Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers. Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.” In the required notice with the US government, Kaiser lists 13.4 million affected individuals. Among these third-party ad vendors are Google, Microsoft, and X. Kaiser said it subsequently removed the tracking code from its websites an ..read more

Last week on Malwarebytes Labs: Ring agrees to pay $5.6 million after cameras were used to spy on customers TikTok comes one step closer to a US ban Google ad for Facebook redirects to scam “Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09 Billions of scraped Discord messages up for sale Last week on ThreatDown: MITRE breached through Ivanti Connect Secure vulnerabilities Microsoft warns about actively abused vulnerability in Windows Print Spooler servic ..read more

Amazon’s Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers’ private videos, and failed to implement security protections which enabled hackers to take control of customers’ accounts, cameras, and videos. The FTC is now sending refunds totaling more than $5.6 million to US consumers as a result of the settlement. Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, home security cameras and video doorbells. However, in a shocking lapse of security protection, it turned out t ..read more

The US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app. Social video platform TikTok has experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5 billion users, with an estimated 170 million of them in the US. Essentially, the bill says that TikTok has to find a new owner that is not based in a foreign adversarial country within the next 180 days or face a ban until it does comply. President Biden has committed to sign it into law as ..read more

Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience. What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions. Such malvertising attacks are not new and the damage they cause to consumers is growing every day. There is no one way to stop all of them, but public reporting will hopefully drive t ..read more

UnitedHealth Group has given an update on the February cyberattack on Change Healthcare, one of its subsidiaries. In the update, the company revealed the scale of the breach, saying: “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.” UnitedHealth also announced support for affected people. On Wednesday February 21, 2024, Change Healthcare experienced serious system outages due to the cyberattack. The incident ..read more

This week on the Lock and Code podcast… Our Lock and Code host, David Ruiz, has a bit of an apology to make: “Sorry for all the depressing episodes.” When the Lock and Code podcast explored online harassment and abuse this year, our guest provided several guidelines and tips for individuals to lock down their accounts and remove their sensitive information from the internet, but larger problems remained. Content moderation is failing nearly everywhere, and data protection laws are unequal across the world. When we told the true tale of a virtual kidnapping scam in Utah, though the teenaged v ..read more

Four billions public Discord messages are for sale on an internet scraping service called Spy.pet. At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard some laws: more on that later. To get this amount of data the platform gathered information from 14,201 servers about 627,914,396 users. The way in which Spy.pet organized the information could turn out to be problematic for certain users. It built a database based on user profiles which contains all ..read more

Last week on Malwarebytes Labs: Law enforcement reels in phishing-as-a-service whopper Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million Cannabis investment scam JuicyFields ends in 9 arrests Should you share your location with your partner? Giant Tiger breach sees 2.8 million records leaked Last week on ThreatDown: What makes some zero-day vulnerabilities more valuable than others? Turning back the clock on encryption: How to perform ransomware backups in one-click ThreatDown earns highest ratings across EDR and MDR categories in G2 Spring 2024 r ..read more

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform. Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service. Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the futu ..read more