This episode is packed with leaked customer data, another employee phishing story that turned into a full blown breach, and some awkward questions about how much we really trust our password managers.
This week on The Awareness Angle, ShinyHunters are back with more stolen data, Canada Goose is investigating after hundreds of thousands of customer records were leaked, and Eurail has confirmed traveller information is now up for sale on the dark web. Different brands. Same story. Collect loads of data. Store it. Hope it never gets out.
We also talk about a fintech firm that disclosed a breach after a single employee was phished. One inbox. One click. Real consequences. The human layer is still where this starts.
Then we get into password managers. What do they actually see? Where are the weak spots? And are we a bit too comfortable assuming the vault is untouchable?
All of that, and a few opinions from us along the way, in this week’s edition of The Awareness Angle.
The Awareness Angle is best served in full. Watch on YouTube, listen on Spotify, Apple Podcasts, or wherever you get your podcasts. If you like your cyber news with context, challenge, and a few raised eyebrows, this one’s for you.
Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts
Visit riskycreative.com for past episodes, our blog, and our merch.
This Week's Stories...
Phishing Led Breach at Figure
Fintech firm Figure has disclosed a data breach after an employee fell victim to a phishing email.
According to the company’s filing, the attack began with a successful phishing email that compromised an employee account. From there, the attacker gained access to internal systems and certain customer files.
Figure says there is currently no evidence that financial account credentials or customer funds were accessed. However, names, contact details and other personal information linked to customer accounts were exposed. Impacted individuals are now being notified.
ShinyHunters has reportedly claimed responsibility and says the breach is linked to a wider campaign targeting organisations using single sign on providers.
No zero day. No nation state. Just one convincing email.
The Awareness Angle
- Phishing still works – Even in fintech, even with mature security teams, one well crafted email can open the door.
- Access pathways matter – Inbox compromise is only step one. The real question is what that account can reach once inside.
- Human risk is business risk – This started with a person. Controls, monitoring, and response speed determine how far it spreads.
AI Generated Passwords Might Not Be as Smart as You Think
There’s been a bit of noise this week around AI generated passwords, and it’s worth paying attention to.
Researchers looked at passwords created by tools like ChatGPT, Claude and Gemini and found something interesting. They looked strong. They had symbols, numbers, upper and lower case. They passed basic strength tests. But they weren’t truly random.
Because large language models generate likely patterns, not true entropy, some passwords followed very similar structures. In some cases, near identical formats were repeated across tests. That means an attacker who understands how these models tend to construct strings could reduce the guesswork significantly.
It’s not that AI is useless. It’s just not built to be a cryptographic random number generator. So, if you’ve ever asked a chatbot to “give me a strong password”, it might be worth changing it.
The Awareness Angle
- Complex looking isn’t the same as secure – If something follows a pattern, attackers can learn that pattern.
- AI generates probability, not randomness – That works brilliantly for language. Not so brilliantly for passwords.
- Don’t outsource security decisions to convenience – Use a password manager, a long passphrase, or passkeys. Let tools designed for randomness handle randomness.
Infostealer Malware Now Targeting OpenClaw Secrets
We spoke more than once over the past few weeks about OpenClaw and the rise of agent based AI tools. This week, that story moved on yet again.
Security researchers have identified the first real world case of infostealer malware specifically harvesting OpenClaw configuration files. Not just browser passwords. Not just cookies. But API keys, authentication tokens and private cryptographic material tied to AI agents.
The important bit here is this.
People are wiring these agents into email, apps, local files and workflows. They are giving them memory. They are giving them access. And that means a single malware infection can now expose not just accounts, but the operational identity of someone’s AI assistant.
This is not a futuristic attack. It is infostealer malware doing what infostealers do. It just found a new goldmine of data sitting locally on machines.
AI agents are quickly becoming high value identity hubs.
The Awareness Angle
- AI agents centralise access – Email, tokens, apps and history all in one place makes them incredibly powerful, and incredibly attractive to attackers.
- Malware evolves fast – Infostealers are not targeting “AI” as a concept. They are simply harvesting files that contain keys and secrets. AI tools just happen to store lots of them.
- Experimentation needs guardrails – Curiosity is good. But when employees plug new tools into core systems without visibility, risk expands quietly.
Eurail and Canada Goose – Contact Data Still Has Teeth
Two very different brands this week, same underlying issue.
Eurail has confirmed that stolen traveller data is now being offered for sale online. The data includes names, email addresses, country of residence and booking details. Around the same time, Canada Goose began investigating claims that roughly 600,000 customer records were leaked, including names, email addresses, phone numbers and mailing addresses.
In both cases, you see the familiar reassurance. No payment data accessed. But if you know someone recently booked travel or bought something expensive, you do not need their card number. You just need enough context to send a believable message. “Problem with your booking.” “Issue with your delivery.” “Click here to avoid cancellation.”
That is where the real risk sits. Follow on phishing, smishing and impersonation campaigns that feel legitimate because they are built on real events.
The Awareness Angle
- Context is leverage – Real booking or purchase data makes phishing dramatically more convincing.
- Contact data is currency – Names, emails and phone numbers are more than enough to fuel targeted fraud.
- The second wave matters – The breach itself is often only the start of the story.
This week's discussion points...
Main Stories
73,000+ Patients Hit in Arizona Urology Data Breach Watch | Read
Eurail Says Stolen Traveller Data Is Now for Sale Watch | Read
Figure Discloses Breach After Employee Phishing Attack Watch | Read
Canada Goose Investigates 600,000 Customer Record Leak Watch | Read
ShinyHunters Claims CarGurus Breach Watch | Read
US Plans Portal to Bypass Content Bans Watch | Read
Vulnerabilities Found in Popular Password Managers Watch | Read | Read (Reddit discussion)
Infostealer Malware Targeting OpenClaw Secrets Watch | Read
AI Generated Passwords May Be Predictable Watch | Read
Extras
TikTok – Review Scam News Clip Watch | Watch on TikTok
And Finally...Online Review Blackmail Scam Hits Small Business
An ITV News clip highlighted a small business owner who was targeted with a different kind of scam. Criminals demanded payment, threatening to flood his company with fake one star reviews if he refused. They followed through.
Dozens of negative reviews appeared online, damaging his rating and threatening his livelihood. Instead of paying, he worked with Google to challenge the fake reviews. Eventually, the attackers stopped and moved on.
It is a reminder that not all cyber attacks involve malware or data theft. Sometimes the weapon is reputation.
The Awareness Angle
- Reputation is attack surface – Reviews, ratings and search results can be manipulated and weaponised. Your digital presence is part of your security footprint.
- Panic is the pressure point – Scammers rely on urgency and fear. The goal is to trigger a quick payment before you think clearly.
- Do not reward the behaviour – When there is no financial return, attackers often move on to easier targets. Reporting and persistence matter.
Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
Ant Davis and Luke Pettigrew write this newsletter and podcast.
The Awareness Angle Podcast and Newsletter is a Risky Creative production.
All views and opinions are our own and do not reflect those of our employers.
