The attackers intercepted and selectively redirected update requests from certain users to malicious servers, serving tampered update manifests by exploiting a security gap in the Notepad++ update verification controls.

A statement from the hosting provider for the update feature explains that the logs indicate that the attacker compromised the server with the Notepad++ update application.

External security experts helping with the investigation found that the attack started in June 2025. According the developer, the breach had a narrow targeting scope and redirected only specific users to the attacker’s infrastructure.

“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” reads Notepad++’s announcement.

"The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++. "

In December, Notepad++ released version 8.8.9 to address a security weakness in its WinGUp update tool after multiple researchers reported that the updater would receive malicious packages instead of legitimate ones.

Security researcher Kevin Beaumont had warned that he knew of at least three organizations affected by these update hijacks, which were followed by hands-on reconnaissance activity on the network.

Notepad++ is a free and open-source editor for text and source code and a popular tool on Windows, with tens of millions of users across the world.

The developer now explains that the attack occurred in June 2025, when a hosting provider for the software was compromised, enabling the attackers to perform targeted traffic redirections.

In early September, the attacker temporarily lost access when the server kernel and firmware were updated. However, the threat actor was able to regain its foothold by using previously obtained internal service credentials that had not been changed.

This continued until December 2, 2025, when the hosting provider finally detected the breach and terminated the attacker’s access.

Notepad++ has since migrated all clients to a new hosting provider with stronger security, rotated all credentials that could have been stolen by the attackers, fixed exploited vulnerabilities, and thoroughly analyzed logs to confirm that the malicious activity stopped.

Notepad++ users are recommended to take the following actions to strengthen their security:

• Change credentials for SSH, FTP/SFTP, and MySQL
• Review WordPress admin accounts, reset passwords, and remove unnecessary users
• Update WordPress core, plugins, and themes, and enable automatic updates if applicable

Starting from Notepad++ version 8.8.9, WinGup verifies installer certificates and signatures, and the update XML is cryptographically signed.

The developer also stated that they plan to enforce mandatory certificate signature verification in version 8.9.2, which is expected to be released in about a month.

BleepingComputer has contacted Don Ho, the primary developer of Notepad++ developer for indicators of compromise (IoCs) or other information that could help users determine if they were impacted.

Don Ho told us that sifting through the server logs the incident response team identified signs of intrusion but no IoCs. "Our IR team and I also requested IOCs directly from the former hosting provider, but we were not successful in obtaining any," the developer told us.

However, Rapid 7 researchers uncovered the campaign and attribute it to the Chinese APT group Lotus Blossom (a.k.a. Raspberry Typhoon, Bilbug, Spring Dragon) deploying "a previously undocumented custom backdoor" they named Chrysalis.

Based on the large number of capabilities, the researchers believe Chrysalis is a sophisticated tool with a permanent role on the victim system.

The researchers published a detailed technical analysis of the malware and note that they found no definitive artifacts to confirm exploitation of the updater-related mechanism.

"The only confirmed behavior is that execution of “notepad++.exe”  and subsequently “GUP.exe” preceded the execution of a suspicious process 'update.exe'," Rapid 7 says.

Update [February 2nd, 12:02 EST]: Article updated with comment from Notepad++ developer Don Ho, which arrived after publishing, and details from Rapid 7's investigation.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 3 February 2026 at 5:04 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of January) 461

RIP Matrix

Microsoft recently announced its plans to disable the legacy New Technology LAN Manager (NTLM) protocol by default in upcoming Windows releases. The software giant disclosed that the move is designed to address critical security vulnerabilities that would expose organizations to malicious attacks by bad actors, including "replay and man-in-the-middle attacks, due to its use of weak cryptography".

For context, the tech giant first introduced the protocol in 1993 with Windows NT 3.1 as the LAN Manager (LM) protocol's successor (via BleepingComputer). The protocol is designed to help authenticate a user's identity while simultaneously protecting the integrity and confidentiality of their activity.

As a result, Microsoft is now transitioning to stronger Kerberos-based alternatives. Kerberos will identify critical security vulnerabilities impacting organizations and support modern authentication standards.

Microsoft further indicated that NTLM is now classified as deprecated, which means that continued use of the security protocol could expose your organization to several risks, including no server authentication, weak cryptography, limited diagnostic data and auditing visibility (until recently), and vulnerability to replay, relay, and pass-the-hash attacks.

Microsoft plans to disable NTLM by default in future Windows releases in three phases. First, enhanced NTLM auditing tools will remain available for Windows Server 2025 and Windows 11 version 24H2, allowing organization admins to identify where the tool is still in use.

In a recent update on its public Microsoft 365 Roadmap, Microsoft has announced that IT admins will soon be able to leverage the Edge management service to find out which extensions are being installed in the browser by managed users. They will also be able to confirm or deny access requests to blocked extensions.

For those unaware, Edge management service is a Microsoft 365 offering that enables IT admins to configure the browser per their organization's requirements. These cloud-backed configurations can be applied through group policy. The ability to monitor and manage Edge extensions will be arriving in preview next month, followed by general availability in April 2026.

Additionally, in March 2026, Microsoft is also giving customers the ability to print calendar events physically through the new Outlook for Windows or the Teams calendar. Users will also have the option to print the attendee list. It's unclear how this helps customers outside of audit or legal scenarios, but there may be other use cases we are not aware of, obviously.

Next month will also see the arrival of two new features that will be loved particularly by IT admins. The first is the availability of dark mode for the SharePoint Admin Center, while the other relates to a visual revamp of the "Access Denied" experience of the Microsoft 365 platform. The Redmond tech giant seems quite proud of this change, touting "new illustrations, animations, and clearer messaging to help users quickly gain confidence and seamlessly continue their collaboration."

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 31 January 2026 at 6:21 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

That convenience has also sparked anxiety. Many users are asking the same question: Is Google’s AI reading my emails? The answer is more nuanced than a simple yes or no.

What Gemini Is - and Why It’s in Gmail

Gemini is Google’s flagship AI system, designed to understand and generate text, images, and code. It already powers features across Search, Docs, Maps, and smart home devices. In early 2026, Google began integrating Gemini more deeply into Gmail, turning it into a proactive assistant rather than a passive inbox.

Instead of just displaying emails in order, Gmail now highlights priorities, summarizes long threads, and extracts action items automatically.

What Gemini Can Do in Your Inbox

Once enabled, Gemini adds several AI-driven tools to Gmail:

• Email summaries that condense long threads into key points
• Smart reply assistance that helps draft responses in your writing style
• Automatic to-do lists pulled from email content
• Topic-based grouping that organizes related messages together

Basic AI features are included with free Gmail accounts, while more advanced querying and task automation are reserved for paid plans.

Is Google Actually Reading Your Emails?

Not in the human sense. Google states that no employees are manually reading Gmail messages as part of Gemini’s operation. However, the AI does require read access to your emails to function.

