This week on The Awareness Angle, Luke is back, and we have a lot to get through together. We are talking about a real estate firm quietly exposing tens of thousands of people, SoundCloud losing control of user data while breaking its own VPN access, and Pornhub dealing with extortion after deeply personal viewing history leaked via a third-party analytics mess.
We also look at malware hiding inside movie subtitles, browser extensions harvesting millions of AI chats in plain sight, and a new Microsoft account takeover technique that bypasses passwords, MFA, and passkeys without dropping malware. Add in WhatsApp account hijacking through ghost pairing, a UK government hack still being downplayed, and smart TVs quietly shaping what we can and cannot do in our own homes, and there is a clear theme running through this week.
All of that and more in this week’s Awareness Angle, so let’s get straight into it.
Watch or Listen to the episode today - YouTube | Spotify | Apple Podcasts
Visit riskycreative.com for past episodes, our blog, and our merch.
The Week's Stories...
Browser extensions secretly harvesting AI chats
Image source - KOI Security, via The Hacker News
A Chrome browser extension with millions of users and a trusted Featured badge was found silently intercepting AI conversations from tools like ChatGPT, Copilot, Gemini, and others. Prompts, responses, timestamps, and session data were routed back to the developer and shared with an affiliated analytics firm. The behaviour was introduced through an update and documented quietly in a privacy policy, rather than being the result of a technical flaw.
During the discussion, Ant summed up the risk clearly: “If it’s free, you’re probably the product.” AI tools are now being used for genuine work, with people pasting emails, notes, ideas, and sensitive context into them without hesitation. This story highlights how browser extensions can turn everyday behaviour into large-scale data exposure without users ever realising.
The Awareness Angle
- Trust signals are misleading – Featured badges and ratings are not security guarantees
- AI prompts are high-value data – Inputs often contain information people would never share elsewhere
- Extension sprawl increases exposure – Fewer extensions means fewer silent risks
Microsoft accounts hijacked without passwords, MFA, or passkeys
Image Source - Push Security
A new browser-based attack technique is allowing attackers to take over Microsoft accounts without stealing passwords, defeating MFA prompts, or deploying malware. Victims are tricked into copying and pasting a URL that grants OAuth access to their account. Because the user is already logged in, the attacker receives a valid session token and gains access without triggering traditional alerts or controls.
The attack stood out because it relies entirely on normal-looking behaviour. Everything happens inside the browser, often via compromised websites or search results, and nothing appears broken. It reflects a broader shift away from exploiting technology and towards exploiting people, where strong technical controls still depend on users recognising when something does not look right.
The Awareness Angle
- Consent is the weak point – Access can be granted, not stolen
- Modern controls still rely on judgement – MFA reduces risk but does not remove it
- Browser-based attacks change the game – Old detection assumptions no longer hold
WhatsApp ghost pairing enables silent account hijacks
Image Source - Gen Digital
Attackers are hijacking WhatsApp accounts by abusing the platform’s built-in device linking feature. Victims are socially engineered into approving a new linked device, often through messages that appear to come from trusted contacts. Once paired, attackers can read messages in real time, impersonate the victim, and monitor conversations without disrupting normal use.
As Luke noted during the episode, “A working account is not the same thing as a secure one.” WhatsApp is widely used for informal work conversations, leadership chats, and quick decisions outside official systems. Because there are often no visible signs of compromise, attackers can remain connected for long periods unless users actively check their linked devices.
The Awareness Angle
- Convenience features are attack paths – Normal functionality is being weaponised
- Compromise can be invisible – No alerts does not mean no attacker
- Routine checks reduce risk – Linked devices should be reviewed regularly
This week's discussion points...
NYC and DC real estate developer notifies 47,000 people of data breach – Watch | Read (Comparitech)
SoundCloud confirms breach after member data stolen, VPN access disrupted – Watch | Read (BleepingComputer)
PornHub extorted after hackers steal Premium member activity data – Watch | Read (BleepingComputer)
Inquiry ongoing after UK government hacked, says minister – Watch | Read (BBC News)
Fake “One Battle After Another” torrent hides malware in subtitles – Watch | Read (BleepingComputer)
Microsoft account takeover alerts surge as attackers test logins at scale – Watch | Read (Push Security)
Featured Chrome browser extension caught intercepting millions of users’ AI chats – Watch | Read (The Hacker News)
LG backtracks on Copilot web app deletion after user backlash – Watch | Read (The Verge)
Ghost Pairing, WhatsApp account hijack technique – Watch | Read (BleepingComputer)
North Korean infiltrator caught working in Amazon IT department via keystroke lag – Watch | Read (Reddit)
And Finally... The Amazon Insider Caught by 110 Milliseconds
A North Korean infiltrator worked inside Amazon’s IT function, and the thing that gave them away was not malware, phishing, or suspicious logins.
It was typing.
Security teams noticed a consistent 110 millisecond delay between keystrokes. Tiny. Almost imperceptible. But enough to raise questions. The laptop was physically in the US. The person typing was not. The machine was being remotely controlled from North Korea, using legitimate access, doing legitimate work, until behaviour gave them away.
This is what modern insider risk looks like. No broken controls. No alarms. Valid credentials, authorised access, and activity that looked normal on the surface. The risk only surfaced because someone was paying attention to behavioural patterns rather than waiting for alerts.
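The story does not say how Amazon's team measured the delay, so the following is an added illustration rather than their method or any vendor's code. It assumes a defender has inter-keystroke interval logs (milliseconds between key events) for a known-good baseline session and for the session under review, both constructed here. The check separates an added, near-constant latency (what a remote-controlled laptop would show) from a user who is simply typing more slowly, which stretches every gap rather than shifting them all by the same amount.

```python
from statistics import median, pstdev

# Constructed sample data (not from the story): inter-keystroke gaps in ms.
# Baseline: the user's own cadence, captured on a known-good session.
BASELINE_MS = [95, 110, 130, 88, 142, 101, 119, 97, 135, 108, 124, 91]
# Session under review: same cadence with a near-constant ~110 ms added to every gap.
SESSION_MS = [205, 221, 240, 198, 252, 211, 229, 206, 245, 218, 234, 201]
# Control case: the same user typing at half speed (every gap doubled, no fixed offset).
SLOW_TYPING_MS = [190, 220, 260, 176, 284, 202, 238, 194, 270, 216, 248, 182]


def interval_offset(baseline, session):
    """Median shift of inter-keystroke gaps relative to the baseline, in ms."""
    return median(session) - median(baseline)


def offset_is_consistent(baseline, session, tolerance_ms=10):
    """True when the quantile-by-quantile difference between the two
    distributions is near-constant, i.e. a fixed latency was added to each
    keystroke rather than the whole cadence being stretched."""
    b, s = sorted(baseline), sorted(session)
    n = min(len(b), len(s))
    diffs = [s[i] - b[i] for i in range(n)]
    return pstdev(diffs) <= tolerance_ms


def flag_remote_control(baseline, session, min_offset_ms=80, tolerance_ms=10):
    """Flag a session whose gaps are shifted by a large, uniform offset.
    Thresholds are illustrative assumptions, not values from the story."""
    offset = interval_offset(baseline, session)
    return offset >= min_offset_ms and offset_is_consistent(baseline, session, tolerance_ms)


if __name__ == "__main__":
    for name, sample in (("session", SESSION_MS), ("slow typing", SLOW_TYPING_MS)):
        print(f"{name}: offset={interval_offset(BASELINE_MS, sample):.1f} ms, "
              f"flagged={flag_remote_control(BASELINE_MS, sample)}")
```

The slow-typing control is the point of the second check: its median gap is also roughly 110 ms above baseline, but the per-quantile differences spread widely, so it is not flagged. In practice a baseline would be built from many sessions and the thresholds tuned to the user population, and, as the next paragraph notes, any such monitoring needs a clear policy behind it.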
It also raises an uncomfortable question about awareness. Behavioural signals can protect organisations, but they sit close to the line between monitoring and spying. In this case, it stopped a state-sponsored infiltration. In another, the same techniques could feel intrusive or excessive. Awareness is not just about spotting attackers, it is about understanding how security decisions affect people, trust, and culture.
Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
Ant Davis and Luke Pettigrew write this newsletter and podcast.
The Awareness Angle Podcast and Newsletter is a Risky Creative production.