Hacking, Security & Privacy
Stay informed with the latest hacking, cybersecurity, and privacy news, including data breaches, leaks, cyber attacks, and tips to stay safe online.
Stay Updated
Follow TweakTown for breaking tech news, reviews, and daily updates.
As an Amazon Associate, we earn from qualifying purchases. TweakTown may also earn commissions from other affiliate partners at no extra cost to you.
Your Wi-Fi router could be helping Russian hackers, confirms US government in new warning
Federal agencies have issued a stark warning to the public about Russia's state-backed hackers actively attempting to compromise home and small-business routers.
According to the Cybersecurity and Infrastructure Security Agency (CISA), Russian cyber actors including groups tracked as Energetic Bear, Dragonfly, and Static Tundra are exploiting misconfigured or vulnerable networking devices to gain persistent access. These groups use compromised routers to mask their activities and launch further attacks once access has been gained. The advisory was co-issued with partners in Australia, Denmark, New Zealand, and the UK, as authorities have discovered these efforts are global and not just targeting the United States.
Russian and Chinese state actors have been attempting to infiltrate and compromise devices for many years now, and in some instances their efforts have paid off as critical infrastructure has been compromised and data has been extracted. While agencies like the FBI have temporarily disrupted botnets by resetting DNS settings, attackers simply rebuild their networks.
Samsung is holding your health data hostage to train its AI
Samsung is forcing users to consent to AI training in the Samsung Health app or face losing access to their health data.
The controversial new toggle, now appearing in the app, requires users to allow their health information to be used for AI modeling or risk having it deleted. The notice, titled "Consent to the Use of Health Data for AI Training and Modeling," appears upon opening the app. Disabling it prevents users from syncing health data to their Samsung accounts, and the data is removed unless required by law. How-To Geek reported the first sightings of the toggle, which has since spread to more users.
This move raises serious privacy concerns, especially since the data in question may include highly sensitive information, such as medical records, medications, and menstrual cycle data. The broader AI industry is increasingly reliant on personal data, but requiring users to give up privacy or lose core functionality is a troubling trend. Samsung's decision may signal a shift in how health data is treated in the AI era.
Continue reading: Samsung is holding your health data hostage to train its AI (full post)
First 'agentic ransomware' run entirely by a large language model discovered
Researchers have uncovered what they believe is the first documented case of a ransomware operation fully conducted by an AI agent powered by a large language model (LLM).
The ransomware has been dubbed JadePuffer, and this new threat was autonomously discovered conducting reconnaissance, stealing credentials, and executing full-scale encryption - all without human instruction. JadePuffer exploited a zero-day vulnerability in Langflow, an open-source tool commonly used to build apps that run workflows around large language models. The exploit allowed the agentic ransomware to gain access.
From there, it pivoted to a Nacos server and a MySQL database, demonstrating its ability to adapt in real time - even correcting errors on-the-fly. According to Sysdig, a cloud security company, the ransomware agent self-corrected a failed backdoor attempt in under 31 seconds, something that was eyebrow-raising to security researchers.
Security researchers trick AI browsers into revealing passwords using BioShock-inspired prompt injection
Security researchers at LayerX have discovered a new prompt injection technique that tricks AI browsers into revealing saved passwords and login credentials by leading them to believe they are playing a game.
The attack is called BioShocking, named after the 2007 video game BioShock. The game follows a brainwashed character who follows commands after hearing the phrase "Would you kindly?" That is pretty much what's going on here. Essentially, the AI agent believes whatever information it is given, and changing the information changes what it will do.
The attack starts on a malicious webpage designed as a puzzle called Rapture Games, themed after BioShock's underwater world. The puzzle rewards wrong answers, training the agent to accept that 2+2=5 and that incorrect actions are the winning move. Once the agent learns this, its safety protections stop working. The last step of the puzzle tells the agent to navigate to a GitHub repository and copy the login details stored there.
Hackers are using Steam's Wallpaper Engine to distribute malware that can steal your logins
If you use Wallpaper Engine, now's a good time to pay attention. Kaspersky researchers have discovered that hackers are hiding malware inside wallpaper packages on the Steam Workshop, using them to steal Steam accounts and install additional malicious software on victims' PCs. The bad actors are exploiting the popularity of Steam's Wallpaper Engine to funnel users to the Workshop, from which they distribute malware.
Here's why this works so well: unlike a regular JPEG or PNG, Wallpaper Engine's "application wallpapers" are actual Windows executables that run on your system like any other program. That makes them a pretty convenient hiding spot for bad actors. The Wallpaper Engine also houses wallpapers in other formats, but it is these "application wallpapers' that are the primary source of the attack.
