Jul 21, 2025
Why Was an Elevator Held Hostage by Windows?

This episode is packed with privacy fails, phishing scams, and one very unfortunate elevator ride. We kicked things off with Fitify, a fitness app that left over 370,000 files exposed online, including 138,000 user progress pics and body scans. These were stored in an unprotected Google Cloud bucket and were accessible to anyone with a link. Many of the images were uploaded for Fitify’s AI coach, often featuring users in minimal clothing. It’s a sharp reminder that encryption in transit isn’t the same as being safe at rest, and that hardcoded secrets in code can open up serious risks. Users trusted the app with personal data, and it let them down.

Then we talked about WeTransfer’s AI terms-of-service drama. After a wave of backlash from creatives, the company clarified that it wouldn’t use files to train AI models, just to help moderate harmful content. It’s a lesson in clear language, user trust, and why reviewing the fine print still matters. CapCut and Dropbox have faced similar scrutiny. Everyone’s watching where their data might end up next.

From there we moved into national security. A breach by Salt Typhoon forced US military networks to assume they were fully compromised. The espionage group reportedly accessed conversations from senior officials and spent nearly a year inside the National Guard’s systems. If Zero Trust wasn’t on your radar before, it should be now.

Closer to home, Reddit rolled out age verification in the UK ahead of new Online Safety Act rules. Users now have to upload selfies or government ID to access adult content, verified by a third-party firm called Persona. While it’s meant to protect kids, it raises fresh questions around online anonymity, privacy trade-offs, and whether VPNs will simply sidestep it all.

Pet owners weren’t spared either. Thousands received fake microchip renewal emails, even though microchips don’t expire. The scam messages were personalised, using real chip numbers, breeds, and names. Some pet databases allow you to search details without any real rate-limiting or security checks, meaning attackers could scrape info in bulk. This one blends phishing, poor platform security, and good old-fashioned oversharing.

In India, police raided a tech support scam call centre after an 18-month joint investigation with the NCA, FBI, and Microsoft. The centre had duped UK victims out of hundreds of thousands of pounds by using fake virus pop-ups and impersonating Microsoft. These scams are global, evolving, and still preying on fear.

We also discussed the UK data breach that forced a secret Afghan relocation scheme. Nearly 19,000 people had their details leaked when a British official emailed a sensitive file to the wrong recipients. So far, over 4,500 have been relocated under a programme that was kept quiet until a High Court judge lifted the super injunction. It’s one of the most extreme examples of real-world harm from a simple mistake, and a wake-up call for better systems that don’t rely on human perfection.

Louis Vuitton confirmed that UK customer data had been stolen in a cyberattack. No financial info was taken, but names, emails, and purchase history were. That’s more than enough for phishing. With similar breaches in their Korean, Italian, and Swedish operations, this seems to be a coordinated campaign, likely tied to the ShinyHunters group behind the Ticketmaster and Santander breaches.

We wrapped up with a few wildcards. A lift got stuck mid-ride because of a Windows update, a reminder that some companies are putting critical infrastructure on connected touchscreens. Not ideal. And finally, Luke brought a phishing scam that used white-on-white text to trick Google Gemini into producing fake warnings. Simple trick, big risk. AI tools are powerful, but they still fall for very old-school tactics.

This week’s Awareness Awareness focused on new hire phishing stats from Keepnet. New starters are 44 percent more likely to fall for phishing attempts, especially in their first 90 days. If you don’t show people what normal looks like when they join, they’re left guessing, and that’s a risky game.

Fitify Leaks 138K Progress Photos
WeTransfer AI Terms Backlash and Retraction
US Military Told to Assume Network Compromise
Reddit Introduces Age Verification in the UK
Fake Pet Microchip Renewal Scams Target UK Owners
Indian Police Raid Tech Support Scam Call Centre
Secret Afghan Relocation Scheme After MoD Breach
Louis Vuitton Customer Data Breach
New Hires More Likely to Fall for Phishing (Keepnet Report)
Experiences of Victims of Cybercrime (Shared by Listener Boris)
Anti-Phishing Training Might Be Making Things Worse
Windows Update Traps Someone in a Lift
Google Gemini Phishing Risk Discovered (Luke’s Topic)