<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/6/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Flaw in Grandstream VoIP phones allows stealthy eavesdropping</title><link>https://nsaneforums.com/news/security-privacy-news/flaw-in-grandstream-voip-phones-allows-stealthy-eavesdropping-r33770/</link><description><![CDATA[<p>
	A critical vulnerability in Grandstream GXP1600 series VoIP phones allows a remote, unauthenticated attacker to gain root privileges and silently eavesdrop on communications.
</p>

<p>
	VoIP communication equipment from Grandstream Networks is being used by small and medium businesses. The maker's <a href="http://www.grandstream.com/products/ip-voice-telephony-gxp-series-ip-phones/gxp-series-high-end-ip-phones/product/gxp2170" rel="external nofollow" target="_blank">GXP product line</a> is part of the company's high-end offering for businesses, schools, hotels, and Internet Telephony Service Providers (ITSP) around the world.
</p>

<p>
	The vulnerability is tracked as CVE-2026-2329 and received a critical severity score of 9.3. It impacts the following six models of the GXP1600 series of devices that run firmware versions prior to 1.0.7.81:
</p>

<ul>
	<li>
		GXP1610
	</li>
	<li>
		GXP1615
	</li>
	<li>
		GXP1620
	</li>
	<li>
		GXP1625
	</li>
	<li>
		GXP1628
	</li>
	<li>
		GXP1630
	</li>
</ul>

<p>
	Even if a vulnerable device is not directly reachable over the public internet, an attacker can pivot to it from another host on the network. Exploitation is silent, and the phone continues to work as expected.
</p>

<p>
	In a technical report, <a href="https://www.rapid7.com/blog/post/ve-phone-listening-cold-war-vulnerability-modern-voip/" rel="external nofollow" target="_blank">Rapid7 researchers</a> explain that the problem is in the device’s web-based API service (/cgi-bin/api.values.get), which is accessible without authentication in the default configuration.
</p>

<p>
	The API accepts a ‘request’ parameter containing colon-delimited identifiers, which is parsed into a 64-byte stack buffer without performing a length check when copying characters into the buffer.
</p>

<p>
	Because of this, an attacker supplying overly long input can cause a stack overflow, overwriting adjacent memory to gain control over multiple CPU registers, such as the Program Counter.
</p>

<p>
	Rapid7 researchers developed a working Metasploit module to demonstrate unauthenticated remote code execution as root by exploiting CVE-2026-2329.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Metasploit module" class="ipsImage" height="434" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2026/February/metasploit.jpg">
		<figcaption>
			<em>Metasploit module<br>
			Source: Rapid7</em>
		</figcaption>
	</figure>
</div>

<p>
	Exploitation enables arbitrary OS command execution, extracting stored credentials of local users and SIP accounts, and reconfiguring the device to use a malicious SIP proxy that allows eavesdropping on calls.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Stealing credentials" class="ipsImage" height="200" style="height: auto;" width="900" src="https://www.bleepstatic.com/images/news/u/1100723/grandstream_gxp1600_rce_Rapid7.png">
		<figcaption>
			<em>Stealing credentials<br>
			Source: Rapid7</em>
		</figcaption>
	</figure>
</div>

<p>
	Rapid7 researchers say that successful exploitation requires writing multiple null bytes to construct a return-oriented programming (ROP) chain. However, CVE-2026-2329 permits writing of only one null terminator byte during the overflow.
</p>

<p>
	To bypass the restriction, the researchers used multiple colon-separated identifiers to trigger the overflow repeatedly and write null bytes multiple times.
</p>

<p>
	“Every time a colon is encountered, the overflow can be triggered a subsequent time via the next identifier,” <a href="https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed/" rel="external nofollow" target="_blank">explain the researchers</a> in the technical writeup.
</p>

<p>
	“We can leverage this, and the ability to write a single null byte as the last character in the current identifier being processed, to write multiple null bytes during exploitation.”
</p>

<p>
	The researchers contacted Grandstream on January 6 and again on January 20 after receiving no response.
</p>

<p>
	Eventually, Grandstream fixed the issue on February 3, with the release of <a href="https://www.grandstream.com/support/firmware" rel="external nofollow" target="_blank">firmware version 1.0.7.81</a>.
</p>

<p>
	Technical details and a module for the Metasploit penetration testing and exploitation framework. Users of vulnerable Grandstream products are strongly advised to apply available security updates as soon as possible.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/flaw-in-grandstream-voip-phones-allows-stealthy-eavesdropping/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 20 February 2026 at 3:59 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of January) 461</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">33770</guid><pubDate>Thu, 19 Feb 2026 18:00:04 +0000</pubDate></item><item><title>Microsoft says bug causes Copilot to summarize confidential emails</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails-r33755/</link><description><![CDATA[<p>
	Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information.
</p>

<p>
	According to a service alert seen by BleepingComputer, this bug (tracked under <a href="https://admin.microsoft.com/#/MessageCenter/:/messages/CW1226324" rel="external nofollow" target="_blank">CW1226324</a> and first detected on January 21) affects the Copilot "work tab" chat feature, which incorrectly reads and summarizes emails stored in users' Sent Items and Drafts folders, including messages that carry confidentiality labels explicitly designed to restrict access by automated tools.
</p>

<p>
	Copilot Chat (short for Microsoft 365 Copilot Chat) is the company's AI-powered, content-aware chat that lets users interact with AI agents. Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-copilot-chat-to-microsoft-365-office-apps/" rel="external nofollow" target="_blank">began rolling out Copilot Chat</a> to Word, Excel, PowerPoint, Outlook, and OneNote for paying Microsoft 365 business customers in September 2025.
</p>

<p>
	"Users' email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat," Microsoft said when it confirmed this issue.
</p>

<p>
	"The Microsoft 365 Copilot 'work tab' Chat is summarizing email messages even though these email messages have a sensitivity label applied and a DLP policy is configured."
</p>

<p>
	Microsoft has since confirmed that an unspecified code error is responsible and said it began rolling out a fix in early February. As of Wednesday, the company said it was continuing to monitor the deployment and is reaching out to a subset of affected users to verify that the fix is working.
</p>

<p>
	"A code issue is allowing items in the sent items and draft folders to be picked up by Copilot even though confidential labels are set in place," Microsoft added.
</p>

<p>
	Microsoft has not provided a final timeline for full remediation and has not disclosed how many users or organizations were affected, saying only that the scope of impact may change as the investigation continues.
</p>

<p>
	However, this ongoing incident has been tagged as an advisory, a flag commonly used to describe service issues typically involving limited scope or impact.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 19 February 2026 at 5:45 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33755</guid><pubDate>Wed, 18 Feb 2026 19:46:10 +0000</pubDate></item><item><title>Password managers&#x2019; promise that they can&#x2019;t see your vaults isn&#x2019;t always true</title><link>https://nsaneforums.com/news/security-privacy-news/password-managers%E2%80%99-promise-that-they-can%E2%80%99t-see-your-vaults-isn%E2%80%99t-always-true-r33740/</link><description><![CDATA[<h3>
	Contrary to what password managers say, a server compromise can mean game over.
</h3>

<p>
	Over the past 15 years, password managers have grown from a niche security tool used by the technology savvy into an indispensable security tool for the masses, with an <a href="https://www.security.org/digital-safety/password-manager-annual-report/" rel="external nofollow">estimated</a> 94 million US adults—or roughly 36 percent of them—having adopted them. They store not only passwords for pension, financial, and email accounts, but also cryptocurrency credentials, payment card numbers, and other sensitive data.
</p>

<p>
	All eight of the top password managers have adopted the term “zero knowledge” to describe the complex encryption system they use to protect the data vaults that users store on their servers. The definitions vary slightly from vendor to vendor, but they generally boil down to one bold assurance: that there is no way for malicious insiders or hackers who manage to compromise the cloud infrastructure to steal vaults or data stored in them. These promises make sense, given <a href="https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/" rel="external nofollow">previous</a> <a href="https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/" rel="external nofollow">breaches</a> of LastPass and the reasonable expectation that state-level hackers have both the motive and capability to obtain password vaults belonging to high-value targets.
</p>

<h2>
	A bold assurance debunked
</h2>

<p>
	Typical of these claims are those made by Bitwarden, Dashlane, and LastPass, which together are used by roughly 60 million people. Bitwarden, <a href="https://bitwarden.com/pdf/resources-zero-knowledge-encryption-white-paper.pdf" rel="external nofollow">for example</a>, says that “not even the team at Bitwarden can read your data (even if we wanted to).” Dashlane, meanwhile, <a href="https://www.dashlane.com/download/whitepaper-en.pdf" rel="external nofollow">says</a> that without a user’s master password, “malicious actors can’t steal the information, even if Dashlane’s servers are compromised.” LastPass <a href="https://blog.lastpass.com/posts/how-zero-knowledge-keeps-passwords-safe" rel="external nofollow">says</a> that no one can access the “data stored in your LastPass vault, except you (not even LastPass).”
</p>

<p>
	New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server—either administrative or the result of a compromise—can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.
</p>

<p>
	“The vulnerabilities that we describe are numerous but mostly not deep in a technical sense,” the researchers from ETH Zurich and USI Lugano <a href="https://eprint.iacr.org/2026/058" rel="external nofollow">wrote</a>. “Yet they were apparently not found before, despite more than a decade of academic research on password managers and the existence of multiple audits of the three products we studied. This motivates further work, both in theory and in practice.”
</p>

<p>
	The researchers said in interviews that multiple other password managers they didn’t analyze as closely likely suffer from the same flaws. The only one they were at liberty to name was 1Password. Almost all the password managers, they added, are vulnerable to the attacks only when certain features are enabled.
</p>

<p>
	The most severe of the attacks—targeting Bitwarden and LastPass—allow an insider or attacker to read or write to the contents of entire vaults. In some cases, they exploit weaknesses in the key escrow mechanisms that allow users to regain access to their accounts when they lose their master password. Others exploit weaknesses in support for legacy versions of the password manager. A vault-theft attack against Dashlane allowed reading but not modification of vault items when they were shared with other users.
</p>

<h2>
	Staging the old key switcheroo
</h2>

<p>
	One of the attacks targeting Bitwarden key escrow is performed during the enrollment of a new member of a family or organization. After a Bitwarden group admin invites the new member, the invitee’s client accesses a server and obtains a group symmetric key and the group’s public key. The client then encrypts the symmetric key with the group public key and sends it to the server. The resulting ciphertext is what’s used to recover the new user’s account. This data is never integrity-checked when it’s sent from the server to the client during an account enrollment session.
</p>

<p>
	The adversary can exploit this weakness by replacing the group public key with one from a keypair created by the adversary. Since the adversary knows the corresponding private key, it can use it to decrypt the ciphertext and then perform an account recovery on behalf of the targeted user. The result is that the adversary can read and modify the entire contents of the member vault as soon as an invitee accepts an invitation from a family or organization.
</p>

<p>
	Normally, this attack would work only when a group admin has enabled autorecovery mode, which, unlike a manual option, doesn’t require interaction from the member. But since the group policy the client downloads during enrollment isn’t integrity-checked, adversaries can set recovery to auto, even if an admin had chosen a manual mode that requires user interaction.
</p>

<p>
	Compounding the severity, the adversary in this attack also obtains a group symmetric key for all other groups the member belongs to since such keys are known to all group members. If any of the additional groups use account recovery, the adversary can obtain the members’ vaults for them, too. “This process can be repeated in a worm-like fashion, infecting all organizations that have key recovery enabled and have overlapping members,” the research paper explained.
</p>

<p>
	A second attack targeting Bitwarden account recovery can be performed when a user rotates vault keys, an option <a href="https://bitwarden.com/help/bitwarden-security-white-paper/#rotating-the-account-encryption-key" rel="external nofollow">Bitwarden recommends</a> if a user believes their master password has been compromised. When account recovery is on (either manually or automatically), the user client regenerates the recovery ciphertext, which, as described earlier, involves obtaining a new public key that’s encrypted with the organization public key. The researchers denote the group public key as pk<sub>org</sub>, the public key supplied by the adversary as pk<sup>adv</sup><sub>org</sub>, the recovery ciphertext as c<sub>rec</sub>, and the user symmetric key as k<sup>′</sup>.
</p>

<p>
	The paper explained:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The key point here is that pk<sub>org</sub> is not retrieved from the user’s vault; rather the client performs a sync operation with the server to obtain it. Crucially, the organization data provided by this sync operation is not authenticated in any way. This thus provides the adversary with another opportunity to obtain a victim’s user key, by supplying a new public key pk<sup>adv</sup><sub>org</sub>, for which they know the sk<sup>adv</sup><sub>org</sub> and setting the account recovery enrollment to true. The client will then send an account recovery ciphertext c<sub>rec</sub> containing the new user key, which the adversary can decrypt to obtain k<sup>′</sup>.
	</p>
</blockquote>

<p>
	The third attack on the Bitwarden account recovery allows an adversary to recover a user’s master key. It abuses <a href="https://bitwarden.com/help/about-key-connector/" rel="external nofollow">key connector</a>, a feature primarily used by enterprise customers.
</p>

<h2>
	More ways to pilfer vaults
</h2>

<p>
	The attack allowing theft of LastPass vaults also targets key escrow, specifically in the Teams and Teams 5 versions, when a member’s master key is reset by a privileged user known as a superadmin. The next time the member logs in through the LastPass browser extension, their client will retrieve an RSA keypair assigned to each superadmin in the organization, encrypt their new key with each one, and send the resulting ciphertext to each superadmin.
</p>

<p>
	Because LastPass also fails to authenticate the superadmin keys, an adversary can once again replace the superadmin public key (pk<sub>adm</sub>) with their own public key (pk<sup>adv</sup><sub>adm</sub>).
</p>

<p>
	“In theory, only users in teams where password reset is enabled and who are selected for reset should be affected by this vulnerability,” the researchers wrote. “In practice, however, LastPass clients query the server at each login and fetch a list of admin keys. They then send the account recovery ciphertexts independently of enrollment status.” The attack, however, requires the user to log in to LastPass with the browser extension, not the standalone client app.
</p>

<p>
	Several attacks allow reading and modification of shared vaults, which allow a user to share selected items with one or more other users. When Dashlane users share an item, their client apps sample a fresh symmetric key, which either directly encrypts the shared item or, when sharing with a group, encrypts group keys, which in turn encrypt the shared item. In either case, the newly created RSA keypair(s)—belonging to either the shared user or group—isn’t authenticated. The item is then encrypted with the private key(s).
</p>

<p>
	An adversary can supply their own key pair and use the public key to encrypt the ciphertext sent to the recipients. The adversary then decrypts that ciphertext with their corresponding secret key to recover the shared symmetric key. With that, the adversary can read and modify all shared items. When sharing is used in either Bitwarden or LastPass, similar attacks are possible and lead to the same consequence.
</p>

<p>
	Another avenue for attackers or adversaries with control of a server is to target the backward compatibility that all three password managers provide to support older, less-secure versions. Despite incremental changes designed to harden the apps against the very attacks described in the paper, all three password managers continue to support the versions without these improvements. This backward compatibility is a deliberate decision intended to prevent users who haven’t upgraded from losing access to their vaults.
</p>

<p>
	The severity of these attacks is lower than that of the previous ones described, with the exception of one, which is possible against Bitwarden. Older versions of the password manager used a single symmetric key to encrypt and decrypt the user key from the server and items inside vaults. This design allowed for the possibility that an adversary could tamper with the contents. To add integrity checks, newer versions provide authenticated encryption by augmenting the symmetric key with an <a href="https://en.wikipedia.org/wiki/HMAC" rel="external nofollow">HMAC</a> hash function.
</p>

<p>
	To protect customers using older app versions, Bitwarden ciphertext has an attribute of either 0 or 1. A 0 designates authenticated encryption, while a 1 supports the older unauthenticated scheme. Older versions also use a key hierarchy that Bitwarden deprecated to harden the app. To support the old hierarchy, newer client versions generate a new RSA keypair for the user if the server doesn’t provide one. The newer version will proceed to encrypt the secret key portion with the master key if no user ciphertext is provided by the server.
</p>

<p>
	This design opens Bitwarden to several attacks. The most severe allows reading (but not modification) of all items created after the attack is performed. At a simplified level, it works because the adversary can forge the ciphertext sent by the server and cause the client to use it to derive a user key known to the adversary.
</p>

<p>
	The modification causes the use of CBC (<a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation" rel="external nofollow">cipher block chaining</a>), a form of encryption that’s vulnerable to several attacks. An adversary can exploit this weaker form using a <a href="https://en.wikipedia.org/wiki/Padding_oracle_attack" rel="external nofollow">padding oracle attack</a> and go on to retrieve the plaintext of the vault. Because HMAC protection remains intact, modification isn’t possible.
</p>

<p>
	Surprisingly, Dashlane was vulnerable to a similar padding oracle attack. The researchers devised a complicated attack chain that would allow a malicious server to downgrade a Dashlane user’s vault to CBC and exfiltrate the contents. The researchers estimate that the attack would require about 125 days to decrypt the ciphertext.
</p>

<p>
	Still other attacks against all three password managers allow adversaries to greatly reduce the selected number of hashing iterations—in the case of Bitwarden and LastPass, from a default of 600,000 to 2. Repeated hashing of master passwords makes them significantly harder to crack in the event of a server breach that allows theft of the hash. For all three password managers, the server sends the specified iteration count to the client, with no mechanism to ensure it meets the default number. The result is that the adversary receives a 300,000-fold decrease in the time and resources required to crack the hash and obtain the user’s master password.
</p>

