If you use the internet, you’ve likely been affected by cybercrime in some way. Even when an attack is aimed at a company, the fallout usually lands on ordinary people.
The most obvious harm is stolen data. When attackers break into a business, it is usually customer information that ends up in criminal hands, and that can lead to identity theft, tax fraud, credit card fraud, and a long tail of scam attempts that can continue for months or years. For consumers, the breach itself is often just the start of the cleanup.
That work is annoying, time-consuming, and sometimes expensive. People may have to freeze credit, replace cards, change passwords, be on the lookout for suspicious transactions, and dispute charges. The Federal Trade Commission (FTC) specifically advises consumers to use IdentityTheft.gov after a breach and recommends steps like credit freezes and fraud alerts to reduce the chance of further abuse.
When sensitive data is exposed, the harm is not only financial. Medical, insurance, and other deeply personal records can be used to create more convincing phishing or extortion attempts, and the stress of knowing that private information is circulating among criminals can linger long after the technical incident is over. In other words, breach victims are not just cleaning up a data problem, they are dealing with a loss of trust.
Breaches happen every day. Don’t be the last to know.
Cybercrime also hits consumers through service disruption. Ransomware and intrusion campaigns can interrupt payment systems, telecom services, shipping, energy distribution, booking platforms, and other infrastructure people rely on every day. In those cases, the consumer impact is immediate: you may not be able to pay, travel, call, buy, or even work normally. The CSIS timeline and Canada’s cyberthreat assessment both show that these disruptions are increasingly tied to high-value targets and can be part of broader state or criminal campaigns.
Not all these incidents are driven by cybercriminals. Recently, Britain’s cybersecurity chief warned that the UK is handling 4 nationally significant cyberincidents every week, with the majority now traced back to foreign governments rather than cybercriminal groups.
Another cost is easy to overlook: disinformation and confusion. When attackers steal data, disrupt services, or impersonate trusted brands, they can also flood the public with fake support messages, scam calls, refund schemes, and phishing emails pretending to be the breached company. The breach becomes a launchpad for more fraud, and consumers are left trying to separate legitimate notifications from those sent by attackers.
Then there is the security backlash. After a breach, companies usually tighten access rules, add more multi-factor authentication prompts, force reauthentication, shorten sessions, and increase fraud checks. Those measures are often necessary, but they also make ordinary digital life more cumbersome. The consumer ends up paying with time and frustration for security problems they did not create.
That is why company-targeted cybercrime is not really only a business problem. It is a consumer issue, a public-trust issue, and sometimes even a national security issue. A single breach can leak data, trigger fraud, interrupt essential services, amplify scams, and make using the internet more frustrating for everyone else. The real cost is rarely confined to the company that got hit.
Knowing this, it’s worth thinking carefully about which companies to trust with your data and how much you’re willing to share . You cannot stop every attack against every company you deal with, but you can limit the fallout by being more selective. Some considerations:
Do they need all the information they are asking for?
Would it hurt anything if you leave some fields blank or give less specific answers?
Has this company been breached in the past, and how did they handle it?
How long will they store the data you provide?
Can you easily have your data removed at your request?
Your name, address, and phone number are probably already for sale.
Data brokers collect and sell your personal details to anyone willing to pay. Malwarebytes Personal Data Remover finds them and gets your information removed, then keeps watch so it stays that way.
DarkSword and Coruna are two new tools for invisible attacks on iOS devices. These attacks require no user interaction and are already being actively used by bad actors in the wild. Before these threats emerged, most iPhone users didn’t have to lose sleep over their data security. Protection was really only a major concern for a narrow group — politicians, activists, diplomats, high-level business execs, and others who handle extremely sensitive data — who might be targeted by foreign intelligence agencies. We’ve covered sophisticated spyware used against such a group before — noting how hard to come by those tools were.
However, DarkSword and Coruna — discovered by researchers earlier this year — are total game-changers. This malware is being used for mass infections of everyday users. In this post, we dive into why this shift happened, why these tools are so dangerous, and how you can stay protected.
What we know about DarkSword, and how it can target your iPhone
In mid-March 2026, three separate research teams coordinated the release of their findings on a new spyware strain called DarkSword. This tool is capable of silently hacking devices running iOS 18 without the user ever knowing something is wrong.
