Cybersecurity threats aren’t just aimed at servers or customer databases. They also target a company’s most vital but…

Cybersecurity threats aren’t just aimed at servers or customer databases. They also target a company’s most vital but often overlooked asset: its documents. From contracts and HR files to invoices and internal communications, these documents contain sensitive data that, if compromised, can result in financial loss, legal exposure, and long-term reputational damage. Yet many businesses still rely on outdated, insecure methods of managing these records.

A secure document management system has rightly become an essential part of cybersecurity strategy around the world. It is no longer simply about comfort or going paperless. It’s about building a strong first line of security against threats that keep finding new ways to infiltrate critical infrastructure.

****What Today’s Cybersecurity Threats Look Like****

Cybercriminals have become more intelligent, resourceful, and patient. Phishing scams, ransomware attacks, insider threats, and data breaches have moved beyond targeting only large enterprises. In fact, small and medium-sized businesses are often seen as easier targets due to lax security controls.

One key vulnerability that hackers exploit is poorly managed documents. Files stored on unsecured drives, emailed back and forth between colleagues or shared through public links create multiple weak points in a company’s cybersecurity posture. Once access is gained, attackers can exfiltrate data, encrypt files for ransom, or use them as a gateway to access broader systems.

****What Secure Document Management Offers****

A robust DMS offers more than just storage and access. It incorporates multiple layers of protection that actively mitigate the risk of document-based attacks:

Access Control & Permissions: Granular user permissions ensure that only authorized personnel can view, edit, or share documents.

*   **Encryption:** Advanced encryption in transit and at rest makes stolen data unusable.

*   **Audit Trails:** Detailed logs track every action on a document, providing transparency and accountability.

*   **Two-Factor Authentication (2FA):** Adds an essential layer of identity verification.

*   **Cloud Backups:** Regular automated backups ensure data is never lost to ransomware.

*   **Role-Based Workflows:** Reduces the need to send documents over email, a common attack vector.

These features work together to create a secure environment that resists intrusion and minimizes the fallout of a breach. According to Folderit, a secure document management system, best practices for document management security require two-factor authentication (2FA), end-to-end encryption, complete audit trails, and compliance support for GDPR, HIPAA, and ISO 27001.

****Why First Line of Security?****

When a breach occurs, the faster an organization can detect, contain, and respond, the lower the impact. A secure DMS acts as a frontline deterrent. Even if attackers infiltrate other parts of the network, tightly secured documents often remain inaccessible or encrypted.

Moreover, an intelligent DMS is proactive. Automated alerts, permission controls, and centralized management limit the ability of an internal or external threat actor to misuse document-based data. It is an active, living part of the company’s broader cybersecurity framework.

****Real-World Impact: Compliance and Risk Mitigation****

In regulated industries such as healthcare, finance, or legal services, compliance with standards like GDPR, HIPAA, or ISO 27001 is mandatory. A secure DMS helps ensure adherence by enforcing retention policies, encryption protocols, and access logs. It can also streamline data subject access requests, mandatory breach notifications, and internal audits.

Even outside regulated sectors, demonstrating a strong document security posture can reduce insurance premiums, foster customer trust, and mitigate legal exposure in the event of a breach.

****The Ransomware Factor****

Ransomware is one of the most costly and disruptive threats today. A secure DMS minimizes its impact in several ways:

*   Limits Spread: Files are not freely accessible across shared drives.

*   Enables Quick Recovery: Cloud backups and versioning make recovery seamless.

*   Deters Attackers: Well-secured companies are less attractive to ransomware actors.

*   Best Practices for Document Security

To stay ahead, businesses must adopt security as a mindset. Fortunately, implementing a secure DMS is a foundational step in that direction. But it doesn’t end there. From regular access reviews to watermarking sensitive files, these practices can make the difference between a minor incident and a full-scale crisis.

****Common Mistakes to Avoid****

Despite the availability of secure solutions, many organizations continue to fall into risky habits. Relying on unsecured emails for sharing documents, using outdated software, failing to update permissions as staff roles change, or neglecting to revoke access after offboarding employees are all frequent mistakes.

Another common oversight is assuming that cloud storage alone is enough without layered security and oversight, cloud-based solutions can be just as vulnerable. Recognizing and correcting these gaps is as crucial as the tools used to prevent them.

****Lesson to Learn****

Cybersecurity threats will continue to grow in sophistication but secure document management isn’t optional. It’s the protection that stands between businesses and their next data breach.

Strong cybersecurity starts with getting the basics right, and secure document management is one of them. Using a secure DMS isn’t just about keeping things organized; it’s about protecting your business. Putting document security in place today helps ensure continuity, meet compliance needs, and maintain the trust of your clients and partners.

Why Secure Document Management Matters Against Cybersecurity Threats

The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.

Since Russian troops invaded Ukraine more than three years ago, Russian technology companies and executives have been widely sanctioned for supporting the Kremlin. That includes Vladimir Kiriyenko, the son of one of Vladimir Putin’s top aides and the CEO of VK Group, which runs VK, Russia’s Facebook equivalent that has increasingly shifted towards the regime’s repressive positioning.