Once you launch one of these infected wallpapers, it drops a backdoor onto your system, part of the DarkKomet malware family, and quietly installs a modified system library designed to hunt down your Steam credentials and hijack your active session. After taking over your Steam account, the attackers use it to upload additional infected wallpapers, perpetuating the cycle by compromising more PCs.
Microsoft sets a Patch Tuesday record with 206 fixes, and finally patches every zero-day Nightmare Eclipse disclosed
Microsoft has released its June 2026 Patch Tuesday update, and it is a record-breaker. The company patched 206 vulnerabilities this month, surpassing the previous record of 175 set in October 2025. Of the 206 vulnerabilities patched, 33 are rated Critical, with 28 of those being remote code execution flaws.
The full breakdown covers 65 Elevation of Privilege vulnerabilities, 55 Remote Code Execution vulnerabilities, 30 Information Disclosure vulnerabilities, 27 Spoofing vulnerabilities, 19 Security Feature Bypass vulnerabilities, and 7 Denial of Service vulnerabilities. Five are zero-day vulnerabilities, and one is already being actively exploited in the wild.
CVE-2026-41091 is an Elevation of Privilege flaw in Microsoft Defender that lets attackers gain system privileges. Microsoft has already pushed out a fix through the daily automatic Defender updates, with the patched Malware Protection Engine carrying version 1.1.26040.8 or later. To check your engine version, open Settings > Privacy and Security > Windows Security > About.
Microsoft threatened a security researcher with criminal charges, and the cybersecurity community isn't having it
A public dispute between Microsoft and security researcher Nightmare Eclipse has escalated into a full-scale backlash from the cybersecurity community, after Microsoft threatened criminal prosecution over a series of uncoordinated zero-day disclosures.
Between early April and mid-May 2026, Nightmare Eclipse published proof-of-concept exploit code for six Windows vulnerabilities without coordinating with Microsoft. Three of those, BlueHammer, RedSun, and UnDefend, were confirmed as being used in live attacks shortly after going public, prompting emergency patches and CISA adding them to its Known Exploited Vulnerabilities catalog. Three others, YellowKey, GreenPlasma, and MiniPlasma, remain unpatched.
Following these discoveries, Microsoft published a formal blog post describing uncoordinated disclosures as "never justifiable" and warning its Digital Crimes Unit could pursue criminal charges against those responsible. The company also had Nightmare Eclipse's GitHub account suspended around May 23, followed by their GitLab account between May 26 and 27.
Microsoft warns AI chatbots are luring users to cryptojacking malware disguised as trusted PC utility downloads
Microsoft has warned users about an active cryptojacking campaign that uses AI chatbots to serve malicious downloads disguised as trusted PC utilities. Microsoft Defender Experts and the Security Research Team said in a report published Tuesday that "this emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations."
The campaign impersonates legitimate system utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. The idea is to target applications favored by PC users with high-performance GPUs to gain access to systems with higher cryptocurrency mining potential, rather than infecting a large number of machines at random.
Downloads from this cryptojacking campaign have also been found to establish persistent remote access through ScreenConnect deployments. ScreenConnect, also known as ConnectWise Control, is a legitimate remote management tool widely used by IT administrators, but it can also be leveraged for data theft, lateral movement, or ransomware.
Trump Mobile website is reportedly leaking customer data including names, addresses and order numbers
Last week, Trump Mobile announced that its T1 phone was finally shaping up to be an actual product ready to ship after months of delays and controversy. Now, the Trump Mobile website is allegedly facing serious security issues that have reportedly led to the leakage of customers' private information and order numbers.
According to YouTubers Coffeezilla and Cr1TiKaL, the official Trump Mobile website has been leaking customer information, including full names, email addresses, mailing addresses, and order numbers. Customers' credit card information appears to be safe. Anyone who ordered the phone or opted for Trump Mobile's cellular service could be affected.
Coffeezilla received the information via an anonymous source who shared personal data to prove they had access. The anonymous individual claimed to have exploited a vulnerability in the Trump Mobile website, allowing access to the entire pre-order database and even the ability to place fake orders for the T1 phone. "Long story short, I found a vulnerability in the Trump T1 Mobile preorder website and gained the ability to both place fake orders, but also to scrape and search the entire preorder database," the person told Coffeezilla.
Security researcher finds zero-day exploit that defeats Windows 11 BitLocker, calls it an insane 'backdoor' discovery
A security researcher going by the alias Nightmare-Eclipse has uncovered a zero-day exploit they describe as one of the most insane discoveries ever, saying it "almost feels like a backdoor." Dubbed YellowKey, the exploit allows anyone with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted device within seconds.
BitLocker is Microsoft's full-volume encryption that protects storage disks and their contents from anyone without the decryption key. That key is stored in a Trusted Platform Module (TPM), and BitLocker is a mandatory protection for many organizations, including government contractors.