First, we should clear up some confusion: iOS 18 isn’t as vintage as it might sound. Even though the latest version is iOS 26, Apple recently overhauled its versioning system, which threw everyone for a loop. They decided to jump ahead eight versions — from 18 straight to 26 — so the OS number matches the current year. Despite the jump, Apple estimates that about a quarter of all active devices still run iOS 18 or older.
With that cleared up, let’s get back to DarkSword. Research shows that this malware infects victims when they visit perfectly legitimate websites that have been injected with malicious code. The spyware installs itself without any user interaction at all: you just have to land on a compromised page. This is what’s known as a zero-click infection technique. Researchers report that several thousand devices have already been hit this way.
To compromise a device, DarkSword uses a six-vulnerability exploit chain to escape the sandbox, escalate privileges, and execute code. Once it’s in, the malware harvests data from the infected device, including:
Passwords
Photos
Chats and data from iMessage, WhatsApp, and Telegram
Browser history
Information from Apple’s Calendar, Notes, and Health apps
On top of all that, DarkSword lets attackers scoop up crypto-wallet data, making it essentially dual-purpose malware that functions as both a spy tool and a way to drain your crypto.
The only bit of good news is that the spyware doesn’t survive a reboot. DarkSword is fileless malware, meaning it lives in the device’s RAM, and never actually embeds itself into the file system.
Coruna: how older iOS versions are being targeted
Just two weeks before the DarkSword findings went public, researchers flagged another iOS threat dubbed Coruna. This malware is capable of compromising devices running older software — specifically iOS 13 through 17.2.1. Coruna uses the exact same playbook as DarkSword: victims visit a legitimate site injected with malicious code which then drops the malware onto the device. The whole process is completely invisible and requires zero user interaction.
A deep dive into Coruna’s code revealed it exploits a total of 23 different iOS vulnerabilities, several of which are tucked away in Apple’s WebKit. It’s worth reminding that, generally speaking (outside the EU), all iOS browsers are required to use the WebKit engine. This means these vulnerabilities don’t just affect Safari users — they’re a threat to anyone using a third-party browser on their iPhone as well.
The latest version of Coruna, much like DarkSword, includes modifications designed to drain crypto wallets. It also harvests photos and, in certain instances, email data. From what we can tell, stealing cryptocurrency seems to be the primary motive behind Coruna’s widespread deployment.
Who created Coruna and DarkSword — and how did they end up in the wild?
Code analysis of both tools suggests that Coruna and DarkSword were likely built by different developers. However, in both cases, we’re looking at software originally created by state-affiliated companies, possibly from the U.S. The high quality of the code points to this; these aren’t just Frankenstein kits cobbled together from random parts, but uniformly engineered exploits. Somewhere along the line, these tools leaked into the hands of cybercrime gangs.
One theory suggests an employee at the company that developed Coruna sold it to hackers. Since then, the malware has been used to drain crypto wallets belonging to users in China; experts estimate that at least 42 000 devices were infected there alone.
As for DarkSword, cybercriminals have already used it to compromise users in Saudi Arabia, Turkey, and Malaysia. The problem is exacerbated by the fact that the attackers who first deployed DarkSword left the full source code on infected websites, meaning it could easily be picked up by other criminal groups.
The code also includes detailed comments in English explaining exactly what each component does, which supports the theory of its Western origins. These step-by-step instructions make it easy for other hackers to adapt the tool for their own purposes.
How to protect yourself from Coruna and DarkSword
Serious malware that allows for the mass infection of iPhones while requiring zero interaction from the user has now landed in the hands of an essentially unlimited pool of cybercriminals. To pick up Coruna or DarkSword, you simply have to visit the wrong site at the wrong time. So this is one of those cases where every user needs to take iOS security seriously — not just those in high-risk groups.
The best thing you can do to protect yourself from Coruna and DarkSword is to update your devices to the latest version of iOS or iPadOS 26, as soon as you can. If you can’t update to the newest software — for instance, if your device is older and doesn’t support iOS 26 — you should still install the latest version available to you. Specifically, look for versions 15.8.7, 16.7.15, or 18.7.7. In a rare move, Apple patched a wide range of older operating systems.