<h2>
	Attacking malleability
</h2>

<p>
	Three of the attacks—one against Bitwarden and two against LastPass—target what the researchers call “item-level encryption” or “vault malleability.” Instead of encrypting a vault in a single, monolithic blob, password managers often encrypt individual items, and sometimes individual fields within an item. These items and fields are all encrypted with the same key. The attacks exploit this design to steal passwords from select vault items.
</p>

<p>
	An adversary mounts an attack by replacing the ciphertext in the URL field, which stores the link where a login occurs, with the ciphertext for the password. To enhance usability, password managers provide an icon that helps visually recognize the site. To do this, the client decrypts the URL field and sends it to the server. The server then fetches the corresponding icon. Because there’s no mechanism to prevent the swapping of item fields, the client decrypts the password instead of the URL and sends it to the server.
</p>

<p>
	“That wouldn’t happen if you had different keys for different fields or if you encrypted the entire collection in one pass,” Kenny Paterson, one of the paper co-authors, said. “A crypto audit should spot it, but only if you’re thinking about malicious servers. The server is deviating from expected behavior.”
</p>

<p>
	The following table summarizes the causes and consequences of the 25 attacks they devised:
</p>

<figure class="ars-wp-img-shortcode id-2141214 align-center">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="unnamed-file-640x403.png" class="center medium" decoding="async" height="403" loading="lazy" sizes="auto, (max-width: 640px) 100vw, 640px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-640x403.png 640w, https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-1024x645.png 1024w, https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-768x483.png 768w, https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-1536x967.png 1536w, https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-2048x1289.png 2048w, https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-980x617.png 980w, https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-1440x907.png 1440w" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2026/02/unnamed-file-640x403.png">
				<div class="pswp-caption-content" id="caption-2141214">
					<div class="ars-gallery-caption-credit">
						<em><em>Credit: Scarlata et al.</em></em>
					</div>
				</div>
			</div>
		</div>
	</div>
</figure>

<h2>
	A psychological blind spot
</h2>

<p>
	The researchers acknowledge that the full compromise of a password manager server is a high bar. But they defend the threat model.
</p>

<p>
	“Attacks on the provider server infrastructure can be prevented by carefully designed operational security measures, but it is well within the bounds of reason to assume that these services are targeted by sophisticated nation-state-level adversaries, for example via software supply-chain attacks or spearphishing,” they wrote. “Moreover, some of the service providers have a history of being breached—for example, LastPass suffered breaches in 2015 and 2022, and another serious security incident in 2021.”
</p>

<p>
	They went on to write: “While none of the breaches we are aware of involved reprogramming the server to make it undertake malicious actions, this goes just one step beyond attacks on password manager service providers that have been documented. Active attacks more broadly have been documented in the wild.”
</p>

<p>
	Part of the challenge of designing password managers or any end-to-end encryption service is the tendency for a false sense of security of the client.
</p>

<p>
	“It’s a psychological problem when you’re writing both client and server software,” Paterson explained. “You should write the client super defensively, but if you’re also writing the server, well of course your server isn’t going to send malformed packets or bad info. Why would you do that?”
</p>

<h2>
	Marketing gimmickry or not, “zero-knowledge” is here to stay
</h2>

<p>
	In many of the cases, engineers have already fixed the weaknesses described after receiving private reports from the researchers. Engineers are still patching other vulnerabilities. In statements, Bitwarden, LastPass, and Dashlane representatives noted the high bar of the threat model, despite statements on their websites that assure customers their wares will withstand it. Along with 1Password representatives, they also noted that their products regularly receive stringent security audits and undergo red-team exercises.
</p>

<p>
	A Bitwarden representative wrote:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Bitwarden continually evaluates and improves its software through internal review, third-party assessments, and external research. The ETH Zurich paper analyzes a threat model in which the server itself behaves maliciously and intentionally attempts to manipulate key material and configuration values. That model assumes full server compromise and adversarial behavior beyond standard operating assumptions for cloud services.
	</p>
</blockquote>

<p>
	LastPass said, “We take a multi‑layered, ongoing approach to security assurance that combines independent oversight, continuous monitoring, and collaboration with the research community. Our cloud security testing is inclusive of the scenarios referenced in the malicious-server threat model outlined in the research.”
</p>

<p>
	Specific measures include:
</p>

<ul>
	<li aria-level="1">
		<a href="https://compliance.lastpass.com/?itemName=product_features&amp;source=click&amp;itemUid=99109b76-4fb1-47e1-97d1-07449b22d6ce" rel="external nofollow">Annual penetration testing (available through NDA)</a> with reputable experts across all our apps and infrastructure.
	</li>
	<li aria-level="1">
		A <a href="https://bugcrowd.com/engagements/lastpass" rel="external nofollow">bug bounty program</a>
	</li>
	<li aria-level="1">
		Internal penetration testing to validate controls in our corporate environment
	</li>
	<li aria-level="1">
		Participation in <a href="https://aws.amazon.com/security/security_start_right_run_well/" rel="external nofollow">AWS’s Security Improvement Program</a>, where we conduct an annual in-depth review with AWS Security specialists and define a roadmap for continued improvement of our cloud infrastructure
	</li>
	<li aria-level="1">
		Continuous, dynamic application testing
	</li>
</ul>

<p>
	A statement from Dashlane read, “Dashlane conducts rigorous internal and external testing to ensure the security of our product. When issues arise, we work quickly to mitigate any possible risk and ensure customers have clarity on the problem, our solution, and any required actions.”
</p>

<p>
	1Password released a statement that read in part:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Our security team reviewed the paper in depth and found no new attack vectors beyond those already documented in our publicly available Security Design White Paper.
	</p>

	<p>
		We are committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on.
	</p>
</blockquote>

<p>
	1Password <a href="https://1password.com/features/zero-knowledge-encryption/" rel="external nofollow">also says</a> that the zero-knowledge encryption it provides “means that no one but you—not even the company that’s storing the data—can access and decrypt your data. This protects your information even if the server where it’s held is ever breached.” In the company’s white paper linked above, 1Password seems to allow for this possibility when it says:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		At present there’s no practical method for a user to verify the public key they’re encrypting data to belongs to their intended recipient. As a consequence it would be possible for a malicious or compromised 1Password server to provide dishonest public keys to the user, and run a successful attack. Under such an attack, it would be possible for the 1Password server to acquire vault encryption keys with little ability for users to detect or prevent it.
	</p>
</blockquote>

<p>
	1Password’s statement also includes assurances that the service routinely undergoes rigorous security testing.
</p>

<p>
	 
</p>

<p>
	All four companies defended their use of the term “zero knowledge.” As used in this context, the term can be confused with <a href="https://en.wikipedia.org/wiki/Zero-knowledge_proof" rel="external nofollow">zero-knowledge proofs</a>, a completely unrelated cryptographic method that allows one party to prove to another party that they know a piece of information without revealing anything about the information itself. An example is a proof that shows a system can determine if someone is over 18 without having any knowledge of the precise birthdate.
</p>

<p>
	 
</p>

<p>
	The adulterated zero-knowledge term used by password managers appears to have come into being in 2007, when a company called SpiderOak used it to describe its cloud infrastructure for securely sharing sensitive data. Interestingly, SpiderOak <a href="https://news.ycombinator.com/item?id=13303436" rel="external nofollow">formally retired the term</a> a decade later after receiving user pushback.
</p>

<p>
	 
</p>

<p>
	“Sadly, it is just marketing hype, much like ‘military-grade encryption,’” Matteo Scarlata, lead author of the paper, said. “Zero-knowledge seems to mean different things to different people (e.g., LastPass told us that they won’t adopt a malicious server threat model internally). Much unlike ‘end-to-end encryption,’ ‘zero-knowledge encryption’ is an elusive goal, so it’s impossible to tell if a company is doing it right.”
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 18 February 2026 at 12:23 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of January) 461</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">33740</guid><pubDate>Wed, 18 Feb 2026 02:24:19 +0000</pubDate></item><item><title>Notepad++ boosts update security with &#x2018;double-lock&#x2019; mechanism</title><link>https://nsaneforums.com/news/security-privacy-news/notepad-boosts-update-security-with-%E2%80%98double-lock%E2%80%99-mechanism-r33732/</link><description><![CDATA[<p>
	Notepad++ has adopted a “double-lock” design for its update mechanism to address recently exploited security gaps that resulted in a supply-chain compromise.
</p>

<p>
	 
</p>

<p>
	The new mechanism landed in Notepad++ version 8.9.2, announced yesterday, although work on it began in version 8.8.9, which implemented verification of the signed installer from GitHub.
</p>

<p>
	 
</p>

<p>
	The second part of the double-lock system is checking the signed XML from the <em>notepad-plus-plus.org</em> domain. In practice, this means that the XML file returned from the update service is digitally signed (XMLDSig).
</p>

<p>
	 
</p>

<p>
	The combination of the two verification mechanisms makes for a more robust "and effectively unexploitable" update process, <a href="https://notepad-plus-plus.org/news/v892-released/" rel="external nofollow" target="_blank">says</a> the team behind the massively popular open-source text and source code editor.
</p>

<p>
	 
</p>

<p>
	Additional security-oriented changes applied to the auto-updater include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Removal of <em>libcurl.dll</em> to eliminate DLL side-loading risk
	</li>
	<li>
		Removal of two unsecured cURL SSL options: <em>CURLSSLOPT_ALLOW_BEAST</em> and <em>CURLSSLOPT_NO_REVOKE</em>
	</li>
	<li>
		Restriction of plugin management execution to programs signed with the same certificate as WinGUp
	</li>
</ul>

<p>
	 
</p>

<p>
	The new announcement also notes that users can exclude the auto-updater during UI installation or deploy the MSI package with: <code>msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1</code>
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Vulnerable update model (left) and new, secure model (right)" class="ipsImage" height="365" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2026/February/1(1).jpg">
		<figcaption>
			<em>Vulnerable update model (left) and new, secure model (right)<br>
			Source: Notepad++</em>
		</figcaption>
	</figure>
</div>

<p>
	Earlier this month, Notepad++ and Rapid7 researchers disclosed that the update infrastructure <a href="https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/" rel="external nofollow" target="_blank">was compromised</a> in a six-month-long campaign attributed to Lotus Blossom, a threat group linked to China.
</p>

<p>
	 
</p>

<p>
	Starting in June 2025, the bad actor compromised the hosting provider that ran the Notepad++ updater and selectively redirected update requests from specific users to malicious servers.
</p>

<p>
	 
</p>

<p>
	The attacks exploited weak update verification controls used in older versions of the software, and continued until their discovery on December 2, 2025.
</p>

<p>
	 
</p>

<p>
	Rapid7’s analysis revealed that the Chinese hackers used a custom backdoor called “Chrysalis” as part of the attack chain.
</p>

<p>
	 
</p>

<p>
	Apart from the newly introduced security measures, the project immediately switched to a different hosting provider, rotated credentials, and fixed flaws exploited in the discovered attacks.
</p>

<p>
	 
</p>

<p>
	The recommended action for all Notepad++ users is to upgrade to version 8.9.2, and ensure that installers are always downloaded from the official domain, notepad-plus-plus.org.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/notepad-plus-plus-boosts-update-security-with-double-lock-mechanism/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 18 February 2026 at 6:29 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33732</guid><pubDate>Tue, 17 Feb 2026 20:30:55 +0000</pubDate></item><item><title>Microsoft Teams hit with a class action lawsuit for allegedly collecting voice data &#x2014; violating Illinois biometric privacy laws</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-teams-hit-with-a-class-action-lawsuit-for-allegedly-collecting-voice-data-%E2%80%94-violating-illinois-biometric-privacy-laws-r33731/</link><description><![CDATA[<h3>
	Microsoft could face penalties if found to have violated the Illinois Biometric Information Privacy Act (BIPA) with voice transcription.
</h3>

<p id="48eeede2-8891-4a40-a50f-403dac7749ac">
	On February 5, 2026, five Illinois residents filed <a data-analytics-id="inline-link" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://topclassactions.com/lawsuit-settlements/lawsuit-news/microsoft-teams-class-action-claims-company-illegally-collects-voice-data/" href="https://topclassactions.com/lawsuit-settlements/lawsuit-news/microsoft-teams-class-action-claims-company-illegally-collects-voice-data/" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">a class action lawsuit against Microsoft</a> in a federal court in Washington. The plaintiffs, including Alex Basich, Kristin Bondlow, and three others, claimed that Microsoft, through its video conferencing platform (Teams), was illegally collecting voice data in violation of the Illinois Biometric Information Privacy Act (BIPA).
</p>

<p>
	 
</p>

<p>
	The class action suit claims that the software giant illegally collected voice data through Teams' real-time transcription feature, which shipped in 2021. The feature captures speakers' voices during online meetings and even assesses pitch, tone, and timbre to identify who made a certain comment or raised an idea.
</p>

<p>
	 
</p>


<p aria-hidden="true" id="48eeede2-8891-4a40-a50f-403dac7749ac-2">
	While this isn't <em>necessarily </em>illegal, Microsoft's failure to inform users about the collection of their voice data violates BIPA.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	According to the plaintiffs, the company should have categorically informed users and explained how the data would be used and how long it would be stored. Perhaps more interestingly, they claimed that Microsoft would require a user's written consent to collect their voice data.
</p>

<figure id="029c517c-147b-49f8-b174-712849c620ac">
	<blockquote class="QuoteNewsStyle">
		<p>
			Microsoft never informed Teams meeting participants that their biometrics, such as voiceprints, were being collected during Microsoft Teams Meetings. Microsoft also failed to inform Teams meeting participants of the specific purpose for the collection or storage of their biometrics and failed to provide meeting participants with a schedule setting out the length of time which those biometrics would be collected, stored, used, and destroyed.
		</p>

		<p>
			 
		</p>

		<p>
			<em><cite>Microsoft class action lawsuit</cite></em>
		</p>
	</blockquote>
</figure>

<p id="6f83669c-9148-4393-8ccb-0b21523b4233">
	The plaintiffs seek to represent a class of <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/microsoft/microsoft-teams" data-before-rewrite-redirect="https://www.windowscentral.com/tag/microsoft-teams" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://www.windowscentral.com/microsoft/microsoft-teams" href="https://www.windowscentral.com/microsoft/microsoft-teams" rel="external nofollow">Microsoft Teams</a> users in Illinois whose biometric data was unlawfully collected through the platform’s transcription feature beginning March 1, 2021.
</p>

<p>
	 
</p>

<p>
	The class action lawsuit requests either actual damages or statutory damages of $1,000 per negligent violation, whichever is greater. If the court determines that Microsoft willfully or recklessly violated the BIPA, damages could increase to $5,000 per violation.
</p>

<p>
	 
</p>

<p>
	Elsewhere, <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/microsoft/microsoft-tracked-a-child-device-with-cookies-in-austria" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://www.windowscentral.com/microsoft/microsoft-tracked-a-child-device-with-cookies-in-austria" href="https://www.windowscentral.com/microsoft/microsoft-tracked-a-child-device-with-cookies-in-austria" rel="external nofollow">an Austrian privacy regulator has ruled that Microsoft illegally set tracking cookies on a school‑issued device used by a child</a>, even though the issue stemmed from how the school deployed <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/microsoft-365" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://www.windowscentral.com/tag/microsoft-365" href="https://www.windowscentral.com/tag/microsoft-365" rel="external nofollow">Microsoft 365</a> services rather than anything Microsoft directly controlled.
</p>

<p>
	 
</p>

<p id="1fb12f5a-8eb2-4182-bfbf-33fb89f9baf6">
	<em><strong>Should companies face higher penalties when they intentionally misuse biometric data? Let me know in the comments.</strong></em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.windowscentral.com/microsoft/microsoft-teams/teams-class-action-lawsuit-illinois-biometric-privacy" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 18 February 2026 at 6:28 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33731</guid><pubDate>Tue, 17 Feb 2026 20:28:55 +0000</pubDate></item><item><title>Windows PCs targeted by hackers in a fake CAPTCHA scam to spread malware &#x2014; Outlook account credentials are at risk</title><link>https://nsaneforums.com/news/security-privacy-news/windows-pcs-targeted-by-hackers-in-a-fake-captcha-scam-to-spread-malware-%E2%80%94-outlook-account-credentials-are-at-risk-r33730/</link><description><![CDATA[<h3>
	Hackers found a way to turn "I’m not a robot" into a malicious attack that targets confidential data.
</h3>

<p id="d1c4e8fb-6597-4d19-957c-e3a1fca9cc38">
	Bad actors and hackers have identified a loophole that allows them to use fake CAPTCHA pages to trick Windows users into launching "Stealthy StealC Information Stealer" malware.
</p>

<p>
	 
</p>

<p>
	According to security sleuths at <a data-analytics-id="inline-link" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer" href="https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">LevelBlue</a>, <em>“StealC exfiltrates browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, system information, and screenshots to a command-and-control (C2) server using RC4-encrypted HTTP traffic.” </em>
</p>

<p>
	 
</p>


<p aria-hidden="true" id="d1c4e8fb-6597-4d19-957c-e3a1fca9cc38-2">
	The social engineering campaign leverages fake CAPTCHA verification pages on compromised websites, which feature realistic Cloudflare-style security checks. As a result, unsuspecting Windows users end up manually executing malicious PowerShell commands disguised as routine verification (via <a data-analytics-id="inline-link" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://www.techrepublic.com/article/news-fake-captcha-scam-stealc-malware-windows/?utm_source=flipboard&amp;utm_content=topic%2Ftechnology" href="https://www.techrepublic.com/article/news-fake-captcha-scam-stealc-malware-windows/?utm_source=flipboard&amp;utm_content=topic%2Ftechnology" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">TechRepublic</a>).
</p>

