This week on The Awareness Angle, we are back after the Christmas break and straight into two weeks’ worth of cyber news that didn't slow down just because the calendar said it should. From phishing emails abusing real Google services and browser extensions quietly infecting millions, to Ubisoft taking Rainbow Six Siege offline after attackers started banning players live (with a little bit of Shaggy), there is plenty to unpack.
We look at airlines and retailers exposing customer data through supplier and access failures, including Korean Air and Coupang, where smashed laptops, rivers and forgotten access played a bigger role than sophisticated hacking. We also dig into ClickFix attacks being sold as a service, sleeper browser extensions stealing data months after install, and a British hacker who quite literally hacked his way into an Australian visa by doing things the right way.
Add in Meta quietly shaping how scam ads are policed, smart hacking tools being banned from a mayoral inauguration, and a growing tension between security, perception, and trust, and a clear theme starts to emerge.
All of that and more in this week’s Awareness Angle, so let’s get into it.
Watch or Listen to the episode today - YouTube | Spotify | Apple Podcasts
Visit riskycreative.com for past episodes, our blog, and our merch.
This Week's Stories...
Spotify scraping shows why “just metadata” is never just metadata
Claims a couple of weeks ago suggested Spotify content was scraped at massive scale, with Anna’s Archive alleging access to metadata for around 256 million tracks and audio files for roughly 86 million songs. The archive, reported to be around 300TB in size, has been distributed via torrents. Spotify said it identified and disabled accounts involved in unlawful scraping, describing the activity as a mix of public metadata access and illicit tactics, but stopped short of confirming the full scale of what is circulating.
What makes this story uncomfortable is that it doesn't look like a traditional breach. As we discussed on the show, this appears to be access working as designed, just abused at scale. It is easy to wave this away as “just metadata,” but metadata carries context. It reveals behaviour, popularity, listening patterns, and connections over time. Combined with other sources, it becomes far more revealing than most people expect. Add in the fact that torrents and unofficial archives are a common delivery mechanism for malware, and this stops being just a copyright issue.
Awareness angles
- Metadata is not harmless – Even without names or passwords, metadata can expose behaviour, habits, and patterns when collected at scale or combined with other data sources
- Abuse accelerates quietly – When automated access or credentials work once, they can be reused rapidly, turning small gaps into mass scraping before anyone notices
- Trust the file, not the story – Archives framed as preservation or culture can still be high risk; unofficial downloads are a common place for malicious content to hide
The browser extensions you forgot about might be the riskiest thing you use
Security researchers recently uncovered a long-running campaign that saw malicious browser extensions infect millions of users across Chrome, Edge, and Firefox, often without raising any suspicion. The activity, linked to a threat cluster dubbed DarkSpectre, involved extensions that appeared completely legitimate, complete with positive reviews, large install numbers, and official store badges. In some cases, these extensions sat quietly for days or weeks before activating malicious behaviour.
What makes this story so unsettling is how normal it all looks. As we talked about on the show, these were not shady downloads from obscure websites. They were tools people installed to customise tabs, improve productivity, or tweak their browsing experience. Once trusted, they were largely forgotten. That trust gave attackers ongoing access to sessions, credentials, meeting data, and in some cases crypto wallets, turning the browser into a silent surveillance tool.
This is a reminder that your browser is not just a window to the internet. It is part of your attack surface. Extensions run with deep privileges, often seeing everything you type, click, or view. When they turn malicious later, detection is hard and user suspicion is low, because nothing appears to change.
Awareness angles
- Install once does not mean safe forever – Extensions can change behaviour after updates, long after reviews and store checks have passed
- Dormant threats are deliberate – Waiting days or weeks before activating is a common way to evade detection and earn user trust
- Your browser is a security boundary – Extensions have access to sensitive data and sessions, making them a direct path into work and personal accounts
Meta knew about scam ads, and people kept getting hurt anyway
A Reuters investigation a couple of weeks ago laid out something many people already suspected. Meta, the company behind Facebook and Instagram, knew scam ads were a problem, knew how to reduce them, and still chose to manage the situation rather than fix it properly.
This is not about edge cases or clever users spotting red flags. These are the fake loan offers, investment scams, and impersonation ads that show up while people are tired, stressed, or just scrolling. Reuters reported that Meta was aware stronger advertiser checks would cut scams, but held back because of cost and potential impact on ad revenue. In other words, the scams kept running, and real people kept paying the price.
As we said on the show, this is where the blame needs to move. When the same scams appear again and again, it stops being a question of awareness or education. If a platform knows what works and delays using it, that is a choice. And when that choice leads to people losing money, confidence, or trust, it is not on the user to be more careful; it is on the platform to do better.
Awareness angles
- People are not failing here – When scams keep appearing, the problem is not judgement, it is enforcement
- Meta had options – Stronger checks would have reduced harm, and choosing not to use them has consequences
- Scams are a design issue – What platforms allow, tolerate, or profit from shapes who gets hurt
This week's discussion points...
Anna’s Archive claims massive Spotify scrape, raising questions about data access and abuse – Watch | Read (Android Authority)
Rainbow Six Siege hit by major hack, Ubisoft takes servers offline after chaos in game economy and bans – Watch | Read (Tom’s Hardware)
Korean Air discloses passenger data exposure after supplier cyberattack – Watch | Read (Security Affairs)
Coupang breach uncovered after smashed laptop data recovered by investigators – Watch | Read (The Record)
Phishing campaign abuses real Google services to look legit, then steals Microsoft logins – Watch | Read (TechRadar)
British hacker wins Australian visa after legally hacking government website – Watch | Read (Cyber News)
ErrTraffic sells “fake browser glitch” pages to push ClickFix attacks – Watch | Read (BleepingComputer)
DarkSpectre browser extension malware infected 8.8 million users across Chrome, Edge and Firefox – Watch | Read (Cybersecurity News)
Meta built “playbook” to delay crackdowns on scam ads, internal documents reveal – Watch | Read (Reuters)
NYC mayoral inauguration bans Flipper Zero and Raspberry Pi devices over security fears – Watch | Read (BleepingComputer)
And Finally... When AI Jailbreaks Get Pushed Underground
A subreddit used by researchers gets closed down
A subreddit focused on ChatGPT jailbreaks has been shut down, and on the surface that sounds like a win. Fewer prompts being shared, less obvious misuse, and fewer screenshots doing the rounds.
But that space was doing more than showing people how to break things. It was one of the few places where you could see what people were actually trying in the wild. What worked. What failed. What guardrails were being walked straight around. Removing it from Reddit has not stopped the behaviour; it has just moved it somewhere quieter.
This is the awkward bit. A lot of security learning comes from watching real behaviour, not ideal behaviour. Taking away visibility does not suddenly make AI safer; it just makes the problems easier to ignore. The jailbreaks will still exist, but fewer defenders will see them.
Awareness angles
- You cannot fix what you cannot see – Removing public discussion hides problems; it does not remove them
- People will keep pushing systems – Curiosity and misuse do not disappear just because a platform closes a space
- Visibility beats comfort – Seeing how things break is uncomfortable, but it is how security actually improves
Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
Ant Davis and Luke Pettigrew write this newsletter and podcast.
The Awareness Angle Podcast and Newsletter is a Risky Creative production.