This isn’t entirely new - Gmail has long scanned messages to suggest calendar events or track packages. What’s different now is the depth of interpretation. Gemini doesn’t just detect keywords; it analyzes context to understand meaning, urgency, and intent.

That’s what makes some users uneasy.

Are Your Emails Used to Train Google’s AI?

Google says your personal Gmail content is not used to train its AI models by default. However, there’s an important caveat: if you actively connect your Gmail data to other Google services or use certain AI-powered search features, you may be granting permission for limited data use to improve those services.

In short, passive email scanning for inbox features isn’t the same as feeding your emails into AI training—but some optional actions can blur that line.

What About Ads - Is Gmail Targeting You Based on Emails?

No. Google ended email-based ad targeting in Gmail back in 2017. Ads you see today are driven by broader activity such as searches, YouTube usage, and account-level behavior - not the content of your messages.

Even though Gemini processes email text, Google says it does not use that information to personalize ads.

Are There Real Security Risks?

Like any system that processes large amounts of data, AI-assisted email introduces potential attack surfaces. Researchers have shown that, in some cases, malicious instructions hidden in emails could be interpreted by AI tools during tasks like summarization.

uses layered defenses and continuous patching to mitigate them. While no online service is perfectly secure, experts note that these risks are not unique to Gemini - they apply to most modern cloud-based platforms.

How to Turn Gemini Off in Gmail

If you’d rather keep your inbox AI-free, Google does allow you to opt out.

On desktop:

1. Open Gmail
2. Click the settings gear icon
3. Select “See all settings”
4. In the General tab, find Smart features
5. Turn them off and save changes

On mobile:

1. Open the Gmail app
2. Go to Settings ? Data privacy
3. Disable Smart features and Workspace smart features

If you use a work or school account, these options may be controlled by an administrator.

Where Else Gemini Appears

Even if you disable it in Gmail, Gemini still exists across Google’s ecosystem. It appears in Search summaries, Chrome, Google Docs, Maps, and as a standalone app on mobile and web. Gmail is just one part of a much larger AI rollout.

The Bottom Line

Gemini isn’t secretly spying on your inbox—but it is far more involved than Gmail has ever been before. For some users, that’s a productivity boost. For others, it feels like a step too close.

The key difference this time is choice. Google lets you decide whether the convenience of AI outweighs your comfort level with deeper data processing. And in an era of increasingly intelligent software, that control matters more than ever.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 30 January 2026 at 3:54 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

Basically, a security hole in WhatsApp allowed attackers to add their victims to groups in a specific manner and then send them media, which would be automatically downloaded to their MediaStore database. Provided that this malicious media attachment was sophisticated enough, it could trigger harmful operations within that database, and perhaps, even escape it. This attack vector is a bit scary, considering that procuring phone numbers of targets is a pretty trivial challenge in today's era, and that the attack could be successful with zero interaction from the target.

After this issue was privately reported to Meta by Google in September 2025 with a 90-day deadline (which is standard in Google Project Zero's policy), the company only delivered a partial fix in November, which led to Project Zero publicly exposing the bug and us reporting on it.

Although we reached out to both Google Project Zero and Meta teams for details, the former declined to comment further, while the latter did not respond at all. Well, the pressure may have worked anyway, because the bug has now been marked as fixed after the security researcher who initially reported this issue updated it with a note that Meta has "successfully landed a comprehensive fix and also found and fixed variants of this issue".

Details of the patch and similar "variants" of the bug are currently unknown, but it's good to see Meta finally resolving the issue, given its severity and potential for exploitation.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 30 January 2026 at 3:51 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

The attack was part of a campaign targeting multiple companies, most of them in the telecommunications sector, and was detected and mitigated by Cloudflare last year on December 19.

Aisuru is responsible for the previous DDoS record that reached 29.7 Tbps. Another attack that Microsoft attributed to the botnet peaked at 15.72 Tbps and originated from 500,000 IP addresses.

Due to its timing, Cloudflare named the latest Aisuru campaign “The Night Before Christmas” and characterized it as an “unprecedented bombardment” on telecommunications service providers and IT organizations.

“The campaign targeted Cloudflare customers as well as Cloudflare’s dashboard and infrastructure with hyper-volumetric HTTP DDoS attacks exceeding rates of 200 million requests per second (rps) alongside Layer 4 DDoS attacks peaking at 31.4 Terabits per second, making it the largest attack ever disclosed publicly,” Cloudflare says in a report today.

More than half of the attacks in the Aisuru DDoS campaign lasted between one and two minutes, with just 6% taking longer. Most of them (90%) peaked between 1-5 Tbps, and roughly 94% were in the range of 1-5 billion packets per second.

Despite the scale of these hyper-volumetric attacks, Cloudflare says they were detected and mitigated automatically and didn’t trigger any internal alerts.

Aisuru botnet's power comes from compromised IoT devices and routers. However, the attack sources in "The Night Before Christmas" campaing were Android TVs, Cloudflare says in the report.

In its 2025 Q4 DDoS Threat Report, Cloudflare provides a retrospective of events throughout the year, confirming that the period recorded a 121% increase in DDoS attacks compared to 2024, with 47.1 million incidents.

Cloudflare mitigated an average of 5,376 DDoS attacks per hour in 2025, with the 73% of those being network-layer attacks, and the rest being HTTP-based.

Q4 was up 31% quarter-over-quarter and 58% year-over-year, indicating that the trend of increasing numbers of DDoS attacks continues.

During this quarter, the most targeted industries were telecommunication service providers, IT and services firms, gambling and casinos, and gaming companies.

The largest source of the attacks was Bangladesh, followed by Ecuador and Indonesia. Cloudflare also noted Argentina jumping to the fourth place while Russia dropped five posts to number 10.

According to the report, DDoS attacks last year targeted mostly organizations in China, Hong Kong, Germany, Brazil, and the United States.

Cloudflare's report highlights a 600% increase in network-layer attacks exceeding 100 Mpps and a 65% QoQ increase in attacks larger than 1 Tbps. The internet firm also notes that more than 71.5% of all recorded HTTP DDoS attacks come from known/documented botnets.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 30 January 2026 at 3:50 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

Over the past few years, YouTube has seemingly turned into a magician with a few tricks up its sleeve designed to bolster its aggressive campaign against ad blockers.

Last year, multiple reports emerged claiming that Google was preventing playback on YouTube videos for users with ad-blockers installed on their devices. “Ad blockers violate YouTube’s terms of service,” added Google.

To make things worse, several users claimed that Google was intentionally slowing down YouTube videos for users with ad-blockers installed on their devices, with some indicating that they'd received a countdown video asking them to disable their ad-blockers or get blocked from watching YouTube videos.

And as it now seems, Google and YouTube's campaign against ad blockers isn't going to stop any time soon. As reported by TechSpot, multiple users have lodged complaints about a sudden increase in "This content isn't available, try again later" errors on YouTube.