Now cybersecurity researchers are warning that a widely used piece of open source code—which is linked to Kiriyenko’s company and managed by Russian developers—may pose a “persistent” national security risk to the United States. The open source software (OSS), called easyjson, has been widely used by the US Department of Defense and “extensively” across software used in the finance, technology, and healthcare sectors, say researchers at security company Hunted Labs, which is behind the claims. The fear is that Russia could alter easyjson to steal data or otherwise be abused.

“You have this really critical package that’s basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history,” says Hayden Smith, a cofounder at Hunted Labs.

For decades, open source software has underpinned large swathes of the technology industry and the systems people rely on day to day. Open source technology allows anyone to see and modify code, helping to make improvements, detect security vulnerabilities, and apply independent scrutiny that’s absent from the closed tech of corporate giants. However, the fracturing of geopolitical norms and the specter of stealthy supply chain attacks has led to an increase in questions about risk levels of "foreign" code.

Easyjson is a code serialization tool for the Go programming language and is often used across the wider cloud ecosystem, being present in other open source software, according to Hunted Labs. The package is hosted on GitHub by a MailRu account, which is owned by VK after the mail company rebranded itself in 2021. The VK Group itself is not sanctioned. Easyjson has been available on Github since 2016, with most of its updates coming before 2020. Kiriyenko became the CEO of VK Group in December 2021 and was sanctioned in February 2022.

Hunted Labs’ analysis shared with WIRED shows the most active developers on the project in recent years have listed themselves as being based in Moscow. Smith says that Hunted Labs has not identified vulnerabilities in the easyjson code.

However, the link to the sanctioned CEO’s company, plus Russia’s aggressive state-backed cyberattacks, may increase potential risks, Smith says. Research from Hunted Labs details how code serialization tools could be abused by malicious hackers. “A Russian-controlled software package could be used as a ‘sleeper cell’ to cause serious harm to critical US infrastructure or for espionage and weaponized influence campaigns,” it says.

“Nation states take on a strategic positioning,” says George Barnes, a former deputy director at the National Security Agency, who spent 36 years at the NSA and now acts as a senior advisor and investor in Hunted Labs. Barnes says that hackers within Russia’s intelligence agencies could see easyjson as a potential opportunity for abuse in the future.

“It is totally efficient code. There’s no known vulnerability about it, hence no other company has identified anything wrong with it,” Barnes says. “Yet the people who actually own it are under the guise of VK, which is tight with the Kremlin,” he says. “If I’m sitting there in the GRU or the FSB and I’m looking at the laundry list of opportunities… this is perfect. It’s just lying there,” Barnes says, referencing Russia’s foreign military and domestic security agencies.

VK Group did not respond to WIRED’s request for comment about easyjson. The US Department of Defense did not respond to a request for comment about the inclusion of easyjson in its software setup.

“NSA does not have a comment to make on this specific software,” a spokesperson for the National Security Agency says. “The NSA Cybersecurity Collaboration Center does welcome tips from the private sector—when a tip is received, NSA triages the tip against our own insights to fully understand the threat and, if corroborated, share any relevant mitigations with the community.” A spokesperson for the US Cybersecurity and Infrastructure Security Agency, which has faced upheaval under the second Trump administration, says: “We are going to refer you back to Hunted Labs.”

GitHub, a code repository owned by Microsoft, says that while it will investigate issues and take action where its policies are broken, it is not aware of malicious code in easyjson and VK is not sanctioned itself. Other tech companies’ treatment of VK varies. After Britain sanctioned the leaders of Russian banks who own stakes in VK in September 2022, for example, Apple removed its social media app from its App Store.

Dan Lorenc, the CEO of supply chain security firm Chainguard, says that with easyjson, the connections to Russia are in “plain sight” and that there is a “slightly higher” cybersecurity risk than those of other software libraries. He adds that the red flags around other open source technology may not be so obvious.

“In the overall open source space, you don’t necessarily even know where people are most of the time,” Lorenc says, pointing out that many developers do not disclose their identity or locations online, and even if they do, it is not always possible to verify the details are correct. “The code is what we have to trust and the code and the systems that are used to build that code. People are important, but we’re just not in a world where we can push the trust down to the individuals,” Lorenc says.

As Russia’s full-scale invasion of Ukraine has unfolded, there has been increased scrutiny on the use of open source systems and the impact of sanctions upon entities involved in the development. In October last year, a Linux kernel maintainer removed 11 Russian developers who were involved in the open souce project, broadly citing sanctions as the reason for the change. Then in January this year, the Linux Foundation issued guidance covering how international sanctions can impact open source, saying developers should be cautious of who they interact with and the nature of interactions.

The shift in perceived risk is coupled with the threat of supply chain attacks. Last year, corporate developers and the open source world were rocked as a mysterious attacker known as Jia Tan stealthily installed a backdoor in the widely used XZ Utils software, after spending two years diligently updating it without any signs of trouble. The backdoor was only discovered by chance.

