From Dating App Leaks to AI Agent Risks

This week on The Awareness Angle, we cover hundreds of exposed Clawdbot and Moltbot AI agent gateways leaking credentials and private chats, a new malware service selling guaranteed phishing extensions through the Chrome Web Store, and sensitive government documents uploaded to ChatGPT by the acting head of the US cybersecurity agency.

We also look at Google rolling out stronger ransomware protections in Drive, France accelerating plans to ban social media for under 15s, and what recent incidents involving AI powered toys reveal about data exposure risks for children.

All of that, and more, in this week’s episode of The Awareness Angle.

The Awareness Angle is best served in full. Watch on YouTube, or listen on Spotify or your favourite podcast platform to get the complete discussion and context.

Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts

Visit riskycreative.com for past episodes, our blog, and our merch.

Support the show with all new Awareness Angle merch. Stickers, notebooks, mugs, and bits that quietly say you care about people, not just passwords. Click here to visit the shop.

Just some of the exciting new merchandise you can buy!

This week's stories...

Hundreds of exposed Clawdbot gateways leave credentials and private chats exposed

Watch | Read

Security researchers have identified more than 900 exposed Clawdbot gateways online, caused by poor setup and insecure default settings. These exposed systems allowed access to private conversations, API keys, and other sensitive information.

Clawdbot, also known as Moltbot, is an AI agent designed to make work easier by remembering information and acting on a user’s behalf inside messaging apps. Because it runs continuously and stores context over time, mistakes in setup can quietly expose far more than people realise.

Incidents like this often happen without malicious intent. Tools are adopted quickly to save time, experiments move into daily use, and security steps are skipped under pressure. The result is exposure created by normal human behaviour, not bad actors.

The Awareness Angle

  • People prioritise speed and convenience – Security steps are often skipped to get work done
  • Assumptions replace checks – If a tool feels helpful and familiar, risk is easily overlooked
  • Psychological safety matters – People need to feel safe admitting mistakes before exposure grows

New malware service pushes phishing extensions into the Chrome Web Store

Watch | Read

Researchers have uncovered a new malware service called Stanley that allows criminals to create phishing browser extensions and successfully publish them to the Chrome Web Store. These extensions are designed to overlay legitimate websites with fake content while keeping the real web address visible, making them difficult to spot.

The service is sold in tiers, offering features such as silent installation, custom branding, and a management panel for attackers. Because the extensions pass official store checks, users are more likely to trust them, install them, and continue using them without suspicion.

This type of attack relies less on technical exploitation and more on habit. People install extensions to save time, solve small problems, or boost productivity, often without revisiting what access those extensions still have later on.

The Awareness Angle

  • Trust is built on familiarity – Official stores and recognisable browsers lower people’s guard
  • Convenience drives behaviour – Small productivity gains can outweigh perceived risk
  • Unused access is rarely questioned – Extensions often stay installed long after they are needed

France moves to fast track a social media ban for under 15s

Watch | Read

France has announced plans to fast track a ban on social media use for children under 15, with the aim of having new rules in place before the next school year. The proposal includes stricter age verification and builds on existing restrictions around mobile phone use in schools.

The move follows similar action in Australia, where millions of under 16 social media accounts have already been removed. French officials have acknowledged that age limits can be bypassed, but see this as an important first step in reducing exposure to online harm and emotional manipulation.

Rather than focusing on individual behaviour, the approach shifts responsibility toward platforms and regulation, recognising that expecting children to self regulate in highly persuasive online environments has not worked.

The Awareness Angle

  • Children are not the problem – Platforms are designed to capture attention, not protect wellbeing
  • Rules fill the gaps left by design – Regulation steps in where controls and safeguards fall short
  • Adults set the environment – Safety improves when responsibility moves away from the user

US cybersecurity chief uploaded sensitive government documents to ChatGPT

Watch | Read

The acting head of the Cybersecurity and Infrastructure Security Agency (CISA) uploaded internal government documents marked “for official use only” into ChatGPT. The uploads triggered automated warnings, and an internal review is now assessing any potential impact.

The documents were described as internal but unclassified, and the use of ChatGPT was said to be short term and previously approved as an exception. Following the incident, multiple staff members were suspended from accessing classified systems while investigations continue.

The story highlights how quickly everyday tools can blur boundaries at work, especially when people are under pressure to move fast or solve problems efficiently.

The Awareness Angle

  • People default to familiar tools – Convenience often overrides caution
  • Exceptions create confusion – One off permissions weaken shared understanding of risk
  • Hierarchy does not prevent mistakes – Senior roles are not immune to everyday human error

Discussion Points...

ShinyHunters swipes right on 10M records in alleged dating app data grab Watch | Read

US cybersecurity chief uploaded sensitive documents to ChatGPT Watch | Read

What is Clawdbot and why it matters Watch | Read

Hundreds of exposed Clawdbot gateways leave data vulnerable Watch | Read

The AI agent craze is turning into a security nightmare Watch | Read

Phishing malware sold as Chrome extensions Watch | Read

Google Drive adds better ransomware protection Watch | Read

France moves to ban social media for under 15s Watch | Read

Exposed admin panel found in AI toy Watch | Read

Awareness, spotting phishing and AI content Watch | Read

Misleading breach headlines and fake panic Watch | Read

Reverse image search exposing fake profiles Watch | Read

Gift card scam warnings appearing in stores Watch | Read

Covering phone cameras as a security habit Watch | Read

Free WiFi on flight QR code prank Watch | Read

TikTok Argos MacBook discount scam Watch | Read

Real world phishing and family account compromise Watch

And finally...This Week I Messed Up!

I messed up and didn't protect those closest to me!

Watch

This week, the story that hit closest to home wasn’t a breach headline or an AI scare. It was my mum.

Her email account was compromised, no two factor authentication, a password she’d used for years, and attackers quietly sending gift card scam emails to people she trusts. I only spotted it once messages started disappearing from her inbox.

When I got proper access, the reason was obvious. The attackers had set up inbox rules to automatically mark messages as read, move them into hidden folders, and silently redirect copies to a Gmail account they controlled. From the outside, everything looked normal.

I spend my life talking about security awareness, and I still hadn’t locked down the person closest to me.

The Awareness Angle

  • Inbox rules are a red flag – attackers often use filters and redirects to hide their activity and stay undetected
  • No 2FA is still a big risk – even “quiet” email compromises can run for days without being noticed
  • Check your family, not just your workplace – the people closest to you are often the least protected

It’s a reminder that security isn’t just an organisational problem. It’s personal. Take five minutes this week to check in on someone you care about.
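As an added example (not code from the podcast or newsletter), here is a small Python audit that flags inbox rules matching the pattern described above: copying mail to an address outside the owner's domain, moving it into rarely viewed folders, marking it read, or deleting it. The rule fields, folder list and sample rules are constructed assumptions for this example, not a real mail provider's API.

```python
"""Audit a mailbox's inbox rules for the hiding/redirect pattern attackers use."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class InboxRule:
    """One inbox rule. Field names are an assumption for this example,
    modelled loosely on common mailbox-rule properties, not a real API schema."""
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    mark_as_read: bool = False
    delete_message: bool = False


# Folders a mailbox owner rarely opens, so mail moved there goes unnoticed.
HIDING_FOLDERS = {
    "rss feeds", "rss subscriptions", "conversation history",
    "archive", "deleted items", "junk email", "junk e-mail",
}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules: list[InboxRule], owner: str) -> list[dict]:
    """Return findings for enabled rules that look like compromise tradecraft.

    Scoring is a simple heuristic: external copy (+3), hiding folder (+2),
    delete (+2), mark-as-read on top of another signal (+1), blank or
    punctuation-only rule name (+1). Score >= 3 is high, 2 medium, 1 low.
    """
    owner_domain = _domain(owner)
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        reasons, score = [], 0

        # Copies sent anywhere outside the owner's own domain are the loudest signal.
        external = [a for a in rule.forward_to + rule.redirect_to
                    if _domain(a) != owner_domain]
        if external:
            reasons.append("copies mail to external address(es): " + ", ".join(external))
            score += 3

        folder = (rule.move_to_folder or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail into rarely viewed folder '{rule.move_to_folder}'")
            score += 2

        if rule.delete_message:
            reasons.append("deletes mail outright")
            score += 2

        # Marking as read is normal on its own; it only matters when paired with hiding.
        if rule.mark_as_read and score > 0:
            reasons.append("marks mail as read so it never shows as new")
            score += 1

        # Attackers often give rules blank or punctuation-only names to avoid attention.
        if not rule.name.strip() or all(not c.isalnum() for c in rule.name):
            reasons.append(f"rule name is blank or punctuation only ({rule.name!r})")
            score += 1

        if reasons:
            severity = "high" if score >= 3 else "medium" if score == 2 else "low"
            findings.append({"rule": rule.name, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample mailbox: one benign filing rule, one rule shaped like the
# attack described in the story (external copy + hidden folder + mark read),
# one legitimate forward inside the family domain, and one delete rule.
OWNER = "mum@family.example"
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Newsletters", mark_as_read=True),
    InboxRule(".", forward_to=["attacker-mailbox@webmail.example"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Shared with Dad", forward_to=["dad@family.example"]),
    InboxRule("Cleanup", delete_message=True),
]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, OWNER):
        print(f"[{finding['severity'].upper()}] rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run it against a rule export from the mailbox you are checking; anything rated high is worth removing and investigating before changing the password and enabling 2FA.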

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.

All views and opinions are our own and do not reflect those of our employers.

Voice Phishing Kits, CrashFix Malware, and Schools Forced Offline

This week on The Awareness Angle, we cover a ransomware attack at Ingram Micro that disrupted a major part of the global IT supply chain, alongside a breach at Grubhub where customer, driver, and merchant data was accessed through a third party support system. We also look at a data breach at the Minnesota Department of Human Services affecting nearly 304,000 people, and a UK secondary school forced to close after a cyber attack knocked critical systems offline.

In the news, Microsoft issued emergency out of band Windows updates after Patch Tuesday caused shutdown and Cloud PC issues, while researchers uncovered malicious browser extensions designed to crash browsers and push fake fixes. We also discuss reports of criminals selling ready made voice phishing kits, a new EU vulnerability database launched as an alternative to CVE, and a phishing campaign targeting LastPass users with fake security alerts.

We round out the episode with policy and platform updates, including the UK government consulting on banning social media for under 16s, and TikTok finalising a deal to split its US operations into a new joint venture.


This week's stories...

Voice phishing kits sold as a service

Watch | Read

Cybercriminals are now selling ready made voice phishing kits that let almost anyone run convincing phone scams. These kits bundle scripts, call flows, dashboards, and in some cases AI generated voices that sound like banks or internal IT teams. This is not someone freelancing a scam call. This is packaged, repeatable, and designed to scale.

The kits guide attackers through the entire interaction. Who to call. What to say. When to apply pressure. Victims are coached into handing over credentials, one time passcodes, or approving actions that lead to account access. It is phishing, just delivered over the phone instead of email.

The problem is that phone calls still get a free pass. Many organisations have trained people to be cautious with links and emails, but far fewer have clear rules for handling unexpected calls. Attackers are leaning into that gap hard.

This is social engineering getting easier and more normal. And it is aimed squarely at busy humans.

The Awareness Angle

  • Vishing is now off the shelf – Anyone can buy the tooling
  • Calls still bypass suspicion – The channel carries trust
  • Call back breaks the scam – Verification beats confidence

CrashFix browser attacks push fake fixes

Watch | Read

CrashFix is a browser based attack where a malicious extension deliberately crashes the browser, then tells the user they need to install a fix. That fix is malware. Nothing is broken. The crash is the whole point.

After the browser fails, users are shown clear, step by step instructions telling them what to do next. Run this. Install that. It works because this is exactly how people normally deal with software problems. Get it working and carry on.

This is not a clever technical exploit. It is frustration as a delivery mechanism. When something breaks, people stop thinking about risk and start thinking about recovery. CrashFix is designed to catch people in that moment.

The Awareness Angle

  • The crash is intentional – Failure is the lure
  • Fixing mode bypasses caution – Urgency beats scepticism
  • Running commands is a red flag – Pause before you act

UK secondary school forced to close after cyber attack

Watch | Read

A secondary school in England was forced to close after a cyber attack took out its IT systems. There was no big data breach story and no suggestion that grades were tampered with. The school closed because it could not function safely without its systems.

Too much failed at once. Attendance, communications, access control, and safety related systems were all affected. That only happens when everything is tied together. Systems that should be dull, isolated, and resilient were clearly part of the same environment, so when one thing went down, everything followed.

This is what happens when convenience drives design. Things get connected because it is easier, cheaper, or sold as “modern”, not because it makes sense. Then something breaks, and suddenly the impact is far bigger than anyone expected.

The Awareness Angle

  • Not everything should be connected – Convenience quietly increases risk
  • Availability is a safety issue – Offline systems force closure
  • Design decisions matter – Architecture shapes impact

This week's discussion points...

Ingram Micro ransomware attack knocks global IT supply chain offline Watch | Read

Grubhub breach exposes customer, driver, and merchant data via third party support system Watch | Read

Minnesota Department of Human Services breach exposes demographic records of nearly 304,000 people Watch | Read

UK secondary school forced to close after cyber attack disrupts systems Watch | Read

Microsoft releases emergency Windows updates after Cloud PCs fail to shut down properly Watch | Read

Criminals are now selling ready made voice phishing kits Watch | Read

Malicious Chrome extension crashes browsers to push fake “fix” in ClickFix variant Watch | Read

EU launches new vulnerability database as alternative to CVE Watch | Read

Phishing campaign targets LastPass users with fake security alerts Watch | Read

Government consults on banning social media for under-16s in the UK Watch | Read

TikTok seals deal to split US app into new joint venture, keeps platform running in America Watch | Read

AI snowstorm videos show the current state of the internet Watch

Five ways to spot AI generated accounts on social media Watch

And finally...Action Fraud becomes “Report Fraud”, but the experience still breaks trust

Ant and Luke discuss Report Fraud's account issues

Watch

The UK’s fraud reporting service has been rebranded from Action Fraud to Report Fraud. The new name is clearer and does exactly what it says. The problem is what happens next.

When users try to sign in or create an account, they are redirected to a completely different domain to complete the process. For some people, antivirus tools flag that page as suspicious or phishing. That puts users in an impossible position. They are doing the right thing by reporting fraud, and the experience immediately tells them not to trust it.

This is how trust gets damaged. Not by attackers, but by confusing design. People are told to be cautious about links and domains, then asked to ignore their own instincts when it really matters. Many will simply abandon the report.

If we want people to report scams and cybercrime, the process has to feel safe and consistent all the way through.

The Awareness Angle

  • Trust is fragile – Mixed signals stop people acting
  • Design shapes behaviour – Confusion leads to drop off
  • Security advice must align – We cannot teach one thing and do another


Instagram Passwords, Ransomware Claims, and AI Controls

This week on The Awareness Angle, we cover a busy mix of breaches, claims, and security moments that blurred the line between what happened and what people thought happened. Instagram password reset emails caused widespread confusion, ransomware groups made high-profile breach claims without releasing data, and a well-known hacking forum found itself dealing with a leak of its own.

We also look at cyber incidents with real-world impact, including attacks linked to drug smuggling at major European ports and attempted intrusions targeting national energy infrastructure. On the technology side, we discuss Microsoft’s latest Patch Tuesday, growing control over AI tools on work devices, and why some organisations want clearer choices around when those tools appear.

The episode also explores emerging questions about identity and trust, from reused passwords and long-lived leaked data to eye-scanning technology promoted as a way to prove you are human online.


This week's stories...

Instagram password reset emails and data leak claims

Watch | Read

A large number of Instagram users reported receiving password reset emails they did not request. Meta confirmed it fixed an issue that allowed an external party to trigger legitimate password reset emails at scale and said there was no breach of Instagram systems. According to Meta, user accounts were not compromised, and the emails were caused by abuse of a feature rather than a hack.

At the same time, security firm Malwarebytes reported that data linked to around 17.5 million Instagram accounts was being advertised online. The dataset is said to include usernames, email addresses, phone numbers, and, in some cases, physical addresses. Meta has denied any link between the password reset emails and the data, stating that it likely came from older scraping activity rather than a new Instagram breach.

While there is no public evidence tying the two events together, the timing created widespread confusion. Unexpected security emails combined with reports of leaked data looked and felt like a breach to many users, regardless of the technical explanation.

The Awareness Angle

  • Timing shapes perception - When alerts and leak claims land together, people assume the worst
  • Users see impact, not root cause - Bug or breach matters less than how it feels
  • Old data still circulates - Historic scraping can resurface and fuel new scams

Ports hacked to support drug smuggling, hacker jailed

Watch | Read

A hacker has been sentenced to 7 years in prison for cyberattacks that disrupted operations at the Port of Rotterdam and the Port of Antwerp. The attacks took place between 2021 and 2023 and involved unauthorised access to container logistics systems.

Prosecutors said the access was used to manipulate the release and movement of shipping containers, enabling organised crime groups to collect drug shipments without detection. The case highlights how cyber access can directly enable real-world criminal activity rather than just data theft.

Authorities said the sentence reflects the seriousness of targeting critical infrastructure and the wider risks posed to safety, trade, and national security.

The Awareness Angle

  • Cyber enables physical crime - Access to systems can unlock real-world harm
  • Logins are high-value targets - Human access often matters more than malware
  • Impact goes beyond IT - Disruption affects supply chains and public safety

Microsoft may allow Copilot to be uninstalled on managed devices

Watch | Read

Microsoft is planning to give IT administrators the option to uninstall Copilot from managed Windows devices, rather than just hide or disable it. The change would apply to enterprise-managed devices and address concerns about control, data handling, and readiness.

The move gives organisations more choice over when and how AI tools appear on work devices, particularly as teams continue to work through policies, training, and acceptable use. Copilot remains positioned as a productivity feature, but many organisations are still deciding how to introduce it safely.

The Awareness Angle

  • Control matters - IT teams want clear choices, not forced rollouts
  • AI affects behaviour - Tools change how people work, not just systems
  • Readiness comes first - Introducing AI before guidance creates risk

AI is not selling: is interest waning?

Watch | Read

Despite heavy investment in AI-powered PCs and tools, some manufacturers are reporting weaker-than-expected demand. Executives at Dell said consumers are not buying devices for AI features, and that AI-focused messaging often creates confusion rather than clarity.

The comments suggest a gap between how vendors promote AI and how everyday users understand its value. While AI continues to be embedded across products, its presence alone does not appear to be driving purchasing decisions.

This comes as organisations continue to balance innovation with concerns about data use, trust, and whether people actually want AI involved in their daily work.

The Awareness Angle

  • AI does not automatically sell - Features need clear, practical value
  • Confusion slows adoption - Unclear benefits create hesitation
  • Trust still matters - Data questions shape acceptance

This week's discussion points...

Everest Ransomware Claims Nissan Data Breach – Watch | Read

Spanish Energy Giant Endesa Reports Major Customer Data Breach – Watch | Read

Instagram Password Reset Emails – Watch | Read

Breachforums Data Leak – Watch | Read

Microsoft Patch Tuesday – Watch | Read

Microsoft Copilot Removal Option – Watch | Read

AI PCs Not Selling – Watch | Read

Hacker Jailed for Attacks on Rotterdam and Antwerp Ports – Watch | Read

Poland Cyber Attack on Energy Infrastructure Stopped – Watch | Read

Scam Email Knows My Password – Watch | Read

Worldcoin and Eye Scans for Human Verification – Watch | Read

And finally...Scanning your eyes to prove you are human, Sam Altman’s Orb

Watch | Read

This one is proper Black Mirror territory, because it takes a real problem, bot spam, fake accounts, AI-generated nonsense everywhere, and answers it with something that feels way too permanent. Worldcoin’s Orb scans your iris to create a unique digital identifier, a World ID, basically a way to prove you are a real human online. In some places, they even pay you in crypto to do it.

The pitch is “we do not store your eye images, we just turn it into a cryptographic code”, but the bit that makes my skin crawl is the direction of travel. Once you normalise scanning bodies to access digital services, it is hard to un-invent that. Passwords can be changed, devices can be replaced, but biometrics are forever. If a system like this ever gets abused, breached, repurposed, or linked up with other data sources, you do not get to rotate your eyeballs and start again.

And the crypto incentive matters. Paying people to hand over biometric data is not neutral; it changes the deal. It nudges adoption through cash, not through genuine understanding or informed consent. And if the goal is to build trust online, starting with “here is some money, let a shiny sphere scan your iris” is a weird way to do it.

This story is not just about one gadget in a shopping centre. It is about what comes next. If “prove you are human” becomes a standard requirement, who controls that proof, who decides when it is needed, and who gets locked out if they do not want to play along?

The Awareness Angle

  • Biometrics are permanent - If something goes wrong, you cannot reset it like a password
  • Incentives change consent - Paying people to sign up shifts behaviour faster than understanding
  • This will not stay niche - If it works once, it will get pushed into more places


Subscriber Data Exposed and Hotels ClickFix Phished

This week on The Awareness Angle, it is a reminder of just how much data follows us around, and how often it ends up exposed in places we barely think about. From magazine subscriptions and radio stations holding millions of records, to healthcare providers, gas stations, and even space agencies dealing with serious breaches, the theme this week is scale, and how quickly it can spiral.

We look at incidents that were first reported as small, only to grow into hundreds of thousands or millions of affected people months later. We also dig into the way modern attacks blend into normal work, fake blue screens, booking emails, sideloaded apps, and even trusted security tools being used as a way in.

There is a longer view, too, with Equifax still discussing culture years after its breach, new government cyber plans taking shape, and insurers quietly spelling out what they will not cover when cyber incidents spill into the physical world.

It is a packed episode, full of practical lessons and uncomfortable reminders about trust, habit, and the digital footprints we all leave behind.

This week's stories...

Condé Nast breach and the risk hiding in forgotten subscriptions

Watch | Read

Condé Nast is responding to a breach claim that could affect up to 40 million users across brands, including Vogue, GQ, Wired, and The New Yorker. An attacker using the name “Lovely” shared data samples allegedly taken from subscription systems and claimed to have access across multiple Condé Nast properties. The exposed information reportedly includes names, email addresses, usernames, phone numbers, dates of birth, and location data. According to reports, the attacker alleged they attempted to flag vulnerabilities before releasing proof, though Condé Nast disputes parts of that account and says it has taken steps to disable the accounts involved in the unlawful access.

During the discussion on the show, the focus was less on the headline number and more on how ordinary this type of data feels. Subscription accounts like these are often created years earlier and then forgotten entirely. They don’t feel sensitive or important, yet the data persists long after interest fades. That long lived, low attention data is what makes incidents like this so uncomfortable: it surfaces quietly and is easy to abuse without ever feeling like a major breach at the time.

The Awareness Angles

  • Subscription data is still valuable - names and email addresses alone can fuel phishing and scams
  • Forgotten accounts create blind spots - users move on while data remains
  • Proof leaks are rarely the end - small samples often point to wider exposure

European Space Agency breach shows even critical organisations aren’t immune

Watch | Read

The European Space Agency confirmed a cyber incident that is now under criminal investigation, after attackers gained unauthorised access to parts of its internal IT environment. Reporting suggests a public vulnerability was exploited, with attackers claiming to have taken hundreds of gigabytes of internal files. ESA said mission-critical spacecraft operations were not affected, but the incident was serious enough to involve law enforcement and trigger a wider forensic review.

The discussion wasn’t really about whether ESA should be better protected; it was more about frustration. There was a sense that some things just shouldn’t be messed with at all. Space, like healthcare or charities, doesn’t feel like fair game. But that feeling clashes with reality. Attackers don’t draw ethical lines. If a vulnerability exists and remains open, it becomes an opportunity, regardless of how harmless or important the organisation feels.

The Awareness Angles

  • Attackers don’t respect boundaries - ethical lines don’t factor into targeting decisions
  • Unpatched weaknesses still get exploited - it only takes one open door
  • Sensitive data isn’t limited to operations - internal documents and partner information still carry risk

Fake blue screens are being used to trick hotel staff into installing malware

Watch | Read

Hotels across Europe are being targeted by phishing emails that impersonate booking-related messages, often posing as reservation updates or cancellations. The emails lead staff to malicious pages that display a fake Windows blue screen and instruct users to follow recovery steps. Those steps involve running commands that install malware directly onto the system. It is a ClickFix-style attack, but disguised as a system failure rather than a security warning.

The conversation focused on how easy this is to fall into when it lands in the middle of a normal working day. Hotel staff deal with booking emails constantly, and fixing problems quickly is part of the job. When something looks technical and urgent, the instinct is to resolve it and move on, not stop and question whether it should be escalated. That pressure, combined with something that looks familiar, is what makes this technique effective.

The Awareness Angles

  • Urgency drives behaviour - fake system errors push people into fast decisions
  • Normal workflows lower scepticism - familiar-looking emails get less scrutiny
  • ClickFix keeps evolving - attackers rely on users to run the malware for them

ChatGPT Health raises the stakes for account security

Watch | Read

OpenAI announced ChatGPT Health, a feature that allows users to connect medical records and wellness apps to their ChatGPT account. The company says the feature is not intended for diagnosis or treatment, and that connected health data won’t be used to train models. The goal, according to OpenAI, is to make responses more useful by grounding them in a user’s own health context.

The discussion wasn’t really about whether this is a good or bad feature, it was about concentration of value. On the show, the point was made that for many people ChatGPT is already a second brain. It holds questions, ideas, work context, and personal thinking. Adding health data into that mix means a single account can now represent a very complete picture of someone. That makes the impact of account compromise much higher than it used to be, even if the feature itself is well intentioned.

The Awareness Angles

  • Accounts are becoming life hubs - more context means higher impact if compromised
  • Login security matters more than ever - strong MFA and recovery controls are critical
  • Convenience quietly expands risk - connecting data should always be a conscious choice

This Week's Discussion Points...

Condé Nast breach claims and subscriber data risk – Watch | Read

Covenant Health breach grows to nearly half a million people – Watch | Read

Tokyo FM breach highlights how radio stations hold vast listener data – Watch | Read

US gas station operator breach exposes payment cards and ID data after delayed notification – Watch | Read

European Space Agency breach placed under criminal investigation – Watch | Read

Equifax says security culture is now built in, after one of the biggest breaches on record – Watch | Read

Fake Blue Screen of Death attacks targeting hotel staff – Watch | Read

HSBC blocks customers using sideloaded Bitwarden apps – Watch | Read

OpenAI launches ChatGPT Health and raises questions about account value – Watch | Read

UK government publishes new cyber action plan – Watch | Read

And Finally...Cybersecurity Training That Ticks Boxes but Changes Nothing

We discussed NCSC's training for Schools.

Watch

This week we talked about NCSC cybersecurity training being issued to school staff: a 36-minute video, stock slides, synthetic narration, no interaction, and no assessment. Everyone completes it, signs it off, and moves on. On paper, the risk is managed. In reality, very little of that content will be remembered when someone receives a real scam, a fake text, or a convincing phishing email. It is a familiar pattern in security awareness: training designed to satisfy a requirement rather than change behaviour. The problem is not that people do not care; it is that long, generic training delivered once a year does not reflect how threats actually show up in daily life.

The Awareness Angle

  • Completion is not protection - Watching a video does not mean someone can spot a scam under pressure
  • Relevance beats length - Five minutes of current, relatable examples beats 36 minutes of theory every time
  • Engagement is the control - If people do not remember it, it cannot protect them

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.

Spotify Scraped and Google Phish Steals Microsoft Logins

This week on The Awareness Angle, we are back after the Christmas break and straight into two weeks’ worth of cyber news that didn't slow down just because the calendar said it should. From phishing emails abusing real Google services and browser extensions quietly infecting millions, to Ubisoft taking Rainbow Six Siege offline after attackers started banning players live (with a little bit of Shaggy), there is plenty to unpack.

We look at airlines and retailers exposing customer data through supplier and access failures, including Korean Air and Coupang, where smashed laptops, rivers and forgotten access played a bigger role than sophisticated hacking. We also dig into ClickFix attacks being sold as a service, sleeper browser extensions stealing data months after install, and a British hacker who quite literally hacked his way into an Australian visa by doing things the right way.

Add in Meta quietly shaping how scam ads are policed, smart hacking tools being banned from a mayoral inauguration, and a growing tension between security, perception, and trust, and a clear theme starts to emerge.

All of that and more in this week’s Awareness Angle, so let’s get into it.

Watch or Listen to the episode today - YouTube | Spotify | Apple Podcasts

Visit riskycreative.com for past episodes, our blog, and our merch.

This Week's Stories...

Spotify scraping shows why “just metadata” is never just metadata

Claims a couple of weeks ago suggested Spotify content was scraped at massive scale, with Anna’s Archive alleging access to metadata for around 256 million tracks and audio files for roughly 86 million songs. The archive, reported to be around 300TB in size, has been distributed via torrents. Spotify said it identified and disabled accounts involved in unlawful scraping, describing the activity as a mix of public metadata access and illicit tactics, but stopped short of confirming the full scale of what is circulating.

What makes this story uncomfortable is that it doesn't look like a traditional breach. As we discussed on the show, this appears to be access working as designed, just abused at scale. It is easy to wave this away as “just metadata,” but metadata carries context. It reveals behaviour, popularity, listening patterns, and connections over time. Combined with other sources, it becomes far more revealing than most people expect. Add in the fact that torrents and unofficial archives are a common delivery mechanism for malware, and this stops being just a copyright issue.

The Awareness angles

  • Metadata is not harmless – Even without names or passwords, metadata can expose behaviour, habits, and patterns when collected at scale or combined with other data sources
  • Abuse accelerates quietly – When automated access or credentials work once, they can be reused rapidly, turning small gaps into mass scraping before anyone notices
  • Trust the file, not the story – Archives framed as preservation or culture can still be high risk; unofficial downloads are a common place for malicious content to hide

The browser extensions you forgot about might be the riskiest thing you use

Security researchers recently uncovered a long-running campaign that saw malicious browser extensions infect millions of users across Chrome, Edge, and Firefox, often without raising any suspicion. The activity, linked to a threat cluster dubbed DarkSpectre, involved extensions that appeared completely legitimate, complete with positive reviews, large install numbers, and official store badges. In some cases, these extensions sat quietly for days or weeks before activating malicious behaviour.

What makes this story so unsettling is how normal it all looks. As we talked about on the show, these were not shady downloads from obscure websites. They were tools people installed to customise tabs, improve productivity, or tweak their browsing experience. Once trusted, they were largely forgotten. That trust gave attackers ongoing access to sessions, credentials, meeting data, and in some cases crypto wallets, turning the browser into a silent surveillance tool.

This is a reminder that your browser is not just a window to the internet. It is part of your attack surface. Extensions run with deep privileges, often seeing everything you type, click, or view. When they turn malicious later, detection is hard and user suspicion is low, because nothing appears to change.

Awareness angles

  • Install once does not mean safe forever – Extensions can change behaviour after updates, long after reviews and store checks have passed
  • Dormant threats are deliberate – Waiting days or weeks before activating is a common way to evade detection and earn user trust
  • Your browser is a security boundary – Extensions have access to sensitive data and sessions, making them a direct path into work and personal accounts

Meta knew about scam ads, and people kept getting hurt anyway

A Reuters investigation a couple of weeks ago laid out something many people already suspected. Meta, the company behind Facebook and Instagram, knew scam ads were a problem, knew how to reduce them, and still chose to manage the situation rather than fix it properly.

This is not about edge cases or clever users spotting red flags. These are the fake loan offers, investment scams, and impersonation ads that show up while people are tired, stressed, or just scrolling. Reuters reported that Meta was aware stronger advertiser checks would cut scams, but held back because of cost and potential impact on ad revenue. In other words, the scams kept running, and real people kept paying the price.

As we said on the show, this is where the blame needs to move. When the same scams appear again and again, it stops being a question of awareness or education. If a platform knows what works and delays using it, that is a choice. And when that choice leads to people losing money, confidence, or trust, it is not on the user to be more careful, it is on the platform to do better.

Awareness angles

  • People are not failing here – When scams keep appearing, the problem is not judgement, it is enforcement
  • Meta had options – Stronger checks would have reduced harm, and choosing not to use them has consequences
  • Scams are a design issue – What platforms allow, tolerate, or profit from shapes who gets hurt

This week's discussion points...

Anna’s Archive claims massive Spotify scrape, raising questions about data access and abuse – Watch | Read (Android Authority)

Rainbow Six Siege hit by major hack, Ubisoft takes servers offline after chaos in game economy and bans – Watch | Read (Tom’s Hardware)

Korean Air discloses passenger data exposure after supplier cyberattack – Watch | Read (Security Affairs)

Coupang breach uncovered after smashed laptop data recovered by investigators – Watch | Read (The Record)

Phishing campaign abuses real Google services to look legit, then steals Microsoft logins – Watch | Read (TechRadar)

British hacker wins Australian visa after legally hacking government website – Watch | Read (Cyber News)

ErrTraffic sells “fake browser glitch” pages to push ClickFix attacks – Watch | Read (BleepingComputer)

DarkSpectre browser extension malware infected 8.8 million users across Chrome, Edge and Firefox – Watch | Read (Cybersecurity News)

Meta built “playbook” to delay crackdowns on scam ads, internal documents reveal – Watch | Read (Reuters)

NYC mayoral inauguration bans Flipper Zero and Raspberry Pi devices over security fears – Watch | Read (BleepingComputer)

And Finally...When AI Jailbreaks Get Pushed Underground

A subreddit used by researchers gets closed down

A subreddit focused on ChatGPT jailbreaks has been shut down, and on the surface that sounds like a win. Fewer prompts being shared, less obvious misuse, and fewer screenshots doing the rounds.

But that space was doing more than showing people how to break things. It was one of the few places where you could see what people were actually trying in the wild. What worked. What failed. What guardrails were being walked straight around. Removing it from Reddit has not stopped the behaviour; it has just moved somewhere quieter.

This is the awkward bit. A lot of security learning comes from watching real behaviour, not ideal behaviour. Taking away visibility does not suddenly make AI safer; it just makes the problems easier to ignore. The jailbreaks will still exist, but fewer defenders will see them.

Awareness angles

  • You cannot fix what you cannot see – Removing public discussion hides problems, it does not remove them
  • People will keep pushing systems – Curiosity and misuse do not disappear just because a platform closes a space
  • Visibility beats comfort – Seeing how things break is uncomfortable, but it is how security actually improves

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.

Microsoft Account Hacks, WhatsApp Ghost Pairing, and Extensions Spy On AI |#taa #EP67

This week on The Awareness Angle, Luke is back, and we have a lot to get through together. We are talking about a real estate firm quietly exposing tens of thousands of people, SoundCloud losing control of user data while breaking its own VPN access, and Pornhub dealing with extortion after deeply personal viewing history leaked via a third-party analytics mess.

We also look at malware hiding inside movie subtitles, browser extensions harvesting millions of AI chats in plain sight, and a new Microsoft account takeover technique that bypasses passwords, MFA, and passkeys without dropping malware. Add in WhatsApp account hijacking through ghost pairing, a UK government hack still being downplayed, and smart TVs quietly shaping what we can and cannot do in our own homes, and there is a clear theme running through this week.

All of that and more in this week’s Awareness Angle, so let’s get straight into it.

Watch or Listen to the episode today - YouTube | Spotify | Apple Podcasts

Visit riskycreative.com for past episodes, our blog, and our merch.

The Week's Stories...

Browser extensions secretly harvesting AI chats

Image source - KOI Security, via The Hacker News

Watch | Read

A Chrome browser extension with millions of users and a trusted Featured badge was found silently intercepting AI conversations from tools like ChatGPT, Copilot, Gemini, and others. Prompts, responses, timestamps, and session data were routed back to the developer and shared with an affiliated analytics firm. The behaviour was introduced through an update and documented quietly in a privacy policy, rather than being the result of a technical flaw.

During the discussion, Ant summed up the risk clearly: “If it’s free, you’re probably the product.” AI tools are now being used for genuine work, with people pasting emails, notes, ideas, and sensitive context into them without hesitation. This story highlights how browser extensions can turn everyday behaviour into large-scale data exposure without users ever realising.

The Awareness Angle

  • Trust signals are misleading – Featured badges and ratings are not security guarantees
  • AI prompts are high-value data – Inputs often contain information people would never share elsewhere
  • Extension sprawl increases exposure – Fewer extensions means fewer silent risks

Microsoft accounts hijacked without passwords, MFA, or passkeys

Image Source - Push Security

Watch | Read

A new browser-based attack technique is allowing attackers to take over Microsoft accounts without stealing passwords, bypassing MFA, or deploying malware. Victims are tricked into copying and pasting a URL that grants OAuth access to their account. Because the user is already logged in, the attacker receives a valid session token and gains access without triggering traditional alerts or controls.

The attack stood out because it relies entirely on normal-looking behaviour. Everything happens inside the browser, often via compromised websites or search results, and nothing appears broken. It reflects a broader shift away from exploiting technology and towards exploiting people, where strong technical controls still depend on users recognising when something does not look right.

The Awareness Angle

  • Consent is the weak point – Access can be granted, not stolen
  • Modern controls still rely on judgement – MFA reduces risk but does not remove it
  • Browser-based attacks change the game – Old detection assumptions no longer hold

WhatsApp ghost pairing enables silent account hijacks

Image Source - Gen Digital

Watch | Read

Attackers are hijacking WhatsApp accounts by abusing the platform’s built-in device linking feature. Victims are socially engineered into approving a new linked device, often through messages that appear to come from trusted contacts. Once paired, attackers can read messages in real time, impersonate the victim, and monitor conversations without disrupting normal use.

As Luke noted during the episode, “A working account is not the same thing as a secure one.” WhatsApp is widely used for informal work conversations, leadership chats, and quick decisions outside official systems. Because there are often no visible signs of compromise, attackers can remain connected for long periods unless users actively check their linked devices.

The Awareness Angle

  • Convenience features are attack paths – Normal functionality is being weaponised
  • Compromise can be invisible – No alerts does not mean no attacker
  • Routine checks reduce risk – Linked devices should be reviewed regularly

This week's discussion points...

NYC and DC real estate developer notifies 47,000 people of data breach – Watch | Read (Comparitech)

SoundCloud confirms breach after member data stolen, VPN access disrupted – Watch | Read (BleepingComputer)

PornHub extorted after hackers steal Premium member activity data – Watch | Read (BleepingComputer)

Inquiry ongoing after UK government hacked, says minister – Watch | Read (BBC News)

Fake “One Battle After Another” torrent hides malware in subtitles – Watch | Read (BleepingComputer)

Microsoft account takeover alerts surge as attackers test logins at scale – Watch | Read (Push Security)

Featured Chrome browser extension caught intercepting millions of users’ AI chats – Watch | Read (The Hacker News)

LG backtracks on Copilot web app deletion after user backlash – Watch | Read (The Verge)

Ghost Pairing, WhatsApp account hijack technique – Watch | Read (BleepingComputer)

North Korean infiltrator caught working in Amazon IT department via keystroke lag – Watch | Read (Reddit)

And Finally...The Amazon Insider Caught by 110 Milliseconds

Watch | Read

A North Korean infiltrator worked inside Amazon’s IT function, and the thing that gave them away was not malware, phishing, or suspicious logins.

It was typing.

Security teams noticed a consistent 110 millisecond delay between keystrokes. Tiny. Almost imperceptible. But enough to raise questions. The laptop was physically in the US. The person typing was not. The machine was being remotely controlled from North Korea, using legitimate access, doing legitimate work, until behaviour gave them away.

This is what modern insider risk looks like. No broken controls. No alarms. Valid credentials, authorised access, and activity that looked normal on the surface. The risk only surfaced because someone was paying attention to behavioural patterns rather than waiting for alerts.

It also raises an uncomfortable question about awareness. Behavioural signals can protect organisations, but they sit close to the line between monitoring and spying. In this case, it stopped a state-sponsored infiltration. In another, the same techniques could feel intrusive or excessive. Awareness is not just about spotting attackers, it is about understanding how security decisions affect people, trust, and culture.

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.

🎙️ In This Week’s Episode – 💥 Data breaches everywhere, 📺 LG TVs force Copilot, 🧑‍💼 Insider access failures

LG Copilot Update, Widespread Data Breaches, and Travel Privacy Fears

Hi, it's Ant!

This week on The Awareness Angle, I am on my own, and there is a lot to get through. Data breaches are everywhere, from forgotten accounts and simple misconfigurations to ransomware hitting pharma firms and exposing sensitive data. I look at how software updates are being abused to push malware, why Apple has rushed out fixes for active zero-days, and what it means when governments start accusing each other of cyber attacks on critical infrastructure.

I also dig into LG quietly pushing Microsoft Copilot onto smart TVs without a clear opt-out, raising some big questions about privacy and control in our own homes. And finally, there is a proposal in the US that could see travellers handing over years of social media just to get through the border.

All of that and more in this week’s Awareness Angle. It is just me this time as Luke's on his holidays, so let’s get straight into it.

Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube

This week's stories...

LG smart TVs quietly get Microsoft Copilot

Watch | Read

LG has pushed Microsoft Copilot onto a range of smart TVs via a routine firmware update, installing it as a system-level feature with no obvious way to remove it. It just appears. For a lot of people, this is not about Copilot being good or bad; it is about something being added to a device in their living room without being asked.

What really sits underneath this is control and data. Smart TVs already collect a lot of viewing and usage information, and adding an AI assistant only raises more questions about what is being gathered and where it goes. It is the same pattern we have seen with cars, phones, and other “smart” devices: once the hardware is in your home, the software can keep changing.

The Awareness Angle

  • Control after purchase – Buying hardware should not mean surrendering future decisions.
  • Data follows features – New functionality usually comes with new data flows.
  • Question connected defaults – Not everything needs to be online all the time.

US may require travellers to hand over social media history

Watch | Read | Read More

The US is proposing changes to its visa waiver process that could require travellers to provide up to five years of social media history, along with contact details and other personal information. This would apply to people travelling from countries like the UK who currently enter visa-free, often for work, conferences, or holidays.

I am not suggesting people have anything to hide, but it does raise an uncomfortable question about where the line sits. Online posts, likes, and opinions suddenly become part of a border decision. With major global events coming up in the US, it will be interesting to see how many people rethink travel if this goes ahead.

The Awareness Angle

  • Privacy versus security – Extra checks always come with trade-offs.
  • Digital history becomes identity – Old posts can gain new meaning at borders.
  • Friction changes behaviour – More intrusive processes discourage travel.

Millions exposed by third-party data breaches

Watch | Read

This week’s breaches include a credit-checking firm and a veterinary services provider, exposing millions of records through a mix of poor access control and simple misconfiguration. In many cases, the people affected never chose to trust these organisations; their data was just passed along as part of the background machinery of modern services.

This is why third-party risk feels so unfair at a personal level. You can be careful, you can follow advice, and you still end up dealing with the fallout because someone else made a mistake. Identity data cannot be changed, and once it is out there, it stays out there.

The Awareness Angle

  • Invisible trust chains – Your data moves far beyond the companies you recognise.
  • Long tail impact – Identity exposure lasts longer than headlines.
  • Basic hygiene still matters – Most damage comes from simple failures.

Pharma firm hit by ransomware and data theft

Watch | Read

A pharmaceutical research firm has confirmed it was hit by ransomware after attackers accessed and stole data before locking systems. This is now the standard playbook. Get in, take what you can, then encrypt everything and demand payment for both silence and recovery.

We still talk about ransomware as if it is mainly about downtime, but the real damage is often the data loss. In sectors like pharma and healthcare, that data can be sensitive, regulated, and tied to real people. Even when systems come back, the risk does not disappear.

The Awareness Angle

  • Ransomware is about leverage – Stolen data changes the pressure entirely.
  • Backups reduce pain, not risk – Recovery does not undo exposure.
  • Early access is the weak point – Phishing and stolen credentials remain common entry routes.

This Week's Discussion Points...

Coupang breach traced to ex-employee access - Watch | Read (BleepingComputer)

Credit check company breach exposes millions - Watch | Read (Tom’s Guide)

Petco Vetco website data exposure - Watch | Read (TechCrunch)

Inotiv ransomware attack and data theft - Watch | Read (BleepingComputer)

Apple emergency zero-day updates - Watch | Read (The Hacker News)

Notepad++ malicious update flaw - Watch | Read (BleepingComputer)

LG TVs install Microsoft Copilot - Watch | Read (WebProNews)

Germany accuses Russia of air traffic control cyber attack - Watch | Read (BBC News)

Pringles account breach and password reuse - Watch | Read (Reddit)

Harley Sugarman's Elsbeth TV show phishing simulation - Watch | Read (LinkedIn)

US proposal to collect travellers’ social media history - Watch | Read (TikTok)

And Finally...Pringles Popped

Watch

This week, someone shared a screenshot of a Google warning telling them their password for the Pringles website had been exposed in a data breach. And yes, that raises the obvious question: why does anyone even have a Pringles account?

But that is precisely the point.

Most of us now have hundreds of online accounts. Brand sites, loyalty schemes, competitions, things we signed up for once and never thought about again. We forget they exist, but attackers do not.

When one of those random accounts gets breached, it is not about crisps. It is about whether that same password works anywhere else. Email, shopping, social media, and work tools. That is where the real damage happens.

So laugh at the Pringles account if you want, but it is a perfect reminder that password reuse is still one of the biggest risks out there. If your brain cannot remember every account you have, it should not be trying to remember every password either.

That is why password managers matter, even for the silly stuff.

Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!

Scientology Breach, Windows Chaos and a Live ChatGPT Scam

Scientology hit by the Qilin ransomware gang

Watch | Read

The Church of Scientology has confirmed a ransomware attack after the Qilin gang claimed they stole 190 gigabytes of internal files. Samples posted online appear to include recent operational documents from its UK base. It is an unusual breach of a very private organisation, and it raises the question of what happens when a group built on secrecy loses control of its own information.

The Awareness Angle

  • Backups protect choices - Good backups take the pressure out of ransom negotiations and limit long-term damage.
  • Reputation does not reduce risk - Attackers care about opportunity and leverage, not public profile.
  • Fast isolation contains fallout - Stopping the spread early makes the difference between a bad day and a full crisis.

Westminster Council still struggling after last month’s attack

Watch | Read

Westminster Council is weeks into its recovery and still cannot process repairs, housing payments, children’s services referrals or even simple online requests. Residents are being pushed to offline workarounds while the council rebuilds systems and investigates the source of the attack. It is a clear reminder that cyber incidents do not just affect networks. They affect people and entire communities.

The Awareness Angle

  • Critical services need manual fallbacks - When systems fail, people need clear alternative paths.
  • Local impact is wide and immediate - Councils hold sensitive data and support essential services, so downtime hits real lives fast.
  • Shared platforms multiply the damage - When multiple councils share systems, one breach becomes everyone’s problem.

Windows 10 becomes a 500,000,000 device security problem

Watch | Read

More than five hundred million people are still on Windows 10. Support has ended, updates have stopped, and new vulnerabilities are now left open for attackers to use. This is not a user failure. This is a Microsoft-created problem. They made the upgrade path difficult. They set hardware requirements that millions of perfectly good devices cannot meet. They pushed people toward machines that need new chips and new components, even when the old ones still work.

This week’s Windows LNK zero-day proves the point. A simple shortcut file could run hidden code. Windows 11 users will get a fix. Windows 10 users are on their own. When half a billion people are stuck on an unsupported system, it is not a natural result of poor user behaviour. It is the result of a forced upgrade strategy that people cannot afford, cannot justify or simply cannot complete.

Microsoft says it is about progress and security. But creating a security crisis by ending support for a product that half the world still uses should not be called progress. It should be called what it is. A company decision that shifted risk from Microsoft to everyone else.

The Awareness Angle

  • Unsupported devices become easy targets - Once a product is abandoned, every new hole stays open. Attackers know exactly where to look.
  • Upgrade friction is a business problem, not a user flaw - People did not reject security. They rejected the cost and complexity of replacing hardware that still works.
  • Lifecycle planning beats last-minute panic - Organisations need clear plans for device refresh long before support ends. People should never be forced into insecure choices by a vendor.

This Week's Discussion Points...

Scientology ransomware attack

Watch | Read

Westminster Council still disrupted after cyber attack

Watch | Read

Freedom Mobile breach

Watch | Read

Brsk breach in the UK

Watch | Read

Marquis breach affecting seventy-four US banks

Watch | Read

Windows 10 security crisis and five hundred million unsupported devices

Watch | Read

Windows LNK zero-day actively exploited

Watch | Read

Microsoft Teams location and activity tracking concerns

Watch | Read

India drops plan to force cyber safety app on smartphones

Watch | Read

Fake ChatGPT Atlas installer used in ClickFix attack

Watch | Read

AI used to fake street footage and mislead viewers

Watch | Read

Employee falls for phishing but reports within minutes

Watch | Read

AI generated Home Alone behind the scenes footage

Watch | Read

Japanese studio makes candidates draw live to prevent AI cheating

Watch | Read

The Fake ChatGPT Atlas Attack We Caught Live

Watch

This one was wild because it unfolded in real time while we were recording. A sponsored Google search result appeared, claiming to offer a Mac install of something called “ChatGPT Atlas.” At first glance, it looked legitimate. Clean branding, a simple landing page, and a Google Sites address that many people would trust without thinking twice.

But the moment you clicked the download button, the trap appeared. The page told users to open their terminal, copy a command that had already been placed on the clipboard, paste it in, and press enter. That single instruction would have handed attackers full access to the device, likely including passwords and authentication tokens. No malware file, no pop-up, just social engineering wrapped inside “tech support” style instructions. Classic ClickFix.

The most alarming part came when we dug deeper. The Google ad promoting the fake installer was not placed by the attackers using their own domain. It was placed through a compromised Google Ads account belonging to a genuine charity. This gave the malicious site extra credibility because it came from a trusted advertiser with a history of clean campaign activity. It also explains why it climbed so high in search results.

This is what modern attacks look like. No broken English. No dodgy popups. Just familiarity, big brand names, borrowed trust and a single "copy and paste" that does the damage.

The Awareness Angle

  • Trust is being borrowed from real brands - Attackers know people search for “ChatGPT app” or “ChatGPT browser” and click the first result. They do not need to fool the platform. They only need to fool the user.
  • Terminal commands are the new phishing link - Tech-savvy staff are often the easiest to catch here. If you are used to running commands, you stop questioning the source.
  • Platform trust signals are fading fast - Google Sites, sponsored results, clean pages, even verified advertiser accounts. None of these guarantees safety anymore. The only safe rule is this: never paste a command into your terminal unless you know exactly who wrote it.

Cartels, Fake Updates and One Big Budget Oops

ClickFix attacks are now using fake Windows updates to install malware. And a government budget was leaked because someone guessed the URL.

This week’s episode looks at why the smallest human shortcuts still create the biggest openings. From predictable web addresses to fake update screens that look almost real, Ant breaks down why attackers keep coming back to the same ideas. Because they work.

Also this week, London councils face a major cyber incident, the US emergency alert system is disrupted by ransomware, and Harvard reveals a vishing breach that exposed donor data. Mix in AI voice scams and a coffee machine admin menu that uses 1111 as the password, and you get a perfect snapshot of where human security habits really are.


            Breach Watch

            London councils hit by severe cyber incident

            Watch | Read

            Several London boroughs, including Kensington and Chelsea and Westminster City Council, are dealing with a major incident affecting services and phone lines. They have notified the ICO and are working with the NCSC. Councils hold some of the most sensitive personal data in the country, which makes this a serious situation for anyone living in those areas.

The Awareness Angle

            • Sensitive data attracts attention - People often forget how valuable council records can be for profiling and scams.
            • Service disruption hurts fast - When core services pause, the ripple effect hits vulnerable people first.
            • Partnerships matter - Fast support from NCSC shows how important joined up response is.

            US emergency alert system disrupted after ransomware attack

            Watch | Read

            The OnSolve Code Red platform, which powers emergency notifications across the United States, was taken offline after a ransomware attack. Agencies temporarily lost the ability to send weather alerts and critical warnings. They are restoring the system from a backup more than six months old.

The Awareness Angle

            • Backups only help if they are recent - Restoring from half a year ago shows why recovery needs routine testing.
            • Criminals do not care about impact - Even life-saving systems are targets.
            • Ransomware is still a supply chain problem - One compromised provider can hit thousands of communities.

            Harvard reports vishing breach exposing alumni data

            Watch | Read

            Attackers used voice phishing to access Harvard’s alumni and donor systems. Emails, phone numbers, addresses and donation details were exposed. No payment data was taken, but the personal context is sensitive enough to power convincing social engineering attempts.

            The Awareness Angle

            • Phone calls bypass many controls - People trust a real voice more than an email.
            • Context is power - Donation history and relationships make scams far more believable.
            • Vishing is rising fast - It is still one of the easiest entry points for attackers.

            OBR budget leaked because the URL was predictable

            Watch | Read

            Journalists accessed the UK budget forty minutes early by guessing the link. It was a near copy of last year’s URL. No hack. Just poor digital housekeeping.

The Awareness Angle

            • Predictability is a vulnerability - If someone can guess it, they will.
            • Security by obscurity does not work - Publishing sensitive material without protection is never safe.
            • Randomising filenames is basic hygiene - Fundamentals still matter.

            This Week's Stories...

            SIM swap story shows how quickly attackers can take over everything

            Watch | Read

            The BBC shared the story of a woman whose number was hijacked. Attackers took over her Gmail, locked her out of her bank, opened a credit card, broke into her WhatsApp and even threatened groups she was part of. All powered by old breach data and a SIM swap request.

The Awareness Angle

            • Your phone number is an identity key - If someone controls it, they can reset almost anything.
            • Old breach data still matters - Information from years ago can fuel modern scams.
            • SIM swap alerts must not be ignored - If your phone suddenly loses signal, call your provider fast.

            Fake Windows update uses ClickFix to deliver malware

            Watch | Read

            A fake Windows update page tells people to press Windows and R, then paste code they did not type. It looks convincing enough to fool anyone who is not deeply familiar with update screens. This continues the wider ClickFix trend attackers have been using all year.

The Awareness Angle

            • No one should ever paste code from a pop up - This is a simple behaviour that is easy to teach.
            • Interfaces can be faked - People trust what looks familiar.
• Run box attacks are everywhere - Microsoft needs to address this, but organisations can help by educating their people.

            Black Friday scam wave hits with polished fake surveys

            Watch | Read

            Malwarebytes found more than one hundred domains pushing fake rewards for Lego, Yeti, Louis Vuitton and more. It starts with a survey and ends with a request for a small shipping fee. That final step steals payment details.

The Awareness Angle

            • Big brands equal big trust - Scammers lean on names people recognise.
            • Shipping fee scams are everywhere - Small payments feel harmless, which is the point.
            • Holiday pressure lowers caution - Urgency and excitement make mistakes more likely.

            This Week's Discussion Points...

            Breach Watch

            London councils cyber incident Watch | Read - The Guardian

            OnSolve CodeRED emergency alert outage Watch | Read - BleepingComputer

            Harvard vishing breach exposing alumni and donor data Watch | Read - BleepingComputer

            OBR budget leak caused by a guessable URL Watch | Read - The Register

            The News

            SIM swap story and why old breach data still matters Watch | Read - BBC News

            New ClickFix wave using fake Windows updates Watch | Read - Malwarebytes

            Black Friday fake brand giveaways and survey scams Watch | Read - Malwarebytes

            AI kidnapping scam using a cloned voice Watch | Read - FOX 5 NY

            Corridor Crew test AI shopping scams Watch | Read - YouTube

            Gmail smart features and email scanning correction Watch | Read - Malwarebytes

            Awareness Awareness

            Layer 8 Champions Impact Report early look Watch | Read - CIISec and Layer 8

            And Finally...

            A free coffee machine hack thanks to a default password

            Watch | Watch on TikTok

            Luke found a video of someone double-tapping a Frankie coffee machine and entering 1111 to unlock the admin panel. You can edit drinks, change settings or run a free taste cycle. A perfect example of why default passwords create easy wins for attackers.

The Awareness Angle

            • Anything with a screen needs a new password - Even a coffee machine.
            • Defaults stay forever unless someone changes them - Build this into onboarding.
            • Physical access still matters - Small devices can cause big problems.

            Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

            Ant Davis and Luke Pettigrew write this newsletter and podcast.

            The Awareness Angle Podcast and Newsletter is a Risky Creative production.

            WhatsApp Leak, Rail Hack and CCTV Horror Stories

            This episode dives into the attacks and scams that show how fragile everyday systems really are. From a rail IT supplier leaking terabytes of data to CCTV cameras exposing maternity wards, and a Google ad scam that fooled one of our own. It has been a busy week.

            Luke and I break it all down in plain language. No drama. No jargon. Just what people need to stay safe at work and at home.


            Introducing Kindred Cyber and Kinsights

Last week, Ant launched Kindred Cyber, his new home for people-centred security work. One of the first things he is offering is Kinsights, a clear and honest look at how your culture is really doing. It cuts through noise, shows what is working, and gives you the actions that actually help people change their behaviour. If you want a sharper view of your awareness activities, Kinsights is where to start. Find out more at www.kindredcyber.com.

Get in touch today for a chat!

            The Breach Report

            Italian rail supplier hit with a 2.3 TB data leak

            Watch | Read

A hacker claims to have taken 2.3 TB of internal data from Almaviva, an IT supplier for Italy’s rail network. Technical docs, contracts, HR files, accounting data. The lot. It is unclear whether passenger data is included, but the size and depth of the leak are significant.

            The Awareness Angle

            • Supply chains matter. Attackers often go for the vendor, not the main brand.
            • Structured data is gold. When the leak includes internal repos, it indicates deep access.
            • Reputation is fragile. Public sector contracts depend heavily on trust.

            Salesforce customers impacted via Gainsight integration

            Watch | Read

            ShinyHunters are back. This time they appear to have used tokens from a previous breach to access Salesforce customers through a Gainsight integration. Salesforce revoked all tokens while they investigate. It is another reminder that synced tools can quietly open doors you thought were locked.

            The Awareness Angle

            • Third parties expand the attack surface. OAuth connections are often the weak link.
            • Attackers reuse access for months. Once they have one foothold, they circle back.
            • Token hygiene matters. Organisations need to audit old integrations more often.

            One hundred and twenty thousand CVs leaked in Cornerstone Staffing ransomware attack

            Watch | Read

            Qilin claim to have stolen 300 GB of Cornerstone Staffing data, including 120,000 CVs and more than a million files with personal data and financial documents. CVs are a treasure trove for cybercriminals. Perfect for identity theft and targeted phishing.

            The Awareness Angle

            • CVs expose everything. Skills, job history, phone numbers, home addresses.
            • Double extortion is standard now. Even if you recover systems, the leaks keep coming.
            • Threat groups move fast. Qilin have claimed almost one thousand victims since 2023.

            A WhatsApp flaw exposed 3.5 billion phone numbers

            Watch | Read

Researchers from the University of Vienna scraped almost the entire WhatsApp user base by hammering the contact lookup system. With no rate limits in place at the time, they pulled phone numbers, profile photos and bios in bulk. All public metadata, just gathered at scale.

            The Awareness Angle

            • Metadata is enough. Attackers do not need messages to target you.
            • Rate limits matter. Systems should never allow bulk lookups.
            • Phone numbers are weak identifiers. They are too easy to harvest.

            The News

            US, UK and Australia sanction Russian hosting companies linked to ransomware

            Watch | Read

            Media Land, a well known bulletproof hosting provider, has been sanctioned for enabling ransomware gangs including LockBit and Evil Corp. It is part of a coordinated effort to choke off the infrastructure these groups rely on.

            The Awareness Angle

            • Hitting infrastructure hurts. Without servers, campaigns slow down.
• International coordination is improving. Sanctions across three nations are a strong signal.
            • Enablers are in scope. Not just the hackers, but the support systems.

            Twitch banned for under sixteens in Australia

            Watch | Read

            Australia’s new social media rules now include Twitch. Under sixteen accounts must be blocked or closed. Platforms face huge fines if they do not comply.

            The Awareness Angle

            • Livestreaming now equals social media. Regulators are treating them the same.
            • Age verification is coming. Likely ID checks or face recognition in future.
            • The internet is shifting. Young users will move to lesser known platforms.

            Hackers sell maternity ward CCTV footage online

            Watch | Read

            Fifty thousand CCTV systems across India, including maternity hospitals, schools and homes, were hacked using default passwords and weak setups. Footage was sold on Telegram for as little as nine dollars. Eight people were arrested.

            The Awareness Angle

            • Default passwords remain a massive problem.
            • CCTV needs proper security just like any other device.
            • Real people suffer real harm. The victims here were at their most vulnerable.

            Teenagers plead not guilty in the London Transport cyber attack

            Watch | Read

            Two teenagers linked to Scattered Spider have pleaded not guilty after the TfL attack that disrupted systems and forced identity checks for every staff member. The trial is set for June 2026.

            The Awareness Angle

            • Critical infrastructure is under constant pressure.
            • Younger attackers are being recruited and guided by bigger groups.
            • Legal cases like this take years to resolve.

            Awareness Awareness

            CIISec Live is this week

Ant is heading to the Chartered Institute of Information Security’s CIISec Live at Heathrow for a QI style session blended with a Who Wants to Be a Millionaire format. The question we are answering is simple. How do we actually change behaviour and culture in cyber?

            If you are in engagement, training or human risk, the event is worth your time. https://www.ciisec.live/

            This Week’s Topics From Us

            Watch the topics section

            1. The social engineering trick that asks for your phone’s unlock code

A WhatsApp style scam screenshot has been doing the rounds. It shows how easy it is for someone to ask for your phone’s passcode under the guise of returning a lost phone. Simple but effective. Real or not, it's a useful reminder.

            2. The AI data leak problem is getting worse

            A developer posted 200 customer records straight into ChatGPT to debug a SQL query. No policy prevented it. No DLP caught it. The browser made it invisible. Everyone is facing this problem and policy alone is not enough. Engagement matters.

            3. Sponsored Google ads strike again

            Luke shared a real example after someone booked flights through a sponsored Google search result. A convincing fake site, Airpaz, took the booking and the card details. Thankfully the bank stopped it. The Trustpilot reviews for Airpaz tell the full story and they are not pretty.

            The Awareness Angle

            • Sponsored does not mean safe.
            • Fake sites look perfect now.
            • Always check the URL before entering details.


            And finally… a quick reminder for Black Friday

            If you buy any connected tech this week, especially cameras, doorbells or baby monitors, change the default passwords immediately. Cheap devices often come with weak security. A few minutes of setup can prevent a painful story later.