To protect your Apple devices from similar malware that will likely pop up in the future, we recommend the following:
Install updates promptly on all your Apple devices. The company regularly releases OS versions that patch known vulnerabilities — don’t skip them.
Enable Background Security Improvements. This feature allows your device to receive critical security fixes separately from full iOS updates, reducing the window for hackers to exploit vulnerabilities. To enable it, go to Settings → Privacy & Security → Background Security Improvements and turn on the Automatically Install
Consider using Lockdown Mode. This is a heightened security setting that limits some device features but simultaneously blocks or significantly complicates attacks. To enable this, go to Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode.
Reboot your device once a day (or more). This stops fileless malware in its tracks, since these threats aren’t embedded in the system and disappear after a restart.
Use encrypted storage for sensitive data. Keep things like crypto wallet keys, photos of IDs, and confidential info in a secure vault. Kaspersky Password Manager is a great fit for this; it manages your passwords, two-factor authentication tokens, and passkeys across all your devices while also keeping your notes, photos, and docs synced and encrypted.
The idea that Apple devices are bulletproof is a myth. They’re vulnerable to zero-click attacks, Trojans, and ClickFix infection techniques — and we’ve even seen malicious apps slip into the App Store more than once. Read more here:
In 2023, Tim Utzig, a blind student from Baltimore, lost a thousand dollars to a laptop scam on X. Tim had been a long-time follower of a well-known sports journalist. When that journalist’s account started posting about a “charity sale” of brand-new MacBook Pros, Tim jumped at the chance to get a deal on a laptop he needed for his studies. After a few quick messages, he sent over the money.
Unfortunately, the journalist’s account had been hacked, and Tim’s cash went straight to scammers. The red flags were strictly visual: the page had been flagged as “temporarily restricted”, and both the bio and the Following list had changed. However, Tim’s screen reader — the software that converts on-screen text and graphics into speech — didn’t announce any of those warnings.
Screen readers allow blind users to navigate the digital world like everyone else. However, this community remains uniquely vulnerable. Even for sighted users, spotting a fake website is a challenge; for someone with a visual impairment, it’s an even steeper uphill battle.
Beyond screen readers, there are specialized mobile apps and services designed to assist the blind and low-vision community, with Be My Eyes being one of the most popular. The app connects users with sighted volunteers via a live video call to tackle everyday tasks — like setting an oven dial or locating an object on a desk. Be My Eyes also features integrated AI that can scan and narrate text or identify objects in the user’s environment.
But can these tools go beyond daily chores? Can they actually flag a phishing attempt or catch the hidden fine print when someone is opening a bank account?
Today we explore the specific online hurdles visually impaired users face, when it makes sense to lean on human or virtual assistants, and how to stay secure when using these types of services.
Common cyberthreats facing the blind and low-vision community
To start, let’s clarify the difference between these two groups. Low-vision users still rely on their remaining sight, even though their visual function is significantly reduced. To navigate digital interfaces, they often use screen magnifiers, extra-large fonts, and high-contrast settings. For them, phishing sites and emails are particularly dangerous. It’s easy to miss intentional typos — known as typosquatting — in a domain name or email address, such as the recent example of rnicrosoft{.}com.
Blind users navigate primarily by sound, using screen readers and specific touch gestures. Interestingly, though, unlike those with low vision, blind users are more likely to spot a phishing site using a screen reader: as the software reads the URL aloud, the user will hear that something is off. However, if a service — whether legitimate or malicious — isn’t fully compatible with screen readers, the risk of falling victim to a scam increases. This is exactly what happened to Tim Utzig.
It’s important to remember that screen magnifiers and readers are basic accessibility tools. They’re designed to enlarge or narrate an interface — not act as a security suite. They can’t warn the user of a threat on their own. That’s where more advanced software — tools that can analyze images and files, flag suspicious language, and describe the broader context of what’s happening on-screen — comes into play.
When to lean on an assistant
Be My Eyes is a major player in the accessibility space, boasting around 900 000 users and over nine million volunteers. Available on Windows, Android, and iOS, it bridges the gap by connecting blind and low-vision users with sighted volunteers via video calls for help with everyday tasks. For example, if someone wants to run a Synthetics cycle on their washing machine but can’t find the right button, they can hop into the app. It connects them with the first available volunteer speaking their language, who then uses the smartphone’s camera to guide them. The service is currently available in 32 languages.
