation and least privilege

Our security framework is built on the principle of least-privilege access, ensuring that databases, object storage, and service accounts are tightly controlled. Each system and user is granted only the permissions essential for their specific role—nothing more. This minimizes the potential impact of accidental or malicious activity, as access is segmented and strictly limited across all layers of our architecture. By aligning permissions closely with functional requirements, we significantly reduce the risk of data exposure or unauthorized operations, reinforcing the integrity and confidentiality of our platform.

Hardening at the application layer

Secure configuration

In our production WordPress environment, we implement a series of stringent measures to protect both the core application and user data. File editing through the wp-admin interface is completely disabled, eliminating a common attack vector and reducing the risk of unauthorized code changes. We enforce the use of strong, unique salts and keys, enhancing the integrity and security of authentication cookies and stored data. Additionally, the core filesystem is kept strictly read-only in production, preventing alterations to critical files and ensuring that even in the event of a compromise, attackers cannot modify system-level code or inject persistent threats.

To further reduce the platform’s attack surface, we restrict XML-RPC functionality—often abused for brute-force attacks—and limit exposed REST API endpoints strictly to those required by our headless WordPress clients. User enumeration patterns, which attackers may exploit to gather account names, are actively blocked, thereby safeguarding user identities. On the front end, we enforce robust security headers, including a finely scoped Content Security Policy (CSP) to mitigate XSS threats, strict X-Frame-Options and Frame-Ancestors to prevent clickjacking, X-Content-Type-Options to block MIME-type attacks, and a privacy-friendly Referrer-Policy to minimize information leakage. Together, these layered controls ensure our site remains resilient against a broad spectrum of web threats.

Auth and session security

We integrate Single Sign-On (SSO) through industry-standard protocols such as SAML and OIDC, streamlining secure access for our teams while reducing the risks associated with password proliferation. Automated user provisioning and deprovisioning are managed via SCIM, ensuring that access is immediately granted to new team members and promptly revoked when it’s no longer needed. MFA is mandatory for all privileged users, significantly strengthening the security of critical accounts and administrative functions, and defending against credential-based attacks.

Access within our environment is granted based on granular, role- and capability-based policies. Custom roles are carefully tailored so that editors, contributors, and admins receive only the permissions essential to their responsibilities, minimizing exposure and preventing privilege creep. We further secure administrative access by enforcing short-lived sessions, reducing the window of opportunity for session hijacking or misuse. This approach ensures that even if an administrative session is compromised, the potential for abuse is tightly constrained, keeping our site and its data safe.

Data handling

Security is at the forefront of our development practices, with a strong emphasis on protecting both our site and its users from application-level threats. We enforce the use of prepared statements for all database queries to defend against SQL injection, mandate thorough output escaping to prevent cross-site scripting (XSS), and ensure rigorous input sanitization in every layer of custom code and approved plugins. For protection against cross-site request forgery (CSRF), we implement nonces, providing an additional safeguard to validate user actions and prevent unauthorized commands. This multifaceted approach applies to every custom solution and trusted extension, reinforcing the reliability and trustworthiness of our platform.

Data privacy and compliance round out our security strategy. We are committed to minimizing the storage of personally identifiable information (PII), classifying data sensitivity, and applying data retention policies that align with both regulatory requirements and customer expectations. Consent management is thoughtfully integrated into both our publishing workflow and the front-end user experience, so we can uphold privacy standards without sacrificing usability. This ensures users remain informed and in control of their data—supporting compliance with privacy laws and building trust through transparency and respect for user choices.

Plugin and supply chain governance

Controlled ecosystem

Our approach to plugin management is deliberately conservative, maintaining a strict allowlist to ensure only vetted and essential plugins are present within our environment. We prioritize the use of “must-use” (mu-) plugins for enforcing global policies and delivering critical functionality, as these plugins are always active and centrally managed. This strategy prevents unauthorized or unnecessary code from entering our system, supports consistency across environments, and enables us to embed security controls directly into our platform’s foundational layers.

Before any plugin or theme is deployed to production, it undergoes a comprehensive code review process to assess security, performance, and compatibility. We are proactive in curbing plugin sprawl, regularly auditing our stack and removing redundant or unsupported components to minimize complexity and reduce our attack surface. By keeping our codebase lean and disciplined, we not only defend against potential vulnerabilities found in third-party additions but also streamline maintenance and updates, ensuring the long-term stability and security of our production environment.

Dependency management

We take a comprehensive approach to dependency management and software supply chain integrity by generating Software Bill of Materials (SBOMs) for both PHP and JavaScript codebases. SBOMs allow us to track all direct and transitive dependencies, as well as their associated licenses, ensuring greater visibility and control over the components that make up our application. Dependencies are always pinned and locked to specific, approved versions, reducing the risk of introducing vulnerabilities through unintentional upgrades or changes. Automated tools like Dependabot continuously monitor for updates and propose them, but nothing reaches production unless it successfully passes through our continuous integration (CI) security gates.

Our CI/CD pipeline is fortified with robust security controls at every stage. Every update, whether a dependency or code change, triggers automated Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to identify potential vulnerabilities both before and during runtime. We employ secret scanning to prevent accidental exposure of credentials and keys, and every build is evaluated for license compliance and regulatory conformance. This layered approach ensures that our development processes are secure by default, continually verifying software quality, integrity, and compliance before anything is deployed to production.

