A prompt injection vulnerability paired with other flaws can turn a Google search into a full attack chain that could threaten enterprise networks.
Tracking pixels let social media companies spy on their users even after they click over to advertiser sites, gleaning credit card info, geolocations, and more, according to an analysis.
The suspected India-linked threat group targets governments, telecom, and critical infrastructure using spear-phishing, old vulnerabilities, and rapidly rotating infrastructure to maintain persistent access.
Credential theft soared in the second half of 2025, thanks in part to the industrialization of infostealer malware and AI-enabled social engineering.
When technical expertise meets clear communication, cybersecurity teams thrive. Learn how to foster trust and collaboration across diverse working groups.
Ransomware actors are ditching Cobalt Strike in favor of native Windows tools, as payment rates hit record lows and data theft surges.
In an unsuccessful phishing attack, threat actors leveraged trusted brands and domains to try to redirect a C-suite executive at Outpost24 to give up his credentials.
In a recent attack, the group showcased stealthier cross-network activity, thanks to its use of a new BYOVD technique and other tools.
Researchers uncovered an extensive cyber espionage campaign that used novel backdoors and familiar evasion techniques to maintain persistent access to regional targets.
Dozens of updated, malicious GlassWorm extensions have infested Open VSX, threatening software development supply chains.
Discover how Franz Regul, former CISO for the Paris 2024 Olympics, tackled unique cybersecurity challenges to protect the Games from evolving threats.
Drivers in the Russian city of Perm have been enjoying an unexpected bonus this week: free parking. Not because the city council suddenly decided to embrace generosity - but rather because hackers succeeded in knocking the city's payment system offline. Read more in my article on the Hot for Security blog.
A social engineering campaign impersonating PayPal and Amazon uses customer support interactions to acquire sensitive info.
The excitement around Cisco's latest SD-WAN bugs has inspired some light fraud, misunderstandings, and overlooked potential hazards.
Threat actors target nonprofits due to security gaps and highly coveted information, but a lack of sufficient data makes it difficult to grasp the entire picture.
If you're in the middle of applying for a planning or zoning permit, there is some unwelcome news: cyber-criminals have found a way to exploit the bureaucratic tedium of the process against you. Read more in my article on the Fortra blog.
Signal, the encrypted messaging app trusted by security-savvy users around the world, has confirmed that hackers have managed to takeover accounts - with government officials and journalists among those being targeted. Read more in my article on the Hot for Security blog.
A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn't stirred since 2024 - and within minutes, giant woodpecker images are plastered across the internet's favourite encyclopaedia. Meanwhile, a crypto contractor hired to help the US Marshals manage seized digital assets allegedly decides to help himself to $46 million of it - and then brags about it on a recorded Telegram call. Plus: Graham champions Asterix, Trisha discovers the fantasy novels of Robin Hobb, and someone called "Lick" ends up in the nick. All this, and much more, in episode 458 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.
Elon Musk's social media site says it suspended 800 million accounts in a year for spam and manipulation - but with state-backed campaigns still flooding the platform, the real question is how many fake accounts remain. Read more in my article on the Hot for Security blog.
In a co-ordinated public-private operation between law enforcement agencies and cybersecurity industry partners, Tycoon 2FA - one of the world's most prolific phishing-as-a-service platforms - has been dismantled. Read more in my article on the Hot for Security blog.