Hello everybody,
Some activist friends and I have been discussing a problematic gap in the current landscape of secure messaging tools: the lack of user-friendly communication systems that remain secure even in the presence of spyware. Standard E2E encrypted messengers such as Signal or Element become ineffective once the communication device itself is compromised. If spyware is able to read the screen, capture keystrokes, or access memory, E2E-encryption no longer protects the message content.
For this reason, we "developed" a concept we call Offline Decryption Messaging. The core idea is that each communication participant uses two distinct devices:
All sensitive operations, like writing, decrypting, and displaying clear messages, take place exclusively on the offline device. The online device is used only to transmit encrypted data via standard messaging services.
In practice, the user writes the clear message on the offline device, where it is encrypted and immediately deleted. The resulting ciphertext is then transferred to the online device (for example via a QR code) and sent over an existing messenger. The online device never has access to either the clear message or the cryptographic keys. On the receiving side, the process is reversed: the encrypted message is transferred to the recipient's offline device and decrypted there.
Under this model, even if all participating online devices are fully compromised by spyware, no sensitive information can be exfiltrated. While spyware on the online device may observe or manipulate transmitted ciphertext, it never encounters the decrypted message. At the same time, spyware on the offline device has no communication channel through which it could leak information to an attacker.
The goal of our project, currently called HelioSphere, is to explore whether this security model can be implemented in a way that is not only robust against modern spyware, but also practical enough for real-world activist use.
We would love feedback from this community, especially regarding:
The concept is further introduced in the document accessible via the link above. The link also contains information about our first functional prototype.
Thanks for reading! We're looking forward to your thoughts.
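The two-device flow described in the post above, as an added example that is not part of the original post or of the HelioSphere prototype. It assumes a 32-byte key already shared between the two offline devices (the post does not describe key exchange), stands in for a real AEAD with an encrypt-then-MAC construction over HMAC-SHA256 so that it runs with only the Python standard library, and simulates the QR transfer by handing a base64 string across. What it shows is the trust boundary: the online device only ever holds ciphertext, and any alteration made by spyware on it is rejected by the recipient's offline device.

```python
"""Offline Decryption Messaging, simulated end to end (added example).

Assumptions: a pre-shared 32-byte key, and an illustrative encrypt-then-MAC
stream construction from HMAC-SHA256. A real deployment would use a vetted AEAD
such as libsodium's XChaCha20-Poly1305 plus real key agreement; the trust
boundary, not the cipher, is the point.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys derived from the shared key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode; the nonce is fresh per message.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


class OfflineDevice:
    """Holds the key. Only ever emits or accepts ciphertext (the 'QR payload')."""

    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, shared_key: bytes) -> None:
        self._enc = _subkey(shared_key, b"heliosphere-enc")
        self._mac = _subkey(shared_key, b"heliosphere-mac")

    def compose(self, message: str) -> str:
        nonce = secrets.token_bytes(self.NONCE_LEN)
        plain = message.encode("utf-8")
        body = bytes(p ^ k for p, k in zip(plain, _keystream(self._enc, nonce, len(plain))))
        tag = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        # Nothing but this string leaves the device; the plaintext goes out of scope here.
        return base64.b64encode(nonce + body + tag).decode("ascii")

    def read(self, qr_payload: str) -> Optional[str]:
        """Returns the message, or None if the payload was altered or malformed."""
        try:
            blob = base64.b64decode(qr_payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return None
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce, body, tag = blob[: self.NONCE_LEN], blob[self.NONCE_LEN : -self.TAG_LEN], blob[-self.TAG_LEN :]
        expected = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            return None
        return bytes(c ^ k for c, k in zip(body, _keystream(self._enc, nonce, len(body)))).decode("utf-8")


class OnlineDevice:
    """Untrusted relay: no key, no plaintext. `spyware`, if set, models whatever a
    compromised online device does to the payload before forwarding it."""

    def __init__(self, spyware: Optional[Callable[[str], str]] = None) -> None:
        self.observed: list = []  # everything spyware on this device could log
        self._spyware = spyware

    def relay(self, qr_payload: str) -> str:
        self.observed.append(qr_payload)
        return self._spyware(qr_payload) if self._spyware else qr_payload


def flip_one_bit(qr_payload: str) -> str:
    # Simulated spyware that tampers with the first ciphertext byte in transit.
    blob = bytearray(base64.b64decode(qr_payload))
    blob[OfflineDevice.NONCE_LEN] ^= 0x01
    return base64.b64encode(bytes(blob)).decode("ascii")


def run_exchange(message: str, spyware: Optional[Callable[[str], str]] = None) -> dict:
    key = secrets.token_bytes(32)  # assumed to have been shared out of band
    sender, recipient = OfflineDevice(key), OfflineDevice(key)
    relay = OnlineDevice(spyware)
    payload = sender.compose(message)  # offline device -> QR -> online device
    delivered = relay.relay(payload)  # online device -> messenger -> online device
    return {
        "recipient_read": recipient.read(delivered),  # online device -> QR -> offline device
        "relay_saw_plaintext": any(message in seen for seen in relay.observed),
    }


if __name__ == "__main__":
    print(run_exchange("meet at the north gate, 21:00"))
    print(run_exchange("meet at the north gate, 21:00", spyware=flip_one_bit))
```

Three design points carry over to any real implementation: the tag is checked before anything is decrypted, every message gets a fresh nonce, and the encryption and MAC keys are distinct. The simulation says nothing about spyware on the offline device itself; that part of the model rests on the device having no channel, which code cannot demonstrate.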
I've been experimenting with LangGraph's ReAct agents for offensive security automation and wanted to share some interesting results. I built an autonomous exploitation framework that uses a tiny open-source model (Qwen3:1.7b) to chain together reconnaissance, vulnerability analysis, and exploit execution, entirely locally without any paid APIs.
A Microsoft zero-day vulnerability that allows an unprivileged user to crash the Windows Remote Access Connection Manager (RasMan) service now has a free, unofficial patch - with no word as to when Redmond plans to release an official one - along with a working exploit circulating online.…
The sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day. It's not just the volume of data, but also the extent to which it replicates across criminal actors seeking to abuse it for their own gain, and to our detriment.
We were reminded of this recently when the FBI reached out and asked if they could send us 630 million more passwords. For the last four years, they've been sending over passwords found during the course of their investigations in the hope that we can help organisations block them from future use. Back then, we were supporting 1.26 billion searches of the service each month. Now, it's... more:
Just as it's hard to wrap your head around the scale of cybercrime, I find it hard to grasp that number fully. On average, that service is hit nearly 7 thousand times per second, and at peak, it's many times more than that. Every one of those requests is a chance to stop an account takeover. But the real scale goes well beyond the API itself. Because the data model is open source and freely available, many organisations use the Pwned Passwords Downloader to take the entire corpus offline and query it directly within their own applications. That tool alone calls the API around a million times during download, but the resulting data is then queried… well, who knows how many times after that. Pretty cool, right?
This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect. The data appeared to have originated from both the open web and Tor-based marketplaces, Telegram channels and infostealer malware families. We hadn't seen about 7.4% of them in HIBP before, which might sound small, but that's 46 million vulnerable passwords we weren't giving people using the service the opportunity to block. So, we've added those and bumped the prevalence count on the other 584 million we already had.
We're thrilled to be able to provide this service to the community for free and want to also quickly thank Cloudflare for their support in providing us with the infrastructure to make this possible. Thanks to their edge caching tech, all those passwords are queryable from a location just a handful of milliseconds away from wherever you are on the globe.
If you're hitting the API, then all the data is already searchable for you. If you're downloading it all offline, go and grab the latest data now. Either way, go forth and put it to good use and help make a cybercriminal's day just that much harder.
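As an added example (not HIBP's own code), the client-side logic behind the offline use the post describes. The published Pwned Passwords data model hashes the password with SHA-1, uses the first five uppercase hex characters as a range identifier and stores each range as lines of `<35-character suffix>:<count>`, which is why a full download is one request per 16^5 = 1,048,576 ranges. The range below is constructed for the demo (only the hash of "password" is real); in production `fetch_range` would read the downloaded corpus or call `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Offline Pwned Passwords check using the k-anonymity data model (added example).

The format is the published one; the range contents are constructed for this demo.
"""
import hashlib
from typing import Callable, Dict, Tuple

TOTAL_RANGES = 16 ** 5  # 1,048,576 five-hex-character prefixes: one request each to mirror the corpus

# Constructed stand-in for one downloaded range file (prefix 5BAA6). Real ranges hold
# hundreds of lines; padded API responses also contain count-0 filler lines.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",        # constructed suffix and count
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",    # real suffix of SHA-1("password"); count constructed
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0",        # padding-style entry, must not count as a hit
    ]),
}


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1, uppercase hex, split into the 5-char range prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse '<suffix>:<count>' lines; zero-count (padding) lines are dropped."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            table[suffix.upper()] = n
    return table


def fetch_local(prefix: str) -> str:
    # Replace with a read from the downloaded corpus, or an HTTPS call to the range endpoint.
    return SAMPLE_RANGES.get(prefix, "")


def prevalence(password: str, fetch_range: Callable[[str], str] = fetch_local) -> int:
    """Number of times the password was seen in breaches, 0 if unknown to the corpus.

    Only the 5-character prefix ever leaves this function; the full hash stays local.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def is_allowed(password: str, fetch_range: Callable[[str], str] = fetch_local, max_seen: int = 0) -> bool:
    """Policy hook: reject any password seen more than `max_seen` times."""
    return prevalence(password, fetch_range) <= max_seen


if __name__ == "__main__":
    for candidate in ("password", "zq7!Lm#vT0pq"):
        print(candidate, split_hash(candidate)[0], prevalence(candidate), is_allowed(candidate))
```

Two details matter when wiring this into a signup or password-change path: keep the comparison on the suffix rather than sending the full hash anywhere, and treat count-0 lines as absent, since padded responses include them precisely so that response size leaks nothing.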
Pets, poisoned AI search results, and a phone call that sounds like it's coming straight from the federal government: this week's scams don't have much in common except one thing: they're getting harder to spot.
In today's edition of This Week in Scams, we're breaking down the biggest security lapses, the tactics scammers used to exploit them, and what you can do to stay ahead of the latest threats.
If you're a Petco customer, you'll want to know about not one but two data security lapses in the past week.
First, as reported by TechCrunch on Monday, Petco followed Texas data privacy laws by filing a data breach notice with the attorney general's office. In that filing, Petco reported that the affected data included names, Social Security numbers, and driver's license numbers. Further info including account numbers, credit and debit card numbers, and dates of birth were also mentioned in the filing.
Also according to TechCrunch, the company filed similar notices in California and Massachusetts.
To date, Petco has not made a comment about the size of the breach and the number of people affected.
Different states have different policies for reporting data breaches. In some cases, that helps us put a figure to the size of the breach, as some states require companies to disclose the total number of people caught up in the breach. That's not the case here, so the full scope of the attack remains in question, at least for right now.
As of Thursday, we know Petco reported that 329 Texans were affected along with seven Massachusetts residents, per the respective reports filed. California's report does not contain the number of Californians affected, yet laws in that state require businesses to report breaches that affect 500 or more people, so at least 500 people were affected there.
Below you can see the form letter Petco sent to affected Californians in accordance with California's data privacy laws:
In it, you can see that Petco discovered that "a setting within one of our software applications … inadvertently allowed certain files to become accessible online." Further, Petco said that it "immediately took steps to correct the issue and to remove the files from further online access," and that it "corrected" the setting and implemented unspecified "additional security measures."
So while no foul play appears to have been behind the breach, it's still no less risky and concerning for Petco's customers. We'll cover what you can do about that in a moment, after we cover yet another data issue at Petco through its Vetco clinics.
Also within the same timeframe, yet more research and reporting from TechCrunch uncovered a second security lapse that exposed personal info online. From their article:
"TechCrunch identified a vulnerability in how Vetco's website generates copies of PDF documents for its customers.
"Vetco's customer portal, located at petpass.com, allows customers to log in and obtain veterinary records and other documents relating to their pet's care. But TechCrunch found that the PDF generating page on Vetco's website was public and not protected with a password.
"As such, it was possible for anyone on the internet to access sensitive customer files directly from Vetco's servers by modifying the web address to input a customer's unique identification number. Vetco customer numbers are sequential, which means one could access other customers' data simply by changing a customer number by one or two digits."
With the size and reach of the Petco breach still unknown, and the impact of the Vetco security lapse also unknown, we advise caution for all Petco customers. At minimum, monitor transactions and keep an eye on your credit report for any suspicious activity. And it's always a good time to update a weak password.
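The exposure TechCrunch describes is a direct object reference with no authorization check on a guessable, sequential identifier. As an added example (not Vetco's or TechCrunch's code, with constructed records, sessions and log lines), here is that pattern beside a hardened handler that requires a session, enforces ownership and hands out unguessable document tokens, followed by a small detector that flags a client walking consecutive numbers in an access log. The log format it parses is a hypothetical one chosen for the demo.

```python
"""Sequential-ID document download: the exposed pattern beside a hardened one (added example).

Records, sessions and log lines are constructed; no real identifiers appear here.
"""
import secrets
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed records keyed by a sequential customer number.
RECORDS: Dict[int, bytes] = {
    1001: b"%PDF-1.4 record for customer 1001",
    1002: b"%PDF-1.4 record for customer 1002",
    1003: b"%PDF-1.4 record for customer 1003",
}

# Constructed access log in the hypothetical format "<client ip> <request path>".
CONSTRUCTED_LOG = [
    "203.0.113.9 /pdf?customer=1001",
    "203.0.113.9 /pdf?customer=1002",
    "203.0.113.9 /pdf?customer=1003",
    "198.51.100.4 /pdf?customer=1002",
]


# --- exposed pattern: public endpoint, identifier taken straight from the URL ---
def vulnerable_pdf(customer_number: int) -> Optional[bytes]:
    # No authentication and no ownership check: the number in the URL is the only input.
    return RECORDS.get(customer_number)


def enumerate_vulnerable(start: int, span: int) -> List[int]:
    """What sequential numbers buy an attacker: walk the neighbours of a known number."""
    return [n for n in range(start - span, start + span + 1) if vulnerable_pdf(n) is not None]


# --- hardened: authenticated session, opaque per-document token, ownership enforced ---
SESSIONS: Dict[str, int] = {}    # session id -> customer number
DOC_TOKENS: Dict[str, int] = {}  # opaque token -> customer number that owns the document


def login(customer_number: int) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = customer_number
    return sid


def issue_document_link(customer_number: int) -> str:
    # Unguessable, non-sequential reference to show in the portal instead of the raw number.
    token = secrets.token_urlsafe(32)
    DOC_TOKENS[token] = customer_number
    return token


def hardened_pdf(session_id: Optional[str], token: str) -> Tuple[int, Optional[bytes]]:
    owner = SESSIONS.get(session_id or "")
    if owner is None:
        return 401, None  # not logged in
    if DOC_TOKENS.get(token) != owner:
        return 404, None  # unknown token or someone else's document: same answer for both
    return 200, RECORDS[owner]


# --- detection: flag a client requesting consecutive customer numbers ---
def flag_enumeration(log_lines: Iterable[str], min_run: int = 3) -> Dict[str, int]:
    """Map of client ip -> longest run of consecutive numbers, for runs of at least `min_run`."""
    requested = defaultdict(list)
    for line in log_lines:
        ip, path = line.split()[:2]
        requested[ip].append(int(path.rsplit("=", 1)[1]))
    flagged: Dict[str, int] = {}
    for ip, numbers in requested.items():
        run = best = 1
        for a, b in zip(numbers, numbers[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


def demo() -> dict:
    sid, own, other = login(1001), issue_document_link(1001), issue_document_link(1002)
    return {
        "enumerated": enumerate_vulnerable(1002, 1),
        "no_session": hardened_pdf(None, own)[0],
        "other_customer": hardened_pdf(sid, other)[0],
        "unknown_token": hardened_pdf(sid, "guess")[0],
        "own_document": hardened_pdf(sid, own),
        "flagged": flag_enumeration(CONSTRUCTED_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is the fix; the opaque token only makes enumeration impractical and should never substitute for it. Returning the same 404 for a foreign token and an unknown one avoids confirming which tokens exist.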
For those who received a notification, we advise the following:
Check your credit, consider a security freeze, and get ID theft protection. You can get all three working for you with McAfee+ Advanced or McAfee+ Ultimate.
Monitor transactions across your accounts, also available in McAfee+ Advanced and Ultimate.
Keep an eye out for phishing attacks. Use our Scam Detector to spot any follow-on attacks.
Update your passwords. Strong and unique passwords are best. Our password manager can help you create and store them securely.
And use two-factor authentication on all your accounts. Enabling two-factor authentication provides an added layer of security.
What to do if your Social Security number was breached.
If you think your Social Security number was caught up in the breach, act quickly.
You might want to be careful when searching for customer service numbers while in AI mode. Or with an AI search engine. It could connect you to a scammer.
From The Times come reports of scammers manipulating the AI in platforms like Google and Perplexity so that their search results return scam numbers instead of the proper customer service number for, say, British Airways.
How do they manipulate those results? By spamming the internet with false info that gets picked up and then amplified by AI.
"[S]cammers have started seeding fake call center numbers on the web so the AI is tricked into thinking it is genuine …
"Criminals have set up YouTube channels with videos claiming to help with customer support, which are packed with airline brand names and scam numbers designed to be scraped and reused by the AI.
"Bot-generated reviews on Yelp or video descriptions on YouTube are filled with fraudulent numbers as are airline and travel web forums."
And with these tactics, scammers could poison the results for just about any organization, business, or brand, not just airlines. Per The Times, "The scammers have also hijacked government sites, university domains, and even fitness sites to place scam numbers, which fools the AI into thinking they are genuine."
This reveals a current limitation of many AI platforms: by and large, they cannot tell when someone is deliberately feeding them bad information, as happened here.
Even though this attack is new, our advice remains the same: any time you want to ring up a customer service line, get the number directly from the company's official website. Not from AI search, and not by clicking a paid search result that shows up first (scammers can poison those too).
Are you under investigation for money laundering? Of course not. But this scam wants you to think so, and to pay up.
On Tuesday, the Federal Trade Commission (FTC) issued a consumer alert warning that people are reporting getting unexpected calls from someone saying they're "FTC agent" John Krebs. Apparently "Agent Krebs" is telling people that they're under investigation for money laundering, and that a deposit to a Bitcoin ATM can resolve the matter.
Of course, it's a scam.
For starters, the FTC doesn't have "agents." And the idea of clearing one's name in an investigation with a Bitcoin payment is a sure-fire sign of a scam. Lastly, any time someone asks for payment with Bitcoin or other payment methods that are near-impossible to recover (think wire transfers and gift cards), those are big red flags.
Apart from hanging up and holding on to your money, the FTC offers the following guidance, which holds true for any scam call:
As always, here's a quick list of a few stories that caught our eye this week:
AI tools transform Christmas shopping as people turn to chatbots
National cybercrime network operating for 14 years dismantled in Indonesia
Why is AI becoming the go-to support for our children's mental health?
We'll see you next Friday with a special edition to close out 2025 … This Year in Scams.
The post This Week in Scams: Petco Breach Warning, and Watch Out for Fake Federal Calls appeared first on McAfee Blog.
If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly.…
Microsoft is overhauling its bug bounty program to reward exploit hunters for finding vulnerabilities across all its products and services, even those without established bounty schemes.…
The US is suing a former senior manager at Accenture for allegedly misleading the government about the security of an Army cloud platform.…
Civil society groups are urging the UK's data watchdog to investigate whether the Home Office's digital-only eVisa scheme is breaching GDPR, sounding the alarm about systemic data errors and design failures that are exposing sensitive personal information while leaving migrants unable to prove their lawful status.…
Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters ranging from bargain-basement cryptominers to state-linked intrusion tooling.…
Terraform Labs founder Do Kwon will spend 15 years in jail after pleading guilty to committing fraud.…
My father got tricked into calling scammers after a hidden Google logout URL made him think his computer was hacked. Turns out, Google lets any website instantly log you out of Gmail, YouTube, and Drive just by loading a simple link - no warning, no confirmation. I made a petition, and I want to know if this is something worth signing and sharing, or if it's not realistic.
CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service. There's some bad news and some good news here.…