Vulnerability intelligence and patching

We actively monitor CVE feeds and WordPress-focused security advisories, such as WPScan, to stay ahead of emerging vulnerabilities and threats. By keeping a close eye on both general and platform-specific intelligence sources, we’re able to rapidly identify potential risks relevant to our infrastructure. Upon detection, vulnerabilities are triaged and addressed according to well-defined Service Level Agreements (SLAs) based on severity—ensuring that critical issues receive immediate attention and routine patches are managed efficiently. This structured, proactive posture helps us mitigate risk and maintain the ongoing security and stability of our environment.

In the rare event that a critical vulnerability threatens operational security or integrity, we are prepared with fast rollback plans that allow us to swiftly revert to a secure state. These procedures are designed to be executed with minimal disruption, ensuring urgent patches can be applied without causing extended downtime for users or administrators. By integrating rapid response capabilities into our workflows, we’re able to act decisively and minimize exposure, all while maintaining service availability and reliability at the highest standard.

Infrastructure security operations

Secrets and data

We enforce strict secret management practices by using a centralized vault or cloud-native secret store to handle all sensitive credentials, API keys, and configuration secrets. No secrets are ever embedded in source code or stored within deployment images, reducing the risk of accidental exposure. Secret rotation is scheduled regularly as part of our operational cadence, ensuring that credentials remain fresh and limiting the window of opportunity for misuse even if a secret were somehow compromised.

All data is secured with encryption both at rest and in transit, leveraging strong cryptographic controls across storage and networking layers. Where supported, our databases rely on IAM-based authentication instead of static credentials, further minimizing the risk associated with traditional username-password pairs. This approach not only enhances security but also streamlines access control and auditability, underpinning our commitment to robust, modern data protection practices throughout the stack.

Backups and disaster recovery

Our disaster recovery strategy rests on maintaining versioned, immutable backups that cannot be altered or deleted, providing a reliable safeguard against data loss, corruption, or ransomware attacks. These backups are created on a regular schedule and include not only application data, but also content, media assets, and configuration files. We conduct periodic restore drills to validate that our backups are effective and to ensure our team is prepared to execute recovery procedures smoothly. Explicit Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are defined, routinely tested, and adjusted as needed to meet the demands of our operations and regulatory obligations.

Data recovery playbooks are meticulously maintained and encompass every critical aspect of our environment, from core content and media to infrastructure-as-code templates that can quickly and predictably rebuild our systems. These playbooks provide step-by-step guidance for recovering data and restoring services, whether in response to accidental deletion, hardware failure, or a targeted attack. By rigorously documenting and testing these processes, we ensure a high degree of resilience and confidence in our ability to restore normal operations with minimal disruption, safeguarding both our assets and the experience of our users.

Observability and response

We maintain a comprehensive observability stack with centralized, structured logging that aggregates data from all key layers—Nginx, PHP-FPM, WordPress, and supporting services. This logging is enriched with real-time metrics and distributed traces, giving us end-to-end visibility into application performance and user activity across our digital experience platform (DXP). All logs are funneled into a Security Information and Event Management (SIEM) system, which acts as the nerve center for detecting and investigating potential threats. Hosts and containers are further protected by Endpoint Detection and Response (EDR) solutions, providing continuous monitoring and the ability to quickly isolate and remediate suspicious behavior.

To enhance detection and incident response, we employ automated anomaly detection and maintain detailed runbooks, dramatically reducing our mean time to detect (MTTD) and mean time to respond (MTTR) to issues. Our security posture is continually tested and validated through regular penetration tests and an active bug bounty program that focus on the entire surface of our DXP, not just on isolated components. This holistic approach ensures we proactively identify vulnerabilities, address weaknesses before they can be exploited, and ultimately maintain a resilient, trustworthy platform for our users and customers.

Certifications Obtained

When it comes to building or selecting hosting for your organization’s sensitive data and mission-critical applications, certifications matter—a lot. Obtaining FedRAMP Moderate certified ensures compliance with rigorous federal security standards, making it a necessity for government-related workloads and a great standard for any organization to abide. Similarly, a SOC 2 Type 1 certification demonstrates that a hosting provider has established robust systems and controls to protect data and ensure privacy, fostering client trust and accountability.

GovRAMP Moderate is critical for U.S. government contractors working with state and local government workloads, ensuring additional layers of compliance and security. If your data processing touches on European clients or users, GDPR and the Data Privacy Framework offer reassurance that personal data is handled and processed lawfully, transparently, and securely. Equally important is the Microsoft SSPA, a must-have for vendors providing services to Microsoft or handling its data. Lastly, WCAG 2.0 AA compliance ensures that your hosted applications and websites are accessible to users and employees with disabilities, strengthening your commitment to inclusivity and expanding your reach. By prioritizing these certifications, organizations not only safeguard compliance and security, but also demonstrate a dedication to transparency, privacy, and accessibility in today’s digital landscape.

Editorial workflow governance

Workflow controls

Every administrative and content-related event is thoroughly audit-logged, capturing a detailed trail of actions for review and oversight. These logs are fully exportable, supporting compliance with regulatory requirements and internal governance policies. By maintaining comprehensive and accessible audit records, we provide the transparency necessary to facilitate investigations, enforce accountability, and demonstrate adherence to best practices and legal obligations—ensuring peace of mind for our organization and stakeholders alike.