“Years ago, OSS was developed by small groups of trusted developers who were known to one another,” says Nancy Mead, a fellow of the Carnegie Mellon University Software Engineering Institute. “In that time frame, no one expected a trusted developer of being a hacker, and the relatively slower pace provided time for review. These days, with automatic release, incorporation of updates, and the wide usage of OSS, the old assumptions are no longer valid.”

Scott Hissam, a senior member of technical staff also from the Carnegie Software Engineering Institute, says there can often be consideration about how many maintainers and the number of organizations that work on an open source project, but there is currently not a “mass movement” to consider other details about OSS projects. “However, it is coming, and there are several activities that collect details about OSS projects, which OSS consumers can use to get more insight into OSS projects and their activities,” Hissam says, pointing to two examples.

Hunted Lab’s Smith says he is currently looking into the provenance of other open source projects and the risks that could come with them, including scrutinizing countries known to have carried out cyberattacks against US entities. He says he is not encouraging people to avoid open source software at all, more that risk considerations have shifted over time. “We’re telling you to just make really good risk informed decisions when you're trying to use open source,” he says. “Open source software is basically good until it's not.”

Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major…

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major email security filters.

Australian airline Qantas is being targeted by criminals with fake emails claiming to be from the airline. Security experts at Cofense Intelligence, who discovered this attack, found that these convincing emails trick users into giving away their credit card information and personal information like phone numbers and addresses.

These fake Qantas emails mimic real marketing emails, using the same colours, and layout as real ones and “with appropriate branding and functional links.” One clever trick the criminals used was to include an “unsubscribe” link in the emails, just like real marketing emails do.

However, the links in the fake emails didn’t go to Qantas’s official website. Instead, they went to other websites. Experts believe the criminals might have used these fake unsubscribe links to see which email addresses were real and active.

Interestingly, according to Cofense’s report, the fake emails mentioned that Qantas was celebrating its 103rd anniversary. However, Qantas’s 103rd anniversary was actually in 2023, two years ago. This was one of the few mistakes in the otherwise very convincing emails.

Source: Cofense Intelligence

The emails tricked people into clicking on links to fake websites, often containing the phrase “auth/auhs1” followed by random words related to Qantas or coupons. These websites generally disappeared within a day and asked for personal information in a multi-step process, including name, phone number, email address, and home address. This collected contact information, along with the date of birth, could be used for targeted scams or password guessing.

These fake websites allegedly attempted to set up multi-factor authentication after a user entered their credit card information, but this failed. Experts believe that this extra step was added to deceive victims into believing there was a problem with their end rather than the website.

Researchers observed that cybercriminals behind this campaign seemed to be particularly targeting people in Australia. Even though some people in the United States also received these emails, the offers were in Australian dollars, and Qantas is based in Australia.

This suggests the attackers preferred Australian victims. Moreover, they highlighted that the campaign successfully bypassed multiple Secure Email Gateways (SEGs), including Microsoft APT, Proofpoint, and Mimecast, indicating a sophisticated approach by the attackers.

This campaign started around February 2025 but seemed to slow down in mid-March 2025. It shows how criminals are constantly trying new and sophisticated ways to trick people online, making it important for everyone to be very careful about the emails they receive and the websites they visit.

Phishing Emails Impersonating Qantas Target Credit Card Info

Plus: France blames Russia for a series of cyberattacks, the US is taking steps to crack down on a gray market allegedly used by scammers, and Microsoft pushes the password one step closer to death.

Researchers unveiled a cluster of vulnerabilities in Apple’s wireless media streaming platform AirPlay this week that leave millions of third-party devices like speakers and TVs vulnerable to takeover if an attacker is on the same Wi-Fi network as the victim gadget. These “AirBorne” vulnerabilities have all been patched—including some that potentially impacted Apple’s Mac computers—but, in practice, third-party devices may not all get fixes, and even if they do, patch adoption could be low.

Records reviewed by WIRED show that utilizing car subscription features can substantially raise your risk of being subjected to government surveillance, because such services generate troves of data that are valuable to law enforcement. WIRED also did a deep dive on North Korea’s yearslong campaign to place IT workers inside companies in North American, the United Kingdom, and Europe. The schemes are more effective than ever as scammers incorporate AI into their workflows.

WhatsApp designed a special cloud processing platform called Private Processing to allow new AI tools to work in the secure messenger without compromising its end-to-end encryption. Experts warn, though, that it could create enticing targets for hackers. And we have a guide for navigating the privacy risks of using ChatGPT’s new image generator to do seemingly fun and innocuous projects like making an action figure version of yourself.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Three British Retailers Hacked in Spate of Cyberattacks**

Three separate retailers in the UK—including the supermarket Co-op and thedepartment stores Marks & Spencer and Harrods—have all revealed they have recently been subject to cyberattacks, with the intrusions and widespread impact seemingly ongoing. Toward the end of April, Marks & Spencer revealed it had been the victim of a “cyber incident.” Over the following two weeks, it has been forced to pause online orders within its apps, some food has been missing from its shelves, and it has paused recruitment and other “normal processes.” Staff at Co-op have been told to keep webcams turned on during remote meetings and check who is attending calls, after shutting down parts of its IT systems in response to its own hack. Harrods, meanwhile, told customers to “not do anything differently at this point.”