In 2023, the app expanded its capabilities with the release of Be My AI — a virtual assistant powered by OpenAI’s GPT-4. Users take a photo, and the AI analyzes the image to provide a detailed text description, which it also reads aloud. Users can even open a chat window to ask follow-up questions. This got us thinking: could this AI actually spot a phishing site?
As an experiment, we uploaded a screenshot of a fake social media sign-in page to Be My Eyes. On a phone, you can do this by selecting a photo in your gallery or files, hitting Share, and choosing Describe with Be My Eyes. In Windows, you can upload a screenshot directly.
An example of a phishing page that mimics the Facebook sign-in form. Note the incorrect domain in the address bar
At first, the AI gave us a detailed description of the page. We then followed up in the chat: “Can I trust this page?” The AI flagged the domain name error immediately, advised us to close the fake login page, and suggested typing the official URL directly into the browser, or to use the official Facebook app.
Be My AI explains why the page looks sketchy: the domain doesn’t match the official site. The app suggests typing the official URL directly into the browser, or using the official Facebook app
We saw the same positive results when testing a phishing email. In fact, the AI flagged the scam during its initial description of the message. It wrapped up with a warning: “This looks like a suspicious email. It’s best not to open any attachments or click any links. Instead, navigate to the official website or app manually, or call the number listed on their official site”.
Beyond just spotting cyberthreats, Be My AI is a solid sidekick for navigating online stores, banking apps, and digital services. For instance, the AI can help you to:
Read descriptions, names, and prices when a store’s website or app doesn’t support screen readers or large fonts
Scan those tricky terms and conditions — often buried in tiny text or otherwise inaccessible to a screen reader — when you’re signing up for a subscription or opening a bank account
Pull key info directly from product cards or instruction manuals
The risks of relying on Be My AI
The most common hiccup with AI is hallucinations, where the language model distorts text, skips crucial details, or invents words out of thin air. When it comes to cyberthreats, an AI’s misplaced confidence in a malicious site or email can be dangerous. Furthermore, AI isn’t immune to prompt injection attacks, which scammers use to trick AI agents beyond just Be My AI.
Even though the AI passed our test, you shouldn’t rely on it unquestioningly. There’s no guarantee it’ll get it right every time. This is a vital point for the blind and low-vision community, as a neural network can often feel like the only eyes available.
At the end of every response, Be My AI suggests checking in with a volunteer if you’re still unsure. However, when you’re trying to spot a fake webpage, we advise against this. You have no way of knowing how tech-savvy or trustworthy a random volunteer might be. Besides, you risk accidentally exposing sensitive data like your email address or password. Before connecting with a stranger, make sure they won’t see anything confidential on your screen. Better yet, use the app’s dedicated feature to create a private group of family, friends, or trusted contacts. This ensures your video call goes to people you actually know, rather than a random volunteer.
To stay safe, we recommend installing a trusted security tool on all your devices. These programs are designed to block phishing attempts and prevent you from landing on malicious sites. Another practical recommendation for visually impaired users is to use a password manager. These apps will only auto-fill credentials on the legitimate, saved website; they won’t be fooled by a clever domain spoof.
How Be My AI handles and stores your data
According to the Be My Eyes privacy policy, video calls with volunteers may be recorded and stored to provide the service, ensure safety, enforce the terms of service, and improve the products. When you use Be My AI, your images and text prompts are sent to OpenAI to generate a response. This data is processed on servers located in the U.S., and OpenAI uses it only to fulfill your specific request. The policy explicitly states that user images and queries aren’t used to train AI models.
Photos and videos are encrypted both in transit and at rest, and the company takes steps to strip away sensitive information. It’s worth noting that video call recordings can be retained indefinitely unless you request their deletion — in which case they’re typically wiped within 30 days. Data from Be My AI interactions is stored for up to 30 days unless you delete it manually within the app. If you decide to close your account, your personal data may be held for up to 90 days. At any time, you can opt out of data sharing, or request the deletion of your existing data by contacting the Be My Eyes support team.
How to use Be My Eyes safely
Despite Be My Eyes’ claims regarding privacy, you should still follow a few ground rules when using the service:
Use Be My AI for a first-pass on suspicious emails or pages, but don’t treat it as the only source of truth. Specialized security software is better at identifying and neutralizing threats.