Secure content operations

We prioritize security awareness by providing editors with ongoing training on critical topics, such as phishing recognition, safe link practices, and our governance policies for embedded scripts and third-party widgets. This continual education helps staff identify and avoid social engineering attacks, understand the risks associated with external content, and adhere to protocols that maintain the integrity and security of our web platform. By empowering editors with the knowledge to make secure decisions, we reduce the likelihood of errors that could compromise the site or expose sensitive information.

To further protect user interactions, especially on forms, we deploy layered anti-spam defenses, implement bot challenges like CAPTCHAs, and set server-side rate limits to prevent abuse. All form inputs are validated on the server, ensuring robust protection even if client-side checks are bypassed or disabled. This disciplined approach to input handling and abuse prevention ensures our forms remain a secure channel for legitimate user engagement while blocking malicious actors and automated attacks.

Reliable and secure performance

Caching strategy

Our performance strategy centers on comprehensive caching and efficient data handling to deliver a fast, reliable experience for both users and administrators. Edge and page-level caching shield our origin servers by intercepting and serving frequent requests directly at the edge, dramatically reducing the number of dynamic requests that reach the core infrastructure. Object caching solutions like Redis, coupled with thoughtfully optimized queries, keep the admin interface responsive and ensure APIs remain quick even under load. We routinely profile database queries and set strict performance budgets for the slowest paths, preventing regressions that could degrade performance or escalate into broader availability issues. This layered approach ensures our platform stays speedy, stable, and scalable as demands grow.

Build pipeline

Every code change in our workflow is subjected to automated testing, with comprehensive suites that verify functionality, performance, and security. Security gates are tightly integrated into the CI/CD pipeline, ensuring that no changes are merged if any issues or vulnerabilities are detected. Our deployment processes are fully automated and repeatable, significantly reducing the potential for human error and guaranteeing that releases are consistent, predictable, and recoverable.

By managing our infrastructure as code, we further ensure that all environments—from development to production—are consistent, auditable, and easily reproducible. This approach not only accelerates the provisioning of resources and the rollout of updates, but also strengthens compliance and traceability, providing a solid foundation for scalability, reliability, and continuous improvement.

UX and SEO

We finely tune our security headers and Content Security Policies (CSPs) to deliver robust protection without disrupting the user experience, ensuring that all site functionality remains seamless and accessible. Our commitment to performance extends to advanced image optimization, responsive asset delivery, and strict adherence to accessibility standards, enabling our content to load quickly and be usable by everyone. By consistently delivering fast, accessible pages, we not only enhance user engagement but also enable rapid, safe deployment cycles—minimizing potential attack windows through swift rollouts and efficient rollbacks, and maintaining both security and usability at the core of our platform.

Alternatives considered

Proprietary Digital Experience Platforms (DXPs) present a compelling all-in-one suite of features that can streamline operations for many organizations. However, their advantages often come with trade-offs: these platforms tend to be resource intensive, both in terms of infrastructure and licensing fees, and may lack the granular transparency required for deep security audits or targeted customizations. The inherent complexity and tightly-coupled nature of these solutions can slow the pace of change—making it challenging to adapt or patch emergent threats rapidly, which is itself a significant security and business risk in dynamic environments.

Headless-only SaaS CMSes, on the other hand, are designed for flexibility and API excellence, offering developers modern tooling and a frictionless integration experience. Despite these strengths, organizations may encounter challenges such as vendor lock-in, which can limit strategic choices and agility over time. Control over patching and updates is usually in the hands of the SaaS provider, potentially creating gaps between issue discovery and remediation. Further, these platforms may present hurdles in regions with strict data residency or compliance requirements, making them less suitable for regulated industries or global enterprises with nuanced jurisdictional needs.

Systems like Drupal or fully-custom CMS architectures can undoubtably satisfy enterprise requirements for scale, extensibility, and security. However, in our evaluation, team expertise, the maturity and momentum of the adjacent tooling ecosystem, and a clear view of total cost of ownership all ultimately favored the adoption of WordPress. WordPress’s balance of flexibility, a wealth of existing integrations, well-understood operational paradigms, and strong community support enables us to deliver on our goals efficiently while ensuring we maintain the adaptability, security, and cost-effectiveness our organization requires.

WordPress provides the best mix of transparency, control, ecosystem breadth, and speed—when paired with our security architecture and operating model.

Lessons learned and best practices

• Start headless and isolate the admin plane from day one.
• Enforce SSO and MFA, least privilege roles, and formal change approval.
• Treat plugins as third-party code: audit, monitor, and patch under SLAs.
• Invest in observability and rehearse incident response regularly.
• Keep WordPress core close to vanilla; extend through vetted plugins and mu-plugins, not core forks.

Security is not a property of a tool; it’s the outcome of architecture, governance, and culture. With a decoupled design, rigorous controls, and a disciplined operational posture, WordPress is a strong foundation for the content layer of an enterprise DXP—combining the openness and speed teams want with the security and control the business requires of its MarTech stack.

The Cybernews research team found that video call app Huddle01 exposed email addresses, real names, and other identifiers through an unprotected Kafka broker.

Think of an unprotected Kafka broker like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the front doors wide open, with no locks, guards, or ID checks. Anyone can walk in, look through private letters and photos, and grab whatever catches their eye.