At the time of writing, none of the retailers have detailed the specific nature of the cyberattacks or the full scale of the impacts. It is also unclear if the attacks are linked. Bloomberg has reported a ransomware cartel dubbed DragonForce has claimed it and its partners were behind the attacks. The so-called cartel provides “infrastructure and tools” to hackers but “doesn't require affiliates to deploy its ransomware,” according to research from security firm Secureworks. The hacked companies did not respond to Bloomberg about the claims.

Bleeping Computer originally reported that the threat actors known as Scattered Spider were allegedly behind the attack on Marks & Spencer. The publication reported that the company’s servers were encrypted by ransomware, with the intrusion beginning as early as February. The attribution to Scattered Spider has not been confirmed by Marks & Spencer.

Over the past two years, Scattered Spider has emerged as one of the most prolific and dangerous sets of hackers currently operating. The threat actors are not a well-defined group of hackers. Instead, they’re more a loose collective that uses social engineering—such as phishing and voice calls—to gain initial access into company networks. Scattered Spider members are often English-speaking, teenaged, and can be members of the heinous criminal group the Com. The hackers have been active since June 2022 and have targeted more than 100 companies—including the high-profile hacks on Caesar's Entertainment and MGM Resorts in 2023.

**France (Finally) Names Russian Hackers for the First Time**

French authorities have condemned Russia’s military intelligence agency, accusing it of orchestrating a series of high-profile cyberattacks—including the hacking of Emmanuel Macron’s 2017 presidential campaign, a brazen 2015 assault on the TV channel TV5 Monde, and recent intrusion attempts targeting organizations involved in preparing the 2024 Paris Olympic Games.

French authorities have also disclosed the name and location of a GRU unit tied to the notorious hacking group APT28—information that had never before been officially released. Unit 20728 is based in the southern Russian city of Rostov-on-Don and operates out of the "166th Information Research Center."

This marks the first time French officials have publicly assigned blame to a foreign intelligence service following an internal attribution process. The timing is significant, coming as Paris positions itself at the forefront of Europe’s support for Ukraine.

**US Moves to Crack Down on ‘Largest Illicit Marketplace’**

The Trump administration has taken the first step toward blacklisting a Cambodian financial conglomerate at the center of a global money laundering network. On Thursday, the Treasury Department designated Huione Group as a money-laundering operation, alleging that the company and its affiliates have laundered more than $4 billion for criminals, including North Korean hackers and online scammers.

These scammers—who defraud victims through bogus investments and other schemes—rely on Huione and its affiliates to move funds abroad to evade both law enforcement and anti-money-laundering systems. The proposed action represents the most significant effort yet to crack down on Huione, which is tied to what experts believe to be the “largest illicit marketplace”: Huione Guarantee. According to WIRED’s January report, the marketplace has likely facilitated over $24 billion in gray-market transactions. Experts believe the platform operates as a one-stop shop for scammers, offering everything from victim contact lists and deepfake tools to fake investment websites and other illicit services.

**New Microsoft Accounts Won’t Need Passwords Anymore**

Slowly but surely, the password is dying. Over the past two years, passkeys—a stronger method of authentication that doesn’t require you to remember or use a password—have become more common. The rollout of the technology has been piecemeal, but big tech companies have worked for years to create the alternative, which is more secure than passwords. This week, Microsoft announced that people setting up new accounts with the company won’t have to create passwords at all. “New Microsoft accounts will now be ‘passwordless by default,’” the company wrote in a blog post. Microsoft is also pushing people further away from passwords and will “detect” the best way for people to lo in to their accounts if they have set up alternatives to passwords.

Hacking Spree Hits UK Retail Giants

Passwords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the log in process

And we agree. If there is a cybersecurity themed day that we would like to get rid as soon as possible it’s world password day. Sorry, old friend, but you’re outdated, and it looks like your days are numbered. Let’s switch to passkeys.

To quote Microsoft:

> “As the world shifts from passwords to passkeys, we’re excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.”

In 2013, Intel introduced World Password Day to remind people of the importance of strong passwords. But over time, the number of passwords we use, and the necessary strengths have grown so much that the system has become practically unusable without a password manager. So, only a few years later, Microsoft introduced Windows Hello, a new way for users to securely sign in to their accounts with their face, fingerprint, or PIN.

For several good reasons we want to say goodbye to passwords, especially for the important sites and services. Passwords are:

*   Hard to create
*   Easy to forget
*   Often reused across sites
*   Vulnerable to hacking techniques like brute-force attacks and phishing.

**The alternative: passkeys**

Passkeys are an alternative, more modern authentication method designed to replace passwords with a safer, simpler alternative. Despite their clear advantages, many people hesitate to switch to passkeys due to unfamiliarity and misconceptions. This blog post will try to explain what passkeys are, how to use them, and why they are better than passwords, helping you embrace this next step in online security.

A passkey is a digital credential that replaces traditional passwords by using cryptographic keys stored locally, and securely, on your device, such as your phone or computer.

At your demand, a program on your device will create a passkey automatically when you set up an account or enable a passkey login. Basically, it’s a unique key that identifies you without ever leaving your device.