If a site, email, or message feels off, don’t touch any links or attachments. Instead, manually type the official website address into your browser, or open the official app to verify the info.
Remember: a volunteer sees exactly what your camera sees. Make sure it isn’t capturing things it shouldn’t, like a safe code or an open passport. Avoid sharing your name, showing your face, or revealing too much of your surroundings. Be extra careful about reflections that might show you or your personal details. Only show what is absolutely necessary for the task at hand.
Stick to your inner circle. Create a group in the app and add your friends and family. This ensures your video calls go to people you know — not a random volunteer.
Don’t use Be My AI to read documents that contain confidential info. Remember, your images and text prompts are sent to OpenAI for processing and generating a response.
Remember to delete chats you no longer need. Otherwise, they’ll hang around for 30 days.
If you need to read something personal or confidential, consider apps with real-time reading features like Envision, Seeing AI, or Lookout. These apps process data locally on your device rather than sending it to the cloud.
The smart-home craze has connected everything — from your lightbulbs to your tea kettle — to the internet, and the adult industry isn’t sitting this one out: manufacturers are releasing more smart models than ever. While syncing a sex toy to your smartphone unlocks some cool extra features, it also opens the door to potential security and privacy headaches. The good news? You can significantly lower most of these risks just by tweaking your settings and adjusting your usage habits.
How sex-toy apps actually work
To be clear upfront, while researchers have successfully hijacked sex toys in controlled experiments, the odds of a hacker remotely taking over your vibrator in the real world are pretty slim. In this post, we focus on the more realistic risks: your privacy and the safety of your data.
Most modern adult toys link up with the manufacturer’s app. These apps offer a range of usage options: you can control the device yourself, or hand over the remote to a partner — anywhere in the world via the internet.
Beyond just basic controls, many of these apps have social features: private messaging, group chats, calls, and even video sessions. In fact, you don’t even need a physical device to use some of them; you just create an account. Because of this, some of these services have essentially evolved into niche dating platforms.
The toy and your phone talk to each other via Bluetooth — with minimal risks. To handle social features or remote control, the app connects to a cloud server. This creates a constant stream of data moving back and forth: everything from commands to private messages.
Here’s the catch: even if you only use the app to control your toy locally via Bluetooth, you still get connected to that cloud server. That means you’re inheriting all the security and privacy risks.
The main risks of using sex-toy apps
Sex-toy apps are typically free. In practice, this means the primary way these services make money is by collecting data — which is often excessive. It’s not hard to find buyers of this information; it could be ad services, data brokers, or other companies interested in building detailed user profiles.
Developers of intimate apps suffer from frequent data breaches, and in this sense they’re no different from many other online services that spring a leak regularly. However, unlike a breach at an online pet food store, a data leak from a sex toy app can have much more serious consequences for the user. For sex industry workers, such as those who use webcams, these data breaches pose a direct threat to their physical safety.
Vulnerabilities within the service’s infrastructure warrant special attention. These types of bugs can be exploited by hackers to gain unauthorized access to other people’s accounts.
The inclusion of broad social features essentially turns sex-toy apps into just another messaging platform. However, while we usually know if mainstream messengers use end-to-end encryption, or what vulnerabilities they face, every sex-toy app has to be evaluated individually.
Without end-to-end encryption, user chats may be accessible on the server side. This means that if the service is compromised, the contents of those messages could end up in the hands of hackers. Furthermore, the sex toy manufacturer itself, or its individual employees, could have access to your chats.
Finally, the user’s account and everything in it can be hijacked by bad actors if it isn’t protected by a strong password and, ideally, two-factor authentication.
How to lower the risks when using sex-toy apps
Now that we’ve covered the threats, let’s talk about how to defend yourself. The most obvious choice is to skip installing the app altogether. Thankfully, most sex toys still come with physical buttons — unlike, say, smart mattresses, which often require an app just to function. For those who want the extra features, here are some practical tips for setting up and using these services.
Create an account with a dedicated email address
Set up a separate email address just for registering your account in the intimate app. This should be a “clean” email with no links to any other online services you use. Naturally, the username for this email account shouldn’t include your real name or any other easily identifiable info.
