Security

Conor Brian Fitzpatrick, aka PomPompurin, is linked to crimes including the 2021 breach that sent out fake cybersecurity warning emails from the FBI. After pleading guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material, he was originally sentenced to 20 years of supervised release.

Six of the major AI chatbots - Grok, ChatGPT, Meta AI, Claude, DeepSeek, and Gemini - effectively guided a team of Reuters reporters through the steps of simulating a phishing scam, down to describing a good time to send a message intended to trick older adults into clicking on a fraudulent link.

In a blog post, Google addresses several recent reports that incorrectly state it sent out a widespread security notification about Gmail, calling them “entirely false:”

During the Cheeky Pint podcast, Coinbase CEO Brian Armstrong said the new safeguard comes in response to the wave of North Korean hackers who are snapping up remote IT jobs around the US, allowing them to obtain sensitive company information and funnel paychecks to the North Korean regime.

A vulnerability (CVE-2025-43300) stemming from Apple’s image processing framework, “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” according to Apple.

This is just a fun little series of Mastodon posts about a security breach at a “highly secure” data center... by a female mallard.

Politico reports that the courts’ case filing system was accessed. The breach was discovered last month, but its full extent is still unknown — one fear is that hackers may have accessed the identities of confidential informants, while a source told Politico that court dockets may have been tampered with.

After 404 Media reported that an app meant to help women exchange dating information for safety purposes was breached, TechCrunch reports that a rival app targeted at men has been exposing users’ personal data including government IDs. “The security lapse will likely affect any user who signed up or shared identity documents with the app,” TechCrunch writes about TeaOnHer, adding that the app has about 53,000 users.

This Wired article shows how an indirect prompt injection attack against a Gemini-powered AI assistant could cause the bot to curse in responses and take over smart home controls by turning on the heat unexpectedly or opening blinds in response to saying “thanks.”

If you also use 1Password and have an Android device, you may have also been dealing with autofill problems lately. However, updating to version 8.11.4 or higher and following the instructions to make sure Chrome is set to use third-party autofill seems to have worked on my phone to make the app more reliable again.

As well as class schedules, scholarship disbursements, and student loan information. Neat! At least Bloomberg finally got around to telling its audience that the alleged hacker’s X account “includes a racist handle and racist remarks.” I wonder what a Nazi can accomplish with all this sensitive information? I guess we’ll find out.

Microsoft is announcing Project Ire today, an autonomous AI agent that can analyze and classify malware without assistance. Developed by Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum, Project Ire is the first agent at Microsoft to independently author a conviction case “strong enough to justify automatic blocking” of an APT malware sample.

Microsoft’s hacking event, Zero Day Quest, is back and accepting nominations today until October 4th. This year there is up to $5 million in bounty awards, up $1 million on last year’s figure. Microsoft is even offering multiplied bounty awards for the most critical issues in products like Azure, Copilot, and Microsoft 365. Security researchers will also get a chance to qualify for a live hacking event at Microsoft’s headquarters in spring 2026.

The company has introduced Proton Authenticator, an open-source two-factor authentication app that can sync 2FA codes across devices using end-to-end encryption. Though Proton’s password manager already comes with a built-in 2FA feature, Proton says using its standalone Authenticator offers an “extra layer of security” by generating codes in a separate app.

Until now it’s stayed quiet on whether it received the same order to open a backdoor to user data as Apple, but a spokesperson confirmed to TechCrunch that it never did. If it had, Google wouldn’t be allowed to say so.

The vulnerability (CVE-2025-31199), which Apple patched in a March 31st update, could give bad actors access to files inside a device’s Downloads folder and data cached by Apple Intelligence. That includes geolocation data, media metadata, and facial recognition info, according to a report from Microsoft Threat Intelligence.

I appeared on On the Media to discuss our story about the Anime Nazi who allegedly hacks universities. I explain why the identity of the alleged hacker is important, why the Times’ obfuscation of its sources is troubling, and what’s at stake in the Republican war on higher education: upward mobility.

Senate Commerce Committee Ranking Member Maria Cantwell (D-WA) is hunting for answers about the state of US telecom network security after the Salt Typhoon hack first reported late last year. The attack was so massive that US officials encouraged Americans to use encrypted apps to prevent their conversations from being seen by hackers. Cantwell is asking digital forensics firm Mandiant to hand over assessments behind AT&T and Verizon’s claims that their networks are now secure.