
This Week in Cybersecurity: 40 PS5s Stolen, 149 Million Passwords Leaked, and $68M Worth of 'Oops, We Were Listening'

From smooth-talking hackers and millions of stolen passwords to Google’s very expensive “sorry for secretly listening” settlement, security had another extremely normal week.

 & Alan Henry Managing Editor, Security


When you think about hacking and information security, you generally think of leaked databases, app vulnerabilities, ransomware, stuff like that. However, the most effective way to break into any organization remains the simplest: social engineering. And apparently, that's exactly what a group of thieves did to a Best Buy employee, talking him into letting them walk out with more than 40 PS5s and other consoles worth over $40,000. No exploit required, just a convincing story and an employee who didn't verify it.

Meanwhile, a massive database containing over 149 million stolen passwords surfaced this week, including credentials for everything from Gmail and Instagram to OnlyFans and Binance, with plenty of other sites among them, including banking and credit card logins. Over 1.4 million of those accounts had .edu email addresses. Jeremiah Fowler, the researcher who found the database sitting live on the web with no authentication, couldn't determine whether it belonged to criminals or to another security researcher, but after a month of pestering the company hosting it, the database was taken offline. If you reuse passwords anywhere, this is the kind of dump that gets replayed against your other accounts.

In other news, if you have WinRAR installed on your computer, you might want to update it. A vulnerability identified ages ago and patched six months ago continues to be a significant problem, mostly because WinRAR doesn't update itself: a patch only helps if you download and install the new version yourself, so check the version you're running against the current release on WinRAR's site. Also, if you use Google Assistant on your phone or smart home devices, keep an eye on your inbox: The company has agreed to pay $68 million to settle claims that Google Assistant has been listening to and recording user conversations, even when trigger phrases like "Hey, Google" or "OK, Google" were never said. Personally, I've lost count of the number of times mine has come to life with the traditional chime to tell me it's listening even when no one in the room is talking, so maybe I'll finally be able to retire.

Last but not least, this week we explained why changing your passwords too often is actually a bad idea, and why a strong password that's not used anywhere else does much, much more for your security than a rotation schedule. We also explained why you shouldn't trust your browser (or random websites) to store your credit card information. Additionally, we took a look at TikTok's new privacy policy, now that it's owned by a joint US/UAE venture, and users noticed some changes to the level of data the new company is allowed to collect from their posts.

Oh, and if nothing else, don’t miss senior writer Kim Key’s experience trying to close a hotel rewards account she opened in 2008, and why companies make it so easy to open accounts but hard to close them. Spoiler: It involves existential dread. 


If You Don’t Control Your Keys, You Don’t Control Your Data

Earlier this week, we reported that Microsoft handed over BitLocker recovery keys to the FBI. The recovery key alone is enough to unlock a BitLocker-protected drive, so this effectively gives the government a way into any system whose recovery key has been backed up to Microsoft's servers through a Microsoft account. Backdooring encryption tools is a very slippery slope, and Microsoft says this isn't new: the company told Forbes that it hands over encryption keys whenever it receives a valid order from law enforcement, but this is the first time it's been publicly disclosed. Most companies, including Apple and Google, have resisted requests for backdoors in their encryption products, knowing that doing so would undermine their trustworthiness.

After all, encryption only works if you can trust that no one else can decrypt your files. Over at CyberScoop, an op-ed by John Ackerly, the CEO of Virtru, one of the best email encryption tools, makes exactly that case: namely, that if you don't control your encryption keys, you don't control your data, regardless of whether it's encrypted. With BitLocker, you can choose not to store your recovery key in your Microsoft account, but when you set it up, Windows defaults to backing that key up for you, which (especially now that this news is out) trades your security for convenience. If yours is already up there, deleting it from the account page isn't enough on its own: the key that was uploaded still unlocks the drive. The fix is to generate a new recovery key, keep it somewhere offline, and remove the old one from the volume.
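The rotation described above, as an added PowerShell example (not code from PCMag, Microsoft, or Virtru): it lists the protectors on C:, adds a fresh recovery password, saves it to a file on a drive you control, and only then removes the old recovery passwords, so the copy Microsoft holds no longer matches anything on the volume. It assumes the usual TPM plus recovery-password setup and that `$OutFile` points at removable media you will keep offline; both are assumptions, not facts from the article. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the article or from Microsoft. Run as Administrator.
# Assumptions: C: is protected by TPM + a recovery password (the Windows default),
# and $OutFile is on media you control (a USB stick you keep offline, then paper).
$MountPoint = 'C:'
$OutFile    = 'D:\bitlocker-recovery.txt'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not on for $MountPoint" }

# 1. What protects the volume today. Every RecoveryPassword entry is a 48-digit
#    key that Windows offers to back up to your Microsoft account.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 2. Add a new recovery password FIRST, so the volume is never left without one.
#    Add-BitLockerKeyProtector returns the updated volume; pick out the new entry.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new   = $after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId
}

# 3. Save the new password offline BEFORE removing anything. If this fails, stop:
#    the old protectors are still in place and the drive is still recoverable.
"$MountPoint  $($new.KeyProtectorId)  $($new.RecoveryPassword)" |
    Out-File -FilePath $OutFile -Encoding ascii
if (-not (Test-Path $OutFile)) { throw "Could not save the new recovery password; nothing was removed" }

# 4. Remove every old recovery password. Any copy of them held elsewhere
#    (Microsoft account, old printouts) can no longer unlock this volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Confirm: one TPM protector and exactly one RecoveryPassword, the new ID.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

After running it, look at the recovery-key page of your Microsoft account: if the new key ID shows up there, Windows backed it up again and you should delete it, then keep the offline copy as the only one. Do not skip step 3; a firmware update or boot change can put the machine into recovery, and at that point the offline copy is the only thing that gets your data back.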


How We Discovered a Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts

It really does seem like every week there's some new threat targeting AI chatbots and their users. In this case, researchers at LayerX Security uncovered 16 malicious browser extensions designed to steal ChatGPT accounts right out from under their users. No, not the ones that steal your chat logs, which we reported on last month. These are new and are marketed to users as tools to improve the ChatGPT experience, which is exactly the cover a credential stealer needs: an extension that "enhances" ChatGPT has a plausible reason to ask for access to chatgpt.com, and that access is all it takes to grab a session. Luckily, most of these have only a few dozen installations, with one close to 600, but they all seem to be part of a coordinated effort to steal credentials and accounts from unsuspecting users, including those who may even have paid ChatGPT Plus accounts.

The whole explainer is fairly technical, so if you're curious how the researchers discovered the extensions in the first place, not to mention how they're all related to one another, definitely give it a full read. If you're more concerned about which extensions are the bad ones, so you can avoid them, just scroll down to the list and compare the IDs against what's installed in your browser. Personally, I'd recommend avoiding third-party chatbot extensions or tools altogether, and sticking with your preferred AI platform's own apps if you have to use one. After all, we've reported several times that they're generally prone to security issues. Oh, and speaking of LayerX, last week we covered another batch of data-stealing extensions they found, so look out for those too (and uninstall them if you see one you use).
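Comparing IDs by hand is tedious, so here is an added PowerShell inventory (not code from PCMag or LayerX) that walks every Chrome and Edge profile on the machine, reads each installed extension's manifest, and flags the ones whose host permissions reach chatgpt.com, openai.com, or every site. The host patterns are my assumption about what a "ChatGPT helper" extension would have to request; the article names no IDs, so the script lists and flags, and you still match the output against the researchers' list.

```powershell
# Added example, not from the article or from LayerX. Read-only: it only lists.
# Chrome and Edge keep unpacked extensions at
#   <User Data>\<profile>\Extensions\<32-char id>\<version>\manifest.json
$roots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
# Host patterns treated as "can read your ChatGPT session" (assumption, not from the article).
$watch = '(chatgpt\.com|openai\.com|<all_urls>|^\*://\*/)'

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $browser = Split-Path (Split-Path $root -Parent) -Leaf   # "Chrome" or "Edge"
    foreach ($prof in Get-ChildItem -Path $root -Directory) {
        $extDir = Join-Path $prof.FullName 'Extensions'
        foreach ($ext in Get-ChildItem -Path $extDir -Directory -ErrorAction SilentlyContinue) {
            $manifest = Get-ChildItem -Path $ext.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
                        Select-Object -First 1
            if (-not $manifest) { continue }
            $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
            # MV3 lists hosts under host_permissions; MV2 mixes them into permissions;
            # content_scripts.matches shows where injected scripts run. Keep only host-like entries.
            $hosts = @($m.host_permissions) + @($m.permissions) + @($m.content_scripts.matches) |
                     Where-Object { $_ -and $_ -match '://|<all_urls>' }
            [pscustomobject]@{
                Browser = $browser
                Profile = $prof.Name
                Id      = $ext.Name
                Name    = $m.name        # "__MSG_..." means the name is localized; look it up by Id
                Version = $m.version
                Hosts   = ($hosts -join ' ')
                Flag    = [bool]($hosts | Where-Object { $_ -match $watch })
            }
        }
    }
}

# Flagged extensions first. Every Id here can be checked against the researchers' list
# and against chrome://extensions or edge://extensions before you remove it.
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A flag is not a verdict: a password manager legitimately requests every site, and the extensions in the article were dangerous because of what they did with the access, not because they asked for it. What the list gives you is the short set worth looking at, with the IDs to match.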


Microsoft Illegally Installed Cookies on Schoolkid’s Tech, Data Protection Ruling Finds

Remember last week when we mentioned that Google had to settle a lawsuit over child tracking for over $8 million? Well, now it's Microsoft's turn. According to The Register, an Austrian court found that Microsoft violated students' privacy and unlawfully tracked them using Microsoft 365 Education with tracking cookies, in breach of the EU's General Data Protection Regulation (GDPR). As a result, Microsoft now has four weeks to stop tracking the student whose complaint started the case; formally the order covers that one complainant, but the reasoning should, in principle, extend to every child in the EU protected under GDPR.

The original complaint, brought to Austrian courts by a group named noyb (short for "none of your business"), dates back to the Covid-19 pandemic, when schools around the world switched quickly to remote learning. The group eventually asked Austria's data protection authority to look into the case in 2024, when it became clear that Microsoft either didn't know or wouldn't disclose what information it specifically collected from minors, what happened to that data, or whether it was in compliance with GDPR. For its part, Microsoft's statement following the ruling says that Microsoft 365 for Education meets GDPR standards.