<p>
	 
</p>

<p aria-hidden="true">
	I’ve never fully understood the true essence of a CAPTCHA. Yet, as we move deeper into the <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence" data-before-rewrite-redirect="https://www.windowscentral.com/tag/artificial-intelligence" data-hl-processed="none" data-mrf-recirculation="inline-link" data-url="https://www.windowscentral.com/artificial-intelligence" href="https://www.windowscentral.com/artificial-intelligence" rel="external nofollow">AI</a> era, proving that an online user is human rather than a bot has become increasingly important. CAPTCHAs are designed to safeguard users by preventing spam and blocking password‑cracking attempts.
</p>


<h2 id="how-bad-actors-use-the-stealc-campaign-3">
	How bad actors use the StealC campaign
</h2>

<div>
	<div>
		<p>
			<picture data-new-v2-image="true"> <source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-1200-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-320-80.jpg.webp 320w" type="image/webp"> <img alt="A scene of a hacker engaging in cybersecurity breaches using advanced technology and devices in a dimly lit environment." class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/DhXDxwsmE4XMt3HUe6ddCb-1024-80.jpg"> </source></picture>
		</p>

		<p>
			<em><span itemprop="copyrightHolder">(Image credit: Getty Images | Witthaya Prasongsin)</span></em>
		</p>

		<p>
			 
		</p>

		<p id="5c921843-d3a6-44d9-b1b9-26cd523426ce">
			As a general rule of thumb, it's <em>always </em>encouraged to be mindful of the websites you're visiting to reduce security risks and threats from bad actors. However, attackers are increasingly cunning and are using more sophisticated techniques.
		</p>

		<p>
			 
		</p>

		<p>
			For instance, the StealC social engineering campaign involves unsuspecting Windows users visiting a usually legitimate website that's already been compromised by hackers, who embed malicious JavaScript code to load a fake CAPTCHA page, which resembles Cloudflare’s verification UI.
		</p>

		<p>
			 
		</p>

		<p>
			However, instead of presenting users with visual tests, the fake CAPTCHA page asks the user to press Windows Key + R, then Ctrl + V, and finally hit the Enter key as part of the verification process.
		</p>

		<p>
			 
		</p>

		<div id="slice-container-newsletterForm-articleInbodyContent-2UXkYc4zTFJDoV8Z25PHQQ">
			<div data-hydrate="true">
				<p>
					The approach, known as "ClickFix", works by exploiting Windows users’ trust in simple keyboard prompts, which they rarely question, especially when the prompts appear to come from a trusted source and feel like a routine security check.
				</p>

				<p>
					 
				</p>

				<p>
					The fake CAPTCHA page preloads a malicious PowerShell command onto the clipboard. When victims follow the keyboard prompts and paste it into the Run dialog, the code executes without triggering browser download prompts or security warnings.
				</p>

				<p>
					 
				</p>

				<p>
					The PowerShell script then connects to a remote server to fetch its code. This triggers a downloader that conventional measures for mitigating malicious attacks might not necessarily stop.
				</p>

				<p>
					 
				</p>

				<p>
					Strengthening defenses by restricting script use, enforcing application control in Windows, and monitoring outbound traffic to reduce credential exposure can be a few great places to start — if you're tech savvy.
				</p>

				<p>
					 
				</p>

				<p id="978566b7-cf69-4f3b-8439-75a773f77093">
					<em><strong>Should browsers do more to protect users from fake CAPTCHA scams? Let me know in the comments.</strong></em>
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.windowscentral.com/microsoft/windows/windows-pc-targeted-by-hackers-in-a-fake-captcha-scam" rel="external nofollow">Source</a>
				</p>

				<hr class="ipsHr">

				<p>
					<span style="font-size:12px;"><em>Posted Wednesday 18 February 2026 at 6:27 am AEST (my time).</em></span>
				</p>

			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">33730</guid><pubDate>Tue, 17 Feb 2026 20:27:45 +0000</pubDate></item><item><title>Google patches a critical Chrome vulnerability already being exploited in the wild</title><link>https://nsaneforums.com/news/security-privacy-news/google-patches-a-critical-chrome-vulnerability-already-being-exploited-in-the-wild-r33718/</link><description><![CDATA[<p>
	Google recently patched a serious zero-day vulnerability in Chrome that could allow attackers to execute malicious code within the browser’s sandbox.
</p>

<p>
	 
</p>

<p>
	The vulnerability, tracked as CVE-2026-2441, was discovered and reported by security researcher Shaheen Fazim on February 11. Google quickly released the security fix two days later, on Friday. This vulnerability is a high-severity use-after-free bug, with a CVSS score of 8.8.
</p>

<p>
	 
</p>

<p>
	A use-after-free occurs when Chrome attempts to access memory that has already been freed. The freed memory can then be reused, which allows attackers to manipulate its contents and execute malicious code.
</p>

<p>
	 
</p>

<p>
	This particular vulnerability targets the part of Chrome that deals with CSS, more precisely, the CSSFontFeatureValuesMap engine for handling advanced fonts. Hackers can create a sneaky web page, possibly featuring special fonts, that could trick the browser into running their malicious code. The worst part is that a potential exploit doesn’t require you to click or download anything. Simply loading an infected web page could trigger the attack and run malicious code in Chrome’s memory.
</p>

<p>
	 
</p>

<p>
	Google confirmed that the flaw is exploited "in the wild," which means that attackers are actively using it, though real-world cases weren't explicitly mentioned. The good news is that Chrome’s built-in sandbox limits the potential damage to some extent. Unlike <a automate_uuid="5e07269e-12e8-4016-b8e7-20f2ccd0a13e" href="https://www.neowin.net/news/microsoft-patches-notepad-flaw-that-could-let-attackers-hijack-windows-pcs/" rel="external nofollow">vulnerabilities inside native OS components</a>, this one doesn’t directly allow attackers to easily gain control over the entire computer, but they could very well access users’ browsing data, spy on open tabs, or try further tricks to escape the sandbox.
</p>

<p>
	 
</p>

<p>
	Google released the patch for Chrome 145.0.7632.75/76 (Windows/macOS) and 144.0.7559.75 (Linux), with a gradual global rollout. Users are highly advised to update their browsers immediately. To update your Google Chrome version, go to <strong>Help </strong>&gt; <strong>About Google Chrome</strong> and check for updates. Once the update appears, wait for Chrome to install it, relaunch the browser, and you should be in the clear.
</p>

<p>
	 
</p>

<p>
	You can check out the entire <a automate_uuid="32b5eb6e-a413-453f-9cd8-ee976b4b51f6" href="https://nvd.nist.gov/vuln/detail/cve-2026-2441" rel="external nofollow">CVE-2026-2441 changelog on the National Vulnerability Database website</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-patches-a-critical-chrome-vulnerability-already-being-exploited-in-the-wild/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 17 February 2026 at 4:11 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33718</guid><pubDate>Mon, 16 Feb 2026 18:11:43 +0000</pubDate></item><item><title>Google&#x2019;s AI Overviews Can Scam You. Here&#x2019;s How to Stay Safe</title><link>https://nsaneforums.com/news/security-privacy-news/google%E2%80%99s-ai-overviews-can-scam-you-here%E2%80%99s-how-to-stay-safe-r33709/</link><description><![CDATA[<h3>
	Beyond mistakes or nonsense, deliberately bad information being injected into AI search summaries is leading people down potentially harmful paths.
</h3>

<p>
	<span class="lead-in-text-callout">These days, rather</span> than showing you the traditional list of links when you run a search query, Google is intent on throwing up <a href="https://www.wired.com/story/google-ai-overviews-how-to-use-how-to-turn-off/" rel="external nofollow">AI Overviews instead</a>: synthesized summaries of information scraped off the web, with some word-prediction magic added, and packaged together in a way to sound as accurate and reliable as possible.
</p>

<p>
	 
</p>

<p>
	We've written before about some of the problems with these AI Overviews, which regularly contain <a href="https://www.wired.com/story/google-ai-overviews-says-its-still-2024/" rel="external nofollow">mistakes</a> or <a href="https://www.wired.com/story/google-ai-overviews-meaning/" rel="external nofollow">nonsense</a>, and of course <a href="https://www.wired.com/story/google-ai-overview-search-results-copied-my-original-work/" rel="external nofollow">rip off the work</a> of the human writers who actually know the answers to the questions you're putting into Google. There's another problem though—these AI answers can actually be dangerous.
</p>

<p>
	 
</p>

<p>
	As with every other new technology through history, scams are now making their way into AI Overviews as well, apparently injecting Google's AI answers with fraudulent phone numbers that you shouldn't trust. Here's what's happening, and how you can make sure you stay safe.
</p>

<h2 class="paywall">
	How AI Overview Scams Work
</h2>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="Image may contain Page Text and File" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/698d2072785a133a2521fd52/master/w_960,c_limit/01-bbc.jpg"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR jpkaNC asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseText-eqOrNE CaptionText-brNLzD hZRRZk fGraOh caption__text caption__text">It's a good idea not to trust AI for contact details.</span></em>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR jpkaNC asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseText-eqOrNE CaptionCredit-eowWKH bjnqoI gxwcqg caption__credit caption__credit">David Nield</span></em>
</div>

<p>
	 
</p>

<p>
	Both <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.washingtonpost.com/technology/2025/08/15/google-ai-overviews-scam/" href="https://www.washingtonpost.com/technology/2025/08/15/google-ai-overviews-scam/" rel="external nofollow" target="_blank">The Washington Post</a> and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.digitaltrends.com/computing/googles-ai-could-lead-you-into-scam-support-numbers-on-search/" href="https://www.digitaltrends.com/computing/googles-ai-could-lead-you-into-scam-support-numbers-on-search/" rel="external nofollow" target="_blank">Digital Trends</a> have spotted instances of scam support numbers showing up in Google AI Overviews, reports of which appeared on <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.facebook.com/alex.rivlin.1/videos/604442056076662" href="https://www.facebook.com/alex.rivlin.1/videos/604442056076662" rel="external nofollow" target="_blank">Facebook</a> and <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.reddit.com/r/Scams/comments/1nqdlq7/us_google_ai_gave_me_a_fraudulent_phone_number_to/" href="https://www.reddit.com/r/Scams/comments/1nqdlq7/us_google_ai_gave_me_a_fraudulent_phone_number_to/" rel="external nofollow" target="_blank">Reddit</a> respectively. 
Credit unions and banks are also <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.sdfcu.org/articles-security-remote-access-google-listing-scams" href="https://www.sdfcu.org/articles-security-remote-access-google-listing-scams" rel="external nofollow" target="_blank">warning their customers</a> about these scams.
</p>

<p>
	 
</p>

<p>
	It doesn't seem to be a completely new problem, but the way Google Search works now, it's been given a new twist.
</p>

<p>
	 
</p>

<p>
	Here's what happens: The unfortunate victim Googles a company name looking for a contact number, then calls the number thrown up by AI. This doesn't actually lead to the company in question, but rather to someone pretending to be that company, who then tries to take payment information or other sensitive details from the caller.
</p>

<div>
	 
</div>

<p>
	It's not clear exactly how these fake numbers are being planted, but <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.linkedin.com/posts/lily-ray-44755615_i-was-quoted-today-in-the-washington-post-activity-7362195610692632577-kvRW/" href="https://www.linkedin.com/posts/lily-ray-44755615_i-was-quoted-today-in-the-washington-post-activity-7362195610692632577-kvRW/" rel="external nofollow" target="_blank">the best guess is</a> that they're being published in multiple low-profile places online, alongside the names of major companies. AI Overviews then comes along and scoops them up, without running the proper checks to verify the information.
</p>

<p>
	 
</p>

<p>
	The planting of misleading phone numbers by bad actors is not a completely new danger of course; misinformation has been a part of the web for a long, long time. But the design of AI Overviews, which picks out information from the web and presents it as fact rather than encouraging you to do the research yourself, is making people much more susceptible to this kind of con.
</p>

<p>
	 
</p>

<p>
	Google says it's actively fighting these scammers and that it’s continuing to roll out updates that make its spam-detection systems stronger. “Our anti-spam protections are highly effective at keeping scams out of AI Overviews and showing official customer support numbers where possible,” the company said in a statement to WIRED.
</p>

<p>
	 
</p>

<p>
	Of course, it's not just happening on Google Search. Security researchers have shown how malicious text can be <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://0din.ai/blog/phishing-for-gemini" href="https://0din.ai/blog/phishing-for-gemini" rel="external nofollow" target="_blank">hidden in emails</a>—and presumably documents as well—which is then scraped and summarized by the AI, and served up to the user who takes it as accurate and authentic. The issue is also showing up in <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.zdnet.com/article/scammers-have-infiltrated-googles-ai-responses-how-to-spot-them/" href="https://www.zdnet.com/article/scammers-have-infiltrated-googles-ai-responses-how-to-spot-them/" rel="external nofollow" target="_blank">other AI search engines</a>.
</p>

<h2 class="paywall">
	How to Keep Yourself Safe
</h2>

<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
	<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image"><img alt="Image may contain Page Text and File" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/698d2096966219c801ba372c/master/w_960,c_limit/02-chatgpt.jpg"></picture></span>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR jpkaNC asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseText-eqOrNE CaptionText-brNLzD hZRRZk fGraOh caption__text caption__text">AI bots serve up information so you don't have to visit the web.</span></em>
</div>

<div class="CaptionWrapper-jYrTxZ byeLF caption AssetEmbedCaption-fyuOdR jpkaNC asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
	<em><span class="BaseText-eqOrNE CaptionCredit-eowWKH bjnqoI gxwcqg caption__credit caption__credit">David Nield</span></em>
</div>

<p>
	 
</p>

<p>
	The advice for avoiding this kind of scam trick is simple: Don't believe everything you read in an AI Overview, especially not when it comes to specific facts, figures, or phone numbers. Google's AI technology is susceptible to picking up outdated or suspect information from the web as well as accurate data, and given the way the AI Overview interface is presented, it's difficult to tell the difference.
</p>

<p>
	 
</p>

<p>
	If you're looking for a contact phone number or something similar, run a search for the company you're trying to get in touch with, then use the details on the company's own website: It may be an extra click or two, but it's worth it to make sure you're dealing with correct contact information.
</p>

<p>
	 
</p>

<p>
	Caution is still required wherever you get your information from, though, especially when it comes to dealing with customer service representatives and discussing anything to do with payments or personal information. Ideally, you want to verify any number you call with a second Google search for it.
</p>

<p>
	 
</p>

<p>
	Google recommends this as well. The company says it has recently launched a number of updates to further improve scam protections for AI Overviews specifically, but it still encourages people to double-check phone numbers by performing additional searches.
</p>

<p>
	 
</p>

<p>
	For now, there's no way to turn off AI Overviews. If Google decides to serve them up for your query, all you can do is scroll past them, or maybe switch to a different search engine. Google may be working to remove false phone numbers from results, but we know <a href="https://www.wired.com/story/google-ai-overviews-broken-how-ai-works/" rel="external nofollow">the nature of generative AI</a> is not to simply parrot information but to embellish it—which is inevitably going to lead to problems.
</p>

<p>
	 
</p>

<p>
	As our searches become <a href="https://www.wired.com/story/chatgpt-ai-search-update-openai/" rel="external nofollow">more reliant on AI</a>, it can mean a more natural and conversational user experience, but for some queries the old ways are the best. So for example, you might want to chat with Gemini about ideas for your next vacation. But when it comes to actually finding accurate information about hotels, cruise ships, or travel agents, maybe leave AI out of it.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/googles-ai-overviews-can-scam-you-heres-how-to-stay-safe/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Monday 16 February 2026 at 3:41 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of January) 461</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">33709</guid><pubDate>Sun, 15 Feb 2026 17:42:49 +0000</pubDate></item><item><title>Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps</title><link>https://nsaneforums.com/news/security-privacy-news/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps-r33708/</link><description><![CDATA[<p>
	Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets.
</p>

<p>
	 
</p>

<p>
	The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser.
</p>

<p>
	 
</p>

<p>
	It could also be the first known ClickFix attack to use JavaScript to alter a webpage's functionality for a malicious purpose.
</p>

<h2>
	Promoted through Pastebin
</h2>

<p>
	In the campaign spotted by BleepingComputer, threat actors are iterating through Pastebin posts and leaving comments that promote an alleged cryptocurrency exploit, with a link to a URL on rawtext[.]host.
</p>

<p>
	 
</p>

<p>
	The campaign is widespread, with many of our posts receiving comments over the past week claiming to be "leaked exploit documentation" that allows users to earn $13,000 in 2 days.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Phishing comment on Pastebin" class="ipsImage" height="451" width="720" src="https://www.bleepstatic.com/images/news/security/c/clickfix/pastebin-javascript/pastebin-comment.jpg">
		<figcaption>
			<em>Phishing comment on Pastebin<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The link in the comment redirects to a Google Docs page titled "Swapzone.io – ChangeNOW Profit Method," which claims to be a guide describing a method to exploit arbitrage opportunities for higher payouts.
</p>

<p>
	 
</p>

<p>
	"ChangeNOW still has an older backend node connected to the Swapzone partner API. On direct ChangeNOW, this node is no longer used for public swaps," reads the fake guide.
</p>

<p>
	 
</p>

<p>
	"However, when accessed through Swapzone, the rate calculation passes through Node v1.9 for certain BTC pairs. This old node applies a different conversion formula for BTC to ANY, which results in ~38% higher payouts than intended."
</p>