Perhaps more concerningly, the outlet claims that there's more to the story than meets the eye. The errors seem to be the latest attempt by Google to deter users from using ad blockers when interacting with and watching YouTube videos.

The Redmond tech giant says that its organizational philosophy revolves around its Microsoft Privacy Principles, which indicate that users have control over their data, they can move, access, or delete it at any time, and Microsoft will leverage it to show you personalized ads only if you consent first. The firm notes that these principles are evident in its privacy-by-design practices, audits, and internal governance policies.

Microsoft says that its commitment to your privacy extends to giving you control over how your data is used, fighting for better privacy laws, and protecting your rights in case a government body requests access to your data. The last part is rather interesting, though, considering it was confirmed recently that Microsoft supplied BitLocker encryption keys to the FBI so they could access data on encyrpted laptops suspected of being involved in fraudulent schemes. This is the first publicly confirmed instance that the company has surrendered keys to federal investigators.

With the advent of AI technologies and Copilot creeping into pretty much everything that you use, Redmond has also emphasized that Microsoft 365 Copilot protects your privacy in the following ways too:

• Your prompts, responses, and data aren’t used to train foundation large language models (LLMs), including those used by Microsoft 365 Copilot.
• Your organizational data stays protected within your Microsoft 365 environment.
• Microsoft 365 Copilot is governed by the same identity controls, permissions, compliance standards, and data protections that already secure Microsoft 365.

You can read more about Microsoft's commitments to privacy here.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 29 January 2026 at 6:22 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

At the height of the COVID-19 pandemic, schools rapidly shifted to online platforms like Microsoft 365 Education and Google Workspace for Education to ensure students weren't held back from learning.

In June 2024, None of Your Business (noyb), a European Digital Rights non-profit organization based in Vienna, Austria, filed two complaints concerning Microsoft's 365 Education in schools with the Austrian DSB.

The digital privacy group claimed that Microsoft was illegally tracking students via its 365 Education platform, further claiming that the company had attempted to shift responsibility for access to local schools.

Recent rumors suggest the Galaxy S26 series will bring faster charging, more on-device AI capabilities, and Qualcomm’s latest Snapdragon 8 Elite Gen 5 processor. Ahead of the launch, Samsung has also teased a new marquee feature for the lineup: the Galaxy privacy layer, designed to protect users from "shoulder surfing" in public spaces.

Smartphones are personal devices, but people often use them in places with little privacy, including public transport, elevators, and queues. The Galaxy privacy layer aims to reduce this risk with pixel-level privacy. If someone tries to peek at your screen from the side, they’ll see a darkened view, while you can continue using the phone normally.

Unlike a physical privacy screen protector, Samsung's approach is also software-driven and can be turned on only when you need it. Samsung says the feature will be fully customizable. Users can enable it for specific apps or trigger it only when entering sensitive information (like passwords or access details). For example, if it’s enabled for WhatsApp, you can message more confidently in public without worrying about someone reading over your shoulder. You can also protect your notification pop-ups alone.

Samsung mentioned that it took over five years of engineering, testing, and refining to deliver this feature. It functions effectively as a result of expertly calibrated hardware and software capabilities.

Samsung also posted the following teasers for this upcoming privacy feature:

If the Galaxy privacy layer works as seamlessly as promised, it could become a defining standard for future flagship smartphones.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 29 January 2026 at 6:16 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

The security issue is a path traversal flaw that leverages Alternate Data Streams (ADS) to write malicious files to arbitrary locations. Attackers have exploited this in the past to plant malware in the Windows Startup folder, for persistence across reboots.

Researchers at cybersecurity company ESET discovered the vulnerability and reported in early August 2025 that the Russia-aligned group RomCom had been exploiting it in zero-day attacks.

In a report today, the Google Threat Intelligence Group (GTIG) says that exploitation started as early as July 18, 2025, and continues to this day from both state-backed espionage actors and lower-tier, financially motivated cybercriminals.

"The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive.

"While the user typically views a decoy document, such as a PDF, within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," Google researchers explain. 

When opened, WinRAR extracts the ADS payload using directory traversal, often dropping LNK, HTA, BAT, CMD, or script files that execute on user login.

Among the state-sponsored threat actors that Google researchers observed exploiting CVE-2025-8088 are:

• UNC4895 (RomCom/CIGAR) delivering NESTPACKER (Snipbot) via spearphishing to Ukrainian military units.
• APT44 (FROZENBARENTS) using malicious LNK files and Ukrainian-language decoys for follow-on downloads.
• TEMP.Armageddon (CARPATHIAN) dropping HTA downloaders into Startup folders (activity ongoing into 2026).
• Turla (SUMMIT) delivering the STOCKSTAY malware suite using Ukrainian army themes.
• China-linked actors using the exploit to deploy POISONIVY, dropped as a BAT file that downloads additional payloads.

Google also observed financially motivated actors exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser.

All these threat actors are believed to have sourced working exploits from specialized suppliers, such as one using the alias “zeroplayer,” who advertised a WinRAR exploit last July.

The same threat actor has also marketed multiple high-value exploits last year, including alleged zero-days for Microsoft Office sandbox escape, corporate VPN RCE, Windows local privilege escalation, and bypasses for security solutions (EDR, antivirus), selling them for prices between $80,000 and $300,000.

Google comments that this reflects the commoditization of exploit development, which is crucial in the cyberattacks lifecycle, reducing the friction and complexity for attackers and enabling them to target unpatched systems in a short time.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 28 January 2026 at 1:44 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

There are reports that a legitimate Microsoft email address—which Microsoft explicitly says customers should add to their allow list—is delivering scam spam.

The emails originate from no-reply-powerbi@microsoft.com, an address tied to Power BI. The Microsoft platform provides analytics and business intelligence from various sources that can be integrated into a single dashboard. Microsoft documentation says that the address is used to send subscription emails to mail-enabled security groups. To prevent spam filters from blocking the address, the company advises users to add it to allow lists.

From Microsoft, with malice

According to an Ars reader, the address on Tuesday sent her an email claiming (falsely) that a $399 charge had been made to her. It provided a phone number to call to dispute the transaction. A man who answered a call asking to cancel the sale directed me to download and install a remote access application, presumably so he could then take control of my Mac or Windows machine (Linux wasn’t allowed). The email, captured in the two screenshots below, looked like this:

 

Online searches returned a dozen or so accounts of other people reporting receiving the same email. Some of the spam was reported on Microsoft’s own website.

Sarah Sabotka, a threat researcher at security firm Proofpoint, said the scammers are abusing a Power Bi function that allows external email addresses to be added as subscribers for the Power Bi reports. The mention of the subscription is buried at the very bottom of the message, where it’s easy to miss. The researcher explained:

The abuse of a legitimate service, like Microsoft Power BI, adds an additional layer of credibility to the social engineering. The actual scam occurs during the voice interaction, which helps attackers evade traditional email-based detection and security controls. Further, attackers gain two advantages at once: the email is sent from a trusted Microsoft domain, and the lack of malicious links or attachments reduces the likelihood of automated filtering. While the emails originate from Microsoft infrastructure, the content and intent are fully controlled by the attacker via misuse of a legitimate feature.