The researcher refers to it as a backdoor because the bug appears only in WinRE (Windows Recovery Environment) and not in Windows itself, which lacks the required functionality needed to trigger the bypass. Additionally, the bypass affects only Windows 11, Windows Server 2022, and Windows Server 2025 systems with the default BitLocker configuration, while Windows 10 machines are unaffected.
Google finds hackers using AI to discover and develop a zero-day exploit for the first time for mass attacks
With AI models achieving new milestones, it was inevitable that security experts' fears would come true. Google's Threat Intelligence Group has, for the first time, discovered a threat actor using a zero-day exploit likely developed with AI. A zero-day vulnerability is a software or hardware flaw that is unknown to developers, leaving them with zero days to patch it before attackers can exploit it.
The exploit targeted a popular open-source web-based system administration tool. Google called the threat actor a prominent cybercrime group that allegedly planned to use the flaw in a mass exploitation campaign. Had it gone undetected, the flaw would have allowed hackers to bypass two-factor authentication and access victim accounts with just a password.
Google investigators suspect, with "high confidence," that the exploit was developed with the help of an unidentified AI program, based on the Python code's structure and content. The report says the script has educational docstrings, a fake CVSS score, and a Pythonic format typical of LLM training data.
North Korean hackers weaponize gaming platform to spy on ethnic Koreans in China
North Korean hackers have compromised a gaming platform popular with ethnic Koreans in China, delivering a Trojanized backdoor that steals data and executes commands.
The threat, allegedly carried out by the state-sponsored group ScarCruft (APT37), has been active since late 2024 and targets users of the SQgame platform, which hosts traditional card and board games. The malware, dubbed BirdCall, exfiltrates everything from messages and media to ambient audio and clipboard data.
ESET researchers uncovered the BirdCall backdoor embedded in both Windows and Android versions of the platform. On Windows, it captures screenshots, logs keystrokes, and executes shell commands, while on Android, it steals contact lists, SMS, and call logs. All stolen data is uploaded to cloud services such as Dropbox. The malware has been updated seven times, indicating active development and maintenance.
How to Protect Personal Data Online From Hackers and Avoid Identity Theft
Updated drivers. Active antivirus. A router with a strong password. Everything is locked down tight. Most tech-savvy people stop there and assume the job is done. It is not. A hacker does not always need to breach your device to steal your personal information. Sometimes your data is already sitting in public view - harvested by a data broker long before any breach ever happens.
Clearnym fills the gap that cybersecurity software ignores. Their opt-out guides walk through exactly how to remove your personal information from people search sites and data broker databases. Beyond guides, Clearnym automates the entire removal process, submitting opt-out requests on your behalf and monitoring for re-listing so your personal data does not quietly reappear. It is the protection layer that no antivirus covers. Learn how to protect what lives outside your devices - because that exposure is just as real.
For a hacker to get into your financial accounts does not always need malware. They need your name, phone number, and the answers to your security questions. That information sits on people search sites right now. Thieves use it to pass verbal verification at your bank and gain access to your bank accounts without touching a single device.
HWMonitor and CPU-Z download links were infected with malware for 6 hours before devs caught it
Two of the most popular hardware monitoring utilities, HWMonitor 1.63 and CPU-Z, were recently found to be infected with malware. The official websites were hacked, and users trying to download the latest version were getting flagged by antivirus software. After roughly six hours of investigation, the developers identified the breach and removed the malware. Both of the monitoring utilities are now safe to download.
The issue first surfaced on Reddit, where users reported that the official download links had been replaced with malware-infected executable files instead of the legitimate installers. User u/DMkiller shared that while updating HWMonitor from version 1.42 to 1.63, the downloaded file was named "HWiNFO_Monitor_Setup.exe" rather than the expected "hwmonitor_1.62."
When he ran the file, Windows Defender flagged it as a virus, and a quick check on VirusTotal returned 32 security flags. Further analysis by u/Hattix under the same post revealed that the official download links on CPUID's website pointed to a Russian domain with the page header "Установка - HWiNFO Monitor, версия 1.63".
Apple confirms an iOS 18 patch for the DarkSword exploit, even for users who skipped upgrading to iOS 26
Last month, a malware toolkit called DarkSword had Apple users holding their iPhones a little tighter. The exploit could be used to break into older iPhones and iPads running iOS 18.4 through 18.7 simply by visiting a website hosting malicious code. Even legitimate websites that had been breached could be affected. The exploit could steal messages, browser histories, location data, and cryptocurrency, then upload everything to an attacker-controlled server. Bad news all around.
Apple responded by rolling out updates to address the two known exploits: Coruna, which affects devices running iOS 13 through iOS 17.2.1, and DarkSword, which targets iPhones running iOS 18.4 through 18.7.