Using an anonymous email protects your reputation if the app suffers a data breach. The risk of this happening is far from theoretical. For instance, back in 2015, a hacking group named The Impact Team leaked the user database of Ashley Madison, a dating site for people seeking extramarital affairs.
To create an anonymous email, pick a service that doesn’t require a phone number at all, or lets you skip that step. Besides your real name, we also recommend leaving out your birth date, your usual social media handles, and any other details that could lead back to you.
Don’t sign up via Google, Apple, social media, or your phone number
The reasoning here is basically the same as the previous point. However, it’s worth highlighting that signing up through Google, Apple, social media, or your phone number is actually just about the worst way to go.
Using Google or social media accounts gives the app permission to, among other things, access certain data from those profiles. In the context of intimate apps, this is especially risky because it creates a direct link between highly sensitive data and your real-world identity.
Keep your real info out of your profile
Once you’re in the app, don’t use any information that could be traced back to you. Come up with an anonymous handle (if you’re feeling uninspired, use a random nickname generator), pick a fake birthday, and choose a random location.
Using fictional info means you don’t have to sweat being outed if the service ever leaks your data. You’re also protecting yourself from stalking, blackmail, and other threats that come with someone being able to pin your real identity to your account.
Hide your face and distinguishing marks when sharing private media
As we’ve mentioned throughout this post, these apps often include social features used for swapping intimate photos and videos. Even if you trust the person you’re chatting with, those files can be saved, forwarded, or used without your consent. When combined with other account info, they can make it easy to figure out who you are.
We recommend never sending intimate media that shows your face or anything else that identifies you — think recognizable home decor, personal items, documents, unique clothing, tattoos, or jewelry.
Set a strong password and enable two-factor authentication, if available
If a hacker breaks into your sex toy account, they’re getting access to your most private data. Because of that, your account needs a rock-solid password. Just to be clear, here’s what we mean by a strong password:
It’s at least 16 characters long.
It uses a mix of uppercase and lowercase letters, numbers, and special characters (like $ or @).
It’s not a real word or a well-known phrase.
It’s unique and not reused for any of your other accounts.
It doesn’t include personal info that’s easy for an outsider to find.
We also recommend turning on two-factor authentication (2FA) if the service offers it. Your best bet is to use 2FA one-time codes from an authenticator app, as it’s the most secure and completely anonymous option. You can dive deeper into creating and storing secure passwords, as well as different 2FA methods, in our dedicated blogposts.
Grant only the necessary app permissions
Every mobile app asks for permission to access certain features of your phone like Bluetooth, location, your camera, or your storage. Every extra “yes” you give expands the amount of data the app can scoop up.
We suggest being extra cautious about what you let these services see, especially when it comes to sex-toy apps. By tightening these permissions, you cut down on the amount of info that can be collected or shared without your say-so.
Take a second to think about the absolute bare minimum you’re willing to allow a sex-toy app to access. For example, there’s usually no reason for it to track your location or access your camera and mic. If you do want to upload photos, it’s better to grant access only to specific files rather than giving the app the keys to your entire photo library.
Stop apps from tracking your activity
In your iOS settings, you can block apps from collecting data about what you do and linking it to a single advertising ID. This practice, known as tracking, allows companies to stitch together data from different apps, websites, and services to build a comprehensive profile of you for targeted ads or behavioral analysis.
We strongly recommend disabling tracking for all sex-toy apps so that sensitive details about your private life don’t end up as part of your advertising profile.
Unfortunately, Android doesn’t have an exact equivalent for this setting. To minimize data collection on those devices, you’ll need to turn off ad personalization, and manually delete or reset your advertising ID every now and then. You can find more tips on dodging ad tracking in our dedicated guide.
Keep your apps and operating system up to date
Updates aren’t just about shiny new features; they also fix security bugs. Outdated versions of apps and operating systems often have vulnerabilities that hackers are just waiting to exploit.
Staying on top of your updates helps close these gaps, and lowers the risk of data breaches or unauthorized access. To make sure you don’t miss any critical fixes, it’s best to turn on automatic updates whenever possible.
Security is in your hands
Smart sex-toys and their companion apps naturally handle sensitive data, which means they require extra care when it comes to setup and daily use. That said, you can eliminate — or at least significantly reduce — most risks by following basic security rules. Essentially, it comes down to sharing as little personal info as possible with the app and, of course, using a rock-solid password.