Scammers have abused Microsoft Power Bi functionality in the past. Security firm Cofense reported in September that it found a spam campaign that transmitted phishing links that were hosted on the platform. Companies besides Microsoft that have experienced similar abuse include Google, according to Check Point. The security firm found a run of nearly 9,400 emails that were sent through the Google Cloud Application Integration platform.

A key detail that’s currently unknown is: Do users have to explicitly opt in to receiving emails from email addresses like no-reply-powerbi@microsoft.com, and can scammers send them to any external address automatically? A Microsoft representative said he’s looking into reports and didn’t have information immediately available. For more experienced Internet users, scams like this one are easy to spot. For others, scams that originate from a known sender with a clean reputation are more believable.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 28 January 2026 at 1:42 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

WhatsApp already provides end-to-end encryption by default for personal messages and calls, ensuring conversations remain private. In a post published by Meta, the company explained that it is continually adding new security measures, particularly for the small subset of users who may face advanced threats. The introduction of Strict Account Settings reinforces WhatsApp’s broader privacy posture, which the platform has previously defended in court, warning it would leave India rather than comply with orders that could compromise message encryption.

This is particularly relevant given recent security concerns: Google Project Zero recently highlighted a WhatsApp Android vulnerability involving malicious media files delivered through group chats, files that would download automatically without user interaction unless advanced chat privacy or media auto-download was disabled, underscoring how quickly attackers can exploit the app's most commonly used features. The vulnerability also highlighted how WhatsApp’s ubiquity makes it an attractive target for attackers, and why additional safeguards are increasingly necessary.

Strict Account Settings locks an account into the most restrictive privacy configurations. Once enabled, the feature automatically blocks attachments and media from unknown contacts, silences calls from unfamiliar numbers, and limits additional settings that could expose a user to risk. While this may reduce some of the app’s functionality, it is designed to provide maximum protection for those who need it.

The feature will be available in WhatsApp’s settings under Privacy > Advanced, and is expected to roll out globally in the coming weeks. Meta described it as part of a broader effort to shield users from the most sophisticated cyber threats.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 28 January 2026 at 7:04 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

Pornhub will soon begin restricting UK users from accessing its website in response to the country’s “failed” online safety regulations, according to an announcement on Tuesday. The site’s owner, Aylo, says it will block users who haven’t already verified their age on the platform starting February 2nd, 2026, as reported earlier by 404 Media.

As part of efforts to comply with the UK’s Online Safety Act, Pornhub began requiring users in the country to provide proof of their age by uploading a government ID, entering a credit card, through their mobile network, or using another method.

The UK’s Online Safety Act became law in 2023 with the goal of preventing kids from accessing “harmful” material online. But rules mandating “strong age checks” under the legislation came into force last year, impacting porn sites and other platforms like Bluesky, Xbox, Reddit, and Discord. Many users have already found ways around this, whether it involves using a virtual private network (VPN) or tricking age-estimating face scans.

Aylo claims the Online Safety Act makes the internet “more dangerous” for children, while harming the privacy of users in the UK. “We cannot continue to operate within a system that, in our view, fails to deliver on its promise of child safety, and has had the opposite impact,” Aylo’s announcement says. “We believe this framework in practice has diverted traffic to darker, unregulated corners of the internet, and has also jeopardized the privacy and personal data of UK citizens.”

People who have already gone through the age verification process on Pornhub will still be able to access the site by logging in, while everyone else will get shut out after February 2nd, according to the post. The block will also apply to the other adult websites owned by Aylo, including YouPorn and Redtube.

Pornhub has already gone dark in nearly two dozen states across the US, including Florida, Texas, Arizona, Georgia, Utah, and others, in response to local age verification laws.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 28 January 2026 at 7:00 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

A 96GB database containing more than 149 million logins and passwords was recently discovered by respected cybersecurity researcher Jeremiah Fowler. The findings, which ExpressVPN published in its research blog, lay out Fowler's findings in detail.

The data, which was openly accessible to anyone who knew where to find it, was full of usernames and passwords from people all over the world. Estimates place email credentials at the top of the list of leaks, with Gmail alone taking up 48 million entries. Outlook is on the list with 1.5 million leaks. Yahoo, iCloud, and .edu addresses make up more than 6 million leaks.

Fowler lists Facebook, Instagram, TikTok, OnlyFans, HBO Max, Disney+, Roblox, Binance, and X (aka Twitter) as other notable accounts discovered in the exposed database.

It gets worse. Financial accounts, including crypto wallets, banking, and credit card credentials, were also spotted in the limited sample that Fowler viewed. The presence of .gov domain credentials from "numerous countries" has Fowler concerned about national and public safety; this sort of info can be used as an entry into protected government networking.

That's a wide enough swath that practically anyone plugged into the internet could be exposed. Here's a quick estimation of Fowler's findings:

• Gmail — 48 million
• Yahoo — 4 million
• Outlook — 1.5 million
• .edu — 1.4 million
• iCloud — 900,000
• Facebook — 17 million
• Instagram — 6.5 million
• Netflix — 3.4 million
• Binance — 420,000
• OnlyFans — 100,000

SoundCloud was founded in 2007 as an artist-first platform that now provides access to over 400 million tracks from more than 40 million artists worldwide.

The company confirmed the breach on December 15, following widespread reports from users who were unable to access SoundCloud and saw 403 "Forbidden" errors when connecting via VPN.

SoundCloud told BleepingComputer at the time that it had activated its incident response procedures after detecting unauthorized activity involving an ancillary service dashboard.

"We understand that a purported threat actor group accessed certain limited data that we hold," SoundCloud said. "We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles."

While SoundCloud didn't provide further details regarding the incident, BleepingComputer learned that the breach affected 20% of all SoundCloud users, roughly 28 million accounts based on publicly reported user figures (SoundCloud later published a security notice confirming the information provided by BleepingComputer's sources).

After the breach, BleepingComputer also learned that the ShinyHunters extortion gang was responsible for the attack, with sources saying that the threat group was also attempting to extort SoundCloud. This was confirmed by SoundCloud in a January 15 update, which said the threat actors had "made demands and deployed email flooding tactics to harass users, employees, and partners."

Although SoundCloud has yet to share how many users' data was stolen, data breach notification service Have I Been Pwned revealed the extent of the breach on Monday, reporting that it affected 29.8 million accounts whose email addresses, geographic locations, names, usernames, and profile statistics were harvested in the incident.

"In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users," said data breach notification service Have I Been Pwned.

"The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user's country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month."

BleepingComputer reached out to SoundCloud again today with questions about the December incident, but a response was not immediately available.