When you log in with a passkey, your device proves you are the legitimate user by using the passkey to solve a challenge without actually providing the passkey itself. As with passwords, it’s a way to prove you know the answer and with that who you are. But the difference is that, unlike passwords, passkeys can’t be stolen by fake or malicious websites.

OK. I heard some sighs in the back from the I-know-this-already crowd. There are plenty of technical explanations to be found. Feel free to try explaining cryptographic public and private keys to the people you do tech support for.

Because passkeys are tied to your device and cannot be shared or stolen like passwords, they offer a safer login experience.

**It’s not hard to use passkeys. Really!**

Using passkeys is straightforward and really not that hard:

*   **Create a passkey:** When you sign up or log into a website or app that supports passkeys, the system prompts you to create one. Your device automatically generates the cryptographic keys. This means there is truly no need to struggle with inventing a complicated 12-character password that meets confusing requirements for a site you might never use again. Your device does _all the work_.
*   **Log in:** Instead of typing a password, unlock your device using biometrics or a PIN. Your device then securely verifies your identity and tells the site or service it can trust you, without ever sending sensitive secrets over the internet.
*   **Sync across devices:** You can securely sync passkeys across your devices using encrypted cloud services or password managers. This lets you log in effortlessly from multiple devices and prevents the hassle of losing access if your device goes missing.

Having to create and memorize hundreds of complex, unique passwords is difficult and stressful. Passkeys remove this burden entirely. You don’t need to create anything or remember a lot. The authentication process is as simple as unlocking your device.

And it’s faster. Microsoft has seen that on average passkey sign-ins to their services take only 8 seconds, compared with 69 seconds to sign in using a traditional password and second factor. 

**Common misconceptions**

Many people shy away from using passkeys for the wrong reasons.

*   Your biometrics, like fingerprints or facial scans are not stored externally, the site you’re visiting never gets to see them. They are just meant for your device to verify it’s really you.
*   Using passkeys is not complicated as we explained above. Sure, the theory behind it is, but the user-experience may actually be simpler than password creation and management.
*   You are not losing the extra layer of 2FA security you set up for important sites and services. Passkeys inherently support two-factor authentication (2FA) without extra steps, since possession of your device plus biometric or PIN verification is required.

**There are downsides**

I have to be honest here. Some things are not ideal yet. But as we move forward and more people start using passkeys, these will improve soon enough.

As I hinted earlier, losing your device can pose a problem, since your key got lost along with it, unless you synchronize it. This is a problem that’s actively being worked on.

Many websites and services also don’t support passkeys yet. Developers and service providers are actively working to make passkey adoption smoother and more widespread, so you will see more websites and apps supporting passkeys soon.

Not every passkey system is equal. Due to the history of their development which is still ongoing, there are currently multiple flavors of passkey. These range from device-bound and physical token passkeys (that never leave the device) to synchronized passkeys that offer the option to use a device’s Credential Manager to back up and synchronize passkeys across the user’s other devices. This can confuse or frustrate users who just want the authentication to work, without having to worry about the nuances of the underlying technology. Industry groups (including the FIDO Alliance and W3C) are working on standards, guides, and tools to improve this situation for developers and users.

**Give it a try**

It doesn’t take a lot of effort to convince yourself of the benefits of passkeys.

Passkeys are created on, saved to, and synchronized across devices through a password manager. For example, passkeys created on a website on Chrome on Android are stored to the Google Password Manager by default, and then synchronized to different environments where Google Password Manager is available, such as Chrome on macOS, Windows, Linux, and ChromeOS. It’s up to the user which password manager to store a passkey to or to authenticate a passkey from depending on the environment.

To save a passkey to Google Password Manager, ensure you’re signed into your Google Account on an eligible device (Android, Chrome, or other supported platforms). When prompted by a website supporting passkeys, agree to create a passkey and follow the on-screen instructions.

MacOS allows you to save passkeys either in Google Password Manager or iCloud Keychain if you’re using macOS 13.5 or higher.

*   **Try passkeys today:** Look for websites and apps that offer passkey login options and give them a try. You’ll likely find the experience faster and easier than passwords.
*   **Educate yourself and others:** Share what you learn about passkeys with friends and family, especially those who find passwords confusing or frustrating.
*   **Advocate for passkey support:** Encourage your favorite sites and services to support passkeys to help make the internet safer for everyone.
*   **Use secure device authentication:** Enable biometrics or PINs on your devices to fully benefit from passkey security.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 On world password day, Microsoft says fewer passwords, more passkeys 

A employee at Elon Musk's artificial intelligence company xAI leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Musk's companies, including SpaceX, Tesla and Twitter/X, KrebsOnSecurity has learned.

An employee at Elon Musk’s artificial intelligence company **xAI** leaked a private key on **GitHub** that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Musk’s companies, including **SpaceX**, **Tesla** and **Twitter/X,** KrebsOnSecurity has learned.

Image: Shutterstock, @sdx15.

**Philippe Caturegli**, “chief hacking officer” at the security consultancy **Seralys**, was the first to publicize the leak of credentials for an x.ai application programming interface (API) exposed in the GitHub code repository of a technical staff member at xAI.