<p>
	 
</p>

<p>
	At any given time, these documents typically show between 1 and 5 active viewers, suggesting the scam is circulating.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Anonymous users viewing the Google Doc" class="ipsImage" height="113" width="606" src="https://www.bleepstatic.com/images/news/security/c/clickfix/pastebin-javascript/users-browsing.jpg">
		<figcaption>
			<em>People viewing the Google Doc<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The fake guide provides instructions to visit Swapzone.io and manually load a Bitcoin node by executing JavaScript directly in their browser's address bar.
</p>

<p>
	 
</p>

<p>
	The instructions tell victims to visit a URL on paste[.]sh and copy a JavaScript snippet hosted on the page.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="First stage JavaScript code used in ClickFix attack" class="ipsImage" height="324" width="720" src="https://www.bleepstatic.com/images/news/security/c/clickfix/pastebin-javascript/malicious-script.jpg">
		<figcaption>
			<em>First stage JavaScript code used in ClickFix attack<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The guide then tells the reader to go back to the SwapZone tab, click on the address bar, type javascript:, and then paste the code. Once the code has been pasted into the address bar, the guide says to press Enter to execute it, as shown below.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="ClickFix attack instructions in fake SwapZone exploit guide" class="ipsImage" height="720" width="557" src="https://www.bleepstatic.com/images/news/security/c/clickfix/pastebin-javascript/clickfix-instructions.jpg">
		<figcaption>
			<em>ClickFix attack instructions in fake SwapZone exploit guide<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	This technique abuses the browser's 'javascript:' URI feature, which allows users to execute JavaScript from the address bar in the context of the currently loaded website.
</p>

<p>
	 
</p>

<p>
	By convincing victims to run this code on Swapzone.io, attackers can manipulate the page and alter the swap process.
</p>

<p>
	 
</p>

<p>
	BleepingComputer's analysis of the malicious script hosted at paste[.]sh shows that it loads a secondary payload from https://rawtext[.]host/raw?btulo3.
</p>

<p>
	 
</p>

<p>
	This heavily obfuscated script is injected directly into the Swapzone page, overriding the legitimate Next.js script used for handling Bitcoin swaps to hijack the swap interface.
</p>

<p>
	 
</p>

<p>
	The malicious script includes embedded Bitcoin addresses, which are randomly selected and injected into the swap process, replacing the legitimate deposit address generated by the exchange.
</p>

<p>
	 
</p>

<p>
	Because the code executes within the Swapzone.io session, victims see a legitimate interface but end up copying and sending funds to attacker-controlled Bitcoin wallets.
</p>

<p>
	 
</p>

<p>
	In addition to replacing the deposit address, BleepingComputer was told that the script modifies displayed exchange rates and offer values, making it feel like the alleged arbitrage exploit is actually working.
</p>

<p>
	 
</p>

<p>
	Unfortunately, as Bitcoin transactions cannot be reversed, if you fell for this scam, there is no easy way to recover your money.
</p>

<h2>
	A novel ClickFix variant
</h2>

<p>
	This campaign is a variant of the <a href="https://www.bleepingcomputer.com/tag/clickfix/" rel="external nofollow" target="_blank">ClickFix attacks</a>, a social engineering technique that tricks users into executing malicious commands on their computer, typically to install malware.
</p>

<p>
	 
</p>

<p>
	Normally, ClickFix attacks target operating systems by telling victims to run PowerShell commands or shell scripts to fix alleged errors or enable functionality.
</p>

<p>
	 
</p>

<p>
	In this case, instead of targeting the operating system, the attackers instruct victims to execute JavaScript directly in their browser while visiting a cryptocurrency exchange service.
</p>

<p>
	 
</p>

<p>
	This allows the malicious code to modify the page and intercept transaction details.
</p>

<p>
	 
</p>

<p>
	This may represent one of the first reported ClickFix-style attacks specifically designed to use JavaScript in the browser and steal cryptocurrency.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Monday 16 February 2026 at 3:39 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33708</guid><pubDate>Sun, 15 Feb 2026 17:40:15 +0000</pubDate></item><item><title>Windows 11 is getting a big security update</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-is-getting-a-big-security-update-r33682/</link><description><![CDATA[<p>
	We recently learned how <a automate_uuid="a006f8a6-a26d-49ff-b1ca-442a35c062c6" href="https://www.neowin.net/news/microsoft-patches-notepad-flaw-that-could-let-attackers-hijack-windows-pcs/" rel="external nofollow">Windows Notepad could be exploited</a> by attackers to trigger remote code execution (RCE) attacks. Microsoft has often talked about how it is making Windows more secure through the <a automate_uuid="36bc5862-ab5b-400e-b848-aac9e8837ace" href="https://www.neowin.net/news/microsoft-is-making-windows-more-secure-here-is-how-it-admins-need-to-prepare/" rel="external nofollow">deprecation of NTLM</a>, <a automate_uuid="cfc1048b-52df-41a6-a5d6-abb9e7541d12" href="https://www.neowin.net/news/microsoft-is-updating-key-windows-security-component-to-keep-your-pc-safe/" rel="external nofollow">releasing new Secure Boot certificates</a>, and more. Now, the firm has detailed plans to strengthen user trust in Windows by improving its security.
</p>

<p>
	 
</p>

<p>
	Apparently, many Windows 11 customers have been complaining to Microsoft that they are fed up with apps overriding their PC settings, installing bloatware, and modifying "core" Windows experiences without their explicit permission. As we step further into the AI era, Microsoft wants to evolve Windows by building a consent-first model for all apps and AI agents. This will increase transparency for the user, allowing them to define restricted access and reverse decisions when needed. However, this model might also limit developers, which is why Microsoft is working on ways to offer a decent middle ground that works for both parties (more on that later).
</p>

<p>
	 
</p>

<p>
	Although Microsoft already offers several built-in security features in Windows through the <a automate_uuid="ee99114c-4ec6-403a-9192-774defe8bd58" href="https://www.neowin.net/news/microsoft-announces-secure-future-initiative-to-help-improve-its-cybersecurity-efforts/" rel="external nofollow">Secure Future Initiative (SFI)</a>, <a automate_uuid="72159929-ffc0-4c55-aac9-43caf03efd48" href="https://www.neowin.net/news/microsoft-windows-11-24h2-is-our-most-reliable-version-of-windows-yet/" rel="external nofollow">Windows Resiliency Initiative</a>, and <a automate_uuid="49c7ed12-5c0f-4282-bf3e-59d943fcd2e4" href="https://www.neowin.net/news/these-are-all-the-security-features-coming-to-windows-11/" rel="external nofollow">Smart App Control (SAC)</a>, it is now working on two more improvements in this area.
</p>

<p>
	 
</p>

<p>
	The first is <strong>Windows Baseline Security Mode</strong>, which will enable runtime integrity safeguards by default. This will enforce an environment where only signed apps, services, and drivers are allowed to run, while giving IT admins granular control over these safeguards too. Developers will have the ability to detect the operational status of this mode and any exceptions, so that they can modify their app's behavior based on what they have access to.
</p>

<p>
	 
</p>

<p>
	The second is <strong>User Transparency and Consent</strong>, in which Windows will prompt you on certain cybersecurity matters, just like a smartphone. So, for example, if an app tries to access your camera, Windows will send you an alert, enabling you to allow or deny permissions to the associated software. Microsoft believes that this will improve the security and privacy posture of the OS, while also giving you more confidence about its interaction with other software.
</p>

<p>
	 
</p>

<p>
	Microsoft has <a automate_uuid="d639d8a8-e3a1-44b9-9610-f5ef66b92abe" href="https://blogs.windows.com/windowsexperience/2026/02/09/strengthening-windows-trust-and-security-through-user-transparency-and-consent/" rel="external nofollow">emphasized</a> that these security measures do not imply that Windows won't be as open anymore. Instead, it simply establishes principles that put the end-user in control of the software that they are running.
</p>

<p>
	 
</p>

<p>
	The Redmond tech firm will roll out these security updates in a staggered manner, while listening and adjusting its approach based on feedback. It has highlighted positive sentiment regarding these upcoming changes from various firms including 1Password, Adobe, CrowdStrike, Electronic Arts, OpenAI, and Raycast. No timeline has been communicated yet regarding the rollout of these security enhancements, so there's no knowing when the first phase will kick off.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-11-is-getting-a-big-security-update/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 13 February 2026 at 12:51 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33682</guid><pubDate>Fri, 13 Feb 2026 02:52:23 +0000</pubDate></item><item><title>Bitwarden introduces &#x2018;Cupid Vault&#x2019; for secure password sharing</title><link>https://nsaneforums.com/news/security-privacy-news/bitwarden-introduces-%E2%80%98cupid-vault%E2%80%99-for-secure-password-sharing-r33681/</link><description><![CDATA[<p>
	Bitwarden has launched a new system called ‘Cupid Vault’ that allows users to safely share passwords with trusted email addresses.
</p>

<p>
	 
</p>

<p>
	Cupid Vault works by allowing users of the free version of Bitwarden to create a 2-person shared vault called an 'Organization'. Other users can access the logins inside the Organization space with credentials assigned by the owner of the account.
</p>

<p>
	 
</p>

<p>
	Inviting a user (partner, friend, family member) to an Organization can be done by adding their email address as a second member.
</p>

<p>
	 
</p>

<p>
	This way, Bitwarden users can <a href="https://bitwarden.com/blog/introducing-bitwarden-cupid-vault-to-securely-share-and-unshare-passwords/" rel="external nofollow" target="_blank">securely share</a> collections of login pairs for media streaming service accounts or other online platforms.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Creating a new Organization (top), setting a Collection (mid), and inviting a user (bottom)" class="ipsImage" height="720" width="695" src="https://www.bleepstatic.com/images/news/u/1220909/2026/February/1.jpg">
		<figcaption>
			<em>Creating a new Organization (top), setting a Collection (mid), and inviting a user (bottom)<br>
			Source: Bitwarden</em>
		</figcaption>
	</figure>
</div>

<p>
	Setting up an Organization and creating shared collections is possible by logging into the Bitwarden vault via the web interface.
</p>

<p>
	 
</p>

<p>
	To prevent adversary-in-the-middle enrollment attacks, vault owners can verify through a fingerprint phrase that the intended member is getting access. The shared vault is completely isolated from the personal vault.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Invite to join a Bitwarden Organization" class="ipsImage" height="596" style="height: auto;" width="603" src="https://www.bleepstatic.com/images/news/u/1220909/2026/February/invite.jpg">
		<figcaption>
			<em>Invite to join a Bitwarden Organization<br>
			Source: Bitwarden</em>
		</figcaption>
	</figure>
</div>

<p>
	Access to the Organization vault and the secrets it contains can be revoked at any time, and sharing can be configured in both directions.
</p>

<p>
	 
</p>

<p>
	Bitwarden published a <a href="https://bitwarden.com/help/getting-started-organizations/" rel="external nofollow" target="_blank">detailed guide</a> on how to set up and use Cupid Vault, which explains that ownership of items within a new Organization isn’t tied to their creator, as both members can perform editing or deletion actions.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Overview" class="ipsImage" height="451" style="height: auto;" width="900" src="https://www.bleepstatic.com/images/news/u/1220909/2026/February/cupid_vault_diagram.jpg">
		<figcaption>
			<em>Source: Bitwarden</em>
		</figcaption>
	</figure>
</div>

<p>
	Bitwarden is a popular open-source password manager that lets users securely store, generate, and autofill passwords and other sensitive information.
</p>

<p>
	 
</p>

<p>
	It’s cross-platform, supporting a range of browsers, desktop operating systems, and mobile platforms, and protects stored data using end-to-end encryption.
</p>

<p>
	 
</p>

<p>
	The new Cupid Vault feature, launched ahead of Valentine’s Day, is available at no charge to all users and can be set up through the free plan. However, there’s a limit of 2 Collections and 2 users each.
</p>

<p>
	 
</p>

<p>
	Family, Teams, and Enterprise plan users already get multiple users, collections, and granular role-based access control permissions, so Cupid Vault is redundant for paying tiers and shouldn’t be confused with the secret-sharing features available to them.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bitwarden-introduces-cupid-vault-for-secure-password-sharing/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 13 February 2026 at 12:47 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33681</guid><pubDate>Fri, 13 Feb 2026 02:51:09 +0000</pubDate></item><item><title>Odido data breach exposes personal info of 6.2 million customers</title><link>https://nsaneforums.com/news/security-privacy-news/odido-data-breach-exposes-personal-info-of-62-million-customers-r33671/</link><description><![CDATA[<p>
	Dutch telecommunications provider Odido is warning that it suffered a cyberattack that reportedly exposed the personal data of 6.2 million customers.
</p>

<p>
	 
</p>

<p>
	Odido is one of the largest mobile and telecommunications providers in the Netherlands, offering mobile, broadband, and television services to millions of customers nationwide. The company was formed in 2023 through the rebranding of T-Mobile Netherlands and Tele2 Netherlands.
</p>

<p>
	 
</p>

<p>
	The company says they detected the incident on the weekend of February 7 and launched an investigation with internal and external cybersecurity experts.
</p>

<p>
	 
</p>

<p>
	Odido says that the attackers breached their customer contact system, allowing them to download the personal data of many of its customers. 
</p>

<p>
	 
</p>

<p>
	"Odido has been hit by a cyberattack, which compromised customer data," <a href="https://www.odido.nl/veiligheid" rel="external nofollow" target="_blank">warns the company</a>.
</p>

<p>
	 
</p>

<p>
	"This involved personal data from a customer contact system used by Odido. No passwords, call logs, or billing information were affected."
</p>

<p>
	 
</p>

<p>
	Odido told <a href="https://www.nu.nl/binnenland/6385809/gegevens-miljoenen-odido-klanten-gelekt-na-grote-cyberaanval.html" rel="external nofollow" target="_blank">Nu.nl</a> that the breach affects 6.2 million customers, and that the threat actors contacted the company to say they stole millions of records.
</p>

<p>
	 
</p>

<p>
	After learning of the breach, Odido says they immediately blocked the unauthorized access to its customer contact information and reported the breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
</p>

<p>
	 
</p>

<p>
	Odido says the exposed information varies per customer but may include:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Full name
	</li>
	<li>
		Address and place of residence
	</li>
	<li>
		Mobile number
	</li>
	<li>
		Customer number
	</li>
	<li>
		Email address
	</li>
	<li>
		IBAN (account number)
	</li>
	<li>
		Date of birth
	</li>
	<li>
		Identification data (passport or driver's license number and validity)
	</li>
</ul>

<p>
	 
</p>

<p>
	However, the company emphasized that passwords, call records, location data, invoice details, and scans of identification documents were not affected.
</p>

<p>
	 
</p>

<p>
	The company is now emailing all impacted customers, who should receive the notification within 48 hours.
</p>

<p>
	 
</p>

<p>
	Odido says it has now blocked the unauthorized access, strengthened security controls, increased monitoring for suspicious activity, and engaged external cybersecurity experts to assist with incident response and mitigation.
</p>

<p>
	 
</p>

<p>
	At this time, BleepingComputer has found no evidence that the data has been publicly leaked, nor any indication of who is behind the attack.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/odido-data-breach-exposes-personal-info-of-62-million-customers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 13 February 2026 at 6:29 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33671</guid><pubDate>Thu, 12 Feb 2026 20:29:40 +0000</pubDate></item><item><title>OpenAI researcher quits over ChatGPT ads, warns of &#x201C;Facebook&#x201D; path</title><link>https://nsaneforums.com/news/security-privacy-news/openai-researcher-quits-over-chatgpt-ads-warns-of-%E2%80%9Cfacebook%E2%80%9D-path-r33661/</link><description><![CDATA[<h3>
	Zoë Hitzig resigned on the same day OpenAI began testing ads in its chatbot.
</h3>

<p>
	On Wednesday, former OpenAI researcher Zoë Hitzig <a href="https://www.nytimes.com/2026/02/11/opinion/openai-ads-chatgpt.html" rel="external nofollow">published</a> a guest essay in The New York Times announcing that she resigned from the company on Monday, the same day OpenAI <a href="https://arstechnica.com/information-technology/2026/01/openai-to-test-ads-in-chatgpt-as-it-burns-through-billions/" rel="external nofollow">began testing</a> advertisements inside ChatGPT. Hitzig, an economist and published poet who holds a junior fellowship at the Harvard Society of Fellows, spent two years at OpenAI helping shape how its AI models were built and priced. She wrote that OpenAI’s advertising strategy risks repeating the same mistakes that Facebook made a decade ago.
</p>

<p>
	 
</p>

<p>
	“I once believed I could help the people building A.I. get ahead of the problems it would create,” Hitzig wrote. “This week confirmed my slow realization that OpenAI seems to have stopped asking the questions I’d joined to help answer.”
</p>

<p>
	 
</p>

<p>
	Hitzig did not call advertising itself immoral. Instead, she argued that the nature of the data at stake makes ChatGPT ads especially risky. Users have shared medical fears, relationship problems, and religious beliefs with the chatbot, she wrote, often “because people believed they were talking to something that had no ulterior agenda.” She called this accumulated record of personal disclosures “an archive of human candor that has no precedent.”
</p>

<p>
	 
</p>

<p>
	She also drew a direct parallel to Facebook’s early history, noting that the social media company once promised users control over their data and the ability to vote on policy changes. Those pledges eroded over time, Hitzig wrote, and the Federal Trade Commission <a href="https://www.ftc.gov/news-events/news/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep-privacy-promises" rel="external nofollow">found</a> that privacy changes Facebook marketed as giving users more control actually did the opposite.
</p>

<p>
	 
</p>

<p>
	She warned that a similar trajectory could play out with ChatGPT: “I believe the first iteration of ads will probably follow those principles. But I’m worried subsequent iterations won’t, because the company is building an economic engine that creates strong incentives to override its own rules.”
</p>