Last week, ShinyHunters also claimed responsibility for a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, which could enable attackers to breach corporate SaaS platforms and steal data for extortion.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 28 January 2026 at 6:58 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

In a ticket in its public issue tracker, Brendon Tiszka of the Google Project Zero team has talked about how an attacker who creates a WhatsApp group can add their potential victim and a contact of the victim to it. Then, they can make the victim's contact an admin of the group, and send malicious media content that will get automatically downloaded on the victim's device without any interaction from their side. This media file will get downloaded to the MediaStore database, and if it has the capabilities to escape that environment, it will essentially be an exploit that is able to target victims in an interactionless manner.

While all of this sounds pretty scary, there are some caveats to keep in mind. The exploit requires knowing or guessing the phone numbers of the victim and their contact. While procuring this might not be very difficult in today's era, a sucessful exploit would also require the malicious media file to be sophisticated enough to perform harmful activities after reaching the database. Finally, if you enable Advanced chat privacy in WhatsApp or disable automatic downloading of media, any malicious file will not be downloaded automatically, making you safe by default.

Google Project Zero reported this vulnerability privately to Meta on September 1, 2025, giving the firm the standard 90 days to fix the issue before it was made public. Following Meta's failure to issue a fix by November 30, 2025, the vulnerability was made public. On December 4, Tiszka confirmed that while Meta had issued a partial server-side fix to plug this security hole, a complete fix is still in the works. The ticket has not been updated with new communications since then, which would indicate that this bug is still open.

Tiszka's ticket has only talked about WhatsApp Android being vulnerable in this way, so we can assume that other platforms should be safe. If you're on Android, turn on Advanced chat privacy in a group chat by navigating to it, pressing on the three-dots icon, tapping on Group info and toggling on Advanced chat privacy. However, you can still be vulnerable in scenarios where you've already been added to a group without your knowledge and the attack is in progress. So it's also better to disable automatic media download by navigating to Settings > Storage and data > Media auto-download. We have reached out to Google Project Zero and Meta for more details on this topic.

Keep in mind that an attachment-related vulnerability in WhatsApp was also acknowledged by Meta last year, so it's evident that this is an attractive attack surface for malicious actors.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 27 January 2026 at 1:36 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

The security feature bypass vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company's cloud-based subscription service).

However, as noted in today's advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible.

While the preview pane is not an attack vector, unauthenticated local attackers can still successfully exploit the vulnerability through low-complexity attacks that require user interaction.

"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. An attacker must send a user a malicious Office file and convince them to open it," Microsoft explained.

"This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls."

"Customers on Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect," it added.

Although Office 2016 and 2019 aren't immediately patched against attacks, Microsoft has provided confusing mitigation measures that could "reduce the severity of exploitation."

We have attempted to clear this up with our instructions below:

1. Close all Microsoft Office applications.
2. Create a backup of the Windows Registry, as incorrectly editing it can cause issues with the operating system.
3. Open the Windows Registry Editor (regedit.exe) by clicking on the Start menu and typing regedit, and then pressing Enter when it appears in the search results.
4. When open, use the address bar at the top to see if one of the following Registry keys exists:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)
   
   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\

   If one of the above keys does not exist, create a new "COM Compatibility" key under this Registry path by right-clicking on Common and selecting New -> Key.

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\

5. Now right-click on the existing or newly created COM Compatibility key and select New -> Key and name it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
6. When the new {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} is created, right-click on it, select New -> DWORD (32-bit) Value. Name the new value Compatibility Flags.
7. When the Compatibility Flags value is created, double-click on it, make sure the Base option is set to Hexadecimal, and enter 400 in the Value data field.

After performing these steps, the flaw will be mitigated when you next launch an Office application.

Microsoft has not shared who discovered the vulnerability or any details on how it is exploited, and a spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Earlier this month, as part of the January 2026 Patch Tuesday, Microsoft issued security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day bugs.

The other actively exploited zero-day patched this month is an information disclosure flaw in the Desktop Window Manager, tagged by Microsoft as "important severity," that can let attackers to read memory addresses associated with the remote ALPC port.

Last week, Microsoft also released multiple out-of-band Windows updates to fix shutdown and Cloud PC bugs triggered by the January Patch Tuesday updates, as well as another set of emergency updates to address an issue causing the classic Outlook email client to freeze or hang.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 27 January 2026 at 1:34 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

Identified threats range from deceptive monetization practices like search hijacking to high-risk activities, including remote code execution and session hijacking. To help keep end users safe, the researchers have reported these extensions to Google and are recommending their complete removal from the Web Store and user devices.

One of the bad extensions that was identified was called Good Tab, which is still available on the Chrome Web Store at the time of writing. The extension uses an insecure HTTP iframe to grant a remote domain full permission to read and write to the user’s clipboard without disclosure. This vulnerability allows attackers to steal sensitive data, such as passwords or swap cryptocurrency wallet addresses during transactions.

Another extension called Children Protection, which no longer seems to be available, functioned as a full command-and-control framework that used a domain generation algorithm to be resilient against server takedowns. The extension was able to harvest browser cookies for session hijacking and executing arbitrary JavaScript pushed from a remote server.

Another troublesome extension was DPS Websafe, which also appears to be gone. This extension engaged in brand impersonation by using Adblock Plus iconography to trick users while hijacking their search queries and tracking user activity. There is also an extension called Stock Informer that contains a critical cross-site scripting vulnerability that allows remote attackers execute code due to a lack of origin checks on messaging events. This extension is also still available.

Users of the mentioned extensions are strongly advised to remove them to mitigate privacy and financial risks. This discovery just reinforces the idea that you cannot trust extensions in the Chrome Web Store even if they look as though they’re verified. The best thing to do is to use no extensions at all, but if you must, only use those you absolutely trust.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 27 January 2026 at 4:30 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

The Redmond giant revealed that it receives around 20 requests for BitLocker keys annually. It is not new information that Microsoft complies with lawful government requests and hands over keys that are within its cloud infrastructure. However, this is the first publicly confirmed instance that the company has surrendered keys to federal investigators.

For those not familiar, BitLocker encryption is turned on by default on most modern Windows PCs and encrypts drives to keep data safe. However, Windows frequently tells users to backup their 48-digit recovery keys to a Microsoft cloud account. This choice allows Microsoft to retain technical access to the keys, making them accessible if law enforcement comes knocking.

In the Guam case the FBI used the keys it received from Microsoft to bypass encryption that federal forensic experts previously said were “impenetrable.” The court documents said that agencies like Homeland Security Investigations (HSI) lacked the tools to break BitLocker without the specific recovery keys.

Microsoft’s decision to hand over keys to law enforcement contrasts with its competitors like Apple and Meta which use zero-knowledge architectures where recovery keys are end-to-end encrypted or stored on the user’s device, meaning the company can’t comply with requests, even under subpoena.