Huddle01 is a video call app that focuses on decentralized Web Real-Time Communication (WebRTC). WebRTC is appealing because it lets people talk and share data directly between devices without using a central server. Done right, this can reduce latency, cut costs, and improve privacy.

But leaving your Kafka broker open to anyone who happens to stumble upon it does not qualify as “doing privacy right.” The Kafka broker operated without authentication or encryption, meaning anyone could listen in, collect logs, or potentially alter data if write access existed. This demonstrates a fundamental misconfiguration that puts both users and the platform at risk.

The Kafka instance contained over 621,000 log entries from the last 13 days, belonging to Huddle01, including:

• Usernames (sometimes real names)
• Email addresses
• Crypto wallet addresses (Huddle01 supports many wallets across blockchains like Bitcoin and Ethereum)
• Detailed activity data, such as which users joined specific calls, participants in each call, country, time, date, and duration
• Other identifiers

The app is popular among cryptocurrency users, but in this case the open Kafka instance could have deanonymized their wallets by tying their crypto wallets to usernames and email addresses. Which also paints a target on their back as potentially high-value targets.

It also makes users more vulnerable to social engineering since attackers can craft credible emails or messages using real names and meeting data.

And hold on for the worst part. Cybernews states it responsibly disclosed the data leak to the company behind Huddle01…

“However, it did not respond to the initial disclosure and subsequent attempts. After one month, the exposed server remained accessible. It’s unclear how many other third parties might have accessed the data.”

Security tips for affected users

Knowing that the exposed information goes back about two weeks doesn’t help much, since anyone with access could have set up a data collector, listening in on the real-time data streaming and processing going on.

So, any Huddle01 users should:

• Change passwords on accounts linked to the exposed email or username, and use strong, unique passwords for each site.
• Set up two-factor authentication (2FA) wherever possible to prevent unauthorized access.
• Monitor inboxes for suspicious messages. Be extra cautious of emails or texts asking for crypto transactions or sensitive information, as targeted phishing is a possibility. Be especially wary of social engineering attempts that reference details from meeting logs, such as who you spoke to or when meetings occurred.
• Stay updated on official statements from Huddle01 or news coverage, as they may release more guidance later.

Pro tip: Did you know that you can submit suspicious messages like these to Malwarebytes Scam Guard, which instantly flags known scams?

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

The state of Florida has accused Roku, which powers many smart TVs and streaming devices, of selling children’s data to third parties without their consent. According to the Florida Attorney General James Uthmeier, Roku collected viewing habits, voice recordings, and precise geolocation from kids without approval from parents.

Roku, which reaches around 145 million people across half of US households, allegedly gathered children’s data despite clear signals that the viewers were minors, the AG said.

After collecting the data, Roku made it available to advertisers and sold it to data brokers, including Kochava, according to the Florida government. Kochava is already facing its own lawsuit from the Federal Trade Commission, which claims the company sells highly sensitive consumer information.

Uthmeier’s office said in a news release:

“The State contends that Roku’s practices violated Florida’s privacy and consumer-protection laws by failing to obtain parental consent before selling or processing children’s data and by misrepresenting the effectiveness of its privacy controls and opt-out tools.”

In the complaint filed in court, the AG’s office accused Roku of turning a blind eye to the collection of minors’ data.

“Roku knows that some of its users are children but has consciously decided not to implement industry-standard user profiles to identify which of its users are children.”

The lawsuit claims Roku ignored obvious indicators, such as when users installed its Kids Screensaver or Kids Theme Pack products.

Uthmeier’s office also said that although Roku sells deidentified data to brokers (that is, data that has identifying information removed), it’s still possible for brokers like Kochava to reidentify users. Brokers often have troves of information of their own, such as device IDs linked to potentially identifying information, which can allow them to match records to specific people.

Florida has filed the lawsuit under the Florida Digital Bill of Rights (FDBR), which came into effect on July 1, 2024. The law protects Florida residents’ privacy, including children’s data rights, and gives parents the ability to opt out of data processing for their kids.

The penalty for violating the FDBR is up to $50,000 per violation, but that triples for violations where the consumer involved is a known child. That includes cases of “willful disregard of a child’s age.”

This isn’t the only case that Roku must navigate in court. In April, Michigan Attorney General Dana Nessel also sued Roku for similar violations, accusing it of violating laws including the Children’s Online Privacy Protection Act (COPPA), along with federal and state privacy laws. Roku is fighting the suit.

Smart TV advertising is big business in the US. So much, in fact, that Roku appears to sell its devices at a loss to power its platform revenues, which include not just subscriptions, but advertising. In fiscal 2024, it lost $80.3 million on device sales, up from $43.9 million in device-based losses the prior year. Yet it made $1.9 billion profit from its platform business, up from $1.567 billion in 2023.

According to reports, Roku’s Automatic Content Recognition (ARC) technology captures thousands of images each hour from smart TVs. These can be used to help track viewing activity.

In January, Roku launched its Data Cloud, a service that allows its partners to use the company’s proprietary TV data. It was the latest step in a multi-year strategy to build out its data offering. In 2022, it launched a ‘clean room’ product that allowed other companies to combine their data with Roku’s own, conducting queries about viewer behavior while preserving privacy (this is how companies access its Data Cloud). Then, in 2024, it launched Roku Exchange—an advertising hub for partners.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Mango has reported a data breach at one of its external marketing service providers. The Spanish fashion retailer says that only personal contact information has been exposed—no financial data.