<h2>
	Ads arrive after a week of AI industry sparring
</h2>

<p>
	Hitzig’s resignation adds another voice to a growing debate over advertising in AI chatbots. OpenAI <a href="https://arstechnica.com/information-technology/2026/01/openai-to-test-ads-in-chatgpt-as-it-burns-through-billions/" rel="external nofollow">announced</a> in January that it would begin testing ads in the US for users on its free and $8-per-month “Go” subscription tiers, while paid Plus, Pro, Business, Enterprise, and Education subscribers would not see ads. The company said ads would appear at the bottom of ChatGPT responses, be clearly labeled, and would not influence the chatbot’s answers.
</p>

<p>
	 
</p>

<p>
	The rollout on Sunday followed a week of public jabs between OpenAI and its rival, Anthropic. Anthropic <a href="https://arstechnica.com/ai/2026/02/should-ai-chatbots-have-ads-anthropic-says-no/" rel="external nofollow">declared</a> Claude would remain ad-free, then ran Super Bowl ads with the tagline “Ads are coming to AI. But not to Claude,” which depicted AI chatbots awkwardly inserting product placements into personal conversations.
</p>

<p>
	 
</p>

<p>
	OpenAI CEO Sam Altman <a href="https://arstechnica.com/information-technology/2026/02/openai-is-hoppin-mad-about-anthropics-new-super-bowl-tv-ads/" rel="external nofollow">called</a> the ads “funny” but “clearly dishonest,” writing on X that OpenAI “would obviously never run ads in the way Anthropic depicts them.” He framed the ad-supported model as a way to bring AI to users who cannot afford subscriptions, writing that “Anthropic serves an expensive product to rich people.”
</p>

<p>
	 
</p>

<p>
	Anthropic <a href="https://www.anthropic.com/news/claude-is-a-space-to-think" rel="external nofollow">responded</a> as part of an advertising campaign of its own that including ads in conversations with its Claude chatbot “would be incompatible with what we want Claude to be: a genuinely helpful assistant for work and for deep thinking.” The company said more than 80 percent of its revenue comes from enterprise customers.
</p>

<h2>
	What Hitzig saw from the inside
</h2>

<p>
	Regardless of the debate over whether AI chatbots should carry ads, OpenAI’s support documentation <a href="https://help.openai.com/en/articles/20001047-ads-in-chatgpt" rel="external nofollow">reveals</a> that ad personalization is enabled by default for users in the test. If left on, ads will be selected using information from current and past chat threads, as well as past ad interactions. Advertisers do not receive users’ chats or personal details, OpenAI says, and ads will not appear near conversations about health, mental health, or politics.
</p>

<p>
	 
</p>

<p>
	In her essay, Hitzig pointed to what she called an existing tension in OpenAI’s principles. She noted that while the company states it does not optimize for user activity solely to generate advertising revenue, reporting has suggested that OpenAI already <a href="https://arstechnica.com/information-technology/2025/04/annoyed-chatgpt-users-complain-about-bots-relentlessly-positive-tone/" rel="external nofollow">optimizes</a> for daily active users, “likely by encouraging the model to be more flattering and sycophantic.”
</p>

<p>
	 
</p>

<p>
	She warned that this optimization can make users feel more dependent on AI models for support, pointing to psychiatrists who have <a href="https://arstechnica.com/information-technology/2025/08/with-ai-chatbots-big-tech-is-moving-fast-and-breaking-people/" rel="external nofollow">documented instances</a> of “chatbot psychosis” and allegations that ChatGPT reinforced suicidal ideation.
</p>

<p>
	 
</p>

<p>
	OpenAI currently faces multiple wrongful death lawsuits, including one alleging ChatGPT <a href="https://arstechnica.com/tech-policy/2025/08/chatgpt-helped-teen-plan-suicide-after-safeguards-failed-openai-admits/" rel="external nofollow">helped</a> a teenager plan his suicide and another alleging it <a href="https://arstechnica.com/tech-policy/2025/12/openai-refuses-to-say-where-chatgpt-logs-go-when-users-die/" rel="external nofollow">validated</a> a man’s paranoid delusions about his mother before a murder-suicide.
</p>

<p>
	 
</p>

<p>
	Rather than framing the debate as ads versus no ads, Hitzig proposed several structural alternatives. These included cross-subsidies modeled on the FCC’s universal service fund (in which businesses that pay for high-value AI labor would subsidize free access for others), independent oversight boards with binding authority over how conversational data is used in ad targeting, and data trusts or cooperatives in which users retain control of their information. She pointed to the Swiss cooperative <a href="https://www.midata.coop/en/cooperative/" rel="external nofollow">MIDATA</a> and Germany’s <a href="https://en.wikipedia.org/wiki/Codetermination_in_Germany" rel="external nofollow">co-determination laws</a> as partial precedents.
</p>

<p>
	 
</p>

<p>
	Hitzig closed her essay with what she described as the two outcomes she fears most: “a technology that manipulates the people who use it at no cost, and one that exclusively benefits the few who can afford to use it.”
</p>

<h2>
	A changing of the AI seasons
</h2>

<p>
	Hitzig was not the only prominent AI researcher to publicly resign this week. On Sunday, Mrinank Sharma, who led Anthropic’s Safeguards Research Team and <a href="https://www.anthropic.com/research/towards-understanding-sycophancy-in-language-models" rel="external nofollow">co-authored</a> a widely cited 2023 study on AI sycophancy, <a href="https://futurism.com/artificial-intelligence/anthropic-researcher-quits-cryptic-letter" rel="external nofollow">announced</a> his departure in a letter warning that “the world is in peril.” He wrote that he had “repeatedly seen how hard it is to truly let our values govern our actions” inside the organization and said he plans to pursue a poetry degree (Hitzig, coincidentally, is also a <a href="https://www.poetryfoundation.org/people/zo-hitzig" rel="external nofollow">published poet</a>).
</p>

<p>
	 
</p>

<p>
	On Monday, xAI co-founder Yuhuai “Tony” Wu also <a href="https://arstechnica.com/ai/2026/02/grok-maker-xai-loses-another-co-founder/" rel="external nofollow">resigned</a>, followed the next day by fellow co-founder Jimmy Ba. They were part of a larger wave: at least nine xAI employees, including the two co-founders, publicly <a href="https://techcrunch.com/2026/02/11/senior-engineers-including-co-founders-exit-xai-amid-controversy/" rel="external nofollow">announced</a> their departures over the past week, according to TechCrunch. Six of the company’s 12 original co-founders have now left.
</p>

<p>
	 
</p>

<p>
	The departures follow Elon Musk’s decision to <a href="https://arstechnica.com/ai/2026/02/spacex-acquires-xai-plans-1-million-satellite-constellation-to-power-it/" rel="external nofollow">merge</a> xAI with SpaceX in an all-stock deal ahead of a planned IPO, a transaction that converted xAI equity into shares of a company valued at $1.25 trillion, though it is unclear whether the timing of the departures is related to vesting schedules.
</p>

<p>
	 
</p>

<p>
	The three sets of departures across OpenAI, Anthropic, and xAI appear unrelated in their specifics, but they arrive during a period of rapid commercialization across the AI industry that has tested the patience of researchers at multiple companies, and they fit a broader pattern of turnover and burnout that has become common at major AI labs.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2026/02/openai-researcher-quits-over-fears-that-chatgpt-ads-could-manipulate-users/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 12 February 2026 at 12:05 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33661</guid><pubDate>Thu, 12 Feb 2026 02:05:34 +0000</pubDate></item><item><title>Microsoft patches Notepad flaw that could let attackers hijack Windows PCs</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-patches-notepad-flaw-that-could-let-attackers-hijack-windows-pcs-r33650/</link><description><![CDATA[<p>
	Microsoft released a security update addressing a serious vulnerability in Notepad. The flaw, not to be confused with a <a automate_uuid="31c7e61e-cecc-4b00-81f4-2d099e88e5a5" href="https://www.neowin.net/news/how-to-protect-your-system-following-the-notepad-update-server-compromise/" rel="external nofollow">security issue recently found in Notepad++</a>, could allow attackers to execute malicious code on a victim’s computer remotely.
</p>

<p>
	 
</p>

<p>
	The bug (tracked as CVE-2026-20841) is a remote code execution (RCE) flaw in Windows Notepad. It occurs because the app does not properly sanitize or block dangerous special characters in certain commands. The flaw affects the modern Windows Notepad app from the Microsoft Store, particularly when handling Markdown (.md) files.
</p>

<p>
	 
</p>

<p>
	According to Microsoft’s Security Update Guide, an attacker could exploit the vulnerability and create a malicious Markdown file containing specially crafted links. If a user opens the file in Notepad and clicks one of the links, a script could launch, download, and execute malicious code. If the process was successful, the attacker could gain full control of the victim's computer and all associated permissions.
</p>

<p>
	 
</p>

<p>
	The vulnerability carries a CVSS v3.1 base score of 8.8 (high severity), with Microsoft's maximum severity rating listed as Important. Microsoft reports no known public exploits at the time of the patch release.
</p>

<p>
	 
</p>

<p>
	Microsoft patched this vulnerability as part of the <a automate_uuid="145bd191-292e-45cc-9e7b-b767200e4a57" href="https://www.neowin.net/news/windows-10-gets-kb5075912-february-2026-patch-tuesday-update/" rel="external nofollow">February 2026 Patch Tuesday security updates</a>, released on February 10, 2026. Users should install the latest Windows updates and keep the Notepad app up to date.
</p>

<p>
	 
</p>

<p>
	The discovery of this vulnerability prompted some users to question Microsoft’s decision to give network functionality to Notepad. Users argue that a simple text editor doesn’t need to be connected to the internet all the time. However, allowing Notepad to access the internet is mandatory for keeping <a automate_uuid="2e684dc5-1892-474e-8415-a53d07db2273" href="https://www.neowin.net/news/microsoft-updates-notepad-with-more-formatting-tools-paint-gets-more-ai/" rel="external nofollow">the integration of Copilot in the text editor functional</a>. Still, <a automate_uuid="d9f60799-ad7a-4ded-abe7-ede41b807fab" href="https://www.neowin.net/editorials/notepad-is-losing-its-focus/" rel="external nofollow">whether Copilot is necessary in Notepad is a separate debate</a>.
</p>

<p>
	 
</p>

<p>
	You can check the full patch notes on <a automate_uuid="8bace0e4-994e-4771-9ce0-17bba058e24a" href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841" rel="external nofollow">Microsoft’s security page</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-patches-notepad-flaw-that-could-let-attackers-hijack-windows-pcs/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 12 February 2026 at 4:33 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33650</guid><pubDate>Wed, 11 Feb 2026 18:33:53 +0000</pubDate></item><item><title>On Windows Patch day, Google helped Intel improve a major security feature on its CPUs</title><link>https://nsaneforums.com/news/security-privacy-news/on-windows-patch-day-google-helped-intel-improve-a-major-security-feature-on-its-cpus-r33644/</link><description><![CDATA[<p>
	Intel today, on <a automate_uuid="96e63116-df2b-498d-8a5d-fb318441e2d6" href="https://www.neowin.net/news/windows-11-kb5077181-kb5075941-february-2026-patch-tuesday-updates-out/" rel="external nofollow">Windows Patch Tuesday</a>, released new findings from a joint security review with Google, highlighting its ongoing work to strengthen Intel Trust Domain eXtensions (Intel TDX). This confidential computing technology is designed to protect sensitive workloads, even in hostile environments.
</p>

<p>
	 
</p>

<p>
	Confidential computing is a critical safeguard for cloud and multi-tenant enterprise systems. Billions of users depend on hardware-based protections to keep data secure against compromised hypervisors or malicious insiders. Intel TDX enables Confidential Virtual Machines (CVMs), also called Trust Domains (TDs), which enforce confidentiality and integrity at the hardware level. Google Cloud, a major partner in testing and improving these protections, offers Confidential VMs built on Intel Xeon CPUs. Microsoft is also an Intel partner, providing CVMs on Azure.
</p>

<p>
	 
</p>

<p>
	Intel introduced TDX to extend the hardware root of trust into virtualized environments. By isolating workloads inside CVMs, TDX ensures that even privileged software layers cannot access protected data. The technology spans hardware, firmware, and software, and is developed under Intel’s Security Development Lifecycle (SDL). This process includes early threat modeling, detailed design and code analysis, and ongoing risk mitigation throughout product development.
</p>

<p>
	 
</p>

<p>
	The latest collaboration focused on Intel TDX Module 1.5, which governs high-level TDX functions. Over five months in 2025, Google’s Cloud Security team worked with Intel’s INT31 research group to examine two advanced features:
</p>

<p>
	 
</p>

<ul>
	<li>
		Live Migration: allowing a Trust Domain to move between host platforms while running.
	</li>
	<li>
		TD Partitioning: enabling nested VMs inside TDs.
	</li>
</ul>

<p>
	 
</p>

<p>
	Google engineers employed manual code reviews, custom bug-finding tools, and off-the-shelf AI, including Gemini Pro, to analyze the module. Their work uncovered five vulnerabilities and flagged 35 additional weaknesses and improvement suggestions. All five vulnerabilities have since been patched in the latest release of the Intel TDX Module code.
</p>

<p>
	 
</p>

<p>
	As a result, workloads running on Google Cloud Confidential VMs backed by Intel TDX will now benefit from these new enhancements.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/on-windows-patch-day-google-helped-intel-improve-a-major-security-feature-on-its-cpus/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 February 2026 at 11:55 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33644</guid><pubDate>Wed, 11 Feb 2026 01:55:25 +0000</pubDate></item><item><title>Windows&#x2019; original Secure Boot certificates expire in June&#x2014;here&#x2019;s what you need to do</title><link>https://nsaneforums.com/news/security-privacy-news/windows%E2%80%99-original-secure-boot-certificates-expire-in-june%E2%80%94here%E2%80%99s-what-you-need-to-do-r33642/</link><description><![CDATA[<h3>
	PCs without the new certificates could eventually have trouble booting new OSes.
</h3>

<p>
	Windows 8 is remembered most for <a href="https://arstechnica.com/information-technology/2022/10/too-much-and-too-soon-steven-sinofsky-looks-back-at-windows-8-10-years-later/" rel="external nofollow">its oddball touchscreen-focused full-screen Start menu</a>, but it also introduced a number of under-the-hood enhancements to Windows. One of those was UEFI Secure Boot, a mechanism for verifying PC bootloaders to ensure that unverified software can’t be loaded at startup. Secure Boot was enabled but technically optional for Windows 8 and Windows 10, but it became a formal system requirement for installing Windows <a href="https://support.microsoft.com/en-us/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad" rel="external nofollow">starting with Windows 11 in 2021</a>.
</p>

<p>
	 
</p>

<p>
	Secure Boot has relied on the same security certificates to verify bootloaders since 2011, during the development cycle for Windows 8. But those original certificates are set to expire in June and October of this year, something Microsoft is highlighting in a <a href="https://blogs.windows.com/windowsexperience/?p=180181" rel="external nofollow">post</a> today.
</p>

<p>
	 
</p>

<p>
	This certificate expiration date isn’t news—Microsoft and most major PC makers have been <a href="https://support.microsoft.com/en-us/topic/windows-devices-for-home-users-businesses-and-schools-with-microsoft-managed-updates-29bfd847-5855-49f1-bb94-e18497fe2315" rel="external nofollow">talking about it</a> for months or years, and behind-the-scenes work to get the Windows ecosystem ready has been happening for some time. And renewing security certificates is a routine occurrence that most users only notice <a href="https://arstechnica.com/gadgets/2026/01/expired-certificate-completely-breaks-macos-logitech-apps-user-customizations/" rel="external nofollow">when something goes wrong</a>.
</p>

<p>
	 
</p>

<p>
	But the downside is that the certificate expiration may cause problems for PCs that don’t pull down the patches before the June 2026 deadline. While these PCs will continue to function, expired certificates can prevent Microsoft from patching newly discovered Secure Boot vulnerabilities and can also keep those PCs from booting and installing newer operating system versions that use the new 2023-era certificates.
</p>

<p>
	 
</p>

<p>
	“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” writes Nuno Costa, a program manager in Microsoft’s <a href="https://www.linkedin.com/pulse/inside-windows-servicing-delivery-chris-tyburski/?trackingId=%2Fp%2FqsHCnSYOdQHZDIyEQOQ%3D%3D" rel="external nofollow">Windows Servicing and Delivery division</a>.
</p>

<p>
	 
</p>

<p>
	“However, the device will enter a degraded security state that limits its ability to receive future boot-level protections. As new boot‐level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”
</p>

<h2>
	Making sure you’ve got the new certificates
</h2>

<p>
	For most systems, including older ones that aren’t being actively supported by their manufacturers, Microsoft is relying on Windows Update to provide updated certificates. For fully patched, functioning PCs running supported versions of Windows with Secure Boot enabled, the transition should be seamless, and you may in fact already be using the new certificates without realizing it.
</p>

<p>
	 
</p>

<p>
	This is possible because UEFI-based systems have a small amount of NVRAM that can be used to store variables between boots; generally, Windows and Linux operating systems using <a href="https://fwupd.org/" rel="external nofollow">LVFS</a> for firmware updates should be able to update any given system’s NVRAM with the new certificates. PCs will only have problems deploying the new certificates if NVRAM is full or fragmented in some way, or if the PC manufacturer is shipping buggy firmware that doesn’t support this kind of update.
</p>