Legal experts are now anticipating more law enforcement requests for BitLocker keys now that Microsoft’s compliance has been reported. Users that do not want to allow Microsoft to store their keys can audit their accounts at account.microsoft.com/devices/recoverykey. From there, you can see if keys are stored in the cloud. If you want more security, it is recommended to move to local-only key storage, such as a physical USB drive or a printed document, to regain full control over encrypted data.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 25 January 2026 at 4:17 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

I’ll confess, with no shame whatsoever, that I really love ads. Artsy ones, funny ones, weird ones, emotional ones — TV commercials were my childhood TikTok before any of us were using terms like “short-form video.” But like most creative things in my life, AI is sucking the joy out of it. And it’s only going to suck harder this year.

Ads are mini-movies, posters, illustrations, and photoshoots with an underlying purpose: to burn whatever product they’re flogging into your brain as quickly as possible. It requires a great deal of creativity, and in some cases, a substantial production budget. And while the creative in me loves to see the fruits of that labor, it also makes ads the ideal testing ground for generative AI technology, as brands race to make content creation faster and cheaper. Many image and video generator models saw huge visual improvements last year, prompting more advertisers to adopt them in campaigns.

According to a Marketing Week study, more than half of 1,000 polled brand marketers used some variant of AI in their creative campaigns in 2025. Another study by the Interactive Advertising Bureau (IAB) found that 90 percent of advertisers were using, or planning to use, generative AI for video ads in 2025, and projected that such tools would be used in 40 percent of all ads by 2026.

That’s why we’re increasingly seeing AI ads on TV, in magazines, and across social media. Some are upfront about using generative AI, such as Coca-Cola’s sloppy holiday ads, but many aren’t — leaving us to be suspicious of everything we see that appears slightly “off.” Sometimes, that can be humans who give off uncanny valley vibes, like the ads we’ve seen from McDonalds and DoorDash where the people look too polished and move in unnatural ways. Or perhaps CGI and visual effects that morph inconsistently in ways that would be weird for a VFX artist to do intentionally, like this ad for Original Source shower gel. Why does that man’s face keep changing? Why does it keep trying to turn him into a Memoji?

But while generation in commercials might seem obvious to some, clocking AI in the wild isn’t something most humans are good at yet. The Association for Computing Machinery (ACM) found that humans could only accurately identify AI-generated images, video, and audio 50 percent of the time, and that’s one of the higher success rates we’ve seen. Kantar, the market research company that helped to develop Coca-Cola’s AI holiday campaign in 2024, also found that most of its ad testers couldn’t tell it was AI-generated, despite the tell-tale visuals and clear on-screen AI disclosure.

“The people that matter most – Coca-Cola’s target audience – still enjoy it, feel good when they see it, and love the brand for it,” Kantar managing director Dom Boyd told Campaign. “Lots. In fact, Kantar’s [ad testing] shows that the vast majority of people didn’t notice the ad was AI-generated (we asked), and the execution is one of the highest-performing this year for short-term sales potential.”

Audience reactions to AI ads have been mixed, however. In a November 2025 Kantar study, consumers were discouraged by ads that featured obvious AI signals like “distracting or unnatural visuals,” but responded well to ads that used AI well enough to go largely undetected. The same study also found that people have stronger emotional reactions to AI-generated ads compared to those made without it — but the reactions in question were typically negative.

We see much of that negativity around obvious AI advertisements across forums and in the comments on social media platforms. There’s even an r/AiSlopAds subreddit community dedicated to publicly shaming examples of AI ads. There are several commonly mentioned reasons for this sentiment, including ethical and environmental concerns around generative AI, seeing its supposed cost-cutting and efficiency benefits as something that cheapens branding, and just thinking it looks unappealing.

Money (duh) is the obvious reason why more brands are increasingly ready to risk that negativity to explore generative AI. Sure, AI ads for prediction market platform Kalshi are scorned by Reddit users, but a particularly bonkers and confusing example that aired during a primetime 2025 NBA finals slot only cost $2,000 to make. It was created in just two days by one person using Google’s Veo 3 AI model. It’s not hard to see the appeal of that efficiency, and passionate hatred of an ad does indicate people found it memorable, even if it’s for the wrong reasons.

A memorable ad can become a company’s legacy. The famous “Just Do It” (1988) Nike slogan was created for the fitness company’s first major television campaign by Wieden and Kennedy, with relatable commercials that featured everyday people doing their workouts. UK readers may also recall the 1999 Guinness “Surfer” commercial (directed by Jonathan Glazer with the ABM BBDO ad agency), an internationally acclaimed masterpiece of advertising that took nine days to film in Hawaii, using pioneering visual effects to merge live-action, heavy-water surfing with CGI horses.

The production budgets for commercials aren’t frequently disclosed, but when made traditionally, they can cost a pretty penny. The media spend for Old Spice’s “The Man Your Man Could Smell Like” is estimated to be $10 million, which was smaller than many major ad campaigns that also aired in 2010. There’s also the iconic “1984” commercial directed by Ridley Scott to introduce the Apple Macintosh computer, which reportedly had a then-unprecedented production budget of $900,000, equivalent to $2.8 million in 2026.

These famous ads aren’t memorable for being crap. Coca-Cola says that its AI holiday commercials are successful, but they just replicated its iconic red truck campaign, something that already had decades of positive nostalgia through genuine human creativity and production efforts.

But while creating a successful campaign entirely through generative AI may be challenging now, it will become easier as tools and models continue to improve. The tech and media world is banking on it now that major brands like Nestlé, Mondelez, and Coca-Cola have already set a precedent. Google and Microsoft have produced ads using their own generative AI models, and Amazon is giving sellers tools to fill its site with AI ads. Meta is expected to roll out fully automated AI ads on its social platforms this year, and Nvidia is building tools that can serve up an infinite variety of custom personalized video ads.

Even the marketers behind beloved, iconic ads are on board. ABM BBDO has launched its own AI platform, and Wieden and Kennedy is openly using AI in its production pipelines. “I think AI is an incredibly powerful tool, but it’s still a tool,” Wieden and Kennedy CEO Neal Arthur said in a LinkedIn News interview. “I think it allows us to scale more efficiently, but I don’t spend any time worrying about whether AI is going to take over for us as humans.”

Generative AI usage is expected to be so pervasive in advertising this year that early trends are already anticipating a resistance movement, one that aims to build loyalty with consumers who are seeking to avoid synthetic content.

“2026 will be the year of ‘things AI can’t do,’ or more truthfully, things AI can’t do (very well yet),” Thom Glover, founder of creative agency American Haiku, said in AdAge’s creativity predictions report. “Expect messy, hand-drawn, roughly textured or erratically collaged design, ideas that take pleasure in playing with the boundaries of what an ad is, and the return to the simple pleasures of 16mm film, analog recording, and ‘leaving in the mistakes.’”

Some brands have already joined this resistance. Aerie’s promise not to use AI in its ads was the clothing brand’s most popular Instagram post last year, and Polaroid advertised its Flip instant camera with bus posters that poked fun at the technology, one reading “AI can’t generate sand between your toes.”