The breach took place at the service provider and did not affect Mango’s own systems. According to the breach notification, the stolen information was limited to:

• First name (not your last name)
• Country
• Postal code
• Email address
• Telephone number

“Under no circumstances has your banking information, credit cards, ID/passport, or login credentials or passwords been compromised.”

Because Mango operates in more than 100 countries, affected individuals could be located across multiple regions where Mango markets to customers through its external partner. As Mango has not named the third-party provider or disclosed how many customers were affected, we cannot precisely identify where these customers are located.

Mango has not released any details about the attackers behind the breach. Although the stolen data itself does not pose an immediate risk, cybercriminals often follow breaches like this with phishing campaigns, exploiting the limited personal information they obtained.

We’ll update this story if Mango releases more information about the breach or the customers impacted.

Protecting yourself after a data breach

Affected customers say they have received a data breach notification of which we have seen screenshots in Spanish and English.

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
• Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

This scam starts in your TikTok DMs. A brand-new account drops a melodramatic message—terminal illness, last goodbye, “I left you some assets.” At the bottom: a ready-made username and password for a crypto site you’ve never used. It’s designed to feel urgent and personal so you tap before you think. The whole funnel is built for phones: big tap targets, short copy, sticky chat bubbles—perfect for someone arriving straight from TikTok.

Thanks to our community for spotting this one. This exact scam was shared on our Malwarebytes subreddit by user Ok-Internal-2110, who posted a warning for TikTok users after encountering it firsthand.

I walked through the flow so you don’t have to.

What the site shows vs. what actually exists

The illusion:
The moment you log in with the credentials from that TikTok DM, a glossy, mobile-friendly dashboard flashes a huge balance. There’s motion (numbers “update”), a believable “history,” and a big Withdraw button right where your thumb expects it. On a small screen, it looks like a real account with real money.

The trap:
When you try to send that balance to your own wallet, the site asks for a withdrawal key belonging to the original account holder—the one from the DM. You don’t have that key, and support won’t give it to you. External withdrawals are a dead end by design.

The detour they push you to take:
Support suggests using Internal Transfer instead. Conveniently, they also offer to help you create a new user “in seconds,” and this new account will have its own key (because you created it). That makes it feel like you’re finally doing something legitimate: “I’ll just transfer the funds to my new account and then withdraw.”

The paywall you only meet once you’re invested:
Internal transfers only work on “VIP” accounts. To upgrade to VIP, you must pay for a membership. Many victims pay here, assuming it’s a one-time hurdle before they can finally withdraw.

Why nothing real ever leaves the site:
After you upgrade and attempt the internal transfer, the site can:

• demand another fee (a “limit lift,” “tax,” or “security key”),
• fail silently and push you to support, or
• “complete” the transfer inside the fake ledger while still blocking any external withdrawal.

Victims end up paying for the privilege of moving fake numbers between fake accounts—then paying again to “unlock” a withdrawal that never happens.

The scam in a nutshell

This scam is built for volume. DMs and comments via a huge platform like TikTok seed the same gift-inheritance story to thousands of people at once.

Two things do the heavy lifting:

• Shock value: That huge, unexpected number on the dashboard delivers a little jolt of surprise mixed with excitement, which lowers skepticism and pushes you into fast, emotional decision-making.
• Foot-in-the-door: Small steps (log in > try withdraw > hit a roadblock > “just upgrade to VIP”) nudge you toward paying a fee that now feels reasonable.

With borrowed authenticity from a big on-screen balance, the scammers sell you VIP access to move that fake balance around internally while keeping you forever one step away from a real, on-chain withdrawal.

Why do people keep paying up?

• The balance looks real, so every new hurdle feels like bureaucracy, not fraud.
• Paying once creates sunk cost: “I’ve already invested—one more step and I’m done.”
• Internal movements inside their dashboard mimic progress, even though no on-chain transfer ever occurs.
• A mobile flow encourages momentum—it’s always “one more tap” to finish.

Any system that makes you pay to receive money that allegedly already belongs to you is likely to be a scam.

The part most people miss is that you’re also handing over personal data. Even if you never send crypto, the site and the chat funnel collect a surprising amount of information, including your name, email, and phone number.

That data is valuable on its own and makes follow-up scams easier. Phishing that references the earlier “account,” extortion threats, fake “refund” offers that ask for remote access, SIM-swap attempts tied to your number, or simple resale of your details to other crews—and sadly, getting hooked once increases the odds you’ll be targeted again.

How to recognize this family of scams

• You’re asked to log into a site with credentials someone else gave you.
• A big balance appears instantly, but external withdrawals require a mystery key or never complete.
• You’re told internal transfers are possible only after buying VIP or a membership.
• The support bubble is quick to reply about upgrades and silent about on-chain withdrawals.
• Any “proof” of funds exists only inside their dashboard—no public ledger, no small test withdrawal.

How to stay safe

There are safer ways to test claims (without losing money):

1. Never pay to “unlock” money. If funds are yours, you don’t buy permission to move them.
2. Ask for on-chain proof. Real balances live on a public ledger. If they can’t show it, it doesn’t exist.
3. Attempt a tiny withdrawal first to a wallet you control—on legitimate platforms, that’s routine after verifying your identity (know you customer, or KYC) and enabling two-factor authentication (2FA).
4. Search the flow, not just the brand. Scam kits change names and domains, but the “VIP to withdraw” mechanic stays the same.

