
🪪 Age Verification Is Coming for the Internet | EFFector 37.18

The final EFFector of 2025 is here! Just in time to keep you up-to-date on the latest happenings in the fight for privacy and free speech online.

In this latest issue, we're sharing how to spot sneaky ALPR cameras at the U.S. border, covering a host of new resources on age verification laws, and explaining why AI companies need to protect chatbot logs from bulk surveillance.

Prefer to listen in? Check out our audio companion, where EFF Activist Molly Buckley walks through our new resource on age verification laws and how you can fight back. Catch the conversation on YouTube or the Internet Archive.


EFFECTOR 37.18 - 🪪 AGE VERIFICATION IS COMING FOR THE INTERNET

Since 1990 EFF has published EFFector to help keep readers on the bleeding edge of their digital rights. We know that the intersection of technology, civil liberties, human rights, and the law can be complicated, so EFFector is a great way to stay on top of things. The newsletter is chock full of links to updates, announcements, blog posts, and other stories to help keep readers—and listeners—up to date on the movement to protect online privacy and free expression. 

Thank you to the supporters around the world who make our work possible! If you're not a member yet, join EFF today to help us fight for a brighter digital future.

  •  

Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign

An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining. The activity, first detected by Amazon's GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper

  •  

Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data

Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its author to sneak in a cryptocurrency wallet stealer. The malicious package, named "Tracer.Fody.NLog," remained on the repository for nearly six years. It was published by a user named "csnemess" on February 26, 2020. It masquerades as "Tracer.Fody,"

  •  

Can a Transparent Piece of Plastic Win the Invisible War on Your Identity?

Identity systems hold modern life together, yet we barely notice them until they fail. Every time someone starts a new job, crosses a border, or walks into a secure building, an official must answer one deceptively simple question: Is this person really who they claim to be? That single moment—matching a living, breathing human to..

The post Can a Transparent Piece of Plastic Win the Invisible War on Your Identity? appeared first on Security Boulevard.

  •  

Real Attacks of the Week: How Spyware Beaconing and Exploit Probing Are Shaping Modern Intrusions

Over the past week, enterprise security teams observed a combination of covert malware communication attempts and aggressive probing of publicly exposed infrastructure. These incidents, detected across firewall and endpoint security layers, demonstrate how modern cyber attackers operate simultaneously. While quietly activating compromised internal systems, they also relentlessly scan external services for exploitable weaknesses. Although the

The post Real Attacks of the Week: How Spyware Beaconing and Exploit Probing Are Shaping Modern Intrusions appeared first on Seceon Inc.

The post Real Attacks of the Week: How Spyware Beaconing and Exploit Probing Are Shaping Modern Intrusions appeared first on Security Boulevard.

  •  

Securing the AI Frontier: How API Posture Governance Enables NIST AI RMF Compliance

As organizations accelerate the adoption of Artificial Intelligence, from deploying Large Language Models (LLMs) to integrating autonomous agents and Model Context Protocol (MCP) servers, risk management has transitioned from a theoretical exercise to a critical business imperative. The NIST AI Risk Management Framework (AI RMF 1.0) has emerged as the standard for managing these risks, offering a structured approach to designing, developing, and deploying trustworthy AI systems.

However, AI systems do not operate in isolation. They rely heavily on Application Programming Interfaces (APIs) to ingest training data, serve model inferences, and facilitate communication between agents and servers. Consequently, the API attack surface effectively becomes the AI attack surface. Securing these API pathways is fundamental to achieving the "Secure and Resilient" and "Privacy-Enhanced" characteristics mandated by the framework.

Understanding the NIST AI RMF Core

The NIST AI RMF is organized around four core functions that provide a structure for managing risk throughout the AI lifecycle:

  • GOVERN: Cultivates a culture of risk management and outlines processes, documents, and organizational schemes.
  • MAP: Establishes context to frame risks, identifying interdependencies and visibility gaps.
  • MEASURE: Employs tools and methodologies to analyze, assess, and monitor AI risk and related impacts.
  • MANAGE: Prioritizes and acts upon risks, allocating resources to respond to and recover from incidents.

The Critical Role of API Posture Governance

While the "GOVERN" function in the NIST framework focuses on organizational culture and policies, API Posture Governance serves as the technical enforcement mechanism for these policies in operational environments.

Without robust API posture governance, organizations struggle to effectively Manage or Govern their AI risks. Unvetted AI models may be deployed via shadow APIs, and sensitive training data can be exposed through misconfigurations. Automating posture governance ensures that every API connected to an AI system adheres to security standards, preventing the deployment of insecure models and ensuring your AI infrastructure remains compliant by design.

How Salt Security Safeguards AI Systems

Salt Security provides a tailored solution that aligns directly with the NIST AI RMF. By securing the API layer (Agentic AI Action Layer), Salt Security helps organizations maintain the integrity of their AI systems and safeguard sensitive data. The key features, along with their direct correlations to NIST AI RMF functions, include:

Automated API Discovery:

  • Alignment: Supports the MAP function by establishing context and recognizing risk visibility gaps.
  • Outcome: Builds a complete inventory of all APIs, including shadow APIs used for AI training or inference, so that no part of the AI ecosystem is left unmanaged.

Posture Governance:

  • Alignment: Operationalizes the GOVERN and MANAGE functions by enabling organizational risk culture and prioritizing risk treatment.
  • Outcome: Preserves secure APIs throughout their lifecycle, enforcing policies that prevent the deployment of insecure models and ensuring ongoing compliance with NIST standards.

AI-Driven Threat Detection:

  • Alignment: Meets the Secure & Resilient trustworthiness characteristic by defending against adversarial misuse and exfiltration attacks.
  • Outcome: Actively identifies and blocks sophisticated threats like model extraction, data poisoning, and prompt injection attacks in real-time.

Sensitive Data Visibility:

  • Alignment: Supports the Privacy-Enhanced characteristic by safeguarding data confidentiality and limiting observation.
  • Outcome: Oversees data flow through APIs to protect PII and sensitive training data, ensuring data minimization and privacy compliance.

Vulnerability Assessment:

  • Alignment: Assists in the MEASURE function by assessing system trustworthiness and testing for failure modes.
  • Outcome: Identifies logic flaws and misconfigurations in AI-connected APIs before they can be exploited by adversaries.

Conclusion

Trustworthy AI requires secure APIs. By implementing API Posture Governance and comprehensive security controls, organizations can confidently adopt the NIST AI RMF and innovate safely. Salt Security provides the visibility and protection needed to secure the critical infrastructure powering your AI. For a more in-depth understanding of API security compliance across multiple regulations, please refer to our comprehensive API Compliance Whitepaper.

If you want to learn more about Salt and how we can help you, please contact us, schedule a demo, or visit our website. You can also get a free API Attack Surface Assessment from Salt Security's research team and learn what attackers already know.

The post Securing the AI Frontier: How API Posture Governance Enables NIST AI RMF Compliance appeared first on Security Boulevard.

  •  

Unified Security for On-Prem, Cloud, and Hybrid Infrastructure: The Seceon Advantage

Breaking Free from Security Silos in the Modern Enterprise

Today’s organizations face an unprecedented challenge: securing increasingly complex IT environments that span on-premises data centers, multiple cloud platforms, and hybrid architectures. Traditional security approaches that rely on disparate point solutions are failing to keep pace with sophisticated threats, leaving critical gaps in visibility and response

The post Unified Security for On-Prem, Cloud, and Hybrid Infrastructure: The Seceon Advantage appeared first on Seceon Inc.

The post Unified Security for On-Prem, Cloud, and Hybrid Infrastructure: The Seceon Advantage appeared first on Security Boulevard.

  •  

SoundCloud Confirms Security Incident

SoundCloud confirmed today that it experienced a security incident involving unauthorized access to a supporting internal system, resulting in the exposure of certain user data. The company said the incident affected approximately 20 percent of its users and involved email addresses along with information already visible on public SoundCloud profiles. Passwords and financial information were […]

The post SoundCloud Confirms Security Incident appeared first on Centraleyes.

The post SoundCloud Confirms Security Incident appeared first on Security Boulevard.

  •  

T.H.E. Journal: How Schools Can Reduce Digital Distraction Without Surveillance

This article was originally published in T.H.E. Journal on 12/10/25 by Charlie Sander. Device-based learning is no longer “new,” but many schools still lack a coherent playbook for managing it. Many school districts dashed to adopt 1:1 computing during the pandemic, spending $48 million on new devices to ensure every child had a platform to take classes ...

The post T.H.E. Journal: How Schools Can Reduce Digital Distraction Without Surveillance appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post T.H.E. Journal: How Schools Can Reduce Digital Distraction Without Surveillance appeared first on Security Boulevard.

  •  

SoundCloud, Pornhub, and 700Credit all reported data breaches, but the similarities end there

Comparing data breaches is like comparing apples and oranges. They differ on many levels. To news media, the size of the brand, how many users were impacted, and how it was done often dominate the headlines. For victims, what really matters is the type of information stolen. And for the organizations involved, the focus is on how they will handle the incident. So, let’s have a look at the three that showed up in the news feeds today.

700Credit

700Credit is a US provider of credit reports, preliminary credit checks, identity verification, fraud detection, and compliance tools for automobile, recreational vehicle, powersports, and marine dealerships.

In a notice on its website, 700Credit informed media, partners, and affected individuals that it suffered a third-party supply-chain attack in late October 2025. According to the notice, an attacker gained unauthorized access to personally identifiable information (PII), including names, addresses, dates of birth, and Social Security numbers (SSNs). The breach involves data collected between May and October, impacting roughly 5.6 million people.

The supply-chain attack shows how much depends on how a compromise is handled. Reportedly, 700Credit exchanges data with more than 200 integration partners through application programming interfaces (APIs). One of those partners was compromised in July but did not notify 700Credit. The attackers then used that partner's access to exploit an API used to pull consumer information from 700Credit.

700Credit shut down the exposed third-party API, notified the FBI and FTC, and is mailing letters to victims offering credit monitoring while coordinating with dealers and state regulators.

SoundCloud

SoundCloud is a leading audio streaming platform where users can upload, promote, stream, and share music, podcasts, and other audio content.

SoundCloud posted a notice on its website stating that it recently detected unauthorized activity in an ancillary service dashboard (ancillary services are the supporting functions that help keep the platform stable and reliable). While it was containing that intrusion, SoundCloud was also hit by denial-of-service attacks, two of which temporarily took the web platform offline.

An investigation found that no sensitive data such as financial or password data was accessed. The exposed data consisted of email addresses and information already visible on public SoundCloud profiles. The company estimates the incident affected roughly 20% of its user base.

Pornhub

Pornhub is one of the world’s most visited adult video-sharing websites, allowing users to view content anonymously or create accounts to upload and interact with videos.

Reportedly, Pornhub disclosed that on November 8, 2025, a security breach at third-party analytics provider Mixpanel exposed “a limited set of analytics events for certain users.” Pornhub stressed that this was not a breach of Pornhub’s own systems, and said that passwords, payment details, and financial information were not exposed. Mixpanel, however, disputes that the data originated from its November 2025 security incident.

According to reports, the ShinyHunters extortion group claims to have obtained about 94 GB of data containing more than 200 million analytics records tied to Pornhub Premium activity. ShinyHunters shared a data sample with BleepingComputer that included a Pornhub Premium member’s email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.

ShinyHunters has told BleepingComputer that it sent extortion demands to Pornhub, and the nature of the exposed data creates clear risks for blackmail, outing, and reputational harm—even though no Social Security numbers, government IDs, or payment card details are in the scope of the breach.

Comparing apples and oranges

As you can see, these are three very different data breaches. Not just in how they happened, but in what they mean for the people affected.

While email addresses and knowing that someone uses SoundCloud could be useful for phishers and scammers, it’s a long way from the leverage that comes with detailed records of Pornhub Premium activity. If that doesn’t get you on the list of a “hello pervert” scammer, I don’t know what will.

But the most dangerous breach for those affected is undoubtedly 700Credit's, which hands an attacker enough information for identity theft outright. In the other two cases an attacker still has to get past further defenses; a successful identity theft is already an end goal in itself.

People affected
  SoundCloud: estimated ~28–36 million users (about 20% of users)
  700Credit:  ~5.6 million people
  Pornhub:    "select" Premium users; ~201 million activity records (not 201 million people)

Leaked data
  SoundCloud: email addresses and public profile info
  700Credit:  names, addresses, dates of birth, SSNs
  Pornhub:    search, watch, and download activity; attacker-shared samples include email addresses, timestamps, and IP/geo-location data

Sensitivity level
  SoundCloud: low (mostly already public contact/profile data)
  700Credit:  very high (classic identity-theft PII)
  Pornhub:    very high (intimate behavioral and preference data, blackmail/extortion potential)

Breach cause
  SoundCloud: unauthorized access to an internal service dashboard
  700Credit:  third-party API compromise (supply-chain attack)
  Pornhub:    disputed incident involving third-party analytics data (Mixpanel), following a smishing campaign

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

  •  

Android threats in 2025: When your phone becomes the main attack surface

Android users spent 2025 walking a tighter rope than ever, with malware, data‑stealing apps, and SMS‑borne scams all climbing sharply while attackers refined their business models around mobile data and access.

Looking back, we may view 2025 as the year when one-off scams were replaced on the score charts by coordinated, well-structured attack frameworks.

Comparing two equal six‑month periods—December 2024 through May 2025 versus June through November 2025—our data shows Android adware detections nearly doubled (90% increase), while PUP detections increased by roughly two‑thirds and malware detections by around half.

The strong rise in SMS-based attacks we flagged in June indicates that 2025 is the payoff year. The capabilities to steal one‑time passcodes are no longer experimental; they’re being rolled into campaigns at scale.

The shift from nuisances to serious crime

Looking at the preceding full year, malware and PUPs together made up almost 90% of Android detections, with malware rising to about 43% of the total and potentially unwanted programs (PUPs) to 45%, while adware slid to around 12%.

That mix tells an important story: Attackers are spending less effort on noisy annoyance apps and more on tools that can quietly harvest data, intercept messages, or open the door to full account takeover.

But that’s not because adware and PUP numbers went down.

Shahak Shalev, Head of AI and Scam Research at Malwarebytes, pointed out:

“The holiday season may have just kicked off, but cybercriminals have been laying the groundwork for months for successful Android malware campaigns. In the second half of 2025, we observed a clear escalation in mobile threats. Adware volumes nearly doubled, driven by aggressive families like MobiDash, while PUP detections surged, suggesting attackers are experimenting with new delivery mechanisms. I urge everyone to stay vigilant over the holidays and not be tempted to click on sponsored ads, pop-ups or shop via social media. If an offer is too good to be true, it usually is.”

For years, Android/Adware.MobiDash has been one of the most common unwanted apps on Android. MobiDash comes as an adware software development kit (SDK) that developers (or repackagers) bolt onto regular apps to flood users with pop‑ups after a short delay. In 2025 it still shows up in our stats month after month, with thousands of detections under the MobiDash family alone.

So threats like MobiDash are far from gone, but they are increasingly background noise against the more serious threats that now stand out.

Over that same December–May versus June–November window, adware detections nearly doubled, with PUP and malware detections also rising.

In the adware group, MobiDash alone grew its monthly detection volume by more than 100% between early and late 2025, even as adware as a whole remained a minority share of Android threats. In just the last three months we measured, MobiDash activity surged by about 77%, with detections climbing steadily from September through November.

A more organized approach

Rather than relying on delivering a single threat, we found cybercriminals are chaining components like droppers, spying modules, and banking payloads into flexible toolkits that can be mixed and matched per campaign.

What makes this shift worrying is the breadth of what information stealers now collect. Beyond call logs and location, many samples are tuned to monitor messaging apps, browser activity, and financial interactions, creating detailed behavioral profiles that can be reused across multiple fraud schemes. As long as this data remains monetizable on underground markets, the incentive to keep these surveillance ecosystems running will only grow.

As the ThreatDown 2025 State of Malware report points out:

“Just like phishing emails, phishing apps trick users into handing over their usernames, passwords, and two-factor authentication codes. Stolen credentials can be sold or used by cybercriminals to steal valuable information and access restricted resources.”

Predatory finance apps like SpyLoan and Albiriox typically rely on social engineering (sometimes AI-supported), promising fast cash, low-interest loans, and minimal checks. Once installed, they harvest contacts, messages, and device identifiers, which can then be used for harassment, extortion, or cross‑platform identity abuse. Combined with access to SMS and notifications, that data lets operators watch victims juggle real debts, bank balances, and private conversations.

One of the clearest examples of this more organized approach is Triada, a long-lived remote access Trojan (RAT) for Android. In our December 2024 through May 2025 data, Triada appeared at relatively low but persistent levels. Its detections then more than doubled in the June–November period, with a pronounced spike late in the year.

Triada’s role is to give attackers a persistent foothold on the device: Once installed, it can help download or launch additional payloads, manipulate apps, and support on‑device fraud—exactly the kind of long‑term ‘infrastructure’ behavior that turns one‑off infections into ongoing operations.

Seeing a legacy threat like Triada ramp up in the same period as newer banking malware underlines that 2025 is when long‑standing mobile tools and fresh fraud kits start paying off for attackers at the same time.

If droppers, information stealers, and smishing are the scaffolding, banking Trojans are the cash register at the bottom of the funnel. Accessibility abuse, on‑device fraud, and live screen streaming can make transactions happen inside the victim’s own banking session rather than on a cloned site. This approach sidesteps many defenses, such as device fingerprinting and some forms of multi-factor authentication (MFA). These shifts show up in the broader trend of our statistics, with more detections pointing to layered, end‑to‑end fraud pipelines.

Compared to the 2024 baseline, where phishing‑capable Android apps and OTP stealers together made up only a small fraction of all Android detections, the 2025 data shows their share growing by tens of percentage points in some months, especially around major fraud seasons.

What Android users should do now

Against this backdrop, Android users need to treat mobile security with the same seriousness as desktop and server environments. This bears repeating, as Malwarebytes research shows that people are 39% more likely to click a link on their phone than on their laptop.

A few practical steps make a real difference:

  • Prefer official app stores, but do not trust them blindly. Scrutinize developer reputation, reviews, and install counts, especially for financial and “utility” apps that ask for sensitive permissions.
  • Be extremely cautious with permissions like SMS access, notification access, Accessibility, and “Display over other apps,” which show up again and again in infostealers, banking Trojans, and OTP-stealing campaigns.
  • Avoid sideloading and gray‑market firmware unless absolutely necessary. When possible, choose devices with a clear update policy and apply security patches promptly.
  • Treat unexpected texts and messages—particularly those about payments, deliveries, or urgent account issues—as hostile until proven otherwise and never tap links or install apps directly from them.
  • Run up-to-date real-time mobile security software that can detect malicious apps, block known bad links, and flag suspicious SMS activity before it turns into full account compromise.
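As an added example (not Malwarebytes' code or tooling), here is a small triage script that parses the output of `adb shell dumpsys package` and flags installed apps that request the permission combinations the list above warns about. The package names and dump text below are constructed to mimic that output format, and the two-permission threshold is an assumption. It looks only at requested and granted permissions; whether an app is actually enabled as an Accessibility service or notification listener has to be checked separately (for example with `adb shell dumpsys accessibility` and `adb shell settings get secure enabled_notification_listeners`).

```python
"""Triage installed Android apps for OTP-theft, overlay and dropper permissions.

Added example, not Malwarebytes' tooling. Parses `adb shell dumpsys package`
output (the "requested permissions" and "runtime permissions" sections) and
flags packages that request several of the permissions abused by infostealers,
banking Trojans and OTP stealers. Usage on a real device:

    adb shell dumpsys package packages | python3 triage.py
"""
import re
import sys

# Permissions the article singles out, with the abuse each enables.
RISKY = {
    "android.permission.RECEIVE_SMS": "intercept incoming one-time passcodes",
    "android.permission.READ_SMS": "read stored SMS (OTPs, bank alerts)",
    "android.permission.SYSTEM_ALERT_WINDOW": "'display over other apps' overlays (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper behaviour, installs further APKs",
    "android.permission.READ_CONTACTS": "contact harvesting for SpyLoan-style extortion",
}

# Constructed sample modelled on `dumpsys package` output; not a real dump.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fastloan] (3f1a2b):
    userId=10231
    versionName=1.4.2
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (9c0d1e):
    userId=10232
    versionName=2.0.0
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"Package \[([\w.]+)\]")
PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return {package: {"requested": set(), "granted": set()}}."""
    pkgs, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"requested": set(), "granted": set()})
            section = None
            continue
        if cur is None:
            continue
        if line.endswith("permissions:"):
            section = line.split()[0]  # "requested", "install" or "runtime"
            continue
        pm = PERM_RE.match(line)
        if pm and section:
            perm, granted = pm.group(1), pm.group(2)
            if section == "requested":
                cur["requested"].add(perm)
            elif granted == "true":  # install or runtime permission actually granted
                cur["granted"].add(perm)
        else:
            section = None  # any other line ends the current permission list
    return pkgs


def triage(pkgs, min_hits=2):
    """Flag packages requesting at least `min_hits` risky permissions (threshold is an assumption)."""
    findings = []
    for name, info in pkgs.items():
        risky = sorted(info["requested"] & set(RISKY))
        if len(risky) < min_hits:
            continue
        findings.append({
            "package": name,
            "risky": risky,
            "granted": sorted(info["granted"] & set(RISKY)),
            "why": [RISKY[p] for p in risky],
        })
    return sorted(findings, key=lambda f: -len(f["risky"]))


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for f in triage(parse_dumpsys(dump)):
        print(f"{f['package']}: requests {len(f['risky'])} risky permissions, "
              f"{len(f['granted'])} granted")
        for perm, why in zip(f["risky"], f["why"]):
            print(f"  {perm}: {why}")
```

On the constructed sample, the loan app is reported with four risky permissions requested and two (RECEIVE_SMS, READ_SMS) granted, while the notes app is silent. Requested-but-not-granted permissions are still worth listing: an app that asks for SMS and overlay access at install time has told you what it intends to do once the user taps "Allow".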

Mobile threats in 2025 are no longer background noise or the exclusive domain of power users and enthusiasts. For many people, the phone is now the main attack surface—and the main gateway to their money, identity, and personal life.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

  •  

Photo booth flaw exposes people’s private pictures online

Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them.

A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedly exposed hundreds of customers’ private photos to anyone who knew where to look.

The researcher, who goes by the name Zeacer, said that a website operated by photo kiosk company Hama Film allowed anyone to download customer photos and videos without logging in. The Australian company provides photo kiosks for festivals, concerts, and commercial events. People take a snap and can both print it locally and also upload it to a website for retrieval later.

You would expect that such a site would be properly protected, so only you get to see yourself wearing nothing but a feather boa and guzzling from a bottle of Jack Daniels at your mate’s stag do. But reportedly, that wasn’t the case.

You get a photo! You get a photo! Everyone gets a photo!

According to TechCrunch, which has reviewed the researcher’s analysis, the website suffered from a well-known and extremely basic security flaw. TechCrunch stopped short of naming it, but mentioned sites with similar flaws where people could easily guess where files were held.

When files are stored at easily guessable locations and are not password protected, anyone can access them. Because those locations are predictable, attackers can write scripts that automatically visit them and download the files. When these files belong to users (such as photos and videos), that becomes a serious privacy risk.

At first glance, random photo theft might not sound that dangerous. But consider the possibilities. Facial recognition technology is widespread. People at events often wear lanyards with corporate affiliations or name badges. And while you might shrug off an embarrassing photo, it’s a different story if it’s a family shot and your children are in the frame. Those pictures could end up on someone’s hard drive somewhere, with no way to get them back or even know that they’ve been taken.

Companies have an ethical responsibility to respond

That’s why it’s so important for organizations to prevent the kind of basic vulnerability that Zeacer appears to have identified. They can do that by requiring authentication before serving files, limiting how quickly one client can fetch large numbers of files, and storing files at locations that cannot be guessed (random identifiers rather than sequential ones).

They should also acknowledge researchers and fix vulnerabilities quickly when they’re reported. According to public reports, Hama Film didn’t reply to Zeacer’s messages, but instead shortened its file retention period from roughly two to three weeks down to about 24 hours. That shortens the window of exposure, but it does nothing to stop someone who scrapes every image daily.
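To make those fixes concrete, here is an added example (not Hama Film's code; nothing is public about how its site is built) of the vulnerable pattern beside a hardened one in Python: a sequential, unauthenticated URL that can be enumerated, versus a random per-photo reference, an HMAC-signed download link that expires, and a per-client rate limiter. The hostname, key handling and limits are assumptions for the example.

```python
"""Predictable vs. unguessable, signed and rate-limited download links.

Added example, not the photo booth operator's code. Shows the flaw class the
article describes (files at guessable locations, no authentication) and the
three mitigations it names: unguessable locations, a check before serving,
and a limit on how fast one client can pull files.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Optional
from urllib.parse import parse_qs, urlencode

HOST = "https://booth.example"  # assumed hostname


# --- Vulnerable pattern -------------------------------------------------
def vulnerable_url(photo_id: int) -> str:
    """Sequential ID, no auth: a loop over photo_id=1..N downloads every customer's photo."""
    return f"{HOST}/photos/{photo_id}.jpg"


# --- Hardened pattern ---------------------------------------------------
SIGNING_KEY = secrets.token_bytes(32)  # assumption: in production, load from a secrets store


def new_photo_ref() -> str:
    """128-bit random reference: the location cannot be guessed or enumerated."""
    return secrets.token_urlsafe(16)


def _sign(ref: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, f"{ref}:{expires}".encode(), hashlib.sha256).hexdigest()


def make_download_url(ref: str, ttl_seconds: int = 600, now: Optional[float] = None,
                      key: bytes = SIGNING_KEY) -> str:
    """Link handed to the customer (e.g. by QR code); valid for ttl_seconds."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    query = urlencode({"ref": ref, "exp": expires, "sig": _sign(ref, expires, key)})
    return f"{HOST}/download?{query}"


def verify_download(query: str, now: Optional[float] = None, key: bytes = SIGNING_KEY) -> bool:
    """Server-side check before a file is served: signature valid and link not expired."""
    params = parse_qs(query)
    try:
        ref, expires, sig = params["ref"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if expires < (time.time() if now is None else now):
        return False
    # constant-time compare: a timing leak would let an attacker forge signatures byte by byte
    return hmac.compare_digest(sig, _sign(ref, expires, key))


class RateLimiter:
    """Sliding-window limit per client (IP or session); blunts scripted bulk scraping."""

    def __init__(self, max_requests: int, per_seconds: float):
        self.max_requests, self.per_seconds = max_requests, per_seconds
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        window = self._hits[client]
        while window and now - window[0] >= self.per_seconds:
            window.popleft()  # drop hits that have aged out of the window
        if len(window) >= self.max_requests:
            return False
        window.append(now)
        return True


if __name__ == "__main__":
    ref = new_photo_ref()
    url = make_download_url(ref)
    print("vulnerable:", vulnerable_url(1234))
    print("hardened:  ", url)
    print("verifies now:", verify_download(url.split("?", 1)[1]))
```

The random reference alone defeats enumeration; the signature and expiry mean a link that leaks (shared screenshot, browser history) stops working on its own; the rate limiter is what actually addresses the "scrape everything daily" problem the retention change did not. All three are independent, and a site should apply all of them rather than pick one.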

So what can you do if you used one of these booths? Sadly, little more than assume that your photos have been accessed.

Organizations that hire photo booth providers have more leverage. They can ask how long images are retained, what data protection policies are in place, whether download links are password protected and rate limited, and whether the company has undergone third-party security audits.

Hama Film isn’t the only company to have exposed data this way. TechCrunch has previously reported on a jury management system that exposed jurors’ personal data. Payday loan sites have leaked sensitive financial information, and in 2019, First American Financial Corp exposed 885 million files dating back 16 years.

In 2021, right-wing social network Parler saw up to 60 TB of data (including deleted posts) downloaded after hacktivists found an unprotected API with sequentially numbered endpoints. Sadly, we’re sure this latest incident won’t be the last.


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

  •  

AWS Blames Russia’s GRU for Years-Long Espionage Campaign Targeting Western Energy Infrastructure


Amazon Web Services (AWS) has attributed a persistent multi-year cyber espionage campaign targeting Western critical infrastructure, particularly the energy sector, to a group strongly linked with Russia’s Main Intelligence Directorate (GRU), known widely as Sandworm (or APT44).

In a report released Monday, the cloud giant’s threat intelligence teams revealed that the Russian-nexus actor has maintained a "sustained focus" on North American and European critical infrastructure, with operations spanning from 2021 through the present day.

Misconfigured Devices are the Attackers' Gateway

Crucially, the AWS investigation found that the initial compromises were not due to any weakness in the AWS platform itself, but to misconfigured customer devices. The threat actor is exploiting a fundamental failure of network defense: customers not properly securing their network edge devices and virtual appliances.

The operation focuses on stealing credentials and establishing long-term persistence, often by compromising third-party network appliance software running on platforms like Amazon Elastic Compute Cloud (EC2).

AWS CISO CJ Moses commented in the report, warning, "Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat."

Persistence and Credential Theft, Part of the Sandworm Playbook

AWS observed the GRU-linked group employing several key tactics, techniques, and procedures (TTPs) aligned with their historical playbook:

  1. Exploiting Misconfigurations: Leveraging customer-side mistakes, particularly in exposed network appliances, to gain initial access.

  2. Establishing Persistence: Network connection analysis showed actor-controlled IP addresses maintaining persistent, long-term connections to the compromised EC2 instances.

  3. Credential Harvesting: The ultimate objective is credential theft, enabling the attackers to move laterally across networks and escalate privileges, often targeting the accounts of critical infrastructure operators.

AWS’s analysis of infrastructure overlaps with known Sandworm operations—a group infamous for disruptive attacks like the 2015 and 2016 power grid blackouts in Ukraine—provides high confidence in the attribution.

Threat intelligence company Cyble recently detected advanced backdoors targeting defense systems whose TTPs closely resembled Russia's Sandworm playbook.


Singular Focus on the Energy Supply Chain

The targeting profile analyzed by AWS' threat intelligence teams demonstrates a calculated and sustained focus on the global energy sector supply chain, including both direct operators and the technology providers that support them:

  • Energy Sector: Electric utility organizations, energy providers, and managed security service providers (MSSPs) specializing in energy clients.

  • Technology/Cloud Services: Collaboration platforms and source code repositories essential for critical infrastructure development.

  • Telecommunications: Telecom providers across multiple regions.

The geographic scope of the targeting is global, encompassing North America, Western and Eastern Europe, and the Middle East, illustrating a strategic objective to gain footholds in the operational technology (OT) and enterprise networks that govern power distribution and energy flow across NATO countries and allies.

From Cloud Edge to Credential Theft

AWS’ telemetry exposed a methodical, five-step campaign flow that leverages customer misconfiguration on cloud-hosted devices to gain initial access:

  1. Compromise Customer Network Edge Device hosted on AWS: The attack begins by exploiting customer-side vulnerabilities or misconfigurations in network edge devices (like firewalls or virtual appliances) running on platforms like Amazon EC2.

  2. Leverage Native Packet Capture Capability: Once inside, the actor exploits the device's own native functionality to eavesdrop on network traffic.

  3. Harvest Credentials from Intercepted Traffic: The crucial step involves stealing usernames and passwords from the intercepted traffic as they pass through the compromised device.

  4. Replay Credentials Against Victim Organizations’ Online Services and Infrastructure: The harvested credentials are then "replayed" (used) to access other services, allowing the attackers to pivot from the compromised appliance into the broader victim network.

  5. Establish Persistent Access for Lateral Movement: Finally, the actors establish a covert, long-term presence to facilitate lateral movement and further espionage.
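A detection for step 4, credential replay, as an added example that is not part of the AWS report: it learns each identity's usual source addresses from a baseline period, then flags successful logins from an address that identity has never used, escalating the reason when the login overlaps a recent session from a known address (the same credential in use in two places) or when the address is on an indicator-of-compromise watchlist. The log format, field names, addresses and the IOC list are constructed for the example.

```python
"""Flag credential replay in an authentication log.

Added example; the log lines, field names, addresses and IOC list are
constructed and are not from the AWS report."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines auth log (field names are an assumption).
SAMPLE_LOG = """\
{"ts": "2025-11-02T08:00:00Z", "user": "ops-admin", "src_ip": "10.20.0.15", "result": "success"}
{"ts": "2025-11-02T09:00:00Z", "user": "scada-svc", "src_ip": "10.20.0.40", "result": "success"}
{"ts": "2025-11-03T08:05:00Z", "user": "ops-admin", "src_ip": "10.20.0.15", "result": "success"}
{"ts": "2025-11-03T08:11:00Z", "user": "ops-admin", "src_ip": "203.0.113.77", "result": "success"}
{"ts": "2025-11-03T09:00:00Z", "user": "scada-svc", "src_ip": "10.20.0.40", "result": "success"}
{"ts": "2025-11-04T02:30:00Z", "user": "scada-svc", "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2025-11-04T02:31:00Z", "user": "scada-svc", "src_ip": "198.51.100.9", "result": "success"}
"""

# Constructed watchlist standing in for published actor infrastructure.
IOC_IPS = {"198.51.100.9"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def baseline_sources(events, learn_until):
    """Per-user set of source IPs seen in successful logins before learn_until."""
    known = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < learn_until:
            known[e["user"]].add(e["src_ip"])
    return known


def detect_replay(events, known, ioc_ips=frozenset(), window=timedelta(minutes=30)):
    """One alert per successful login from a source the user never used before.

    reason is 'ioc-match' if the source is on the watchlist,
    'concurrent-with-known-source' if a login from a baseline address happened
    within `window` before it (the credential is in use in two places),
    otherwise 'new-source'. Failed attempts are ignored here; they belong to a
    brute-force detector, not a replay detector."""
    alerts = []
    last_known = {}  # user -> time of most recent login from a baseline source
    for e in events:
        if e["result"] != "success":
            continue
        user, ip = e["user"], e["src_ip"]
        if ip in known[user]:
            last_known[user] = e["ts"]
            continue
        if ip in ioc_ips:
            reason = "ioc-match"
        elif user in last_known and e["ts"] - last_known[user] <= window:
            reason = "concurrent-with-known-source"
        else:
            reason = "new-source"
        alerts.append({"user": user, "src_ip": ip,
                       "ts": e["ts"].isoformat(), "reason": reason})
    return alerts


def run_example():
    events = parse_events(SAMPLE_LOG)
    known = baseline_sources(events, learn_until=datetime(2025, 11, 3))
    return detect_replay(events, known, ioc_ips=IOC_IPS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed log this raises two alerts: ops-admin's login from 203.0.113.77 six minutes after a login from its usual address, and scada-svc's login from the watchlisted address. A real deployment would build the baseline from weeks of data rather than one day and feed CloudTrail, VPN or SSO logs in place of the sample.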

Secure the Edge and Stop Credential Replay

AWS has stated that while its infrastructure remains secure, the onus is on customers to correct the foundational security flaws that enable this campaign. The report strongly advises organizations to take immediate action on two fronts:

  • Secure Network Edge: Conduct thorough audits and patching of all network appliances and virtual devices exposed to the public internet, ensuring they are configured securely.

  • Monitor for Credential Replay: Implement advanced monitoring for indicators of compromise (IOCs) associated with credential replay and theft attacks, which the threat actors are leveraging to move deeper into target environments.
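For the first recommendation, an added check that is not AWS code: it walks security-group rules in the structure that boto3's ec2.describe_security_groups() returns and lists every rule that opens an appliance management port to 0.0.0.0/0 or ::/0. The port list, the group definitions and their IDs are constructed assumptions; in a real audit, replace SAMPLE_GROUPS with the live API response.

```python
"""List security-group rules that expose appliance management ports to the
whole internet.

Added example, not AWS code. Input has the shape of
boto3 ec2.describe_security_groups()["SecurityGroups"]; the groups, IDs and
the port list below are constructed assumptions."""

# SSH plus ports commonly used for appliance admin consoles and SSL-VPN
# portals (assumption; extend to match the products actually deployed).
MGMT_PORTS = (22, 443, 4443, 8443, 10443)
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c", "GroupName": "vfirewall-mgmt",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d3e4f", "GroupName": "legacy-any",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0f5a6b", "GroupName": "vpn-partner",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]


def _mgmt_ports_in_rule(rule):
    """Management ports a rule admits; ['*'] when it admits all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return ["*"]
    if proto not in ("tcp", "6"):
        return []
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return [p for p in MGMT_PORTS if lo <= p <= hi]


def _world_cidrs(rule):
    """CIDRs in the rule that mean 'anyone', v4 or v6."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def exposed_management_rules(groups):
    """(GroupId, GroupName, port, cidr) for each world-reachable management port."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            world = _world_cidrs(rule)
            if not world:
                continue
            for port in _mgmt_ports_in_rule(rule):
                for cidr in world:
                    findings.append((g["GroupId"], g["GroupName"], port, cidr))
    return findings


if __name__ == "__main__":
    # Live audit: import boto3 and pass
    # boto3.client("ec2").describe_security_groups()["SecurityGroups"] instead.
    for f in exposed_management_rules(SAMPLE_GROUPS):
        print("%s (%s): port %s open to %s" % f)
```

Each finding is a rule to tighten, not a rule to delete outright: restrict the management CIDR to a bastion or VPN range, or remove inbound exposure entirely and reach the appliance console through a private path. Rules tied to other security groups (UserIdGroupPairs) and prefix lists are not world-reachable and are deliberately ignored here.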


Chinese Surveillance and AI

New report: “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights.” From a summary article:

China is already the world’s largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not likely to simply stay there. By exposing the full scope of China’s AI driven control apparatus, this report presents clear, evidence based insights for policymakers, civil society, the media and technology companies seeking to counter the rise of AI enabled repression and human rights violations, and China’s growing efforts to project that repression beyond its borders.

The report focuses on four areas where the CCP has expanded its use of advanced AI systems most rapidly between 2023 and 2025: multimodal censorship of politically sensitive images; AI’s integration into the criminal justice pipeline; the industrialisation of online information control; and the use of AI enabled platforms by Chinese companies operating abroad. Examined together, those cases show how new AI capabilities are being embedded across domains that strengthen the CCP’s ability to shape information, behaviour and economic outcomes at home and overseas.

Because China’s AI ecosystem is evolving rapidly and unevenly across sectors, we have focused on domains where significant changes took place between 2023 and 2025, where new evidence became available, or where human rights risks accelerated. Those areas do not represent the full range of AI applications in China but are the most revealing of how the CCP is integrating AI technologies into its political control apparatus.

News article.


Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure

Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025. Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has


Why Data Security and Privacy Need to Start in Code

AI-assisted coding and AI app generation platforms have created an unprecedented surge in software development. Companies are now facing rapid growth in both the number of applications and the pace of change within those applications. Security and privacy teams are under significant pressure as the surface area they must cover is expanding quickly while their staffing levels remain largely


Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass

Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public disclosure. Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719


React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. "KSwapDoor is a professionally engineered remote access tool designed with stealth in mind," Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a


Photo booth flaw exposes people’s private pictures online

Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them.

A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedly exposed hundreds of customers’ private photos to anyone who knew where to look.

The researcher, who goes by the name Zeacer, said that a website operated by photo kiosk company Hama Film allowed anyone to download customer photos and videos without logging in. The Australian company provides photo kiosks for festivals, concerts, and commercial events. People take a snap and can both print it locally and also upload it to a website for retrieval later.

You would expect that such a site would be properly protected, so only you get to see yourself wearing nothing but a feather boa and guzzling from a bottle of Jack Daniels at your mate’s stag do. But reportedly, that wasn’t the case.

You get a photo! You get a photo! Everyone gets a photo!

According to TechCrunch, which has reviewed the researcher’s analysis, the website suffered from a well-known and extremely basic security flaw. TechCrunch stopped short of naming it, but mentioned sites with similar flaws where people could easily guess where files were held.

When files are stored at easily guessable locations and are not password protected, anyone can access them. Because those locations are predictable, attackers can write scripts that automatically visit them and download the files. When these files belong to users (such as photos and videos), that becomes a serious privacy risk.

At first glance, random photo theft might not sound that dangerous. But consider the possibilities. Facial recognition technology is widespread. People at events often wear lanyards with corporate affiliations or name badges. And while you might shrug off an embarrassing photo, it's a different story if it's a family shot and your children are in the frame. Those pictures could end up on someone's hard drive somewhere, with no way to get them back or even know that they've been taken.

Companies have an ethical responsibility to respond

That’s why it’s so important for organizations to prevent the kind of basic vulnerability that Zeacer appears to have identified. They can do that by properly password-protecting files, limiting how quickly one user can access large numbers of files, and making the locations impossible to guess.
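The three remedies side by side with the weak pattern, as an added example that is neither the operator's code nor part of TechCrunch's analysis: sequential IDs that a single loop enumerates, a random per-upload key that cannot be enumerated, a signed link that expires and cannot be altered, and a per-client rate limit that throttles a scraper. The hostname, secret and paths are placeholders.

```python
"""Guessable file URLs and the three fixes: unguessable keys, signed expiring
links, and rate limiting. Added example; hostname, secret and paths are
placeholders, not the operator's."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


# The weak pattern: sequential IDs, so one loop reaches every customer's file.
def guessable_urls(base, first_id, count):
    return [f"{base}/photos/{i}.jpg" for i in range(first_id, first_id + count)]


# Remedy 1: a random 128-bit key per upload; enumeration is infeasible.
def new_object_key():
    return secrets.token_urlsafe(16)


# Remedy 2: the link carries an expiry and an HMAC over (key, expiry). The
# server recomputes the MAC, so neither the key nor the expiry can be altered.
def _mac(secret, key, exp):
    msg = f"{key}|{exp}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_download(base, key, secret, ttl_seconds, now=None):
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    return f"{base}/photos/{key}?" + urlencode({"exp": exp, "sig": _mac(secret, key, exp)})


def verify_download(url, secret, now=None):
    """True only for an unexpired link whose MAC matches key and expiry."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    key = parsed.path.rsplit("/", 1)[-1]
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > exp:
        return False
    return hmac.compare_digest(sig, _mac(secret, key, exp))


# Remedy 3: token bucket per client; bulk fetching is throttled even with
# valid links. Pair it with authentication on the download endpoint.
class RateLimiter:
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst, self.buckets = rate_per_sec, burst, {}

    def allow(self, client, now):
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True


if __name__ == "__main__":
    secret = b"server-side-secret-placeholder"
    print(guessable_urls("https://example.invalid", 100, 3))
    link = sign_download("https://example.invalid", new_object_key(), secret, 3600)
    print(link, verify_download(link, secret))
```

A random key alone makes the URL hard to guess but does not stop resharing; the signature and expiry bound how long a leaked link works; the rate limit caps the damage when a client does hold valid links. None of the three replaces a login check on the endpoint.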

They should also acknowledge researchers and fix vulnerabilities quickly when they're reported. According to public reports, Hama Film didn't reply to Zeacer's messages, but instead shortened its file retention period from roughly two to three weeks down to about 24 hours. That shortens the exposure window, but it doesn't stop someone from scraping all images daily.

So what can you do if you used one of these booths? Sadly, little more than assume that your photos have been accessed.

Organizations that hire photo booth providers have more leverage. They can ask how long images are retained, what data protection policies are in place, whether download links are password protected and rate limited, and whether the company has undergone third-party security audits.

Hama Film isn’t the only company to fall victim to these kinds of exploits. TechCrunch has previously reported on a jury management system that exposed jurors’ personal data. Payday loan sites have leaked sensitive financial information, and in 2019, First American Financial Corp exposed 885 million files dating back 16 years.

In 2021, right-wing social network Parler saw up to 60 TB of data (including deleted posts) downloaded after hacktivists found an unprotected API with sequentially numbered endpoints. Sadly, we’re sure this latest incident won’t be the last.


We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.


Google is discontinuing its dark web report: why it matters

Google has announced that early next year they are discontinuing the dark web report, which was meant to monitor breach data that’s circulating on the dark web.

The news raised some eyebrows, but Google says it’s ending the feature because feedback showed the reports didn’t provide “helpful next steps.” New scans will stop on January 15, 2026, and on February 16, the entire tool will disappear along with all associated monitoring data. Early reactions are mixed: some users express disappointment and frustration, others seem largely indifferent because they already rely on alternatives, and a small group feels relieved that the worry‑inducing alerts will disappear.

All those sentiments are understandable. Knowing that someone found your information on the dark web does not automatically make you safer. You cannot simply log into a dark market forum and ask criminals to delete or return your data.

But there is value in knowing what’s out there, because it can help you respond to the situation before problems escalate. That’s where dark web and data exposure tools show their use: they turn vague fear (“Is my data out there?”) into specific risk (“This email and password are in a breach.”).

The dark web is often portrayed as a shady corner of the internet where stolen data circulates endlessly, and to some extent, that’s accurate. Password dumps, personal records, social security numbers (SSNs), and credit card details are traded for profit. Once combined into massive credential and identity databases accessible to cybercriminals, this information can be used for account takeovers, phishing, and identity fraud.

There are no tools to erase critical information that is already circulating on dark web forums, but that was never really the promise.

Google says it is shifting its focus towards “tools that give you more actionable steps,” like Password Manager, Security Checkup, and Results About You. Without doubt, those tools help, but they work better when users understand why they matter. Discontinuing dark web report removes a simple visibility feature, but it also reminds users that cybersecurity awareness means staying careful on the open web and understanding what attackers might use against them.

How can Malwarebytes help?

The real value comes from three actions: being aware of the exposure, cutting off easy new data sources, and reacting quickly when something goes wrong.

This is where dedicated security tools can help you.

Malwarebytes Personal Data Remover assists you in discovering and removing your data from data broker sites (among others), shrinking the pool of information that can be aggregated, resold, or used to profile you.

Our Digital Footprint scan gives you a clearer picture of where your data has surfaced online, including exposures that could eventually feed into dark web datasets.

Malwarebytes Identity Theft Protection adds ongoing monitoring and recovery support, helping you spot suspicious use of your identity and get expert help if someone tries to open accounts or take out credit in your name.




Post-Quantum Cryptography (PQC): Application Security Migration Guide

The coming shift to Post-Quantum Cryptography (PQC) is not a distant, abstract threat: it is the single largest, most complex cryptographic migration in the history of cybersecurity. Major breakthroughs are being made with the technology. Google announced on October 22nd, "research that shows, for the first time in history, that a quantum computer can successfully run a verifiable algorithm on hardware, surpassing even the fastest classical supercomputers (13,000x faster)." It has the potential to disrupt every industry. Organizations must prepare now or pay later.

The post Post-Quantum Cryptography (PQC): Application Security Migration Guide appeared first on Security Boulevard.


Denial-of-Service and Source Code Exposure in React Server Components

In early December 2025, the React core team disclosed two new vulnerabilities affecting React Server Components (RSC). These issues – Denial-of-Service and Source Code Exposure were found by security researchers probing the fixes for the previous week’s critical RSC vulnerability, known as “React2Shell”.  While these newly discovered bugs do not enable Remote Code Execution, meaning […]

The post Denial-of-Service and Source Code Exposure in React Server Components appeared first on Kratikal Blogs.

The post Denial-of-Service and Source Code Exposure in React Server Components appeared first on Security Boulevard.


Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

  • Adobe ColdFusion is a rapid web application development platform that uses the ColdFusion Markup Language (CFML).
  • Adobe Experience Manager (AEM) is a content management and experience management system that helps businesses build and manage their digital presence across various platforms.
  • The Adobe DNG Software Development Kit (SDK) is a free set of tools and code from Adobe that lets developers add support for Adobe's Digital Negative (DNG) RAW file format to their own applications and cameras, so they can read, write, and process DNG images.
  • Adobe Acrobat is a suite of paid tools for creating, editing, converting, and managing PDF documents.
  • The Adobe Creative Cloud desktop app is the central hub for managing all Adobe creative applications, files, and assets.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Critical Patches Issued for Microsoft Products, December 9, 2025

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. 

  • Mozilla Firefox is a web browser used to access the Internet.
  • Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


A Vulnerability in React Server Component (RSC) Could Allow for Remote Code Execution

A vulnerability in the React Server Components (RSC) implementation has been discovered that could allow for remote code execution. Specifically, it could allow for unauthenticated remote code execution on affected servers. The issue stems from unsafe deserialization of RSC "Flight" protocol payloads, enabling an attacker to send a crafted request that triggers execution of code on the server. Security researchers are now calling it "React2Shell."


A Vulnerability in SonicOS Could Allow for Denial of Service (DoS)

A vulnerability has been discovered in SonicOS that could allow for Denial of Service (DoS). SonicOS is the operating system that runs on SonicWall's network security appliances, such as firewalls. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to cause a Denial of Service (DoS), which could cause an impacted firewall to crash. This vulnerability ONLY impacts the SonicOS SSLVPN interface or service if it is enabled on the firewall.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Cyber Incidents at Prosper Marketplace and 700Credit Impact Millions Across the U.S.


Two recent cybersecurity incidents involving financial services providers have exposed the personal information of millions of individuals, highlighting ongoing risks across the fintech and credit reporting ecosystem. The larger of the two involves Prosper Marketplace, a San Francisco-based fintech company that confirmed the incident last week. Prosper disclosed that 13.1 million people were affected after unauthorized activity was discovered on its systems on September 1, 2025. A subsequent investigation revealed that attackers accessed data between June and August 2025.

Prosper Marketplace Cybersecurity Incident Details

In its official notice, Prosper stated, "On September 1, 2025, Prosper discovered unauthorized activity on our systems. We acted quickly to stop the activity and enhance our security measures, and we began working with a leading cybersecurity firm to investigate what happened."

While Prosper emphasized that there was no evidence of unauthorized access to customer accounts or funds, attackers were able to obtain a wide range of sensitive personal and financial data. The exposed information includes names, Social Security numbers, national ID numbers, dates of birth, bank account numbers, Prosper account numbers, financial application details, driver's license numbers, passports, tax information, and payment card numbers. Regulatory filings show the scale of the exposure across states, with more than 1.1 million affected individuals in Texas, 236,000 in South Carolina, and 249,000 in Washington state.

Prosper said it has begun notifying affected individuals and is offering two years of credit monitoring and identity restoration services through Experian. The company also confirmed that law enforcement was notified about the incident and that additional security and monitoring controls have been deployed.

Founded in 2005, Prosper is best known for its peer-to-peer lending platform, through which more than 2 million customers have borrowed over $28 billion in personal loans. The company also offers home equity loans, lines of credit, and credit card products.

700Credit Security Incident Impacts Over 5.8 Million People

In a separate cybersecurity incident, a data exposure at Michigan-based 700Credit affected 5,836,521 individuals, according to a notice issued on Friday. The incident was discovered on October 25, 2025, when the company's IT team identified unauthorized access to its systems. 700Credit provides credit reports, compliance solutions, identity verification, and fraud detection services to car dealerships across the U.S. The company said attackers made copies of data stored within its systems. The compromised information includes names, Social Security numbers, dates of birth, and physical addresses.

Following the incident, 700Credit confirmed it will file a consolidated breach notice with the FTC on behalf of its affected dealership clients, after receiving approval from the agency. "We timely notified the FBI and the FTC and confirmed with the FTC that 700Credit's filing on behalf of all dealers is sufficient to meet dealer obligations to notify the FTC. In addition, we will be notifying State AG offices on behalf of dealers. Impacted consumers will also be notified and offered credit monitoring services and assistance they may need. 700Credit has also been working directly with NADA," the company said in a notice.

As a result, dealers are not required to file separate FTC breach notifications related to this incident. However, dealers are still responsible for complying with state-level breach notification requirements, which remain unaffected by the FTC's decision. Dealers have been advised to consult legal counsel to ensure compliance with applicable state laws.

Financial Services Sector Faces Rising Cybersecurity Incidents

The Prosper and 700Credit incidents come just weeks after a cyberattack on SitusAMC, a company used by major banks for real estate loan and mortgage services. That incident, discovered on November 12, 2025, involved stolen accounting records and legal agreements. Together, these cybersecurity incidents emphasise a growing trend: financial services providers and fintech companies are increasingly targeted for the volume and sensitivity of data they hold. While no threat actor has publicly claimed responsibility for either the Prosper Marketplace or 700Credit incidents, the scale of exposure raises concerns about identity theft, financial fraud, and long-term consumer risk. Both companies have urged affected individuals to remain vigilant, monitor their credit reports, and report any suspicious activity.

India Dismantles ‘Phishing SMS Factory’ Infrastructure Sending Lakhs of Fraud Messages Daily


India's Central Bureau of Investigation (CBI) uncovered and disrupted a large-scale cyber fraud infrastructure, which it calls a "phishing SMS factory," that sent lakhs (hundreds of thousands) of smishing messages daily across the country to trick citizens into fake digital arrests, loan scams, and investment frauds.

The infrastructure that was operated by a registered company, M/s Lord Mahavira Services India Pvt. Ltd., used an online platform to control approximately 21,000 SIM cards that were obtained by violating the Department of Telecommunications rules.

The organized cyber gang operating from Northern India provided bulk SMS services to cybercriminals, including foreign operators targeting Indian citizens. The CBI arrested three individuals associated with the gang as part of the broader Operation Chakra-V, which is focused on breaking the backbone of cybercrime infrastructure in India.

The investigation began when the CBI studied the huge volume of fake SMS messages people receive daily, which often lead to serious financial fraud. Working closely with the Department of Telecommunications and using information from various sources, including the highly debated Sanchar Saathi portal, investigators identified the private company allegedly running the "phishing SMS factory."

Active System Seized

CBI conducted searches at several locations of North India including Delhi, Noida, and Chandigarh, where it discovered a completely active system used for sending phishing messages. The infrastructure included servers, communication devices, USB hubs, dongles, and thousands of SIM cards operating continuously to dispatch fraud messages.

The messages offered fake loans, investment opportunities, and other financial benefits aimed at stealing personal and banking details from innocent people. The scale of operations enabled lakhs of fraud messages to be distributed every day across India.

Telecom Channel Partner Involvement

Early findings of the investigations suggested an involvement of certain channel partners of telecom companies and their employees who helped illegally arrange SIM cards for the fraudulent operations. This insider facilitation allowed the gang to obtain the massive quantity of SIM cards despite telecommunications regulations designed to prevent such accumulation.

The 21,000 SIM cards were controlled through an online platform specifically designed to send bulk messages, the CBI said.

Digital Evidence and Cryptocurrency Seized

CBI also seized important digital evidence, unaccounted cash, and cryptocurrency during the operation. The seizures provide investigators with critical data to trace financial flows, identify additional conspirators, and understand the full scope of the fraud network's operations.

The discovery that foreign cyber criminals were using this service to cheat Indian citizens highlights the transnational nature of the operation, with domestic infrastructure being leveraged by overseas fraudsters to target vulnerable Indians.

Operation Chakra-V Targets Infrastructure

The dismantling of this phishing SMS factory demonstrates CBI's strategy under Operation Chakra-V to attack the technical backbone of organized cybercrime rather than merely arresting individual fraudsters. By disrupting the infrastructure enabling mass fraud communications, authorities aim to prevent thousands of potential victims from receiving deceptive messages.

As part of Operation Chakra-V crackdown, on Sunday, CBI also filed charges against 17 individuals including four likely Chinese nationals and 58 companies for their alleged involvement in a transnational cyber fraud network operating across multiple Indian states.

CBI said a single cybercrime syndicate was behind this extensive digital and financial infrastructure, which has already defrauded thousands of Indians of more than ₹1,000 crore. The operators used misleading loan apps, fake investment schemes, Ponzi and MLM models, fake part-time job offers, and fraudulent online gaming platforms to carry out the fraud. Google advertisements, bulk SMS campaigns, SIM-box based messaging systems, cloud infrastructure, fintech platforms and multiple mule bank accounts were all part of the network's modus operandi. Earlier last week, the CBI had filed similar charges against 30 people, including two Chinese nationals, who ran shell companies and siphoned money from Indian investors through fake cryptocurrency mining platforms, loan apps, and fake online job offers during the COVID-19 lockdown period.
Read: CBI Files Chargesheet Against 30 Including Two Chinese Nationals in ₹1,000 Cr Cyber Fraud Network

SoundCloud Confirms Cyberattack, Limited User Data Exposed


SoundCloud has confirmed a cyberattack on its platform after days of user complaints about service disruptions and connectivity problems. Threat actors gained unauthorized access to one of its systems and exfiltrated a limited set of user data. "SoundCloud recently detected unauthorized activity in an ancillary service dashboard," the company said. "Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity." Reports of trouble began circulating over several days, with users reporting that they were unable to connect to SoundCloud or experiencing access issues when using VPNs. After the disruptions persisted, the company issued a public statement on its website acknowledging the incident.

DoS Follows Initial SoundCloud Cyberattack

According to the music hosting service, the breach was followed by a wave of denial-of-service attacks that further disrupted access to the platform. The company said it experienced multiple DoS incidents after the breach was contained, two of which were severe enough to take the website offline and prevent users from accessing the service altogether. SoundCloud stated that it was ultimately able to repel the attacks, but the interruptions were enough to draw widespread attention from users and the broader technology community. The sequence illustrates the cascading impact of such an incident: an initial security compromise compounded by availability-focused attacks designed to overwhelm the platform.

Scope of Exposed Data and User Impact 

While the attack raised immediate concerns about user privacy, the company stressed that the exposed data was limited. SoundCloud said its investigation found no evidence that sensitive information had been accessed. “We understand that a purported threat actor group accessed certain limited data that we hold,” the company said. “We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed.” Instead, the data involved consisted of email addresses and information already visible on public SoundCloud profiles. According to the company, approximately 20 percent of SoundCloud users were affected by the breach. Although SoundCloud described the data as non-sensitive, the scale of the exposure is notable: a verified list of email addresses tied to a known service is exactly what targeted phishing and social engineering campaigns are built on, even when passwords and payment details remain secure. SoundCloud added that it is confident the attackers’ access has been fully shut down. “We are confident that any access to SoundCloud data has been curtailed,” the company said.

Security Response and Ongoing Connectivity Issues 

The company did not attribute the SoundCloud cyberattack to a specific hacking group but confirmed that it is working with third-party cybersecurity experts and has fully engaged its incident response protocols. As part of its remediation efforts, the company said it has enhanced monitoring and threat detection, reviewed and reinforced identity and access controls, and conducted a comprehensive audit of related systems.  Some of these security upgrades had unintended consequences. SoundCloud acknowledged that changes made to strengthen its defenses contributed to the VPN connectivity issues reported by users in recent days.  “We are actively working to resolve these VPN related access issues,” the company said. 
  •  

PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach


PornHub is facing renewed scrutiny after confirming that some Premium users’ activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub’s own systems, but to Mixpanel, an analytics vendor the platform previously used. On December 12, 2025, PornHub published a security notice confirming that a cyberattack on Mixpanel led to the exposure of historical analytics data, affecting a limited number of Premium users. According to PornHub, the compromised data included search and viewing history tied to Premium accounts, which has since been used in extortion attempts attributed to the ShinyHunters extortion group. “A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users,” the company stated in its notice dated December 12, 2025.  PornHub stresses that the incident did not involve a compromise of its own systems and that sensitive account information remained protected.  “Specifically, this situation affects only select Premium users. It is important to note that this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”  According to PornHub, the affected records are not recent. The company said it stopped working with Mixpanel in 2021, indicating that any stolen data would be at least four years old. Even so, the exposure of viewing and search behavior has raised privacy concerns, particularly given the stigma and personal risk that can accompany such information if misused. 

Mixpanel Smishing Attack Triggered Supply-Chain Exposure 

The root of the incident was a supply-chain compromise: PornHub was hit by proxy through a former vendor. Mixpanel disclosed on November 27, 2025, that it had suffered a breach earlier in the month. The company detected the intrusion on November 8, 2025, after a smishing (SMS phishing) campaign allowed threat actors to gain unauthorized access to its systems. Mixpanel CEO Jen Taylor addressed the incident in a public blog post, stressing transparency and remediation. “On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes,” Taylor wrote. “We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.” Mixpanel said the breach affected only a “limited number” of customers and that impacted clients were contacted directly. The company outlined an extensive response that included revoking active sessions, rotating compromised credentials, blocking malicious IP addresses, performing global password resets for employees, and engaging third-party forensic experts. Law enforcement and external cybersecurity advisors were also brought in as part of the response.

OpenAI and PornHub Among Impacted Customers 

PornHub was not alone among Mixpanel’s customers caught up in the incident. OpenAI disclosed on November 26, 2025, one day before Mixpanel’s public announcement, that it, too, had been affected. OpenAI clarified that the incident occurred entirely within Mixpanel’s environment and involved limited analytics data related to some API users. “This was not a breach of OpenAI’s systems,” the company said, adding that no chats, API requests, credentials, payment details, or government IDs were exposed. OpenAI noted that it uses Mixpanel to manage web analytics on its API front end. PornHub offered a similar assurance in its own disclosure, stating that it had launched an internal investigation with the support of cybersecurity experts and had engaged with relevant authorities. “We are working diligently to determine the nature and scope of the reported incident,” the company said, while urging users to remain vigilant for suspicious emails or unusual activity. Despite those assurances, the incident, albeit indirect, has drawn attention due to the sensitive nature of the exposed data and the reported extortion attempts now linked to it.

PornHub Data Breach Comes Amid Expanding U.S. Age-Verification Laws 

The PornHub data breach arrives at a time when the platform is already under pressure from sweeping age-verification laws across the United States. PornHub is currently blocked in 22 states, including Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Mississippi, Montana, Nebraska, North Carolina, North Dakota, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming. These restrictions stem from state laws requiring users to submit government-issued identification or other forms of age authentication to access explicit content.  Louisiana was the first state to enact such a law, and others followed after the U.S. Supreme Court ruled in June that Texas’s age-verification statute was constitutional. Although PornHub is not blocked in Louisiana, the requirement for ID verification has had a significant impact. Aylo, PornHub’s parent company, said that the traffic in the state dropped by approximately 80 percent after the law took effect.  Aylo has repeatedly criticized the implementation of these laws. “These people did not stop looking for porn. They just migrated to darker corners of the internet that don’t ask users to verify age, that don’t follow the law, that don’t take user safety seriously,” the company said in a statement.  Aylo added that while it supports age verification in principle, the current approach creates new risks. Requiring large numbers of adult websites to collect highly sensitive personal information, the company argued, puts users in danger if those systems are compromised.
  •  

8 Ways the DPDP Act Will Change How Indian Companies Handle Data in 2026 


For years, data privacy in India lived in a grey zone. Mobile numbers demanded at checkout counters. Aadhaar photocopies lying unattended in hotel drawers. Marketing messages that arrived long after you stopped using a service. Most of us accepted this as normal, until the law caught up.  That moment has arrived.  The Digital Personal Data Protection Act (DPDP Act), 2023, backed by the Digital Personal Data Protection Rules, 2025 notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025, marks a decisive shift in how personal data must be treated in India. As the country heads into 2026, businesses are entering the most critical phase: execution.  Companies now have an 18-month window to re-engineer systems, processes, and accountability frameworks across IT, legal, HR, marketing, and vendor ecosystems. The change is not cosmetic. It is structural.  As Sandeep Shukla, Director, International Institute of Information Technology Hyderabad (IIIT Hyderabad), puts it bluntly: 
“Well, I can say that Indian companies so far have been rather negligent of customers' privacy. Anywhere you go, they ask for your mobile number.” 
The DPDP Act is designed to ensure that such casual indifference to personal data does not survive the next decade.  Below are eight fundamental ways the DPDP Act will change how Indian companies handle data in 2026, with real-world implications for businesses, consumers, and the digital economy.

1. Privacy Will Move from the Back Office to the Boardroom 

Until now, data protection in Indian organizations largely sat with compliance teams or IT security. That model will not hold in 2026.  The DPDP framework makes senior leadership directly accountable for how personal data is handled, especially in cases of breaches or systemic non-compliance. Privacy risk will increasingly be treated like financial or operational risk. 
According to Shashank Bajpai, CISO & CTSO at YOTTA, “The DPDP Act (2023) becomes operational through Rules notified in November 2025; the result is a staggered compliance timetable that places 2026 squarely in the execution phase. That makes 2026 the inflection year when planning becomes measurable operational work and when regulators will expect visible progress.” 
In 2026, privacy decisions will increasingly sit with boards, CXOs, and risk committees. Metrics such as consent opt-out rates, breach response time, and third-party risk exposure will become leadership-level conversations, not IT footnotes.

2. Consent Will Become Clear, Granular, and Reversible

One of the most visible changes users will experience is how consent is sought.  Under the DPDP Act, consent must be specific, informed, unambiguous, and easy to withdraw. Pre-ticked boxes and vague “by using this service” clauses will no longer be enough. 
As Gauravdeep Singh, State Head (Digital Transformation), e-Mission Team, MeitY, explains, “Data Principal = YOU.” 
Whether it’s a food delivery app requesting location access or a fintech platform processing transaction history, individuals gain the right to control how their data is used—and to change their mind later.

3. Data Hoarding Will Turn into a Liability 

For many Indian companies, collecting more data than necessary was seen as harmless. Under the DPDP Act, it becomes risky.  Organizations must now define why data is collected, how long it is retained, and how it is securely disposed of. If personal data is no longer required for a stated purpose, it cannot simply be stored indefinitely. 
Shukla highlights how deeply embedded poor practices have been: “Hotels take your Aadhaar card or driving license and copy and keep it in the drawers inside files without ever telling the customer about their policy regarding the disposal of such PII data safely and securely.” 
In 2026, undefined retention is no longer acceptable.

4. Third-Party Vendors Will Come Under the Scanner

Data processors such as cloud providers, payment gateways and CRM platforms will no longer operate in the shadows. The DPDP Act clearly distinguishes between Data Fiduciaries (companies that decide how data is used) and Data Processors (those that process data on their behalf). Fiduciaries remain accountable even if the breach occurs at a vendor. This will force companies to: 
  • Audit vendors regularly 
  • Rewrite contracts with DPDP clauses 
  • Monitor cross-border data flows 
As Shukla notes, “The shops, E-commerce establishments, businesses, utilities collect so much customer PII, and often use third party data processor for billing, marketing and outreach. We hardly ever get to know how they handle the data.” 
In 2026, companies will be required to audit vendors, strengthen contracts, and ensure processors follow DPDP-compliant practices, because liability remains with the fiduciary.

5. Breach Response Will Be Timed, Tested, and Visible

Data breaches are no longer just technical incidents; they are legal events. The DPDP Rules require organizations to detect, assess, and respond to breaches with defined processes and accountability. Silence or delay will only worsen regulatory consequences. 
As Bajpai notes, “The practical effect is immediate: companies must move from policy documents to implemented consent systems, security controls, breach workflows, and vendor governance.” 
Tabletop exercises, breach simulations, and forensic readiness will become standard—not optional. 

6. Significant Data Fiduciaries (SDFs) Will Face Heavier Obligations 

Not all companies are treated equally under the DPDP Act. Significant Data Fiduciaries (SDFs), those handling large volumes of sensitive personal data, will face stricter obligations, including: 
  • Data Protection Impact Assessments 
  • Appointment of India-based Data Protection Officers 
  • Regular independent audits 
Global platforms like Meta, Google, Amazon, and large Indian fintechs will feel the pressure first, but the ripple effect will touch the entire ecosystem.

7. A New Privacy Infrastructure Will Emerge

The DPDP framework is not just regulation—it is ecosystem building. 
As Bajpai observes, “This is not just regulation; it is an economic strategy to build domestic capability in cloud, identity, security and RegTech.” 
Consent Managers, auditors, privacy tech vendors, and compliance platforms will grow rapidly in 2026. For Indian startups, DPDP compliance itself becomes a business opportunity.

8. Trust Will Become a Competitive Advantage

Perhaps the biggest change is psychological. In 2026, users will increasingly ask: 
  • Why does this app need my data? 
  • Can I withdraw consent? 
  • What happens if there’s a breach? 
One Reddit user captured the risk succinctly, “On paper, the DPDP Act looks great… But a law is only as strong as public awareness around it.” 
Companies that communicate transparently and respect user choice will win trust. Those that don’t will lose customers long before regulators step in. 

Preparing for 2026: From Awareness to Action 

As Hareesh Tibrewala, CEO at Anhad, notes, “Organizations now have the opportunity to prepare a roadmap for DPDP implementation.”
For many businesses, however, the challenge lies in turning awareness into action, especially when clarity around timelines and responsibilities is still evolving. The concern extends beyond citizens to companies themselves, many of which are still grappling with core concepts such as consent management, data fiduciary obligations, and breach response requirements. With penalties tiered by the nature and severity of violations, ranging from significant fines to amounts running into hundreds of crores, this lack of understanding could prove costly. In 2026, regulators will no longer be looking for intent; they will be looking for evidence of execution. As Bajpai points out, “That makes 2026 the inflection year when planning becomes measurable operational work and when regulators will expect visible progress.” 

What Companies Should Do Now: A Practical DPDP Act Readiness Checklist 

As India moves closer to full DPDP enforcement, organizations that act early will find compliance far less disruptive. At a minimum, businesses should focus on the following steps: 
  • Map personal data flows: Identify what personal data is collected, where it resides, who has access to it, and which third parties process it. 
  • Review consent mechanisms: Ensure consent requests are clear, purpose-specific, and easy to withdraw, across websites, apps, and internal systems. 
  • Define retention and deletion policies: Establish how long different categories of personal data are retained and document secure disposal processes. 
  • Assess third-party risk: Audit vendors, cloud providers, and processors to confirm DPDP-aligned controls and contractual obligations. 
  • Strengthen breach response readiness: Put tested incident response and notification workflows in place, not just policies on paper. 
  • Train employees across functions: Build awareness beyond IT and legal teams; privacy failures often begin with everyday operational mistakes. 
  • Assign ownership and accountability: Clearly define who is responsible for DPDP compliance, reporting, and ongoing monitoring. 
These steps are not about ticking boxes; they are about building muscle memory for a privacy-first operating environment. 

2026 Is the Year Privacy Becomes Real 

The DPDP Act does not promise instant perfection. What it demands is accountability.  By 2026, privacy will move from policy documents to product design, from legal fine print to leadership dashboards, and from reactive fixes to proactive governance. Organizations that delay will not only face regulatory penalties, but they also risk losing customer trust in an increasingly privacy-aware market. 
As Sandeep Shukla cautions, “It will probably take years before a proper implementation at all levels of organizations would be seen.” 
But the direction is clear. Personal data in India can no longer be treated casually.  The DPDP Act marks the end of informal data handling, and the beginning of a more disciplined, transparent, and accountable digital economy. 
  •  

Google to Shut Down Dark Web Monitoring Tool in February 2026

Google has announced that it's discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web. To that end, scans for new dark web breaches will be stopped on January 15, 2026, and the feature will cease to exist effective February 16, 2026. "While the report offered general

  •  

SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums

Summary

Rapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through Telegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer” and is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent a rebranding from the name “BluelineStealer.”

The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.

While the stealer is advertised as “fully written in C”, featuring a “custom C polymorphic engine” and being “fully undetected,” Rapid7 has found unobfuscated and unstripped SantaStealer samples that allow for an in-depth analysis. These samples can shed more light on this malware’s true level of sophistication.

Discovery

In early December 2025, Rapid7 identified a Windows executable triggering a generic infostealer detection rule, which we usually see triggered by samples from the Raccoon stealer family. Initial inspection of the sample (SHA-256 beginning with 1a27…) revealed a 64-bit DLL with over 500 exported symbols (all bearing highly descriptive names such as “payload_main”, “check_antivm” or “browser_names”) and a plethora of unencrypted strings that clearly hinted at credential-stealing capabilities.

While it is not clear why the malware authors chose to build a DLL, or how the stealer payload was to be invoked by a potential stager, this choice had the (presumably unintended) effect of including the name of every single function and global variable not declared as static in the executable’s export directory. Even better, this includes symbols from statically linked libraries, which we can thus identify with minimal effort.

The statically linked libraries in this particular DLL include:

  • cJSON, an “ultralightweight JSON parser”
  • miniz, a “single C source file zlib-replacement library”
  • sqlite3, the C library for interfacing with SQLite v3

Another pair of exported symbols in the DLL are named notes_config_size and notes_config_data. These point to a string containing the JSON-encoded stealer configuration, which contains, among other things, a banner (“watermark”) with Unicode art spelling “SANTA STEALER” and a link to the stealer Telegram channel, t[.]me/SantaStealer.

Figure 1: A preview of the stealer’s configuration

Figure 2: A Telegram message from November 25th advertising the rebranded SantaStealer

Figure 3: A Telegram message announcing the rebranding and expected release schedule

Visiting SantaStealer’s Telegram channel, we observed the affiliate web panel, where we were able to register an account and access more information provided by the operators, such as a list of features, the pricing model, or the various build configuration options. This allowed us to cross-correlate information from the panel with the configuration observed in samples, and get a basic idea of the ongoing evolution of the stealer.

Apart from Telegram, the stealer can be found advertised also on the Lolz hacker forum at lolz[.]live/santa/. The use of this Russian-speaking forum, the top-level domain name of the web panel bearing the country code of the Soviet Union (su), and the ability to configure the stealer not to target Russian-speaking victims (described later) hints at Russian citizenship of the operators — not at all unusual on the infostealer market.

Figure 4: A list of features advertised in the web panel

As the above screenshot illustrates, the stealer operators have ambitious plans, boasting anti-analysis techniques, antivirus software bypasses, and deployment in government agencies or complex corporate networks. This is reflected in the pricing model, where a basic variant is advertised for $175 per month, and a premium variant is valued at $300 per month, as captured in the following screenshot.

Figure 5: Pricing model for SantaStealer (web panel)

In contrast to these claims, the samples we have seen until now are far from undetectable, or in any way difficult to analyze. While it is possible that the threat actor behind SantaStealer is still developing some of the mentioned anti-analysis or anti-AV techniques, having samples leaked before the malware is ready for production use — complete with symbol names and unencrypted strings — is a clumsy mistake likely thwarting much of the effort put into its development and hinting at poor operational security of the threat actor(s).

Interestingly, the web panel includes functionality to “scan files for malware” (i.e. check whether a file is being detected or not). While the panel assures the affiliate user that no files are shared and full anonymity is guaranteed, one may have doubts about whether this is truly the case.

Figure 6: The web panel lets affiliates check whether a file is detected.

Some of the build configuration options within the web panel are shown in Figures 7 through 9.

Figure 7: SantaStealer build configuration

Figure 8: More SantaStealer build configuration options

Figure 9: SantaStealer build configuration options, including CIS countries detection

One final aspect worth pointing out is that, rather unusually, the decision whether to target countries in the Commonwealth of Independent States (CIS) is seemingly left up to the buyer and is not hardcoded, as is often the case with commercial infostealers.

Technical analysis of SantaStealer

Having read the advertisement of SantaStealer’s capabilities by the developers, one might be interested in seeing how they are implemented on a technical level. Here, we will explore one of the EXE samples (SHA-256 beginning with 926a…), as attempts at executing the DLL builds with rundll32.exe ran into issues with the C runtime initialization. However, the DLL builds (such as SHA-256 beginning with 1a27…) are still useful for static analysis and cross-referencing with the EXE.

At the moment, detecting and tracking these payloads is straightforward, due to the fact that both the malware configuration and the C2 server IP address are embedded in the executable in plain text. However, if SantaStealer indeed does turn out to be competitive and implements some form of encryption, obfuscation, or anti-analysis techniques (as seen with Lumma or Vidar) these tasks may become less trivial for the analyst. A deeper understanding of the patterns and methods utilized by SantaStealer may be beneficial.
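Because the configuration and the C2 address are currently stored in clear text, a first-pass triage script does not need an emulator or a symbol table. The following Python is an added example written for this page, not Rapid7 tooling and not code from the stealer: it walks a file for balanced JSON objects (ignoring braces inside strings and bailing on binary noise), keeps the first one that carries a key the analysis names (anti_cis, exec_delay_seconds, watermark, with the assumption that those names are stable across builds), and separately pulls out dotted-quad:port pairs. The sample blob is constructed inline and uses a documentation address rather than the real indicator.

```python
import json
import re

# Key names reported in the embedded JSON config; any dict carrying one of them
# is treated as a config candidate (assumption: the names are stable).
CONFIG_MARKERS = {"anti_cis", "exec_delay_seconds", "watermark"}

# Dotted quad followed by a port, not embedded in a longer dotted/numeric run.
C2_RE = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?![\d.])")


def _json_span_end(data, start):
    """Return the end offset of a balanced {...} that begins at `start`, or None.

    Tracks string state so braces inside strings are ignored, and gives up at
    the first byte that cannot occur in JSON outside a string (binary noise).
    """
    depth = 0
    in_str = False
    esc = False
    for j in range(start, len(data)):
        c = data[j]
        if in_str:
            if esc:
                esc = False
            elif c == 0x5C:            # backslash starts an escape
                esc = True
            elif c == 0x22:            # closing quote
                in_str = False
            elif c < 0x20:             # raw control byte is illegal in a JSON string
                return None
        elif c == 0x22:
            in_str = True
        elif c == 0x7B:                # '{'
            depth += 1
        elif c == 0x7D:                # '}'
            depth -= 1
            if depth == 0:
                return j + 1
        elif c >= 0x80 or (c < 0x20 and c not in (0x09, 0x0A, 0x0D)):
            return None
    return None


def extract_config(data):
    """Return the first JSON object in `data` that carries a config marker key."""
    for m in re.finditer(rb"\{", data):
        end = _json_span_end(data, m.start())
        if end is None:
            continue
        try:
            obj = json.loads(data[m.start():end].decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict) and CONFIG_MARKERS & set(obj):
            return obj
    return None


def extract_c2(data):
    """Return unique (ip, port) pairs that look like a plaintext C2 endpoint."""
    found = []
    for ip, port in C2_RE.findall(data):
        port = int(port)
        if all(int(o) <= 255 for o in ip.split(b".")) and 0 < port <= 65535:
            pair = (ip.decode(), port)
            if pair not in found:
                found.append(pair)
    return found


# Constructed stand-in for a sample: binary noise around a plaintext config and
# a C2 URL. 192.0.2.10 is an RFC 5737 documentation address, not an indicator.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\xff\xfe{not json\x00"
    + json.dumps({"anti_cis": True, "exec_delay_seconds": 5,
                  "watermark": "SANTA STEALER", "tg": "t.me/SantaStealer",
                  "modules": {"telegram": 1, "discord": 1}}).encode()
    + b"\x00\x00\x00upload\x00http://192.0.2.10:6767/upload\x00\x00"
    + b"1.2.3.4.5:99\x00"   # five-octet run: must not be reported as a C2
)

if __name__ == "__main__":
    print(extract_config(SAMPLE))
    print(extract_c2(SAMPLE))
```

Run it against a real DLL or EXE with `extract_config(open(path, "rb").read())`; once the developers move the config behind encryption, as the text anticipates, this is the function that stops working first, which is a useful signal in itself.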

Figure 10: Code in the send_upload_chunk exported function references plaintext strings

The user-defined entry point in the executable corresponds to the payload_main DLL export. Within this function, the stealer first checks the anti_cis and exec_delay_seconds values from the embedded config and behaves accordingly. If the CIS check is enabled and a Russian keyboard layout is detected using the GetKeyboardLayoutList API, the stealer drops an empty file named “CIS” and ends its execution. Otherwise, SantaStealer waits for the configured number of seconds before calling functions named check_antivm, payload_credentials, create_memory_based_log and creating a thread running the routine named ThreadPayload1 in the DLL exports.
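The layout check is worth understanding precisely, because it is also the cheapest way to make the sample bail in an analysis VM. GetKeyboardLayoutList returns HKL handles whose low word is the layout's LANGID; the primary language is the low 10 bits of that LANGID (0x19 is Russian), with the sublanguage in the bits above. The Python below is an added example, not code from the stealer or from Rapid7: it decodes HKLs that way and reproduces the startup decision the paragraph describes, reading anti_cis and exec_delay_seconds from a config dict. The wider CIS language list is an assumption about what the buyer-facing CIS toggle might cover; the analysed sample is described as checking for Russian only, which is the default here. The live HKL reader is Windows-only and is skipped elsewhere.

```python
import sys

# Windows primary language IDs (low 10 bits of a LANGID). The sample checks
# only Russian (0x19); the rest is an assumption about a broader CIS option.
PRIMARY_LANGID = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh",
    0x43: "Uzbek", 0x2B: "Armenian", 0x2C: "Azerbaijani", 0x28: "Tajik",
    0x40: "Kyrgyz", 0x42: "Turkmen",
}


def primary_langid(hkl):
    """HKL low word = LANGID; primary language = low 10 bits of the LANGID."""
    return (hkl & 0xFFFF) & 0x3FF


def cis_layouts(hkls, only_russian=True):
    """Names of CIS-language layouts present in the given HKL values."""
    wanted = {0x19} if only_russian else set(PRIMARY_LANGID)
    return [PRIMARY_LANGID[p] for p in map(primary_langid, hkls) if p in wanted]


def plan_startup(config, hkls, only_russian=True):
    """Mirror the decision described for payload_main.

    Returns ("drop_marker_and_exit", language) when anti_cis is set and a
    matching layout is installed, else ("sleep_then_run", delay_seconds).
    """
    if config.get("anti_cis"):
        hits = cis_layouts(hkls, only_russian)
        if hits:
            return ("drop_marker_and_exit", hits[0])
    return ("sleep_then_run", int(config.get("exec_delay_seconds", 0)))


def installed_hkls():
    """Live HKL list via user32.GetKeyboardLayoutList; empty off Windows."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    n = user32.GetKeyboardLayoutList(0, None)      # first call: count only
    buf = (ctypes.c_void_p * n)()
    user32.GetKeyboardLayoutList(n, buf)           # second call: fill buffer
    return [int(h or 0) for h in buf]


# Constructed HKLs: US English (0x0409) and Russian (0x0419) in the low word.
SAMPLE_HKLS = [0x04090409, 0x04190419]

if __name__ == "__main__":
    hkls = installed_hkls() or SAMPLE_HKLS
    print(plan_startup({"anti_cis": True, "exec_delay_seconds": 5}, hkls))
    print(plan_startup({"anti_cis": False, "exec_delay_seconds": 5}, hkls))
```

Note that an IME-style HKL such as 0xF0C00409 still decodes to English, because only the low word is consulted; flags in the high word do not change the verdict.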

The anti-VM function is self-explanatory, but its implementation differs across samples, hinting at the ongoing development of the stealer. One sample checks for blacklisted processes (by hashing the names of running process executables using a custom rolling checksum and searching for them in a blacklist), suspicious computer names (using the same method) and an “analysis environment,” which is just a hard-coded blacklist of working directories, like “C:\analysis” and similar. Another sample checks the number of running processes, the system uptime, the presence of a VirtualBox service (by means of a call to OpenServiceA with "VBoxGuest") and finally performs a time-based debugger check. In either case, if a VM or debugger is detected, the stealer ends its execution.

Next, payload_credentials attempts to steal browser credentials, including passwords, cookies, and saved credit cards. For Chromium-based browsers, this involves bypassing a mechanism known as AppBound Encryption (ABE). For this purpose, SantaStealer embeds an additional executable, either as a resource or directly in section data, which is either dropped to disk and executed (screenshot below), or loaded and executed in-memory, depending on the sample.

Figure 11: Execution of an embedded executable specialized in browser hijacking

The extracted executable, in turn, contains an encrypted DLL in its resources, which is decrypted using two consecutive invocations of ChaCha20 with two distinct pairs of 32-byte key and 12-byte nonce. This DLL exports functions called ChromeElevator_Initialize, ChromeElevator_ProcessAllBrowsers and ChromeElevator_Cleanup, which are called by the executable in that order. Based on the symbol naming, as well as usage of ChaCha20 encryption for obfuscation and presence of many recognizable strings, we assess with moderate confidence that this executable and DLL are heavily based on code from the "ChromElevator" project (https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption), which employs direct syscall-based reflective process hollowing to inject code into the target browser. Hijacking the security context of a legitimate browser process this way allows the attacker to decrypt AppBound encryption keys and thereby decrypt stored credentials.
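Two layered ChaCha20 passes are easy to undo once the key/nonce pairs have been lifted from the resources, and a quick MZ/PE check tells you whether the order was right. The Python below is an added example for this page, not code from the stealer, from the ChromElevator project, or from Rapid7: a self-contained RFC 8439 ChaCha20 (so it runs without third-party libraries), an unwrap helper that applies the two passes, and a header check on the result. The key/nonce values, the order of the two passes and the starting counter (0) are assumptions; the fake DLL is a constructed 128-byte MZ/PE header, and the matching wrap step exists only to build test material.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """RFC 8439 block function: 32-byte key, 12-byte nonce, 32-bit counter."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) `data` under the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + off // 64)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def unwrap_embedded_dll(blob, outer, inner, counter=0):
    """Undo two layered passes; `outer` and `inner` are (key, nonce) pairs.

    Pass order and starting counter are assumptions about the sample: if the
    header check fails, swap the pairs or try counter=1.
    """
    step1 = chacha20_xor(outer[0], outer[1], blob, counter)
    return chacha20_xor(inner[0], inner[1], step1, counter)


def wrap_embedded_dll(plain, outer, inner, counter=0):
    """The matching packer step, used here only to build test material."""
    step1 = chacha20_xor(inner[0], inner[1], plain, counter)
    return chacha20_xor(outer[0], outer[1], step1, counter)


def looks_like_pe(data):
    """Sanity check on a decrypted payload: MZ header and PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for the embedded DLL: a valid-looking MZ/PE header only.
_hdr = bytearray(0x80)
_hdr[:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x40)
_hdr[0x40:0x44] = b"PE\x00\x00"
FAKE_DLL = bytes(_hdr)

# Constructed key/nonce pairs; the real ones have to be lifted from the sample.
OUTER = (bytes(range(32)), b"\x01" * 12)
INNER = (bytes(range(32, 64)), b"\x02" * 12)

if __name__ == "__main__":
    wrapped = wrap_embedded_dll(FAKE_DLL, OUTER, INNER)
    print(looks_like_pe(wrapped), looks_like_pe(unwrap_embedded_dll(wrapped, OUTER, INNER)))
```

The block function is checked against the RFC 8439 test vector in the accompanying test, so the same code can be trusted when pointed at a real resource blob; only the key material and pass order remain to be recovered from the sample.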

Figure 12: The embedded EXE decrypts and loads a DLL in-memory and calls its exports.

The next function called from main, create_memory_based_log, demonstrates the modular design of the stealer. For each included module, it creates a thread running the module_thread routine with an incremented numerical ID for that module, starting at 0. It then waits for 45 seconds before joining all thread handles and writing all files collected in-memory into a ZIP file named “Log.zip” in the TEMP directory.

The module_thread routine simply takes the index it was passed as parameter and calls a handler function at that index in a global table, for some reason called memory_generators in the DLL. The module function takes only a single output parameter, which is the number of files it collected. In the so helpfully annotated DLL build, we can see 14 different modules. Besides generic modules for reading environment variables, taking screenshots, or grabbing documents and notes, there are specialized modules for stealing data from the Telegram desktop application, Discord, Steam, as well as browser extensions, histories and passwords.

Figure 13: A list of named module functions in a SantaStealer sample

Finally, after all the files have been collected, ThreadPayload1 is run in a thread. It sleeps for 15 seconds and then calls payload_send, which in turn calls send_zip_from_memory_0, which splits the ZIP into 10 MB chunks that are uploaded using send_upload_chunk.

The file chunks are exfiltrated over plain HTTP to an /upload endpoint on a hard-coded C2 IP address on port 6767, with only a few custom headers:

User-Agent: upload
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary[...]
auth: [...]
w: [...]
complete: true (only on final request)

The auth header appears to be a unique build ID, and w is likely the optional “tag” used to distinguish between campaigns or “traffic sources”, as is mentioned in the features.
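The fixed User-Agent, the bare auth and w header names and the trailing complete: true make this exfil pattern easy to match from a proxy log or a packet capture. The Python below is an added detection example for this page, not a Rapid7 rule: it parses a raw HTTP/1.x request, records which of the documented traits are present, and returns a verdict only when the POST to /upload, the literal "upload" User-Agent and the auth+w pair all line up, with the other traits (WebKit boundary, final-chunk flag, chunk size, port 6767) kept as supporting evidence. The three requests are constructed; the auth and w values, the bodies, and the reading of "10 MB" as 10 MiB are assumptions.

```python
MAX_CHUNK = 10 * 1024 * 1024   # "10 MB chunks"; MiB rather than MB is an assumption


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_upload(raw, dst_port=None):
    """Score one request against the SantaStealer exfil pattern.

    Returns (verdict, indicators). The verdict is "santastealer-like" only when
    the POST /upload, the literal "upload" User-Agent and the auth+w header pair
    all appear together; everything else is supporting evidence.
    """
    method, path, headers, _body = parse_http_request(raw)
    hits = []
    if method == "POST" and path.split("?", 1)[0].rstrip("/").endswith("/upload"):
        hits.append("post-upload")
    if headers.get("user-agent") == "upload":
        hits.append("ua-upload")
    if "auth" in headers and "w" in headers:
        hits.append("auth+w")
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data") and "----WebKitFormBoundary" in ctype:
        hits.append("webkit-boundary")
    if headers.get("complete") == "true":
        hits.append("final-chunk")
    clen = headers.get("content-length", "")
    if clen.isdigit() and int(clen) <= MAX_CHUNK:
        hits.append("chunk-sized")
    if dst_port == 6767:
        hits.append("port-6767")
    core = {"post-upload", "ua-upload", "auth+w"}
    verdict = "santastealer-like" if core <= set(hits) else "benign"
    return verdict, hits


# Constructed requests. Header names and literal values follow the write-up;
# the auth/w values, host and body are made up (192.0.2.10 is a documentation address).
SANTA_CHUNK = (
    "POST /upload HTTP/1.1\r\nHost: 192.0.2.10:6767\r\nUser-Agent: upload\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbCd\r\n"
    "auth: build-0001\r\nw: campaign-a\r\nContent-Length: 12\r\n\r\n"
    "chunk-1-data"
)
SANTA_FINAL = SANTA_CHUNK.replace("w: campaign-a\r\n", "w: campaign-a\r\ncomplete: true\r\n")
BROWSER_UPLOAD = (
    "POST /upload HTTP/1.1\r\nHost: files.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Chrome/120\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXyZ\r\n"
    "Cookie: session=abc\r\nContent-Length: 12\r\n\r\n"
    "chunk-1-data"
)

if __name__ == "__main__":
    for name, req in (("chunk", SANTA_CHUNK), ("final", SANTA_FINAL), ("browser", BROWSER_UPLOAD)):
        print(name, classify_upload(req, 6767 if name != "browser" else 443))
```

The browser request shares the /upload path and the WebKit boundary with the stealer traffic, which is why neither of those alone is enough for a verdict; the "upload" User-Agent and the unprefixed auth/w pair are what a legitimate client would not send.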

Conclusion

The SantaStealer malware is in active development, set to release sometime in the remainder of this month or in early 2026. Our analysis of the leaked builds reveals a modular, multi-threaded design fitting the developers’ description. Some, but not all, of the improvements described in SantaStealer’s Telegram channel are reflected in the samples we were able to analyze. For one, the malware can be seen shifting to a completely fileless collection approach, with modules and the Chrome decryptor DLL being loaded and executed in-memory. On the other hand, the anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden.

To avoid getting infected with SantaStealer, it is recommended to pay attention to unrecognized links and e-mail attachments. Watch out for fake human-verification or technical-support instructions that ask you to run commands on your computer. Finally, avoid running any kind of unverified code from sources such as pirated software, videogame cheats, and unverified plugins and extensions.

Stay safe and off the naughty list!

Rapid7 Customers

Intelligence Hub

Customers using Rapid7’s Intelligence Hub gain direct access to SantaStealer IOCs, along with ongoing intelligence on new activity and related campaigns. The platform also has detections for a wide range of other infostealers, including Lumma, StealC, RedLine, and more, giving security teams broader visibility into emerging threats.

Indicators of compromise (IoCs)

SantaStealer DLLs with exported symbols (SHA-256)


SantaStealer EXEs (SHA-256)

  • 926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87
  • 9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6
  • f81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c

SantaStealer C2s

  • 31[.]57[.]38[.]244:6767 (AS 399486)
  • 80[.]76[.]49[.]114:6767 (AS 399486)

MITRE ATT&CK

  • Account Discovery (T1087)
  • Automated Exfiltration (T1020)
  • Data Compressed (T1002)
  • Browser Information Discovery (T1217)
  • Archive Collected Data (T1560)
  • Data Transfer Size Limits (T1030)
  • Archive via Library (T1560.002)
  • Automated Collection (T1119)
  • Exfiltration Over C2 Channel (T1041)
  • Clipboard Data (T1115)
  • Debugger Evasion (T1622)
  • Email Account (T1087.003)
  • File and Directory Discovery (T1083)
  • Credentials In Files (T1552.001)
  • Credentials from Password Stores (T1555)
  • Data from Local System (T1005)
  • Credentials from Web Browsers (T1503)
  • Financial Theft (T1657)
  • Credentials from Web Browsers (T1555.003)
  • Credentials in Files (T1081)
  • Malware (T1587.001)
  • Process Discovery (T1057)
  • Local Email Collection (T1114.001)
  • Messaging Applications (T1213.005)
  • Screen Capture (T1113)
  • Server (T1583.004)
  • Software Discovery (T1518)
  • System Checks (T1497.001)
  • DLL (T1574.001)
  • System Information Discovery (T1082)
  • System Language Discovery (T1614.001)
  • Time Based Evasion (T1497.003)
  • Virtualization/Sandbox Evasion (T1497)
  • Deobfuscate/Decode Files or Information (T1140)
  • Web Protocols (T1071.001)
  • Private Keys (T1145)
  • Private Keys (T1552.004)
  • Dynamic API Resolution (T1027.007)
  • Steal Application Access Token (T1528)
  • Steal Web Session Cookie (T1539)
  • Embedded Payloads (T1027.009)
  • Encrypted/Encoded File (T1027.013)
  • File Deletion (T1070.004)
  • File Deletion (T1107)
  • Portable Executable Injection (T1055.002)
  • Process Hollowing (T1055.012)
  • Process Hollowing (T1093)
  • Reflective Code Loading (T1620)