“We are such an analog brand that basically gave us the permission: We can own that conversation,” Polaroid’s creative director Patricia Varella told Business Insider. “That layer of imperfection that makes us human and beautifully imperfect — something we think is important to remind people.”

Some generative AI tools can now mimic analog and retro medium styles rather effectively, which will make distinguishing them from human-made content even harder.

Many tools are catered to delivering content that looks too polished, however, creating an echo chamber in which everything starts to look the same without human-creativity to differentiate it. It’s also easier to spot mistakes in images and videos that strive for such perfection. Every unnatural hallucination and unexplained visual error implies that the project didn’t include any human creative professionals to identify or correct them. And advertisers are finding that they care less and less about creativity in their campaigns, with a recent study from IAB showing that cost efficiency, time savings, and scalability are being prioritized going forward.

With that in mind, I’m begging brands and marketing agencies to remember that a good ad doesn’t need to be expensive or challenging to produce by hand. One of the best commercials of all time was achieved by filming a bunch of dude yelling “WASSUUUUUP” at each other while drinking a Budweiser. That’s something that can only be manifested by delightful human weirdness.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 25 January 2026 at 4:15 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

Microsoft has confirmed that it will provide BitLocker recovery keys to the Federal Bureau of Investigation if presented with a valid legal request. The confirmation follows reporting that Microsoft supplied encryption keys to law enforcement during a criminal investigation in 2025.

The situation is tied directly to how Windows 11 handles device encryption by default. When a user signs in with a Microsoft Account, the operating system automatically backs up the device’s BitLocker recovery key to Microsoft’s cloud unless the user explicitly chooses another option during setup.

Why Microsoft Can Access BitLocker Keys

BitLocker Keys Are Stored With Microsoft Accounts

BitLocker encrypts the data on a Windows PC to protect it if the device is lost or stolen. To prevent permanent data loss, Windows 11 ties the recovery key to the user’s Microsoft Account by default.

This design allows users to recover their data if they are locked out of their PC. It also means Microsoft can access the key stored in its cloud systems when required by law.

Microsoft told Forbes that it receives around 20 requests per year from the FBI for BitLocker recovery keys. In most cases, Microsoft cannot comply because the key was never uploaded. When the key is stored in the cloud, however, Microsoft can provide it.

Legal Requests And Privacy Implications

Microsoft says it only hands over recovery keys when presented with valid legal orders. A company spokesperson stated that while cloud key recovery offers convenience, it also involves trade-offs, and customers are ultimately responsible for deciding how their encryption keys are managed.

The approach differs from some other technology companies. Apple, for example, has publicly resisted law enforcement requests when it does not have technical access to encrypted data. In contrast, Microsoft’s design allows access because the recovery keys are not end-to-end encrypted in a way that prevents the company itself from seeing them.

How To Check And Manage Your BitLocker Recovery Keys

Users can check whether their BitLocker recovery keys are stored in Microsoft’s cloud by visiting their Microsoft Account device management page. From there, keys can be viewed or deleted.

It is also possible to configure Windows to store recovery keys locally or in other locations during setup, but this requires manual action and is not the default behavior when using a Microsoft Account.

What This Means For Windows 11 Users

Windows 11’s mandatory Microsoft Account setup on most consumer editions makes cloud key backup the standard configuration. For users concerned about data access by third parties, this setup may warrant closer inspection of encryption and account settings.

Microsoft has not indicated any plans to change how BitLocker recovery keys are stored by default. For now, users who want full control over their encryption keys must actively manage where those keys are saved.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 24 January 2026 at 6:22 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

As spotted by Forbes, Microsoft has updated its public Microsoft 365 Roadmap to delay the release of a feature that would have allowed an employer to find out your general location. Basically, Teams would be able to detect the identity of the Wi-Fi network that you are connected to, and then update your work location to reflect that. So, for example, if you were connected to your organization's "Building123_WiFi" network, your work location on Teams and Outlook would show up as "Building 123".

Of course, the flip side of this was that if you are late for work, do some work from home, or do anything on Teams and Outlook from any network that is not your organization's, your employer would know about this. This obviously did not sit well with workers who either work in hybrid setups or do not appreciate this type of invasion of privacy.

While Microsoft is seemingly trying to find a balance for this by disabling this location tracking feature, requiring IT admins to turn it on, and then have end-users opt-in, it doesn't really help. This entire process falls apart if your organization enforces the enablement of location tracking as a mandatory policy, giving its workforce no way to opt out.

Although location tracking in Teams was initially set for general availability on Windows and Mac in January, it was pushed back to February, and is now delayed once again to March. It's unclear why Microsoft keeps delaying it, but it might have to do with walking the fine line between giving employees more flexibility versus giving employers more control over their workforce's asset usage and availability. Of course, both approaches have their pros and cons, but we'll likely find out how organizations react once the capability does eventually land.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 24 January 2026 at 4:40 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

Every week, more than 230 million people ask ChatGPT for health and wellness advice, according to OpenAI. The company says that many see the chatbot as an “ally” to help navigate the maze of insurance, file paperwork, and become better self-advocates. In exchange, it hopes you will trust its chatbot with details about your diagnoses, medications, test results, and other private medical information. But while talking to a chatbot may be starting to feel a bit like the doctor’s office, it isn’t one. Tech companies aren’t bound by the same obligations as medical providers. Experts tell The Verge it would be wise to carefully consider whether you want to hand over your records.

Health and wellness is swiftly emerging as a key battleground for AI labs and a major test for how willing users are to welcome these systems into their lives. This month two of the industry’s biggest players made overt pushes into medicine. OpenAI released ChatGPT Health, a dedicated tab within ChatGPT designed for users to ask health-related questions in what it says is a more secure and personalized environment. Anthropic introduced Claude for Healthcare, a “HIPAA-ready” product it says can be used by hospitals, health providers, and consumers. (Notably absent is Google, whose Gemini chatbot is one of the world’s most competent and widely used AI tools, though the company did announce an update to its MedGemma medical AI model for developers.)

OpenAI actively encourages users to share sensitive information like medical records, lab results, and health and wellness data from apps like Apple Health, Peloton, Weight Watchers, and MyFitnessPal with ChatGPT Health in exchange for deeper insights. It explicitly states that users’ health data will be kept confidential and won’t be used to train AI models, and that steps have been taken to keep data secure and private. OpenAI says ChatGPT Health conversations will also be held in a separate part of the app, with users able to view or delete Health “memories” at any time.

OpenAI’s assurances that it will keep users’ sensitive data safe have been helped in no small way by the company launching an identical-sounding product with tighter security protocols at almost the same time as ChatGPT Health. The tool, called ChatGPT for Healthcare, is part of a broader range of products sold to support businesses, hospitals, and clinicians working with patients directly. OpenAI’s suggested uses include streamlining administrative work like drafting clinical letters and discharge summaries and helping physicians collate the latest medical evidence to improve patient care. Similar to other enterprise-grade products sold by the company, there are greater protections in place than offered to general consumers, especially free users, and OpenAI says the products are designed to comply with the privacy obligations required of the medical sector. Given the similar names and launch dates — ChatGPT for Healthcare was announced the day after ChatGPT Health — it is all too easy to confuse the two and presume the consumer-facing product has the same level of protection as the more clinically oriented one. Numerous people I spoke to when reporting this story did so.