Caturegli’s post on LinkedIn caught the attention of researchers at **GitGuardian**, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian’s systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.

GitGuardian’s **Eric Fourrier** told KrebsOnSecurity the exposed API key had access to several unreleased models of **Grok**, the AI chatbot developed by xAI. In total, GitGuardian found the key had access to at least 60 fine-tuned and private LLMs.

“The credentials can be used to access the X.ai API with the identity of the user,” GitGuardian wrote in an email explaining their findings to xAI. “The associated account not only has access to public Grok models (grok-2-1212, etc) but also to what appears to be unreleased (grok-2.5V), development (research-grok-2p5v-1018), and private models (tweet-rejector, grok-spacex-2024-11-04).”

Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago — on March 2. But as of April 30, when GitGuardian directly alerted xAI’s security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at **HackerOne**, but just a few hours later the repository containing the API key was removed from GitHub.

“It looks like some of these internal LLMs were fine-tuned on SpaceX data, and some were fine-tuned with Tesla data,” Fourrier said. “I definitely don’t think a Grok model that’s fine-tuned on SpaceX data is intended to be exposed publicly.”

xAI did not respond to a request for comment. Nor did the 28-year-old xAI technical staff member whose key was exposed.

**Carole Winqwist**, chief marketing officer at GitGuardian, said giving potentially hostile users free access to private LLMs is a recipe for disaster.

“If you’re an attacker and you have direct access to the model and the back end interface for things like Grok, it’s definitely something you can use for further attacking,” she said. “An attacker could it use for prompt injection, to tweak the (LLM) model to serve their purposes, or try to implant code into the supply chain.”

The inadvertent exposure of internal LLMs for xAI comes as Musk’s so-called **Department of Government Efficiency** (DOGE) has been feeding sensitive government records into artificial intelligence tools. In February, **The Washington Post** reported DOGE officials were feeding data from across the Education Department into AI tools to probe the agency’s programs and spending.

The Post said DOGE plans to replicate this process across many departments and agencies, accessing the back-end software at different parts of the government and then using AI technology to extract and sift through information about spending on employees and programs.

“Feeding sensitive data into AI software puts it into the possession of a system’s operator, increasing the chances it will be leaked or swept up in cyberattacks,” Post reporters wrote.

Wired reported in March that DOGE has deployed a proprietary chatbot called GSAi to 1,500 federal workers at the **General Services Administration**, part of an effort to automate tasks previously done by humans as DOGE continues its purge of the federal workforce.

A **Reuters** report last month said Trump administration officials told some U.S. government employees that DOGE is using AI to surveil at least one federal agency’s communications for hostility to President Trump and his agenda. Reuters wrote that the DOGE team has heavily deployed Musk’s Grok AI chatbot as part of their work slashing the federal government, although Reuters said it could not establish exactly how Grok was being used.

Caturegli said while there is no indication that federal government or user data could be accessed through the exposed x.ai API key, these private models are likely trained on proprietary data and may unintentionally expose details related to internal development efforts at xAI, Twitter, or SpaceX.

“The fact that this key was publicly exposed for two months and granted access to internal models is concerning,” Caturegli said. “This kind of long-lived credential exposure highlights weak key management and insufficient internal monitoring, raising questions about safeguards around developer access and broader operational security.”

xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs

SEO: Cybercriminals are using the recent power outages in Spain and Portugal to launch phishing attacks disguised as…

SEO: Cybercriminals are using the recent power outages in Spain and Portugal to launch phishing attacks disguised as TAP Air Portugal, aiming to steal personal and financial data.

Cybersecurity researchers at Cofense Intelligence recently uncovered a deceptive email campaign containing fraudulent messages designed to mimic official communications from TAP Air Portugal, the national airline of Portugal.

This particular scheme exploited a significant news event: the widespread power outage that affected both Spain and Portugal on April 28, 2025. It is worth noting that these malicious emails were distributed while the disruption was still ongoing. This timing suggests the perpetrators’ deliberate attempt to take advantage of the confusion and travel disruptions caused by the outage.

The fake email looked like a legitimate email from TAP Air Portugal claiming that people could receive money back for late or cancelled flights because of European air travel rules. The email also claimed the money would be deposited into their bank account within two days.

The email’s title prompted people to fill out a form for refunds, requiring victims’ personally identifiable information (PII), including names, addresses, contact details, and sensitive financial data. When clicked, users were directed to a fake webpage that appeared to be a form for refunds. However, when they clicked on the Submit button, nothing happened, and their sensitive personal and financial details were transferred to the attackers.

The Fake Email (Source: Cofense)

Cofense Intelligence’s analysis reveals that this campaign was not limited to a single language as the threat actors targeted both Portuguese-speaking and Spanish-speaking individuals. This was evident in the use of two distinct email subject lines.

For Portuguese speakers, the subject line read “Atualização de compensação: atraso em seu voo recente,” translating to “Compensation update: delay in your recent flight.” Simultaneously, Spanish-speaking targets received emails with the subject line “Compensación por su vuelo: Complete su solicitud ahora,” meaning “Compensation for your flight: Complete your request now.”

