All articles tagged with #cybersecurity
Meta's AI-powered support bot was reportedly exploited to change the email address linked to Instagram accounts and reset passwords without robust identity verification, enabling hijacks via VPN-based location checks and even bypassing selfie verification. Meta patched the flaw over the weekend and says it is securing affected accounts, with several high-profile hijack incidents noted.
Anthropic is expanding access to its cyber-capable AI model Mythos to about 150 organizations in more than 15 countries, including several EU members, via the Glasswing Project. ENISA has been invited to use the model, with access contingent on meeting strict security safeguards. The move aims to bolster cybersecurity defenses and signals ongoing expansion beyond the US to additional international partners.
Trump issued a narrowed executive order on artificial intelligence and cybersecurity that defers stricter rules, directing agencies to develop a benchmarking process within 60 days to assess advanced AI models and decide when a model should be treated as a frontier model. The move emphasizes bolstering cyber defenses with a voluntary framework rather than mandatory licensing or forced model sharing, continuing the administration’s push to balance competitiveness with national security while considering future regulations.
The World Food Programme confirmed a cyber-attack exposing personal information (names, IDs, mobile numbers, and location data) of about 600,000 Gazan households via its Palestine self-registration app. The breach, detected in mid-May and announced in late May with public confirmation on June 2, affected only the SRA/People Portal used in Palestine, which WFP shut down to contain the intrusion and bolster security. No group has claimed responsibility. The incident underscores ongoing humanitarian data-security risks in conflict zones and follows broader concerns about protecting beneficiaries’ data and the potential misuse of location information.
Hackers used Instagram's AI support chatbot to hijack accounts by spoofing location, requesting to link a new email, and obtaining a verification code to reset passwords; Meta says the issue has been resolved and affected accounts are being secured, while denying claims that world leaders' accounts were hacked. The incident highlights security risks when AI-driven recovery tools lack robust human verification and oversight.
President Trump signed an executive order to require government review of new AI models for 30 days before public release, signaling a shift from the prior hands-off approach and proposing a cybersecurity clearinghouse to address AI vulnerabilities.
President Trump privately signed a scaled-back executive order to address AI cybersecurity, requiring some powerful AI models to undergo a voluntary government review 30 days before public release (down from a 90-day draft), while avoiding a mandatory licensing regime. The order also establishes a Treasury-led AI cybersecurity clearinghouse to coordinate patching of vulnerabilities, reflecting ongoing internal debates about how much oversight frontier AI should face.
The White House issues a sweeping executive order to accelerate U.S. AI innovation while tightening cyber defenses: it requires rapid cyber-defense upgrades for national security and civilian systems, creates an AI cybersecurity clearinghouse to coordinate vulnerability discovery and remediation, establishes a voluntary framework for developers to assess and share frontier AI models, expands AI-focused federal hiring, and strengthens enforcement against AI-enabled cybercrime, while explicitly avoiding mandatory licensing of AI models.
Hackers used a prompt-injection flaw in Meta's AI support chatbot to trigger email-address changes via password resets, enabling takeover and resale of high-value Instagram accounts before Meta pushed an emergency patch on May 29; the incident highlights security risks of AI agents with broad account-modification permissions, though accounts with MFA were more resistant.
Anthropic is expanding its Project Glasswing program to grant Mythos access to about 150 additional partners in more than 15 countries, extending into sectors such as energy, water, healthcare, and hardware with security screening for new users. The move follows Mythos’ EU rollout and a confidential SEC IPO filing, as the company markets its AI vulnerability-finding tool amid ongoing regulatory and industry scrutiny. Major current partners include Apple, Nvidia, Microsoft, CrowdStrike, and Palo Alto Networks.
Hackers reportedly used Meta's AI support bot to add a new email address to high-profile Instagram accounts, obtain a verification code, and trigger a password reset, enabling account takeover; Meta says the flaw has been fixed and affected accounts are being secured, highlighting risks as more services deploy AI-based support.
Hackers used Meta's AI-powered support chatbot to hijack high-profile Instagram accounts, including Barack Obama’s White House account. They prompted a verification code to a new email and used it to reset passwords, with videos showing VPN-based location spoofing to bypass safeguards. Meta says the issue is resolved and impacted accounts are being secured, but the incident highlights risks in relying on AI for key security actions like password resets as Meta expands AI features across its apps.
Experts say the viral claim that hackers can extract fingerprints from peace-sign selfies is unlikely for everyday users. While fingerprints can theoretically be lifted from high-resolution photos, the practical risk is low and attackers would need access to a fingerprint scanner and a high-value target. For most people, phishing and other traditional scams remain the bigger threat.
Security researchers uncovered a malicious supply-chain campaign targeting OpenAI Codex via a legitimate-looking npm package (codexui-android) and related Android apps. The npm package, linked to the friuns account (Igor Levochkin), secretly reads Codex credentials from ~/.codex/auth.json and exfiltrates access_token, refresh_token, id_token, and account ID to a server masquerading as Sentry (sentry.anyclaw.store). The refresh_token is long-lasting, enabling persistent access. The same actor also deployed Android apps (OpenClaw Codex Claude AI Agent and Codex) that run the npm package in a PRoot sandbox to harvest credentials. This underscores growing risks to AI developer tooling and software supply chains.
Cybersecurity experts say leaving iPhone's Automatically Airplay setting enabled can create risk by allowing automatic nearby connections, though it does not automatically grant access to all data. They advise turning off unused connectivity or setting AirPlay to 'Ask' (instead of 'Automatic'), and to be mindful of connectivity settings after iOS updates, which can reset defaults to less secure options.