<p>
	 
</p>

<p>
	As detailed on <a href="https://www.dell.com/support/kbdoc/en-us/000385747/how-to-check-secure-boot-certificates" rel="external nofollow">a Dell support page</a>, the easiest way to <a href="https://www.dell.com/support/kbdoc/en-us/000385747/how-to-check-secure-boot-certificates" rel="external nofollow">see if your PC has the new certificates</a> is to run a PowerShell command that checks the certificate stored in the “active db,” which is the one currently used to boot the PC.
</p>


<div class="ars-lightbox align-fullwidth my-5">
	<div class="flex flex-col flex-nowrap gap-5 py-5 md:flex-row">
		<div style="flex-basis: calc(46.801587844224% - 10px);">
			<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
				<img alt="Screenshot-2026-02-10-at-11.36.33-AM-102" aria-labelledby="caption-2140303" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2026/02/Screenshot-2026-02-10-at-11.36.33-AM-1024x701.jpeg">
				<div class="pswp-caption-content" id="caption-2140303">
					<p>
						<em>A screenshot from a Windows 11 PC that is already using the new 2023 Secure Boot certificates to boot (the first command has returned “true”) but which does not have the new certificates baked into its UEFI firmware (the second command has returned “false”). This is normal behavior for older PCs; for newer PCs, check to see if a BIOS update is available.</em>
					</p>

					<div class="ars-gallery-caption-credit">
						<em>Andrew Cunningham</em>
					</div>
				</div>
			</div>
		</div>

		<div class="flex-1">
			<div class="ars-lightbox-item relative block h-full w-full overflow-hidden rounded-sm">
				<img alt="Screenshot-2026-02-09-173959-1024x616.jp" aria-labelledby="caption-2140335" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2026/02/Screenshot-2026-02-09-173959-1024x616.jpg">
				<div class="pswp-caption-content" id="caption-2140335">
					<p>
						<em>If the second command returns “true” it means the new certificates are also baked into your PC’s firmware. Newer systems should have BIOS updates available with the new certificates.</em>
					</p>

					<div class="ars-gallery-caption-credit">
						<em>Andrew Cunningham</em>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	To check this, right-click either the PowerShell or Terminal app and run it as an Administrator, and type <code>([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')</code>. If this command returns “true,” then your PC is using the new certificate, and you’re good to go.
</p>

<p>
	 
</p>

<p>
	If it returns “false,” here are some steps to enable Windows Update to install the new certificates for you.
</p>

<p>
	 
</p>

<ul>
	<li>
		Make sure you’re running a supported version of Windows. For Windows 11, that means version 24H2 or 25H2. For Windows 10, you need to <a href="https://arstechnica.com/gadgets/2025/07/how-to-get-another-free-year-of-updates-for-your-windows-10-pc/" rel="external nofollow">enroll the PC in the Extended Security Updates (ESU) program</a>, which consumers can do for free after jumping through a couple of hoops.
	</li>
	<li>
		Make sure Secure Boot is enabled in the BIOS and working properly. To check from within Windows, press Windows + R to open a Run window, type msinfo32, and press Enter. In the msinfo32 app, make sure Secure Boot State is set to “on.”
	</li>
	<li>
		Check to see whether there’s a firmware update available for your PC. These may fix bugs preventing the new certificates from being installed.
	</li>
	<li>
		Especially for older PCs that originally shipped with Windows 8 or Windows 10, it <a href="https://fwupd.github.io/libfwupdplugin/uefi-db.html" rel="external nofollow">may help</a> to do a factory reset of your Secure Boot keys from within your PC’s BIOS settings. This can help ensure that there is enough free space in your PC’s NVRAM to store the new certificates.
		<ul>
			<li>
				If you do this on a system with BitLocker encryption enabled, <a href="https://arstechnica.com/gadgets/2026/01/how-to-encrypt-your-pcs-disk-without-giving-the-keys-to-microsoft/" rel="external nofollow">make sure you have your recovery key handy</a> so you can unlock your drive.
			</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	The second thing to check is the “default db,” which shows whether the new Secure Boot certificates are baked into your PC’s firmware. If they are, even <a href="https://www.dell.com/support/kbdoc/en-us/000368610/how-to-update-secure-boot-active-database-from-bios" rel="external nofollow">resetting Secure Boot settings to the defaults in your PC’s BIOS</a> will still allow you to boot operating systems that use the new certificates.
</p>

<p>
	 
</p>

<p>
	To check this, open PowerShell or Terminal again and type <code>([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')</code>. If this command returns “true,” your system is running an updated BIOS with the new Secure Boot certificates built in. Older PCs and systems without a BIOS update installed will return “false” here.
</p>

<p>
	 
</p>

<p>
	Microsoft’s Costa says that “many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates” and won’t need to be updated at all. And PCs several years older than that may be able to get the certificates via a BIOS update.
</p>

<p>
	 
</p>

<p>
	In the US, <a href="https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration" rel="external nofollow">Dell</a>, <a href="https://support.hp.com/us-en/document/ish_13070353-13070429-16" rel="external nofollow">HP</a>, <a href="https://support.lenovo.com/us/en/solutions/HT518129" rel="external nofollow">Lenovo</a>, and <a href="https://support.microsoft.com/en-us/surface/surface-secure-boot-certificates-532abf3b-bafe-420f-b615-bf174105549e" rel="external nofollow">Microsoft</a> all have lists of specific systems and firmware versions, while <a href="https://www.asus.com/support/faq/1055903/" rel="external nofollow">Asus</a> provides more general information about how to get the new certificates via Windows Update, the MyAsus app, or the Asus website. The oldest of the PCs listed generally date back to 2019 or 2020. If your PC shipped with Windows 11 out of the box, there should be a BIOS update with the new certificates available, though that may not be true of every system that meets the requirements for upgrading to Windows 11.
</p>

<p>
	 
</p>

<p>
	Microsoft encourages <span style="box-sizing: border-box; margin: 0px; padding: 0px;">home users who can’t install the new certificates to use <a href="https://support.microsoft.com/en-us/home/contact?SourceApp=smc2&amp;ContactUsExperienceEntryPointAssetId=Bing" rel="external nofollow" target="_blank">its customer support services</a> for</span> help. <a href="https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e" rel="external nofollow">Detailed documentation</a> is also available for <a href="https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235" rel="external nofollow">IT shops</a> and other large organizations that manage their own updates.
</p>

<p>
	 
</p>

<p>
	“The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup,” writes Costa. “By renewing these certificates, the Windows ecosystem is ensuring that future innovations in hardware, firmware, and operating systems can continue to build on a secure, industry‐aligned boot process.”
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2026/02/microsoft-sounds-the-alarm-about-secure-boot-certificates-expiring-later-this-year/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 February 2026 at 11:49 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">33642</guid><pubDate>Wed, 11 Feb 2026 01:51:45 +0000</pubDate></item><item><title>Discord says &#x2018;vast majority&#x2019; of users won&#x2019;t see its new age verification setup</title><link>https://nsaneforums.com/news/security-privacy-news/discord-says-%E2%80%98vast-majority%E2%80%99-of-users-won%E2%80%99t-see-its-new-age-verification-setup-r33641/</link><description><![CDATA[<h3>
	Either because they aren’t accessing age-restricted experiences or because its AI predicts they’re old enough.
</h3>

<p>
	On Tuesday, Discord <a href="https://discord.com/safety/how-discord-is-building-safer-experiences-for-teens" rel="external nofollow">released an update</a> clarifying that the “vast majority of people can continue using Discord exactly as they do today,” without needing to use a face scan or ID to verify their age so they can use the platform without restrictions. Discord states in the post that “age prediction” using information Discord already has will likely be sufficient for many users:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		We’ve seen some questions about our age assurance update and we want to share more clarity. We know how important these changes are to our community.
	</p>

	<p>
		 
	</p>

	<p>
		Here’s what we want you to know:
	</p>

	<p>
		 
	</p>

	<p>
		• Discord is not requiring everyone to complete a face scan or upload an ID to use Discord.
	</p>

	<p>
		 
	</p>

	<p>
		• The vast majority of people can continue using Discord exactly as they do today, without ever being asked to confirm their age.
	</p>

	<p>
		 
	</p>

	<p>
		You need to be an adult to access age-restricted experiences such as age-restricted servers and channels or to modify certain safety settings.
	</p>
</blockquote>

<p>
	However, if Discord’s age inference model can’t accurately or concretely estimate a user’s age, that user will still have to use a video selfie or ID to verify that they’re an adult. Users who aren’t verified as adults, or who are determined to be under 18, will have a “teen-appropriate” experience with certain limitations, like being blocked from age-restricted servers.
</p>

<p>
	 
</p>

<p>
	Some platforms, such as Instagram, YouTube, OpenAI, and Anthropic, <a href="/news/715343/youtube-age-estimation-ai-minor-account-restrictions" rel="">already use AI to “guess” the age</a> of users on their services as they inch their way <a href="/policy/876131/discord-age-verification-mandates-web-future" rel="">toward implementing age verification</a>. Discord says it uses account information, device and activity data, and “high-level patterns” across the platform’s communities to estimate someone’s age.
</p>

<p>
	 
</p>

<p>
	Many users <a href="https://x.com/zachbussey/status/2021297270281384424?s=20" rel="external nofollow">expressed frustration</a> <a href="https://x.com/DachyVille/status/2021157445889118209?s=20" rel="external nofollow">with Discord</a> after the platform announced that it would start <a href="/tech/875309/discord-age-verification-global-roll-out" rel="">imposing an age verification requirement</a> on users around the globe next month. While some claimed they’re going to leave the platform and cancel their Nitro subscriptions, others raised privacy concerns. Last year, a third-party vendor used by Discord <a href="/news/792032/discord-customer-service-data-breach-hack" rel="">experienced a data breach</a>, exposing user information and a “small number” of ID cards uploaded to the platform for age verification. Discord says it has since stopped using this vendor.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/tech/876575/discord-age-verification-vast-majority-users-inference" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 February 2026 at 11:47 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of January) 461</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">33641</guid><pubDate>Wed, 11 Feb 2026 01:49:10 +0000</pubDate></item><item><title>Archive.today CAPTCHA page executes DDoS; Wikipedia considers banning site [Updated]</title><link>https://nsaneforums.com/news/security-privacy-news/archivetoday-captcha-page-executes-ddos-wikipedia-considers-banning-site-updated-r33640/</link><description><![CDATA[<h3>
	DDoS hit blog that tried to uncover Archive.today founder’s identity in 2023.
</h3>

<p>
	Wikipedia editors are discussing whether to blacklist Archive.today because the archive site was used to direct a distributed denial of service (DDoS) attack against a blogger who wrote a post in 2023 about the mysterious website’s anonymous maintainer.
</p>

<p>
	 
</p>

<p>
	In a <a href="https://en.wikipedia.org/wiki/Wikipedia:Requests_for_comment/Archive.is_RFC_5" rel="external nofollow">request for comment page</a>, Wikipedia’s volunteer editors were presented with three options. Option A is to remove or hide all Archive.today links and add the site to the spam blacklist. Option B is to deprecate Archive.today, discouraging future link additions while keeping the existing archived links. Option C is to do nothing and maintain the status quo.
</p>

<p>
	 
</p>

<p>
	Option A in particular would be a huge change, as more than 695,000 links to Archive.today are used across 400,000 or so Wikipedia pages. Archive.today, also known as Archive.is, is a website that saves snapshots of webpages and is commonly used to bypass news paywalls.
</p>

<p>
	 
</p>

<p>
	“Archive.today uses advanced scraping methods, and is generally considered more reliable than the Internet Archive,” the Wikipedia request for comment said. “Due to concerns about botnets, linkspamming, and how the site is run, the community <a href="https://en.wikipedia.org/wiki/Wikipedia:Requests_for_comment/Archive.is_RFC" rel="external nofollow">decided to blacklist it</a> in 2013. In 2016, the decision <a href="https://en.wikipedia.org/wiki/Wikipedia:Archive.is_RFC_4" rel="external nofollow">was overturned</a>, and archive.today was removed from the spam blacklist.”
</p>

<p>
	 
</p>

<p>
	Discussion among editors has been ongoing since February 7. “Wikipedia’s need for verifiable citations is absolutely <em>not</em> more important than the security of users,” one editor in favor of blacklisting wrote. “We need verifiable citations so that we can maintain readers’ trust, however, in order to be trustworthy our references also have to be safe to access.”
</p>

<h2>
	Archive would be hard to replace
</h2>

<p>
	On the other side, an editor who supported Option C wrote that “Archive.today contains a vast amount of archives available nowhere else. Not on Wayback Machine, nowhere. It is the second largest archive provider across all Wikimedia sites. Removal/blockage of this site will be disruptive daily for thousands of editors and readers. It will result in a huge proliferation of {{dead link}} tags that will never be resolved.”
</p>

<p>
	 
</p>

<p>
	Several posts mentioned an ongoing <a href="https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tries-to-unmask-mysterious-founder-of-archive-today/" rel="external nofollow">FBI case</a> that could eventually make the Archive.today links useless anyway. Some said it would be better to act now than to have Option A forced on them later without a backup plan.
</p>

<p>
	 
</p>

<p>
	One editor supported starting with Option B and eventually shifting to Option A with “the proper end goal being the WMF [Wikimedia Foundation] supporting some sort of archive system, whether their own original or directly supporting the Internet Archive’s work so it can be done more systematically.”
</p>

<p>
	 
</p>

<p>
	Some discussion centered on copyright infringement, given that Archive.today publishes copies of many copyrighted articles. “On the general problem of linking to copyright infringement: perhaps the Wikimedia Foundation can work on ways to establish legally licensed archives of major paywalled sites, in partnership with archives such as the Internet Archive,” one editor wrote. “It would be challenging given the business model of those sites, but maybe a workable compromise can be established that manages how many Wikipedia editors [have] access at a given time.”
</p>

<h2>
	Malicious code in CAPTCHA page
</h2>

<p>
	The DDoS attack being discussed by Wikipedia editors was targeted at the <a href="https://gyrovague.com/" rel="external nofollow">Gyrovague blog</a> written by Jani Patokallio. Last month, “the maintainers of Archive.today injected malicious code in order to perform a distributed denial of service attack against a person they were in dispute with,” the Wikipedia request for comment says. “Every time a user encounters the CAPTCHA page, their Internet connection is used to attack a certain individual’s blog.”
</p>

<p>
	 
</p>

<p>
	The trustworthiness of Archive.today was discussed in light of evidence that the site’s founder threatened to create “a new category of AI porn” in retaliation against the blogger. The AI porn threat was mentioned by several editors.
</p>

<p>
	 
</p>

<p>
	“I echo others [that Option] A is looking like something we’ll have to do eventually, anyways, and at least this way we have a chance to do it on our terms,” one editor wrote. “I hate to break it to you, but even if the FBI thing goes nowhere, a website whose operator apparently threatens to create AI porn in retaliation against enemies, using their names, isn’t a trustworthy mirror, and isn’t going to remain one.”
</p>

<p>
	 
</p>

<p>
	One editor reported being “miserable” about supporting Option A, “but we cannot permit websites to rope our readers into being part of DDoS attacks.” Moreover, “The fact is that most of the archive.today links on Wikipedia are not an attempt to save URLs that have now gone dead that the Internet Archive cannot handle, but efforts to bypass paywalls, which is convenient, but illegal. It’s strange that we accept links to archive.today for this purpose but don’t accept the same for Anna’s Archive or Sci-Hub,” the editor wrote.
</p>

<p>
	 
</p>

<p>
	Patokallio told us in an email today, “it’s true that there simply are no alternatives to archive.today for many sources that archive.org does not/cannot cover,” and that he hopes the Wikipedia request for comment “leads to the Wikimedia Foundation creating one as suggested by multiple commenters in the thread.”
</p>

<p>
	 
</p>

<p>
	The Wikimedia Foundation, the nonprofit that hosts Wikipedia, chimed in on the discussion today. “Our view is that the value to verifiability that the site provides must be weighed against the security risks and violation of the trust of the people who click these links,” <a href="https://en.wikipedia.org/wiki/Wikipedia:Requests_for_comment/Archive.is_RFC_5#WMF_note" rel="external nofollow">wrote Eric Mill</a>, head of the foundation’s product safety and integrity group. “We (WMF) encourage the English Wikipedia community to carefully weigh the situation before making a decision on this unusual case.”
</p>

<p>
	 
</p>

<p>
	Noting that “Archive.today’s owner has not been deterred from continuing the ongoing DDoS,” Mill wrote that “the same actions that make archive.today unsafe may also reduce its usefulness for verifying content on Wikipedia. If the owners are willing to abuse their position to further their goals through malicious code, then it also raises questions about the integrity of the archive it hosts.”
</p>

<p>
	 
</p>

<p>
	It’s possible the Wikimedia Foundation will act even if the volunteer editors decide to maintain the status quo. “We know that WMF intervention is a big deal, but we also have not ruled it out, given the seriousness of the security concern for people who click the links that appear across many wikis,” Mill wrote.
</p>

<h2>
	Blogger tried to uncover founder’s identity
</h2>

<p>
	The Wikipedia request for comments acknowledged that whether to blacklist would be a difficult decision. There are “significant concerns for readers’ safety, as well as the long-term stability and integrity of the service,” but “a significant amount of people also think that mass-removing links to Archive.today may harm verifiability, and that the service is harder to censor than certain other archiving sites,” it said.
</p>

<p>
	 
</p>

<p>
	An update to the request for comments yesterday indicated that the attack temporarily stopped, but the malicious code had been reactivated. “Please do not visit the archive without blocking network requests to gyrovague.com to avoid being part of the attack!” it said.
</p>