This multilingual approach underscores the broad scope and careful planning of this phishing attack, researchers noted in their blog post shared exclusively with Hackread.com.

Fake Refund Eligibility Form (Source: Cofense)

This campaign highlights how quickly cybercriminals can exploit real-world events, like the power outage in Spain and Portugal, to conduct phishing attacks. By impersonating a trusted airline and promising compensation, they aim to deceive users into revealing sensitive personal and financial data. Everyone must remain alert and carefully examine any unexpected emails, especially those requesting personal information or financial details.

Scammers Use Spain-Portugal Blackout for TAP Air Refund Phishing Scam

These 3 cybersecurity threats may not be the most sophisticated, but they're the most effective—and serious—threats for small businesses.

In an online world filled with extraordinarily sophisticated cyberattacks—including organized assaults on software supply chains, state-directed exploitations of undiscovered vulnerabilities, and the novel and malicious use of artificial intelligence (AI)—small businesses are forced to prioritize a different type of cyberattack: The type that gets through.

Without robust IT budgets or fully staffed cybersecurity departments, small businesses often rely on their own small stable of workers (including sole proprietors with effectively zero employees) to stay safe online. That means that what worries these businesses most in cybersecurity is what is most likely to work against them.

Here are the three biggest cybersecurity threats to small businesses right now. They may sound basic or even crude, but they are the biggest threats precisely because they are so effective.

**1\. Phishing**

In phishing scams, cybercriminals trick people and businesses into handing over sensitive information like credit card numbers or login details for vital online accounts.

Cybercriminals do this by sending messages—like emails and texts—disguised as legitimate communications from major businesses (think Slack, Uber, FedEx, and Google). These messages frequently warn recipients about a problem with their accounts, like a password that needs to be updated, a policy change that requires a login, or a delayed package that has to be approved.

But when victims follow the links within these malicious messages, they are brought to a website that, while appearing genuine, is completely controlled by cybercriminals. Lured in by similar color schemes, company logos, and familiar layouts, victims “log in” to their account by entering their username and password. In reality, those usernames and passwords are delivered directly to cybercriminals on the other side of the website.

In phishing attacks, there never is a genuine problem with a user’s account, and there never is a real request for information from the company. Instead, the entire back-and-forth is a charade.

As devastating as this is, the more complex threat of phishing lies in its adaptability. Whereas early phishing scams arrived almost entirely through emails, modern phishing scams can reach victims through malicious websites, text messages, social media, and even mobile app downloads.

In 2024, Malwarebytes found more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Disguised as apps such as TikTok, Spotify, and WhatsApp, these Android apps can trick victims into handing over their associated usernames and passwords when asking them to login.

Understandably, some small business owners might discount the threat of losing their login credentials to consumer tools like Spotify and TikTok. But here, the threat of phishing is compounded by another enormous problem in cybersecurity, which is that too many individuals and businesses reuse passwords across multiple accounts. That means that email login credentials that were successfully stolen in a phishing scam could also provide access to a small business’s financial accounts, payroll services, and even tax info.

Further, if a hacker were to use their wrongful access to steal customer data, then a small business might also have to front the cost for sending out data breach notifications, per their state’s regulations.

**How to protect your business:**

*   Use unique, strong passwords for each online account and store and create these passwords using a password manager
*   Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
*   Do not click on links from unknown senders
*   If you’re asked for login information through an email or online message, do _not_ input your login info in the email or through whatever link you’re directed towards. Instead, navigate to the site directly.

Social media is not just a vital tool for promoting many small businesses, it can often be the entire business itself.

YouTube video creators, Twitch streamers, and lifestyle influencers on TikTok and Instagram are effectively small business owners. They make a product and they earn revenue just like many online businesses—through ads and sponsored partnership deals.

If any of these social media business owners lost their login credentials through a phishing scam or data breach, they could potentially lose access to their entire operation.

In 2023, famous YouTube tech personality Linus Sebastian suffered a hack of three different YouTube channels associated with his company, Linus Media Group. The hackers hijacked the channels to spread cryptocurrency scams, while deleting some of the group’s old videos in the process. The attack was largely reminiscent of a 2022 YouTube account hack that repurposed a 2018 interview with Apple CEO Tim Cook to fool viewers into following a separate cryptocurrency scam.

Both incidents reveal the real threat to small businesses everywhere.

Social media account hacks are not only a risk to content creators—they’re a risk to any business with a legitimate online audience. Once scammers have control of any business’s social media account, they can send fraudulent messages to people on the business’s behalf and promote online scams that could tarnish the business’s reputation for years to come. Hackers could even swipe sensitive information before access is restored.

While social media hacks are often the byproduct of successful phishing attacks, cybercriminals can also gain wrongful access to a social media account through separate data breaches.

Hackers frequently buy usernames and passwords on the dark web from prior data breaches. They then use those login credentials on a variety of online accounts that belong to the same owner—entering the username and password for, say, a breached LinkedIn account into the username and password fields for QuickBooks, Shopify, and Hubspot. When people and businesses reuse passwords across accounts, hackers find an easy way in.