There was a catch, though. Apple only patched iOS 18 for devices unable to run iOS 26. This left anyone who could upgrade but chose not to completely exposed. That is how Apple typically operates. If you are running an older version of iOS on a device that can be updated, Apple will withhold security patches until you make the jump to the latest version.
12 years after release, the Xbox One has finally been hacked
The Xbox One was a polarizing console. Many gamers preferred the PlayStation 4 over Microsoft's offering. Yet, the Xbox One's security stood out. For over a decade, numerous attempts to bypass its protections failed, giving it an "impenetrable" reputation until now.
At the recently held RE//verse 2026 conference, security researcher Markus Gaasedelen unveiled the "Bliss" double glitch. This security exploit bypasses the Xbox One's encryption by precisely adjusting the device's voltage (the electrical power supplied) at specific times. By doing so, it interrupts the typical security checks that the hardware performs to keep the device secure.
This is a monumental milestone: the first public, reproducible bypass of the Xbox One since its launch in November 2013. Although Markus successfully demonstrated the "Bliss" glitch, it is not as straightforward as jailbreaking a PS4 or JTAGging an Xbox 360.
Continue reading: 12 years after release, the Xbox One has finally been hacked (full post)
Authorities seize crypto wallet... then accidentally publish the password - $4.4m gone
South Korea's National Tax Service accidentally exposed the mnemonic recovery phrase of a seized cryptocurrency wallet, leading to $4.4 million in crypto assets being stolen.
The stolen funds were stored in a Ledger cold wallet that was seized by local law enforcement during an operation targeting tax evaders. Law enforcement celebrated the success of the raid by releasing photos of the Ledger device containing the stolen funds, but failed to realize that the image also showed a piece of paper with a handwritten note containing the wallet recovery phrase. That phrase enables a user to recover the device's assets onto another device, and since it was made public, it was only a matter of time before the funds were stolen.
That's exactly what happened. Shortly after the press release was published, 4 million Pre-Retogeum (PRTG) tokens were transferred out of the confiscated wallet to a new address. Blockchain data analysis expert Cho Jae-woo, a professor at Hansung University in Seoul, commented on the theft of the digital assets, and said the mistake of law enforcement is comparable to the police finding a full wallet on the side of the street and advertising it to the nation that it's open and the money is free to take if they want it.
US government seizes one of the internet's largest hacker forums
The Department of Justice (DOJ) has announced it has seized LeakBase, a leading hacker forum that is home to more than a hundred thousand members.
In a press release posted to the DOJ website, it states authorities seized LeakBase, a forum that was commonly used by cybercriminals to buy and sell stolen data, and tools used to commit cybercrimes. LeakBase had more than 142,000 members and more than 215,000 messages between the accounts. The DOJ goes on to describe the forum had an "enormous, continuously updated archive of hacked databases, including many from high-profile attacks, including hundreds of millions of account credentials."
Some of this data included information that was illegally obtained from "U.S. corporations and individuals, and offered credit and debit card numbers, banking account and routing information, usernames and associated passwords which could facilitate additional account takeovers, as well as other sensitive business and personally identifiable information."
Continue reading: US government seizes one of the internet's largest hacker forums (full post)
Notepad++ hack detailed - and what to do if you think you might be affected
The developer of Notepad++ has furnished us with more information about how the popular text editor was compromised by hackers for some six months.
Ars Technica picked up the blog post which supplies further details about the exploitation of some Notepad++ users, which was leveraged via an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org".
Meaning that the compromise was enacted at the web hosting provider level, and wasn't a direct hack of the Notepad++ software itself - targeted users were redirected to download compromised updates, essentially.
'Largest-ever' cloud DDoS attack recorded in Australia, 3.64 billion packets per second
On October 24, 2025, the largest DDoS attack "ever observed in the cloud" on a single endpoint of Microsoft's Azure services in Australia was recorded. Measuring 3.64 billion packets per second or 15.72 Tbps, enough data to stream millions of movies, the good news is that Microsoft's Azure DDOS Protection automatically detected and mitigated the attack before it caused any harm.
With DDoS attacks and recorded instances on the rise, this particular record-breaking attempt was carried out by the Aisuru botnet. Botnets and DDoS attacks are fundamentally straightforward: multiple IP addresses and devices target specific IP addresses and attempt to flood them, aiming to overwhelm them and take them offline.
According to Microsoft's Sean Whalen, this attack originated from over 500,000 source IPs across various regions, indicating it was a global attack targeting a single point in Australia. Aisuru is a Turbo Mirai-class IoT botnet behind many recent record-breaking DDoS attacks, exploiting devices such as home routers, cameras, and other smart devices, mainly located in residential homes.






