<p>
	 
</p>

<p>
	The code’s first public mention was apparently in a <a href="https://news.ycombinator.com/item?id=46624740" rel="external nofollow">Hacker News thread</a> on January 14, and Patokallio wrote about the DDoS in a <a href="https://gyrovague.com/2026/02/01/archive-today-is-directing-a-ddos-attack-against-my-blog/" rel="external nofollow">February 1 blog post</a>. “Every 300 milliseconds, as long as the CAPTCHA page is open, this makes a request to the search function of my blog using a random string, ensuring the response cannot be cached and thus consumes resources,” he wrote. The JavaScript code in the Archive.today CAPTCHA page is as follows:
</p>

<pre class="language-javascript" tabindex="0"><code class="language-javascript">        setInterval(function() {
            fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
                referrerPolicy: "no-referrer",
                mode: "no-cors"
            });
        }, 300);</code></pre>

<p>
	In August 2023, Patokallio wrote a <a href="https://gyrovague.com/2023/08/05/archive-today-on-the-trail-of-the-mysterious-guerrilla-archivist-of-the-internet/" rel="external nofollow">post</a> attempting to uncover the identity of Archive.today founder “Denis Petrov,” which seems to be an alias. Patokallio wasn’t able to figure out who the founder is but cobbled together various tidbits from Internet searches, including a Stack Exchange post that mentioned another potential alias, “Masha Rabinovich.”
</p>

<p>
	 
</p>

<p>
	Patokallio seemed to be driven by curiosity and was impressed by Archive.today’s work. “It’s a testament to their persistence that [they’ve] managed to keep this up for over 10 years, and I for one will be buying Denis/Masha/whoever a well deserved cup of coffee,” Patokallio’s 2023 post said. In his post this month, Patokallio said his 2023 blog “gathered some 10,000 views and <a href="https://news.ycombinator.com/item?id=37009598" rel="external nofollow">a bit [of] discussion on Hacker News,</a> but didn’t exactly set the blogosphere on fire. And indeed, absolutely nothing happened for the next two years and a bit.”
</p>

<h2>
	FBI case revives interest in 2023 blog
</h2>

<p>
	But in October 2025, the FBI sent a <a href="https://web.archive.org/web/20251102062750/https://pdflink.to/1e0e0ecd/" rel="external nofollow">subpoena</a> to domain registrar Tucows seeking “subscriber information on [the] customer behind archive.today” in connection with “a federal criminal investigation being conducted by the FBI.” We <a href="https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tries-to-unmask-mysterious-founder-of-archive-today/" rel="external nofollow">wrote about</a> the subpoena, and our story included a link to Patokallio’s 2023 blog post in a sentence that said, “There are several indications that the [Archive.today] founder is from Russia.”
</p>

<p>
	 
</p>

<p>
	In an email to Ars, Patokallio told us that the DDoS attack “appears to be because you kindly mentioned my blog in your Nov 8, 2025 story.” Patokallio added that he is “as mystified by this as you probably are.” Articles about the subpoena by <a href="https://www.theverge.com/news/815691/fbi-subpoena-archive-is-owner" rel="external nofollow">The Verge</a> and <a href="https://www.heise.de/en/news/Archive-today-FBI-Demands-Data-from-Provider-Tucows-11066346.html" rel="external nofollow">Heise Online</a> also linked to Patokallio’s 2023 blog post.
</p>

<p>
	 
</p>

<p>
	We emailed Archive.today’s webmaster address today to ask for comment on the Wikipedia discussion. We received an email reply that said, “Ok, but first remove the paragraph with gyrovague excerpt from your previous article.”
</p>

<p>
	 
</p>

<p>
	On January 8, 2026, Patokallio’s hosting company, Automattic, notified him that it received a GDPR [<a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation" rel="external nofollow">General Data Protection Regulation</a>] complaint from a “Nora” alleging that the 2023 post “contains extensive personal data… presented in a narrative that is defamatory in tone and context.” Patokallio said that after he submitted a rebuttal, “Automattic sided with me and left the post up.” (We have removed Nora’s last name because it <a href="https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-archive-today-after-site-executed-ddos-and-altered-web-captures/" rel="external nofollow">appears</a> to be an identity appropriated from an actual person.)
</p>

<p>
	 
</p>

<p>
	Patokallio said he also “received a politely worded email from archive.today’s webmaster asking me to take down the post for a few months” on January 10. The email was classified as spam by Gmail, and he didn’t see it until five days later, he said. In the meantime, the DDoS started.
</p>

<p>
	 
</p>

<p>
	Patokallio said he replied to the webmaster’s email on January 15 and again on January 20 but didn’t hear back. He tried a third time on January 25, saying he would not take down the blog post but offered to “change some wording that you feel is being misrepresented.”
</p>

<h2>
	Emails threatened AI porn and other scams
</h2>

<p>
	Patokallio posted what he called a lightly redacted copy of the resulting <a href="https://pastes.io/correspond" rel="external nofollow">email thread</a>. The first email from the Archive.today webmaster said, “I do not mind the post, but the issue is: journos from mainstream media (Heise, Verge, etc) cherry-pick just a couple of words from your blog, and then construct very different narratives having your post the only citable source; then they cite each other and produce a shitty result to present for a wide audience.”
</p>

<p>
	 
</p>

<p>
	In a later email, “Nora” wrote, “I do not care on your blog and its content. I just need the links from Heise and other media to be 404.” One message threatened to investigate “your Nazi grandfather” and “vibecode a gyrovague.gay dating app.” Another threatened to create a public association between Patokallio’s name and AI porn.
</p>

<p>
	 
</p>

<p>
	A Tumblr <a href="https://archive-is.tumblr.com/post/807369905134518272/the-finne-troll-published-his-response-with" rel="external nofollow">blog post</a> apparently written by the Archive.today founder seems to generally confirm the emails’ veracity, but says the original version threatened to create “a patokallio.gay dating app,” not “a gyrovague.gay dating app.” The Tumblr blog has several other recent posts criticizing Patokallio and accusing him of hiding his real name. However, the Gyrovague blog shows Patokallio’s name in a sidebar and discloses that he works for Google in Sydney, Australia, while stating that the blog posts contain only his personal views.
</p>

<p>
	 
</p>

<p>
	In one email, Patokallio included a link to Wikipedia’s page on the <a href="https://en.wikipedia.org/wiki/Streisand_effect" rel="external nofollow">Streisand effect</a>, a name for situations in which people seeking to suppress access to information instead draw more public attention to the information they want hidden. The Archive.today site maintainer apparently viewed this as a threat.
</p>

<p>
	 
</p>

<p>
	“And threatening me with Streisand… having such a noble and rare name, which in retaliation could be used for the name of a scam project or become a byword for a new category of AI porn… are you serious?” the email said. Patokallio responded, “No, you’re Streisanding yourself: the DDOS has <em>already</em> drawn more attention to my blog post than it had gotten in the last two years, with zero action on my side.”
</p>

<p>
	 
</p>

<p>
	A subsequent reply in the email thread contained the “Nazi grandfather” and “gay dating app” threats. Patokallio wrote that after these emails, it didn’t seem worthwhile to continue the discussion. “At this point it was pretty clear the conversation had run its course, so here we are,” Patokallio wrote in his February 1 blog post. “And for the record, my long-dead grandfather served in an anti-aircraft unit of the <a href="https://en.wikipedia.org/wiki/Finland_in_World_War_II" rel="external nofollow">Finnish Army during WW2</a>, defending against the attacks of the Soviet Union. Perhaps this is enough to qualify as a ‘Nazi’ in Russia these days.”
</p>

<p>
	 
</p>

<p>
	While the outcome at Wikipedia is not yet settled, Patokallio wrote that the DDoS attack didn’t cause him any real harm. The Archive.today maintainer apparently <a href="https://infosec.exchange/@iampytest1/115905846553756281" rel="external nofollow">intended</a> to make Patokallio’s hosting costs more expensive, but “I have a flat fee plan, meaning this has cost me exactly zero dollars,” he wrote.
</p>

<p>
	 
</p>

<p>
	<em>This article was updated with a statement from the Wikimedia Foundation, further comment from Patokallio, and an email reply from the Archive.today webmaster.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2026/02/wikipedia-might-blacklist-archive-today-after-site-maintainer-ddosed-a-blog/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 February 2026 at 11:47 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33640</guid><pubDate>Wed, 11 Feb 2026 01:47:39 +0000</pubDate></item><item><title>Microsoft just issued a Secure Boot warning for 2026 &#x2014; here&#x2019;s what it means for Windows security</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-just-issued-a-secure-boot-warning-for-2026-%E2%80%94-here%E2%80%99s-what-it-means-for-windows-security-r33632/</link><description><![CDATA[<h3>
	After 15 years, the original Secure Boot certificates that keep your PC secure during boot are expiring. Here's what you need to know.
</h3>

<p id="412599b5-a16c-4c7a-9f76-6392a72569a5">
	Microsoft has announced that the original Secure Boot certificates, issued when the feature first began shipping in 2011, are set to expire this June, and that PCs which are not up to date will enter a degraded security state when this happens. This is the first time since Secure Boot was introduced that its certificates are expiring.
</p>

<p>
	 
</p>

<p>
	Secure Boot is a security feature that ships as part of Windows PCs, and is on by default. It protects your PC from certain security vulnerabilities that could be exploited during the boot phase, before Windows even fully loads, and ensures only signed code can run during this phase.
</p>

<p>
	 
</p>


<p aria-hidden="true" id="412599b5-a16c-4c7a-9f76-6392a72569a5-2">
	Pretty much all PCs that have shipped since 2011 include Secure Boot, and so most Windows users are going to be impacted by these Secure Boot certificates expiring. Microsoft says that most PCs will automatically be updated with new Secure Boot certificates via Windows Update, but that some PCs will need an additional firmware update issued by their OEM too.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	Most PCs that have shipped since 2024 already have these updated Secure Boot certificates, and so there's nothing you need to worry about if you're using a Windows PC that shipped in the last couple of years.
</p>

<p>
	 
</p>

<p aria-hidden="true">
	If you're using an older PC that's running a version of Windows that's no longer supported, you will not receive updated Secure Boot certificates. Microsoft says that functionally, nothing will immediately change when the old Secure Boot certificates expire, but it will leave your PC in a "degraded security state" that will be vulnerable to new exploits that are discovered in the future.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"It’s important to note that devices running unsupported versions (Windows 10 and older, excluding those who have enrolled in Extended Security Updates) do not receive Windows updates and will not receive the new certificates. We continue to encourage customers to always use a supported version of Windows for best performance and protection."</em>
</p>

<p>
	 
</p>

<p aria-hidden="true">
	Microsoft also says that over time, outdated Secure Boot certificates may cause certain software, drivers, and newer Windows operating systems to fail to load. This isn't expected to happen right away, but it will begin to take place as time progresses and new devices and software expect the latest Secure Boot certificates to function.
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-r2QZKrrZAEtmgqTCGkFFma">
	<div data-hydrate="true">
		<div>
			 
		</div>

		<p aria-hidden="true">
			The expiration of the original Secure Boot certificates has been planned since they were first introduced in 2011. <em>"After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle and begin expiring in late June 2026."</em>
		</p>

		<p>
			 
		</p>

		<p aria-hidden="true">
			Microsoft says it's working with its hardware partners and software vendors to ensure a smooth transition as millions of PCs move over to the new Secure Boot certificates. The company calls it <em>"one of the largest coordinated security maintenance efforts across the Windows ecosystem, spanning Windows servicing, firmware updates, and millions of unique device configurations delivered by hardware manufacturers, or original equipment manufacturers (OEMs), worldwide."</em>
		</p>

		<p>
			 
		</p>

		<p aria-hidden="true">
			The good news for those on older systems that are no longer supported by the latest version of Windows is that you shouldn't immediately see any changes in how your PC works and performs. Just as with the end of support date for Windows 10, things should continue to function as you'd expect over the following months, but over time things will slowly stop supporting your device.
		</p>

		<div>
			<div>
				<p>
					 
				</p>

				<p id="a62afab9-17ba-484d-9b5c-a2db1478c329">
					<em><strong>Are you concerned about these original Secure Boot certificates expiring? How might this impact older PCs that are no longer supported by Windows 11? Let us know your thoughts in the comments.</strong></em>
				</p>

				<p>
					 
				</p>

				<div>
					<div>
						<p>
							<a href="https://www.windowscentral.com/microsoft/windows-11/microsoft-warns-secure-boot-certificates-expiring-2026-degraded-security-state" rel="external nofollow">Source</a>
						</p>

						<hr class="ipsHr">

						<p>
							<span style="font-size:12px;"><em>Posted Wednesday 11 February 2026 at 3:21 am AEST (my time).</em></span>
						</p>

					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">33632</guid><pubDate>Tue, 10 Feb 2026 17:22:45 +0000</pubDate></item><item><title>Microsoft announces new mobile-style Windows security controls</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-announces-new-mobile-style-windows-security-controls-r33631/</link><description><![CDATA[<p>
	Microsoft wants to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones.
</p>

<p>
	 
</p>

<p>
	The "Windows Baseline Security Mode" and "User Transparency and Consent" initiatives represent a major shift for the operating system that <a href="https://blogs.windows.com/windowsexperience/2026/02/09/strengthening-windows-trust-and-security-through-user-transparency-and-consent/#:~:text=Windows%2011%20powers%20over%20a%20billion%20devices" rel="external nofollow" target="_blank">now powers more than 1 billion devices</a>.
</p>

<p>
	 
</p>

<p>
	Windows Platform engineer Logan Iyer said that this new security model was prompted by applications increasingly overriding settings, installing unwanted software, or even modifying core Windows experiences without obtaining user consent.
</p>

<p>
	 
</p>

<p>
	After the transparency and consent changes roll out, Windows will prompt for permission when apps try to install unwanted software or access sensitive resources, as on smartphones, allowing users to change their choices at any time after accepting or denying access requests.
</p>

<p>
	 
</p>

<p>
	Windows Baseline Security Mode will enable runtime integrity safeguards by default, ensuring that only properly signed apps, services, and drivers can run, but still allowing users and IT administrators to override these safeguards for specific apps when needed.
</p>

<p>
	 
</p>

<p>
	"Just like they do today on their mobile phones, users will be able to clearly see which apps have access to sensitive resources, including file system, devices like camera and microphone, and others. If they see an app that they don't recognize, they will be able to revoke access," <a href="https://blogs.windows.com/windowsexperience/2026/02/09/strengthening-windows-trust-and-security-through-user-transparency-and-consent/" rel="external nofollow" target="_blank">Iyer said</a>.
</p>

<p>
	 
</p>

<p>
	"Users will have transparency and consent control over how apps access their personal data and device features. They will receive clear prompts to grant or deny apps permission to access protected data and hardware. Users will also be able to revoke permissions they have previously granted."
</p>

<p>
	 
</p>

<p>
	The changes will roll out as part of a phased approach developed "in close partnership" with developers, enterprises, and ecosystem partners, with Microsoft planning to adjust the rollout and the controls based on feedback.
</p>

<p>
	 
</p>

<p>
	The action is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023 after the Cyber Safety Review Board of the U.S. Department of Homeland Security <a href="https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewOfTheSummer2023MEOIntrusion508.pdf" rel="external nofollow" target="_blank">tagged</a> the company's security culture as "inadequate." The board's report was issued following <a href="https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-breached-us-govt-exchange-email-accounts/" rel="external nofollow" target="_blank">an Exchange Online breach</a> by Storm-0558 Chinese hackers who stole a Microsoft consumer signing key in May 2023 to gain <a href="https://www.bleepingcomputer.com/news/security/stolen-microsoft-key-offered-widespread-access-to-microsoft-cloud-services/" rel="external nofollow" target="_blank">widespread access to Microsoft cloud services</a>.
</p>

<p>
	 
</p>

<p>
	As part of this initiative, Microsoft also announced plans to <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-to-secure-entra-id-sign-ins-from-external-script-injection-attacks/" rel="external nofollow" target="_blank">secure Entra ID sign-ins</a> against script-injection attacks, has <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-blocks-activex-by-default-in-microsoft-365-office-2024/" rel="external nofollow" target="_blank">disabled all ActiveX controls</a> in Microsoft 365 and Office 2024 Windows apps, and has <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-file-access-via-legacy-auth-protocols-by-default/" rel="external nofollow" target="_blank">updated Microsoft 365 security defaults</a> to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols.
</p>

<p>
	 
</p>

<p>
	"Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors," Iyer added. "These updates raise the bar for security and privacy on Windows, while giving you more control and confidence in how your system and data are accessed."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-mobile-style-windows-security-controls/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 11 February 2026 at 3:20 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of January) 461</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">33631</guid><pubDate>Tue, 10 Feb 2026 17:21:19 +0000</pubDate></item><item><title>You will have to prove your age to Discord soon if you want an 'adult' experience</title><link>https://nsaneforums.com/news/security-privacy-news/you-will-have-to-prove-your-age-to-discord-soon-if-you-want-an-adult-experience-r33626/</link><description><![CDATA[<p>
	Last month, we learned that <a automate_uuid="9749dc20-a8f0-4d7b-8e87-ce9d7f402500" href="https://www.neowin.net/news/discord-users-may-see-more-monetization-as-company-weighs-going-public/" rel="external nofollow">Discord is filing for an initial public offering (IPO)</a>, banking on its strong user base of over 200 million monthly members. Now, it seems like these millions of users are facing a big change on the platform, with the company announcing new age assurance policies.
</p>

<p>
	 
</p>

<p>
	Starting from next month, everyone on Discord will default to a teen-appropriate experience globally. Communication settings will be automatically updated, sensitive content will be age-gated, and content filtering policies will be in effect. Adults who want to transition to a non-teen experience may be required to prove their age through various methodologies.
</p>