Whichever security assurance we take, however, it is far from watertight. Users for tools like ChatGPT Health often have little safeguarding against breaches or unauthorized use beyond what’s in the terms of use and privacy policies, experts tell The Verge. As most states haven’t enacted comprehensive privacy laws — and there isn’t a comprehensive federal privacy law — data protection for AI tools like ChatGPT Health “largely depends on what companies promise in their privacy policies and terms of use,” says Sara Gerke, a law professor at the University of Illinois Urbana-Champaign.

Even if you trust a company’s vow to safeguard your data — OpenAI says it encrypts Health data by default — it might just change its mind. “While ChatGPT does state in their current terms of use that they will keep this data confidential and not use them to train their models, you are not protected by law, and it is allowed to change terms of use over time,” explains Hannah van Kolfschooten, a researcher in digital health law at the University of Basel in Switzerland. “You will have to trust that ChatGPT does not do so.” Carmel Shachar, an assistant clinical professor of law at Harvard Law School, concurs: “There’s very limited protection. Some of it is their word, but they could always go back and change their privacy practices.”

Assurances that a product is compliant with data protection laws governing the healthcare sector like the Health Insurance Portability and Accountability Act, or HIPAA, shouldn’t offer much comfort either, Shachar says. While great as a guide, there’s little at stake if a company that voluntarily complies fails to do so, she explains. Voluntarily complying isn’t the same as being bound. “The value of HIPAA is that if you mess up, there’s enforcement.”

It’s more than just privacy. There’s a reason why medicine is a heavily regulated field — errors can be dangerous, even lethal. There are no shortage of examples showing chatbots confidently spouting false or misleading health information, such as when a man developed a rare condition after he asked ChatGPT about removing salt from his diet and the chatbot suggested he replace salt with the sodium bromide, which was historically used as a sedative. Or when Google’s AI Overviews wrongly advised people with pancreatic cancer to avoid high-fat foods — the exact opposite of what they should be doing.

To address this, OpenAI explicitly states that their consumer-facing tool is designed to be used in close collaboration with physicians and is not intended for diagnosis and treatment. Tools designed for diagnosis and treatment are designated as medical devices and are subject to much stricter regulations, such as clinical trials to prove they work and safety monitoring once deployed. Although OpenAI is fully and openly aware that one of the major use cases of ChatGPT is supporting users’ health and well-being — recall the 230 million people asking for advice each week — the company’s assertion that it is not intended as a medical device carries a lot of weight with regulators, Gerke explains. “The manufacturer’s stated intended use is a key factor in the medical device classification,” she says, meaning companies that say tools aren’t for medical use will largely escape oversight even if products are being used for medical purposes. It underscores the regulatory challenges technology like chatbots are posing.

For now, at least, this disclaimer keeps ChatGPT Health out of the purview of regulators like the Food and Drug Administration, but van Kolfschooten says it’s perfectly reasonable to ask whether or not tools like this should really be classified as a medical device and regulated as such. It’s important to look at how it’s being used, as well as what the company is saying, she explains. When announcing the product, OpenAI suggested people could use ChatGPT Health to interpret lab results, track health behavior, or help them reason through treatment decisions. If a product is doing this, one could reasonably argue it might fall under the US definition of a medical device, she says, suggesting that Europe’s stronger regulatory framework may be the reason why it’s not available in the region yet.

Despite claiming ChatGPT is not to be used for diagnosis or treatment, OpenAI has gone through a great deal of effort to prove that ChatGPT is a pretty capable medic and encourage users to tap it for health queries. The company highlighted health as a major use case when launching GPT-5, and CEO Sam Altman even invited a cancer patient and her husband on stage to discuss how the tool helped her make sense of the diagnosis. The company says it assesses ChatGPT’s medical prowess against a benchmark it developed itself with more than 260 physicians across dozens of specialties, HealthBench, that “tests how well AI models perform in realistic health scenarios,” though critics note it is not very transparent. Other studies — often small, limited, or run by the company itself — hint at ChatGPT’s medical potential too, showing that in some cases it can pass medical licensing exams, communicate better with patients, and outperform doctors at diagnosing illness, as well as help doctors make fewer mistakes when used as a tool.

OpenAI’s efforts to present ChatGPT Health as an authoritative source of health information could also undermine any disclaimers it includes telling users not to utilize it for medical purposes, van Kolfschooten says. “When a system feels personalized and has this aura of authority, medical disclaimers will not necessarily challenge people’s trust in the system.”

Companies like OpenAI and Anthropic are hoping they have that trust as they jostle for prominence in what they see as the next big market for AI. The figures showing how many people are already using AI chatbots for health suggest they may be onto something, and given the stark health inequalities and difficulties many face in accessing even basic care, this could be a good thing. At least, it could be, if that trust is well-placed. We trust our private information with healthcare providers because the profession has earned that trust. It’s not yet clear whether an industry with a reputation for moving fast and breaking things has earned the same.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 24 January 2026 at 4:40 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix

The Pwn2Own Automotive hacking competition focuses on automotive technologies and took place this week in Tokyo, Japan, during the Automotive World auto conference.

Throughout the contest, the hackers targeted fully patched in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems (e.g., Automotive Grade Linux).

Before TrendMicro's Zero Day Initiative publicly discloses them, vendors have 90 days to develop and release security fixes for zero-days that were exploited and reported during the Pwn2Own contest.

Team Fuzzware.io won the Pwn2Own Automotive 2026 contest after taking home $215,000 in cash, followed by Team DDOS with $100,750 and Synactiv with $85,000.

In total, Fuzzware.io earned $118,00 after hacking an Alpitronic HYC50 Charging Station, an Autel charger, and a Kenwood DNR1007XR navigation receiver on the first day.

They were also awarded another $95,000 for demonstrating multiple zero-days in the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station on the second day, and an additional $2,500 after a bug collision while attempting to root an Alpine iLX-F511 multimedia receiver on the last day of the contest.

Synacktiv Team also collected $35,000 after chaining an out‑of‑bounds write flaw and an information leak to hack the Tesla Infotainment System via a USB-based attack on the first day of Pwn2Own.

The full schedule for the third day and the results for each challenge are available here, while the complete schedule for Pwn2Own Automotive 2026 is available here.

During the Pwn2Own Automotive 2024 contest, hackers collected another $1,323,750 after demoing 49 zero-day bugs and hacking a Tesla car twice. Last year, security researchers earned another $886,250 after exploiting 49 zero-days at Pwn2Own Automotive 2025.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 24 January 2026 at 4:35 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix