It’s difficult being a password manager. This week, we reported that Dropbox is following Microsoft’s lead by dropping its password storage features. The latter will at least retain support for passkeys, but as of this weekend, any passwords you have in Microsoft Authenticator will be deleted and moved to Edge instead. Luckily, we have guides on what passkeys are and what to do with those passwords to keep them safe.
It’s been a busy week for the PCMag security team, and next week will be more of the same as the Black Hat and DEF CON security conferences ramp up. We’ll be on the ground at Black Hat, and we analysts have a lot we’re looking forward to. We’re particularly excited about the prospect that hacked EV chargers could burn your house down. More on that next week.
This week, however, we continued our coverage of the Tea hack, in which a dating safety app made for women to discuss things like, “Hey, does anyone know if this guy I’m about to meet is going to kill me,” got breached, leaking thousands of selfies used to verify users on the women-only site, conversations in the app, and more. Predictably, the hack was led by 4chan, which, despite some reports, is very much not dead.
4chan isn’t the only source of wrongdoing this week. We also reported that an early access game on Steam called Chemia has been updated to include “multiple malware families,” so keep an eye on that if you’re a fan of early access PC games. Hackers also hit insurance company Allianz, making off with data on the vast majority of its 1.4 million customers. On top of all of that, there’s a new phishing scam targeting Instagram users on the rise, and like many phishing scams, it’s easy to spot once you know what you’re looking for, but if you don’t, good luck.
That’s not to say it’s all doom and gloom, however. Sex toy company Lovense got around to patching a vulnerability that could leak your email address this week, and security company Proton launched an authenticator app to compete with Google and Microsoft, and it looks good so far. Look forward to a full review of it soon.
Security news never stops, so each week we collect the biggest cybersecurity stories so you can stay informed and safe.
Age Verification Laws Drive Record VPN Signups
Let’s focus on age verification for a moment. This week, the UK’s Online Safety Act took effect, leading to a combination of hilarious workarounds and rocketing signups for popular VPNs. Following the launch, UK users struggled to access the open web without being hampered by age checks or being forced to upload selfies and ID to third-party sites. The irony of the UK implementing age verification that’s modeled after what we’ve seen in the US, and a major breach of selfies and government IDs from the Tea app, which claimed to only use them for verification and then delete them afterward, is not lost on us.
It’s easy to say “what about the children” when talking about adult content, but censorship comes in many forms. Critics of age verification laws, both at home and abroad, correctly point out that who gets to determine what exactly constitutes “adult content” remains a question. Already, some users report being unable to access resources about reproductive health, LGBTQ+ awareness and health care, and even current events and news because they’ve been flagged as for adults only.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Journalist Discovers Google Vulnerability That Allowed People to Remove Pages From Search
404 Media reports on how a tech CEO who was arrested on felony domestic violence charges used a Google tool intended for journalists and SEO analysts as a method to suppress or outright remove negative stories about him from Google search. And he would have gotten away with it, too, if it hadn’t been for one of the pesky journalists who wrote about him in the first place, who discovered his stories had been delisted after searching for their exact headlines.
Google even confirmed that the issue was a vulnerability and that the tool in question, the Refresh Outdated Content Tool, is intended for publishers to flag that a story has been updated with new information so the search engine can display and rank it appropriately. The company didn’t say how many pages have disappeared this way, but they did acknowledge the issue, at least.
Nord Security, the company behind NordVPN, among other products, unveiled a tool for Android users this week that flags scam calls. ZDNet reports that the feature is baked into NordVPN and is only available for US-based subscribers at the moment, but according to a blog post from the company, more improvements are on the way, including a detailed caller ID for legitimate callers and the option to report spam and scam callers that the service didn’t catch.
Recommended by Our Editors
For Android users who are reading this and thinking, “My phone already does that,” that’s fair: Android’s default launcher will tell you whether a caller is likely a scam. The difference is that NordVPN’s implementation will tell you whether an incoming call is likely to be a scammer, some financial service that you may (or may not) want to answer, or a telemarketer using robocalling software to contact you.
Getting a Cybersecurity Vibe Check on Vibe Coding
Dark Reading took a deep dive into the security issues surrounding “vibe coding,” which involves essentially telling an AI chatbot what to code and letting it do the rest. It can be a powerful and easy way to build software, although it usually doesn’t involve touching the code directly or even knowing how to code. And then there are other issues, like how Replit’s AI coding agent deleted a user’s entire codebase despite being told explicitly not to do that.
So Dark Reading’s take on the topic, and forecast for how vibe coding with the help of AI agents is nevertheless on the rise, is welcome reading for any developer (or would-be developer) looking to leverage AI to build software in the future. They don’t stop at the issues with the agents themselves either; they review vulnerabilities in other AI vibe coding tools, as well as reports that examine the cybersecurity risks in trusting your codebase to an LLM.
Minnesota Activates National Guard After St. Paul Cyberattack
Bleeping Computer’s headline is giving, “what’s the National Guard going to do, shoot the ransomware,” but it’s for good reason. While the city says that emergency services are unaffected, the cyberattack on the city’s payment systems, libraries, and public works systems reduced response times for other critical city services. Similarly, the assistance the city requested from the Minnesota National Guard is from its cyber protection team, which will help investigate the source of—and help remediate damage from—the attack.
About Alan Henry
Managing Editor, Security
Read the latest from Alan Henry
- IPVanish VPN Review
- More from Alan Henry