<p>
	 
</p>

<p>
	Two of the age verification methods include facial age estimation and submitting identification documents to partner vendors. For the former, Discord <a automate_uuid="aaedd88f-6aa1-45d1-bcf6-7aee4b5e3255" href="https://discord.com/press-releases/discord-launches-teen-by-default-settings-globally" rel="external nofollow">assures</a> users that video selfies will not leave their devices, while for the latter, it guarantees that documents are deleted very quickly. In case of successful verification, an age group is assigned. However, if there are doubts in determining age, multiple verification methods may be used, with some to be revealed later. If you feel that your assigned age group is incorrect, you can appeal the decision and retry the age verification process. Regardless, it is worth noting that age verification status is private.
</p>

<p>
	 
</p>

<p>
	Speaking more about the default teen-only experience, sensitive content will be blurred, access to age-restricted channels, servers, and app commands will be gated, private messages from unknown users will be routed to a separate inbox, warning prompts will be shown for friend requests from users you may not know, and you will not be allowed to speak on stage in servers.
</p>

<p>
	 
</p>

<p>
	Keep in mind that Discord trialed this teen-only experience in the UK and Australia last year, and the fact that it is being rolled out globally in a staggered manner suggests that it was successful. That said, a major change this time around is the establishment of a "Teen Council," which is an advisory body that will act as a direct link between Discord and its teenage user base. It will consist of 10-12 teenagers, and you can apply to join it by filling out the form available <a automate_uuid="b793f059-8395-4999-a08f-5a8ffbc7fa17" href="https://docs.google.com/forms/d/e/1FAIpQLSdn149YcwlQKN4uoBVhIVmd-39edJG0stKUOBSPLzelhgqykw/viewform" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/you-will-have-to-prove-your-age-to-discord-soon-if-you-want-an-adult-experience/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 10 February 2026 at 11:42 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33626</guid><pubDate>Tue, 10 Feb 2026 01:42:57 +0000</pubDate></item><item><title>Another popular platform hit by data breach exposing emails, location data, and more</title><link>https://nsaneforums.com/news/security-privacy-news/another-popular-platform-hit-by-data-breach-exposing-emails-location-data-and-more-r33595/</link><description><![CDATA[<p>
	Flickr (yes, it's still around) has started notifying users about a security hole that popped up at one of its third-party email service providers, which potentially exposed members' real names, email addresses, and other information. This comes just after Substack <a automate_uuid="9d7d8017-8ef8-4071-abd0-c9f7f2cff2c4" href="https://www.neowin.net/news/your-email-address-and-phone-number-may-have-been-leaked-online-if-you-use-this-popular-app/" rel="external nofollow">announced</a> that it suffered a data scraping incident back in October last year that exposed user records like email addresses, though the company insists no financial information or passwords were stolen in this specific attack.
</p>

<p>
	 
</p>

<p>
	Flickr, just like Substack, failed to say exactly how many users were affected by this specific vendor screw-up, apart from the fact that real names and email addresses definitely got exposed. The security notice explicitly lists other data points the hackers potentially got their hands on, including Flickr usernames, account types, IP addresses, general location data, and activity logs on the site. Payment card numbers and passwords were not affected, <a automate_uuid="1c1769ff-4f59-4c18-95a8-7728d22b0d3d" href="https://x.com/PeterVogel/status/2019646444978979156" rel="external nofollow">according to the notice.</a>
</p>

<p>
	 
</p>

<p>
	Here is how the company is responding to the incident, according to its statement:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Our immediate response</strong>
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			We disabled access to the affected system &amp; removed all links to the vulnerable endpoint.
		</li>
		<li>
			We notified the service provider &amp; demanded a full investigation.
		</li>
		<li>
			We are conducting a thorough review &amp; strengthening our security practices with third-party providers.
		</li>
		<li>
			We notified the relevant data protection authorities.
		</li>
	</ul>
</blockquote>

<p>
	While Flickr is no longer the dominant social network it was in the mid-2000s, it has survived by moving away from being a mass-market "social media" platform to becoming a niche community for photographers and archivists, with over 15 million monthly active users.
</p>

<p>
	 
</p>

<p>
	One contributor to its "downfall" was Yahoo, its previous owner, missing the mobile revolution and being slow to develop a mobile app, which allowed Instagram to eat its lunch. The platform was eventually sold to SmugMug, which has since made a couple of controversial changes, like <a automate_uuid="f54ef5e6-1632-4610-a5eb-b9fe28114cf8" href="https://www.theverge.com/2018/11/1/18051950/flickr-1000-photo-limit-free-accounts-changes-pro-subscription-smugmug" rel="external nofollow">removing</a> the famous free 1TB of storage plan and adding download restrictions that <a automate_uuid="79c16f89-70aa-452b-8ee3-5aed026dfac6" href="https://old.reddit.com//r/flickr/comments/1k0e015/starting_may_15_flickr_is_not_going_to_let_you/" rel="external nofollow">prevent free account holders from downloading high-resolution versions of images</a> (including their own).
</p>

<p>
	 
</p>

<p>
	Via: <a automate_uuid="504ef48f-7372-4853-b826-0b3f77c42d75" href="https://www.bleepingcomputer.com/news/security/flickr-discloses-potential-data-breach-exposing-users-names-emails/" rel="external nofollow">Bleeping Computer</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/another-popular-platform-hit-by-data-breach-exposing-emails-location-data-and-more/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 7 February 2026 at 4:30 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33595</guid><pubDate>Fri, 06 Feb 2026 18:31:05 +0000</pubDate></item><item><title>Newsletter platform Substack notifies users of data breach</title><link>https://nsaneforums.com/news/security-privacy-news/newsletter-platform-substack-notifies-users-of-data-breach-r33581/</link><description><![CDATA[<p>
	Newsletter platform Substack is notifying users of a data breach after attackers stole their email addresses and phone numbers in October 2025.
</p>

<p>
	 
</p>

<p>
	Although the incident occurred four months ago, CEO Chris Best told affected users that Substack only discovered the breach this week. However, while the attackers stole some users' data, Best added that they didn't access credentials or financial information.
</p>

<p>
	 
</p>

<p>
	"On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata," <a href="https://bsky.app/profile/newsguy.bsky.social/post/3me3dhsexmt2s" rel="external nofollow" target="_blank">Best said</a> in breach notification emails sent today.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed."
</p>

<p>
	 
</p>

<p>
	Although Substack has yet to share how many users were affected by the incident, on Monday, a threat actor leaked a database on the BreachForums hacking forum containing 697,313 records of allegedly stolen data.
</p>

<p>
	 
</p>

<p>
	They also claim to have scraped the data and noted that "the scraping method used was noisy and patched fast."
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Substack data leak on BreachForums" class="ipsImage" height="420" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2026/Substack_BreachForums.jpg">
		<figcaption>
			<p>
				<em>Substack data leak on BreachForums </em>
			</p>

			<p>
				<em>(BleepingComputer)</em>
			</p>
		</figcaption>
	</figure>
</div>

<p>
	While it didn't explain how the attacker gained access to the stolen data or reveal the full impact of the data breach, Substack says it has addressed the flaw exploited in the attack and warned of potential phishing attempts that could exploit the stolen information.
</p>

<p>
	 
</p>

<p>
	"We have fixed the problem with our system that allowed this to happen," Best added. "We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious."
</p>

<p>
	 
</p>

<p>
	A Substack spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
</p>

<p>
	 
</p>

<p>
	Almost six years ago, in July 2020, Substack accidentally <a href="https://x.com/Substack/status/1288283848220893185" rel="external nofollow" target="_blank">exposed some users' email addresses</a> in a privacy policy update email by including them in the 'to' line instead of the 'bcc' field.
</p>

<p>
	 
</p>

<p>
	Since its launch in 2017, Substack has gained popularity among independent journalists and content creators, reaching five million paid subscriptions by March 2025.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/newsletter-platform-substack-notifies-users-of-data-breach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 6 February 2026 at 4:46 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33581</guid><pubDate>Thu, 05 Feb 2026 18:47:55 +0000</pubDate></item><item><title>Coinbase confirms insider breach linked to leaked support tool screenshots</title><link>https://nsaneforums.com/news/security-privacy-news/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots-r33560/</link><description><![CDATA[<p>
	Coinbase has confirmed an insider breach after a contractor improperly accessed the data of approximately thirty customers, which BleepingComputer has learned is a new incident that occurred in December.
</p>

<p>
	 
</p>

<p>
	"Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users (approximately 30)," a Coinbase spokesperson told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"The individual no longer performs services for Coinbase. Impacted users were notified last year and were provided with identity theft protection services and other guidance. We have also disclosed this incident to the relevant regulators, as is standard practice."
</p>

<p>
	 
</p>

<p>
	BleepingComputer has learned that this is a newly revealed insider breach and is not related to the previously disclosed <a href="https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-bribed-taskus-support-agents-in-india/" rel="external nofollow" target="_blank">TaskUs insider breach</a> in January 2025.
</p>

<p>
	 
</p>

<p>
	This statement comes after threat actors known as "Scattered Lapsus Hunters" (SLH) briefly posted screenshots of an internal Coinbase support interface on Telegram and then deleted the posts soon after.
</p>

<p>
	 
</p>

<p>
	The screenshots showed a support panel that gave access to customer information, including email addresses, names, date of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions.
</p>

<p>
	 
</p>

<p>
	It is not uncommon for screenshots and stolen data to be passed around among different threat actors before being leaked or disclosed, so it is unclear whether this group was behind the insider breach or whether other threat actors carried it out. 
</p>

<p>
	 
</p>

<p>
	However, the same threat actors previously claimed to have <a href="https://www.bleepingcomputer.com/news/security/crowdstrike-catches-insider-feeding-information-to-hackers/" rel="external nofollow" target="_blank">bribed an insider at CrowdStrike</a> to share screenshots of internal applications.
</p>

<h2>
	BPOs under attack
</h2>

<p>
	Over the past few years, Business Process Outsourcing (BPO) companies have become increasingly targeted by threat actors seeking access to customer data, internal tools, or corporate networks.
</p>

<p>
	 
</p>

<p>
	A Business Process Outsourcing (BPO) company is a third-party firm that performs operational tasks for another organization. These tasks commonly include customer support, identity verification, IT help desk services, and account management.
</p>

<p>
	 
</p>

<p>
	Because BPO employees often have access to sensitive internal systems and customer information, they have become a high-value target for attackers.
</p>

<p>
	 
</p>

<p>
	In the past year, threat actors have exploited BPOs through bribing insiders with legitimate access, social engineering support staff to grant unauthorized access, and compromising BPO employee accounts to reach internal systems.
</p>

<p>
	 
</p>

<p>
	As we have seen with Coinbase this year, one way BPOs are targeted is by bribing their employees to steal or share customer information.
</p>

<p>
	 
</p>

<p>
	Coinbase <a href="https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/" rel="external nofollow" target="_blank">disclosed a similar data breach</a> last year, later linked to external customer support representatives employed by TaskUs, an outsourcing firm that provides services to the crypto exchange.
</p>

<p>
	 
</p>

<p>
	Another common tactic is social engineering attacks against outsourced IT and support desks, where threat actors impersonate employees and call BPO help lines to obtain access to internal corporate systems.
</p>

<p>
	 
</p>

<p>
	In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company's network. The incident later became the focus of a <a href="https://www.bleepingcomputer.com/news/security/hackers-fooled-cognizant-help-desk-says-clorox-in-380m-cyberattack-lawsuit/" rel="external nofollow" target="_blank">$380 million lawsuit</a> by Clorox against Cognizant.
</p>

<p>
	 
</p>

<p>
	Google also reported that threat actors <a href="https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/" rel="external nofollow" target="_blank">targeted U.S. insurance firms</a> in social engineering attacks on outsourced help desks to gain access to internal systems.
</p>

<p>
	 
</p>

<p>
	Retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.
</p>

<p>
	 
</p>

<p>
	Marks &amp; Spencer confirmed <a href="https://www.bleepingcomputer.com/news/security/mands-confirms-social-engineering-led-to-massive-ransomware-attack/" rel="external nofollow" target="_blank">attackers used social engineering to breach its networks</a>, while <a href="https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/" rel="external nofollow" target="_blank">Co-op disclosed data theft</a> following a ransomware attack that similarly abused support staff access.
</p>

<p>
	 
</p>

<p>
	In response to the attacks on M&amp;S and Co-op retail companies, the <a href="https://www.bleepingcomputer.com/news/security/uk-shares-security-tips-after-major-retail-cyberattacks/" rel="external nofollow" target="_blank">U.K. government issued guidance</a> on social engineering attacks against help desks and BPOs.
</p>

<p>
	 
</p>

<p>
	In some cases, hackers target the BPO employee accounts themselves to gain access to the customer data they manage.
</p>

<p>
	 
</p>

<p>
	In October, <a href="https://www.bleepingcomputer.com/news/security/hackers-claim-discord-breach-exposed-data-of-55-million-users/" rel="external nofollow" target="_blank">Discord disclosed a data breach</a> that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.
</p>

<p>
	 
</p>

<p>
	While the company did not confirm how its instance was breached, the threat actors told BleepingComputer that they used a compromised account belonging to a support agent employed by a business process outsourcing (BPO) provider. Using this account, they downloaded Discord's customer data.
</p>

<p>
	 
</p>

<p>
	This repeated abuse of outsourced support providers shows how threat actors are increasingly bypassing vulnerability exploits and instead targeting third-party companies with access to corporate networks and data.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 5 February 2026 at 4:29 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33560</guid><pubDate>Wed, 04 Feb 2026 18:30:32 +0000</pubDate></item><item><title>Android 16 February 2026 Security Update Ships With Almost Nothing Fixed</title><link>https://nsaneforums.com/news/security-privacy-news/android-16-february-2026-security-update-ships-with-almost-nothing-fixed-r33559/</link><description><![CDATA[<p>
	<a href="https://www.ghacks.net/category/companies/google/" rel="external nofollow">Google</a> has begun the rollout of the 16th February 2026 security update for Android 16, and the bulletin is quite interesting in terms of what it does <em>not</em> contain. Unlike <a href="https://www.ghacks.net/2026/01/13/google-releases-the-first-pixel-update-of-2026/" rel="external nofollow">most monthly updates</a>, this Android patch doesn’t come with a long list of vulnerability fixes; it includes only one confirmed fix.
</p>

<p>
	 
</p>

<p>
	The Android update is already available on supported Pixel phones via the standard over-the-air update mechanism. Other manufacturers who support Android 16 are expected to follow with their own versions once they’ve merged Google’s security patches.
</p>

<h2>
	One Fix Included in the February 2026 Android Security Bulletin
</h2>

<p>
	The February Android Security Bulletin contains only one vulnerability:
</p>

<p>
	 
</p>

<p>
	<strong>CVE-2026-010</strong> – An Elevation of Privilege (EoP) vulnerability in the VPU driver, classified as High severity.
</p>

<p>
	 
</p>

<p>
	No other vulnerabilities in the framework, system, kernel, or media components are mentioned. That’s a notable shift from January’s update, which addressed multiple issues across various parts of the OS.
</p>

<p>
	 
</p>

<p>
	Google hasn’t provided any extra technical details beyond the vulnerability’s type and the affected component. There’s also no evidence that the flaw was actively exploited before being patched.
</p>

<h2>
	What the Android 16 February 2026 Update Means for Pixel Owners
</h2>

<p>
	For Pixel users, the 16th February 2026 update is essentially a maintenance release. There are no new features, interface changes, or behavior adjustments tied to this patch. Installing it simply brings devices up to date with the latest security patch level and addresses the single known driver issue.
</p>

<p>
	 
</p>

<p>
	If you’re running Android 16 on a supported Pixel, it’s still worth installing the update once it’s available. Even small updates can include under-the-hood changes that aren’t fully documented. Staying current also ensures you don’t fall behind on security.
</p>

<p>
	 
</p>

<p>
	If you usually delay updates to avoid potential regressions, you’re unlikely to notice any difference with this release—it doesn’t include any functionality changes.
</p>

<h2>
	Looking Ahead to Android 16 QPR3
</h2>

<p>
	While February’s update is quiet, more significant changes are on the horizon with the next quarterly platform release. Google is expected to roll out <strong>Android 16 QPR3</strong> to Pixel devices in the coming months.
</p>

<p>
	 
</p>

<p>
	Recent beta versions have focused less on visible new features and more on performance and stability improvements. These updates usually include system-level tweaks that don’t appear in the UI but can improve responsiveness and day-to-day reliability.
</p>

<p>
	 
</p>

<p>
	At least one more beta release is anticipated before the final version of QPR3 lands. A full changelog hasn’t been released yet.
</p>

<h2>
	Should You Install the Android 16 Beta?
</h2>

<p>
	If you're eager to try out new features early, you can enroll a compatible Pixel device in the Android 16 beta program. The current Android 16 betas are fairly stable, but they’re not without risk.
</p>

<p>
	 
</p>

<p>
	Installing a beta on your main device is still not recommended. You might run into bugs, app compatibility issues, or battery drain. Plus, going back to a stable build requires a full wipe of your phone.
</p>

<p>
	 
</p>

<p>
	If you rely on a single device, it’s safer to wait for the official QPR3 release.
</p>

<p>
	 
</p>

<p>
	The February 2026 update doesn’t bring any changes to how your device works, and the next round of meaningful improvements will arrive with the upcoming <strong>QPR3 release.</strong> For now, this patch is about staying secure and up to date.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2026/02/04/android-16-february-2026-security-update-ships-with-almost-nothing-fixed/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 5 February 2026 at 4:28 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">33559</guid><pubDate>Wed, 04 Feb 2026 18:29:43 +0000</pubDate></item></channel></rss>