What to do if you already engaged:

• Stop sending funds. The next fee is not the last fee.
• Lock down accounts: change passwords, enable 2FA, reset app passwords, and review recovery phone/email.
• Reduce future targeting: consider a new email/number for financial accounts and remove your number from public profiles.
• Document everything (screenshots, timestamps, any wallet addresses or TXIDs if you paid).
• Report the TikTok account and the website, and file with your local cybercrime or consumer-protection channel.
• Tell someone close to you. Shame keeps people quiet; silence helps the scammers.

If a platform says there’s a pile of crypto waiting for you but you must buy VIP to touch it, you’re not withdrawing funds; you’re buying a story. TikTok brings you in on your phone; the mobile UI keeps you tapping. Close the tab, report the DM, and remember: dashboards can be faked, public ledgers can’t.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

A short while ago, our friends at Malwaretips wrote about a text scam impersonating Robinhood, a popular US-based investment app that lets people trade stocks and cryptocurrencies. The scam warns users about supposed “suspicious activity” on their accounts.

As if to demonstrate that this phishing campaign is still very much alive, one of our employees received one of those texts.

“Alert!

Robinhood Securities Risk Warning:

Our automated security check system has detected anomalies in your account, indicating a potential theft. A dedicated security check link is required for review. Please click the link below to log in to your account and complete the security check.

Immediate Action: https://www-robinhood.cweegpsnko[.]net/Verify

(If the link isn’t clickable, reply Y and reopen this message to click the link, or copy it into your browser.)

Robinhood Securities Official Security Team”

As usual, we see some red flags:

• Foreign number: The country code +243 belongs to the Democratic Republic of the Congo, not the US, where the real Robinhood is based.
• Urgency: The phrase “Immediate Action” is designed to pressure you.
• Fake domain: The URL that tries to look like the legitimate robinhood.com website.
• Reply: The instructions to reply “Y” if a link isn’t clickable are a common phishing tactic.

But if the target follows the instructions to visit the link, they would find a reasonably convincing copy of Robinhood’s login page. It wouldn’t be automatically localized like the real one, but nobody in the US would know the difference. Logging in there hands the scammers your Robinhood login credentials and allows them to clean out your account.

According to Malwaretips, some of the fake websites even redirected you to the legitimate site after showing the “verification complete” message.

They also warned that some scammers will try to harvest additional personal data from the account, including:

• Tax documents
• Full name
• Social Security Number (if on file)
• Bank account information

How to stay safe

What to do if you receive texts like these

The best tip to stay safe is to make sure you’re aware of the latest scam tactics. Since you’re reading our blog, you’re off to a good start.

• Never reply to or follow links in unsolicited tax refund texts, calls, or emails, even if they look urgent.
• Never share your Social Security number or banking details with anyone claiming to process your tax refund.
• Go direct. If in doubt, contact the company through official channels.
• Use an up-to-date real-time anti-malware solution, preferably with a web protection component.

Pro tip: Did you know that you can submit suspicious messages like these to Malwarebytes Scam Guard, which instantly flags known scams?

What to do if you clicked the phishing link

• Change your Robinhood password
• Enable two-factor authentication (2FA) if you haven’t already.
• Contact Robinhood support through the official support channels.
• Report the scam to Robinhood and other relevant authorities.

Indicators of compromise (IOCs)

www-robinhood.cweegpsnko[.]net

www-robinhood.fflroyalty[.]com

robinhood-securelogin[.]com

robinhood-verification[.]net

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Scientists from several US universities intercepted unencrypted broadcast through geostationary satellites using only off-the-shelf equipment on a university rooftop.

Geostationary satellites move at the same speed as the Earth’s rotation so it seems as though they are always above the same exact location. To maintain this position, they orbit at an altitude of roughly 22,000 miles (36,000 kilometers).

This makes them ideal for relaying phone calls, text messages, and internet data. Since these satellites can cover vast areas—including remote and hard-to-reach areas—they provide reliable connectivity for everything from rural cell towers to airplanes and ships, even where cables don’t reach.

That same stability makes them convenient for people who want to eavesdrop, because you only need to point your equipment once. The researchers who did this described their findings in a paper called “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites.”

The team scanned the IP traffic on 39 GEO satellites across 25 distinct longitudes with 411 transponders using consumer-grade equipment. About half of the signals they captured contained clear text IP traffic.

This means there was no encryption at either the link layer or the network layer. This allowed the team to observe internal communications from organizations that rely on these satellites to connect remote critical infrastructure and field operations.

Among the intercepted data were private voice calls, text messages, and call metadata sent through cellular backhaul—the data that travels between cell towers and the central network.

Commercial and retail organizations transmitted inventory records, internal communications, and business data over these satellite links. Banks leaked ATM-related transactions and network management commands. Entertainment and aviation communications were also intercepted, including in-flight entertainment audio and aircraft data.

The researchers also captured industrial control signals for utility infrastructure, including job scheduling and grid monitoring commands. Military (from the US and Mexico) communications were exposed, revealing asset tracking information and operational details such as surveillance data for vessel movements.

