It’s been another big week for hacks, as the ShinyHunters ransomware group breached video platform Vimeo and home security company ADT. The hackers primarily got video metadata, titles, and email addresses from Vimeo. The ADT hack was worse: ShinyHunters obtained over 10 million records, including 5.5 million email addresses, names, physical addresses, and telephone numbers. In some cases, they got the last four digits of customers' Social Security numbers and their birthdates. Keep tabs on your identity out there.
Identity theft isn’t the only thing you have to be worried about when your data is lost in a hack, however. In many cases, and especially now that AI is in the mix, you also have to be on the lookout for scams and phishing attempts that use the lost data to target you specifically. That’s why this week, we rounded up the best scam protection tools that can help steer you away from scammy websites, emails, and more.
In other security news, OpenAI is ditching passwords in favor of hardware security keys, which is a welcome change considering how valuable ChatGPT accounts can be, especially for those willing to shell out money for pro-level accounts. That’s a good security move, but a not-so-good one came a few weeks back when Microsoft said that Microsoft Defender is enough antivirus for most people. PCMag's principal security writer, Neil Rubenking, who has tested hundreds of antivirus products over the years, thinks Microsoft is mistaken, and the company’s definition of “most people” deliberately omits the vast majority of users.
That’s a lot! But there’s more. Let’s take a look at what else is happening in the infosec world this week.
Claude-Powered AI Coding Agent Deletes Entire Company Database in Seconds
You may remember almost a year ago, when Replit’s AI agent went rogue, deleted a company’s entire codebase, and then apologized for it. Well, now it’s happened again, just with a different AI: In this case, it was Claude that took out an entire company’s database and its backups in just under nine seconds, according to Tom’s Hardware. Even worse, once PocketOS, the company in question, managed to recover and the news broke, representatives said they would try to learn from the situation but weren’t planning to reconsider using AI in their workflows. I suppose that’s emblematic of this new era: Things that would normally get developers fired are just par for the course when it comes to AI.
Perhaps what makes this story so wild is that when the developer who discovered the issue asked the AI why it did what it did, the agent generated a pretty unhinged response that indicated it “knew” that it was wrong, but it took the action anyway in order to complete another task it was given, even though the actions were supposed to be outside of its guardrails. Meanwhile, the CEOs and representatives of all the involved companies—Anthropic, which makes Claude; Railway, the cloud service provider that hosted the backups; and PocketOS—are pointing fingers at each other. For the rest of us, though, the message is pretty clear: This isn’t the first time AI has brought entire companies to their knees, and it won’t be the last.
Woman’s Talkspace Therapy App Sessions Exposed in Court
When you talk to a mental health professional, you usually assume that those conversations are private and privileged, meaning that they can’t be used against you except in rare, extreme circumstances. If you’re seeing an actual therapist either in person or through telehealth that’s offered through a practice, that’s a fair assumption. But apps like Talkspace and BetterHelp, all admirably designed to combat the lack of mental health resources for many people, aren’t actual medical practices. They’re tech companies with apps that work with mental health professionals to deliver their services through the app. That also means that any data those apps collect isn’t stored or protected to the same standards as actual medical records or patient files.
That leads us to this investigation by Proof, in which a woman’s texts, conversation transcripts, and more were unearthed by her previous employer in court and used against her in an employment discrimination case she had filed. Because she had used Talkspace, offered through her former employer as a mental health resource, the company was able to get Talkspace to turn over everything it had on her. For its part, Talkspace proudly tells investors that, while the data is supposedly anonymized and held to HIPAA standards, it has “one of the largest mental health data banks in the world,” with over 140 million messages between patients and their therapists. That’s led some analysts to worry that the company aims to use that information to train AI and sell the information to AI companies as training data.
We’ve already discussed why you shouldn’t tell chatbots your personal business, but considering the healthcare sector is a frequent target of hackers and data thieves, and companies like Talkspace (which didn’t comment on Proof’s investigation) manage to walk the line between operating in the tech space and the healthcare space, security and privacy are especially important. Meanwhile, Talkspace has aggressively pushed local governments and cities to use the company’s app and its TalkAI chatbot as always-available mental health options for teens and others who need them, including in places like New York City and Seattle.
Leader of Online Swatting Ring Gets Four Years in Prison
Many years ago, I sat in a meeting with some former police officers about their new startup dedicated to protecting journalists from harm and harassment. I asked them about the issue of “swatting,” when a malicious actor calls in a false bomb threat or a hostage situation to their home, prompting an aggressive, armed police response. It’s essentially attempted murder using the police as a weapon, and it’s a problem we’ve covered before. They nodded along, but their expressions revealed that they had no idea what I was talking about.
Hopefully, they’ve learned since then, because swatting as an issue hasn’t gone anywhere. If anything, it’s gotten worse. Bleeping Computer reports that the 27-year-old Romanian leader of a group that coordinated swatting attempts and threats against judges and government officials, including congressional representatives and cabinet members, as well as synagogues and then-President-Elect Joe Biden, going back to 2020, was just sentenced to four years in federal prison and three more years of supervised release. Other members of the group have also been extradited to the US and face similar proceedings.