Want more tips on keeping your intimate life private in the digital age? Check out these posts:
April 7 marks World Health Day. The theme for 2026 is “Together for health. Stand with science” — a call to join forces in the fight for evidence-based medicine and scientific progress. Many people view telehealth as one of the crowning achievements of this progress: you can basically get a doctor’s consultation in five minutes without ever leaving your couch. But there’s a catch…
Medical data sells on the black or gray markets for dozens of times more than credit card info or social media logins. Unlike a credit card, which you can just block and replace, you can’t exactly reset your medical history. Your name, birthday, address, phone number, insurance ID, diagnoses, test results, prescriptions, and treatment plans stay relevant for years. This is a goldmine for everything from targeted marketing to blackmail, fraud, or identity theft.
And with the rise of AI, the internet is now flooded with fake websites that claim to offer medical services but are actually designed to strip-mine confidential info from unsuspecting victims. Today, we’re diving into which medical details are at risk, why hackers want them, and how you can stop them in their tracks.
More valuable than credit cards
Scammers monetize stolen medical data both in bulk and through individual sales. Their first move is usually to extort a ransom from the companies they’ve successfully hacked. (In fact, back in 2024, 91% of malware-related healthcare data leaks in the U.S. were the result of ransomware attacks.) But later, the leaked data is then used for pinpointed, personal attacks. It allows hackers to build a medical profile of a victim — what meds they buy, how often, and what they take long-term — to then sell that info to big pharma or marketers, or to use it for targeted phishing scams like pitching a fake innovative treatment. They can even blackmail a patient over a sensitive diagnosis or use the info to fraudulently score prescriptions for controlled substances. On top of that, insurance companies are also hungry for this kind of data. They analyze these details to hike up insurance premiums for patients or, in some cases, refuse to provide coverage altogether. In short, there are plenty of ways they can use it against you.
How bad is it really?
The biggest medical data breach in history went down in February 2024, when the BlackCat hacking group broke into the systems of Change Healthcare. This is a division of UnitedHealth Group, which processes around 15 billion insurance transactions a year and acts as the financial middleman between patients, healthcare providers, and insurance companies.
For nine days, the attackers roamed freely through Change Healthcare’s internal systems, siphoning off six terabytes of confidential data before finally launching their ransomware. UnitedHealth was forced to completely yank Change Healthcare datacenters offline to stop the encryptor from spreading, and they ended up paying a 22-million-dollar ransom to the extortionists. The attack effectively paralyzed the U.S. healthcare system. The number of victims was revised three times: first 100 million, then 190 million, and the final tally hit a staggering 192.7 million people, with total damages estimated at 2.9 billion dollars. And the reason (on the Change Healthcare’s side) for this massive incident — which we broke down in detail in a separate post — was simply… a lack of two-factor authentication on a remote desktop access portal.
Before that, the mental health telehealth startup Cerebral embedded third-party tracking tools directly into its website and apps. As a result, the data of 3.2 million patients — including names, medical and prescription histories, and insurance info — leaked out to LinkedIn, Snapchat, and TikTok. The U.S. Federal Trade Commission slapped the company with a 7.1-million-dollar fine, and issued an unprecedented ban on using medical data for advertising purposes. By the way, that same startup also made the headlines for sending its clients promotional postcards without envelopes, displaying patient names and phrasing that made it easy for anyone to figure out their diagnosis.
Why telehealth is so vulnerable
Let’s take a look at the main weak spots in telehealth services.
Ad trackers in medical apps. Trackers from Facebook, TikTok, Snapchat, and other tech giants are often baked right into telehealth platforms, leaking patient data to advertisers without users ever knowing.
Unsecured communication channels. Sometimes doctors chat with patients through regular messaging apps instead of certified medical platforms. It’s convenient, sure, but it’s illegal for the clinic and totally unsafe for the patient.
Poor staff training. Our research showed that 30% of doctors have dealt with compromised patient data specifically during telehealth sessions, and 42% of medical staff don’t actually understand how their patients’ data is being protected.
Outdated medical devices. Many wearable medical gadgets (like heart monitors or blood pressure cuffs) use an old data transfer protocol called MQTT. It’s full of holes that could potentially allow hackers to steal sensitive info or even mess with how the device functions.