The research reveals a pervasive lack of standardized encryption protocols, leaving much of this traffic vulnerable to interception by any technically capable individual with suitable equipment. They concluded that despite the sensitive nature of the data, satellite communication security is often neglected, creating substantial opportunities for eavesdropping, espionage, and potential misuse.

The researchers stated:

“There is a clear mismatch between how satellite customers expect data to be secured and how it is secured in practice; the severity of the vulnerabilities we discovered has certainly revised our own threat models for communications.”

After the scientists reported their findings, T-Mobile took steps to address the issue, but other unnamed providers have yet to patch the vulnerabilities.

This study highlights the importance of making sure your communications are encrypted before they leave your devices. Do not rely solely on providers to keep your data safe. Use secure communication apps like Signal or WhatsApp, choose voice-over-internet (VoIP) providers that encrypt calls and messages, and protect your internet data with a VPN that creates a secure, encrypted tunnel.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone. As AI makes fake voices and videos sound and look real, high-pressure plays like sextortion, deepfakes, and virtual kidnapping feel more believable than ever before, tricking even the most digitally savvy users. Gen Z and Millennials are most at risk, accounting for two in three victims of extortion scams. These scammers prey on what’s personal, wreaking havoc on their victims’ privacy, reputations, and peace of mind.

Our latest research shows that one in three mobile users has been targeted by an extortion scam, and nearly one in five has fallen victim. Gen Z is hit hardest: more than half (58%) have been targets, and over 1 in 4 (28%) have been a victim. Sextortion—threatening to leak nude photos or videos or expose pornographic search history— is particularly notable, with one in six mobile users reporting they’ve been a target. Among Gen Z, that number jumps to 38%.

Five things to know about mobile extortion scams

1. Who’s most at risk: Gen Z and Millennials with a risk tolerant profile

Compared to victims and targets of other types of mobile scams, extortion victims tend to be younger, male, and mobile-first. Their profile:

• Young: 69% of victims and 64% of targets are Gen Z or Millennial (vs. 52%/40% of victims and targets of other types of scams, respectively)
• Male: 65% of victims and 60% of targets are male (vs. 48%/45%)
• Parents: 45% of victims and 41% of targets are parents (vs. 36%/26%)
• Minorities: 53% of victims are non-white (vs. 39%)
• Mobile-first: 52% of victims and 46% of targets agree “I’m more likely to click a link on my phone than on my laptop” (vs. 42%/36%)

However, this simply shows how targets and victims skew. Behaviors typically play a bigger role in overall risk.

2. What the damage looks like: emotional and deeply personal

Extortion criminals use personal, high-stakes threats in their scams. Victims and targets of extortion scams in our survey report experiences ranging from scammers threatening to expose nude photos and videos to claims that a family member was in an accident.

These personalized, high-pressure threats make extortion victims especially vulnerable, and while victims of all mobile scams suffer serious emotional, financial, and functional fallout at the hands of their scammers, extortion victims experience outsized impact:

• Nearly 9 in 10 extortion victims reported emotional harm because of the scam they experienced
• 35% experienced blackmail or harassment
• 21% experienced damage to their reputation
• 19% faced consequences at work or school

Even when targets don’t fall victim, the threats alone can cause emotional harm:

“I didn’t lose anything, I was just scared because they wanted to inform all my friends, family, and employers how perverted I was because I supposedly watched porn.”   

—Gen Z survey respondent, DACH region

3. Why it’s getting worse: AI is raising the stakes

AI is increasingly good at making fake feel real, giving criminals even more of an advantage when manipulating and extorting victims. One in five mobile users has been the target of a deepfake scam and nearly as many have encountered a virtual kidnapping scam (a decades-old tactic that now often uses AI voice cloning). Two in five (43%) Gen Z users have been a target of one of these.

 Who AI scams hit: Victims and targets skew Gen Z and iPhone users with a deep digital footprint. This could leave their personal information, images, or even voice more accessible to cybercriminals who want to use it as part of a scam.

• Gen Z: 45% (vs. 31% for extortion victims and targets overall)
• iPhone users: 62% (vs. 51% overall)
• Data sharers*: 81% (vs. 71% overall)

*Agree with the statement: “I understand that sharing personal information with apps, on social media, or on messaging services can be risky, but I am okay with that risk”

So why might exposure be higher for Gen Z? Digital natives are most entrenched in mobile-first behavior and most active in low-oversight casual commerce (DMing for deals, using buy/sell/trade groups, clicking on ads to purchase or download, sending money for a future service). They also show up more on alternative platforms like Discord, Tumblr, Twitch, and Mastodon, where identity checks are lighter and parasocial trust runs high, creating a sweet spot for scammers. 

“The scammer makes you believe it is a legit conversation. They/He/She talk to you like they know you. Trying to convince you they are supporting/helping you in some way to fix something. When they are just fishing for more information!”

— Gen Z US Survey Respondent   

For victims of AI-driven scams, the fallout is even more extreme: 32% suffered reputation damage (vs. 21% for extortion victims overall), 29% suffered work/school consequences (vs. 11%), 24% had their personal information stolen (vs. 14%), and 21% had financial accounts opened in their name (vs. 13%), underscoring the threat of these evolving scams. 

4. Where the risk lives: constant, cross-channel exposure   

Scammers know the more they approach a target, the more likely they are to create a victim. 78% of extortion victims and 63% of targets experience scam attempts daily (vs. 44%/36% in other scam groups), driving alert fatigue and making it more likely that a scammer will slip through the cracks.

Extortion victims and targets also over-index on using informal buying and selling channels—spaces like social media where identity is fuzzy, protections are lacking, and decisions are quick. Being in more casual spaces more frequently increases the odds of a scam landing for anyone.

5. How mindset shapes risk: overconfident and under-protected

Seven in ten extortion victims say they’re confident they can spot a scam, more than half believe they could recoup any financial losses, and most trust their phone’s safety features. At the same time, many victims and targets simply don’t worry about mobile scams at all, resulting in a lack of protective measures. Adoption of security basics (security software, strong/unique passwords, multi-factor authentication, timely system updates, permission hygiene, data backups) remains low, even after painful firsthand experience.

How to cut the risk

Most of us use our phones to shop, find deals, and pay—and we deserve to be able to do that safely. Adopting preventative security measures (such as using mobile security software), practicing good mobile hygiene (such as checking app permissions), and remembering STOP, our simple scam response framework, can keep scammers at bay: 

S—Slow down: Don’t let urgency or pressure push you into action. Take a breath before responding. Legitimate businesses like your bank or credit card don’t push immediate action.

T—Test them: If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, ask a question only the real person would know—something that can’t be found online.  

O—Opt out: If it feels off, hang up or end the conversation. You can always say the connection dropped.

P—Prove it: Confirm the person is who they say they are by reaching out yourself through a trusted number, website, or method you’ve used before.

The criminals behind extortion scams pour time and money into targeting their victims, constantly evolving their tactics to make the scams more believable and hard-hitting. If you’ve been the victim of an extortion scam, sharing your story can help others spot the signs before it’s too late, reduce the stigma of being a victim, and put the shame where it belongs: on the criminals.

As Malwarebytes Global Head of Scam and AI Research Shahak Shalev puts it:

“If we can remove the stigma and silence around scams, I think we can help everyone take a step back and pause before acting on one of these threats”

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. That may sound harmless, but imagine if a malicious app on your Android device could glimpse tiny bits of information on your screen—even the parts you thought were secure, like your two-factor authentication (2FA) codes.

That’s the chilling idea behind “Pixnapping” attacks described in the research paper coming from University of California (Berkeley and San Diego), University of Washington, and Carnegie Mellon University.

A pixel is one of the tiny colored dots that make up what you see on your device’s display. The researchers built a pixel-stealing framework that bypasses all browser protections and can even lift secrets from non-browser apps such as Google Maps, Signal, and Venmo—as well as websites like Gmail. It can even steal 2FA codes from Google Authenticator.

Pixnapping is a classic side-channel attack—stealing secrets not by breaking into software, but by observing physical clues that devices give off during normal use. Pixel-stealing ideas date back to 2013, but this research shows new tricks for extracting sensitive data by measuring how specific pixels behave.

The researchers tested their framework on modern Google Pixel phones (6, 7, 8, 9) and a Samsung Galaxy S25 and succeeded in stealing secrets from both browsers and non-browser apps. They disclosed the findings to Google and Samsung in early 2025. As of October 2025, Google has patched part of the vulnerability, but some workarounds remain and both companies are still working on a full fix. Other Android devices may also be vulnerable.

The technical knowledge required to perform such an attack is enormous. This isn’t “script kiddie” territory: Attackers would need deep knowledge of Android internals and graphics hardware. But once developed, a Pixnapping app could be disguised as something harmless and distributed like any other piece of Android malware.

To perform an attack, someone would have to convince or trick the target into installing the malicious app on their device.

This app abuses Android Intents—a fundamental part of how apps communicate and interact with each other on Android devices. You can think of an intent like a message, or request, that one app sends either to another app or to the Android operating system itself, asking for something to happen.

The malicious app’s programming will stack nearly transparent windows over the app it wants to spy on and watch for subtle timing signals that depend on pixel color.

It doesn’t take long—the paper shows it can steal temporary 2FA codes from Google Authenticator in under 30 seconds. Once stolen, the data is sent to a command-and-control (C2) server controlled by the attacker.

How to stay safe

From the steps it takes to perform such an attack we can list some steps that can keep your 2FA codes and other secrets safe.

1. Update regularly: Make sure your device and apps have the latest security updates. Google and Samsung are rolling out fixes; don’t ignore those update prompts. The underlying vulnerability is tracked as CVE-2025-48561.
2. Be cautious installing apps: Only install apps from trusted sources like Google Play and check reviews and permissions before installing. Avoid sideloading unknown APKs and ask yourself if the permissions an app asks for are really needed for what you want it to do.
3. Review permissions: Android improved its permission system, but check regularly what apps can do, and don’t hesitate to remove permissions of the ones you don’t use often.
4. Use app screenshots wisely: Don’t store or display sensitive info (like codes, addresses, or logins) in apps unless needed, and close apps after use.
5. Monitor security news: Look for announcements from Google and Samsung about patches for this vulnerability, and act on them.
6. Enable Play Protect: Keep Play Protect active to help spot malicious apps before they’re installed.
7. Use up-to-date real-time anti-malware protection on your Android device, preferably with a web protection module.

If you’re worried about your 2FA codes getting stolen, consider switching to hardware token 2FA options.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.