**How to protect your business:**

*   Use unique, strong passwords for each account and store and create these passwords using a password manager
*   Enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords
*   Avoid phishing attacks by refusing to click on links from unknown senders
*   Do not download any attachments from unknown senders or from unexpected emails. These attachments could contain malware that steals passwords, data, and multifactor authentication codes.

**3\. Ransomware**

Ransomware is more than a cyberthreat—it is an existential one, threatening to lock down computer systems, remove vital data, and waste potentially hundreds of thousands of dollars in recovery.

But because most ransomware news coverage focuses on major, multibillion dollar corporations that get hit with disruptive attacks, many boutique businesses might assume that ransomware gangs would never bother with a small outfit like theirs.

In reality, ransomware gangs do not care about the size, budget, or resources of their victims, because ransomware itself has become increasingly easy to scale and deploy.

Modern gangs operate on a “Ransomware-as-a-Service” model, where ransomware developers lease out their malicious software to “affiliates” who, if successful in launching an attack, return a small portion of their ill-gotten gains back to the ransomware developers at the top. LockBit, which was once the most active ransomware gang in history, had at least 194 affiliates doing its dirty work.

While LockBit most frequently attacked large conglomerates and governments, another Ransomware-as-a-Service group called Phobos was more than happy to prey on smaller organizations.

In 2024, when the US Department of Justice charged a Russian national named Evgenii Ptitsyn for his alleged involvement into running Phobos, its indictment revealed that one of the ransomware gang’s affiliates allegedly extorted a Maryland-based healthcare provider out of just $2,300. Other victims cited in the indictment included a marketing and data analytics firm in Arizona, a Connecticut public school system, and an automotive company out of Ohio.

According to data analyzed by Malwarebytes’ business unit ThreatDown, these smaller victims were the bread and butter of Phobos. Unlike other ransomware gangs that demanded up to $1 million or more from each victim in 2023, Phobos operators demanded an average of $1,719 from victims, with a median demand of just $300.

**How to protect your business:**

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 The 3 biggest cybersecurity threats to small businesses 

Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X.
The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct persons on the two social media platforms, creating a

Claude AI Exploited to Operate 100+ Fake Political Personas in Global Influence Campaign

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week.

Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google’s security team this week. While most attacks do still target personal technology like smartphones and browsers, the focus is moving increasingly to enterprise tech.

Zero-day vulnerabilities are those that are exploited before vendors have a chance to patch them – and often before they even know about them. Attackers using these flaws to compromise systems are still primarily espionage groups, says the Google Threat Intelligence Group in its annual analysis of zero-day exploits.

Government-backed groups and customers of commercial surveillance vendors (that’s sanitized corporate-speak for spyware) were responsible for over half the attacks that the researchers were able to attribute. Spyware continues to be a much bigger factor in zero-day exploits today than it was before 2023.

The Chinese government exploited five zero-day flaws that Google knows of, while for the first time North Korea equaled that number. Spyware customers used eight zero-day exploits.

But state and private espionage-focused attackers aren’t the only ones using zero-days. Google also sees crime groups using them to come after your data. However, as it points out, some of these groups involved in cybercrime also maintain strong links to the Russian government.

While the number of zero-day exploits that Google identified dipped to 75 from last year’s 98, the trend is still moving slowly upward, the company says. In 2022, it found 63 zero-day exploits, and the year before that it was 95, but 2019 and 2020 both showed just 31 zero-day exploits each.

Vendors are also doing better at protecting at least some of their products, found the research. Google said attackers are having less success targeting browsers and mobile operating systems. Attackers traditionally use these technologies to get at consumer users.

Perhaps that increased protection is one reason behind another key fact: The proportion of zero-day exploits targeting end-user technologies was lower this year at 56% than those targeting enterprise tech. That’s a consistently falling number; 90.32% of zero-day exploits targeted end-user tech in 2019, followed by 70.97%, 74.74%, 63.49%, and 63.27% respectively through 2023.

In particular, exploitation of browsers and mobile devices was far lower this year than last. Browsers saw a third fewer zero-day exploits than last year, with most targeting Chrome due to its popularity, while mobile device zero-day attacks halved.

This doesn’t mean attackers won’t continue trying their best to infiltrate end-user products. “Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation,” Google said.

When spyware attackers do target mobile devices, they will chain together multiple vulnerabilities in complex attacks on mobile devices to get around mobile vendors’ security practices.

As Google points out, it’s difficult to separate attacks against enterprise and end-user technology because enterprises often use these technologies too. Nevertheless, it has seen a 9% rise in zero-day attacks using purely enterprise tech, namely security and network products. They comprised 60% of all zero-day attacks on enterprise technologies, the company said.

What does all this mean for you? Just keep on doing what you already should be, applying basic cyber hygiene when using your devices. Admittedly, keeping your system up to date won’t help against a zero-day, but patching quickly could stop attacks reaching you if vendors see them and issue updates in time. In addition, some technologies use heuristics to try and stop software they haven’t seen before which look suspicious. And of course, avoiding opening links and files that you’re not sure about can stop zero-day exploits hitting your device in the first place.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#intel