Spam and phishing in telehealth
Hackers aren’t the only ones interested in the medical field — spammers and scammers are all over it, too. They pitch “medical services” with deals that look way too good to be true, send out emails about supposed changes to your health insurance, or talk up “ancient Himalayan healing traditions”. Of course, all the links they send lead to suspicious websites offering dubious goods or services.
Spam posing as Medicare, the U.S. national health insurance program. The user is informed falsely that their insurance terms have changed in an attempt to lure them to a fake website
CURING DIABETES IS EASY: All you have to do is… Scammers are promoting some kind of miraculous Himalayan tradition for treating diabetes. But losing your money is the only thing guaranteed here!
And of course, we can't forget the classic "miracle cure" for a fungal infection — now with a 70% discount, naturally.
Should you land on such a phishing site, scammers will try to squeeze every bit of private info they can out of you: photos of your ID, insurance policy, prescriptions, and sometimes even… photos of body parts that supposedly need medical attention. From there, this data can be dumped and sold on the dark web — or used for blackmail, extortion, and follow-up phishing attacks. To learn more about how the underground data assembly line works, check out our post, What happens to data stolen using phishing?
A fake clinic website with a pretty convincing look. Scammers even created pages for "medical staff", "departments", and "research". However, for some reason, you won't find a privacy policy or terms of use anywhere on this site
Another suspicious website offers AI diagnostics, asking for a ton of personal info: full name, phone number, email, requested medical services, medical history, and current medications
This scam site offers users "visual health screening using AI" — all you have to do is upload photos of your tongue and eyes! Just a reminder: retinal scans are sometimes used for biometric authentication
As a rule of thumb, fake clinic sites usually skip the privacy policy section, and bombard you with “today only” deals that seem too good to be true. That said, with the help of AI, creating a professional-looking site that’s indistinguishable from the real thing is now a total breeze: you don’t even need design skills or fluency in the victim’s language. That’s exactly why we recommend using our comprehensive security suite — it’s designed to sniff out spam, scams and phishing, and warn you about fake websites before you land on them.
Safety tips for telehealth patients
Set up a dedicated email address for medical services. If this address leaks because a clinic gets hacked, it makes it much harder for scammers to track the rest of your digital life.
Avoid using Google, Apple, or social media sign-in for telehealth sites. Keeping things separate makes it way tougher to link your medical data to your personal accounts.
Double-check which platform is being used for your consultation. If the clinic suggests a call or chat through a standard messaging app, that’s a red flag. A secure, encrypted patient portal provided by the clinic is significantly safer.
Never send medical documents via chat apps or social media. Always upload lab results, scans, and records through the clinic’s official patient portal.
Use a unique, complex password for every account. Your government portal, clinic login, and doctor-booking app should each have a separate password. Kaspersky Password Manager can generate and store all of them for you; it also regularly scans leak databases, and alerts you if any of your accounts are compromised.
Turn on two-factor authentication. Do this first of all for government services and medical organizations. We recommend using an authenticator app rather than SMS codes: it’s more secure and totally anonymous. Kaspersky Password Manager can help you out here, too.
Share only what’s necessary. Don’t feel obligated to fill out every optional field in medical apps or on websites. The less data a service stores, the less there is to leak.
Be careful about sharing health info on social media or in chat apps. Scammers love to exploit people when they’re vulnerable. For instance, in 2024, hackers gained the trust of the XZ Utils developer who had publicly posted about burnout and depression. They convinced him to hand over control of his tool, which they then loaded with malicious code. Since XZ Utils is used in tons of Linux systems and affects OpenSSH (a protocol for remote server connections), the attack could have wrecked a huge chunk of the internet if it hadn’t been caught in time.
Don’t install telehealth apps from unknown developers. Check the reviews and take a minute to skim the privacy policy — even major platforms might be sharing your data with third parties.
Keep an eye on your medical records. Strange prescriptions, doctor visits you never made, or meds you’ve never heard of can all be signs that your account has been compromised.
Configure and regularly update your health gadgets. Fitness trackers, blood pressure monitors, smart scales, and activity trackers all send data to the web. Improper settings or unpatched vulnerabilities are an open door for data breaches.
What else you need to know about protecting your health online: