A brand-new Linux malware named VoidLink targets victims' cloud infrastructure with more than 30 plugins that allow attackers to perform a range of illicit activities, from silent reconnaissance and credential theft to lateral movement and container abuse.Β β¦
Researchers have demonstrated remotely controlling a wheelchair over Bluetooth. CISA has issued an advisory.
CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted device to pair with it. The attacker could then control the wheelchairβs movements, override speed restrictions, and manipulate configuration profiles, all without requiring credentials or user interaction.
The developer security company has raised a total of more than $84 million in funding.
The post Aikido Security Raises $60 Million at $1 Billion Valuation appeared first on SecurityWeek.
A judge has ruled that the plaintiffs failed to demonstrate intent to defraud investors.Β
The post Investor Lawsuit Over CrowdStrike Outage Dismissed appeared first on SecurityWeek.
This blog also appears in our Age Verification Resource Hub: our one-stop shopΒ for users seeking to understand what age-gating laws actually do, whatβs at stake, how to protect yourself, and why EFF opposes all forms of age verification mandates. Head to EFF.org/Age to explore our resources and join us in the fight for a free, open, private, and yesβsafeβinternet.
EFF is against age gating and age verification mandates, and we hope weβll win in getting existing ones overturned and new ones prevented. But mandates are already in effect, and every day many people are asked to verify their age across the web, despite prominent cases of sensitive data getting leaked in the process.
At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age? And if so, how can I do that with the least risk to my personal information? This is our guide to navigating those decisions, with information on what questions to ask about the age verification options youβre presented with, and answers to those questions for some of the top most popular social media sites. Even though thereβs no way to implement mandated age gates in a way that fully protects speech and privacy rights, our goal here is to help you minimize the infringement of your rights as you manage this awful situation.
Since we know that leaks happen despite the best efforts of software engineers, we generally recommend submitting the absolute least amount of data possible. Unfortunately, thatβs not going to be possible for everyone. Even facial age estimation solutions where pictures of your face never leave your device, offering some protection against data leakage, are not a good option for all users: facial age estimation works less well for people of color, trans and nonbinary people, and people with disabilities. There are some systems that use fancy cryptography so that a digital ID saved to your device wonβt tell the website anything more than if you meet the age requirement, but access to that digital ID isnβt available to everyone or for all platforms. You may also not want to register for a digital ID and save it to your phone, if you donβt want to take the chance of all the information on it being exposed upon request of an over-zealous verifier, or you simply donβt want to be a part of a digital ID system
If youβre given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:
We attempt to provide answers to these questions below. To begin, there are two major factors to consider when answering these questions: the tools each platform uses, and the overall system those tools are part of.
In general, most platforms offer age estimation options like face scans as a first line of age assurance. These vary in intrusiveness, but their main problem is inaccuracy, particularly for marginalized users. Third-party age verification vendors Private ID and k-ID offer on-device facial age estimation, but another common vendor, Yoti, sends the image to their servers during age checks by some of the biggest platforms. This risks leaking the images themselves, and also the fact that youβre using that particular website, to the third party.Β
Then, thereβs the document-based verification services, which require you to submit a hard identifier like a government-issued ID. This method thus requires you to prove both your age and your identity. A platform can do this in-house through a designated dataflow, or by sending that data to a third party. Weβve already seen examples of how this can fail. For example, Discord routed users' ID data through its general customer service workflow so that a third-party vendor could perform manual review of verification appeals. No one involved ever deleted users' data, so when the system was breached, Discord had to apologize for the catastrophic disclosure of nearly 70,000 photos of users' ID documents. Overly long retention periods expose documents to risk of breaches and historical data requests. Some document verifiers have retention periods that are needlessly long. This is the case with Incode, which provides ID verification for Tiktok. Incode holds onto images forever by default, though TikTok shouldΒ automatically start the deletion process on your behalf.
Some platforms offer alternatives, like proving that you own a credit card, or asking for your email to check if it appears in databases associated with adulthood (like home mortgage databases). These tend to involve less risk when it comes to the sensitivity of the data itself, especially since credit cards can be replaced, but in general still undermine anonymity and pseudonymity and pose a risk of tracking your online activity. Weβd prefer to see more assurances across the board about how information is handled.
Each site offers users a menu of age assurance options to choose from. Weβve chosen to present these options in the rough order that we expect most people to prefer. Jump directly to a platform to learn more about its age checks:
If Meta can guess your age, you may never even see an age verification screen. Meta, which runs Facebook, Threads, Instagram, Messenger, and WhatsApp, first tries to use information youβve posted to guess your age, like looking at βHappy birthday!β messages. Itβs a creepy reminder that they already have quite a lot of information about you.
If Meta cannot guess your age, or if Meta infers you're too young, it will next ask you to verify your age using either facial age estimation, or by uploading your photo ID.Β
If you choose to use facial age estimation, youβll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that βas soon as an age has been estimated, the facial image is immediately and permanently deleted.β Though itβs not as good as not having that data in the first place, Yotiβs security measures include a bug bounty program and annual penetration testing. Researchers from Mint Secure found that Yotiβs app and website are filled with trackers, so the fact that youβre verifying your age could be not only shared to Yoti, but leaked to third-party data brokers as well.Β
You may not want to use this option if youβre worried about third parties potentially being able to know youβre trying to verify your age with Meta. You also might not want to use this if youβre worried about a current picture of your face accidentally leakingβfor example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you'd be concerned with identifying your location or embarrassing you in the background in case the image leaks.
If Yotiβs age estimation decides your face looks too young, or if you opt out of facial age estimation, your next recourse is to send Meta a photo of your ID. Meta sends that photo to Yoti to verify the ID. Meta says it will hold onto that ID image for 30 days, then delete it. Meanwhile, Yoti claims it will delete the image immediately after verification. Of course, bugs and process oversights exist, such as accidentally replicating information in logs or support queues, but at least they have stated processes. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting leaked through errors or hacking, but it also lets Meta see the information needed to tie your profile to your identityβwhich you may not want. If you donβt want Meta to know your name and where you live, or rely on both Meta and Yoti to keep to their deletion promises, this option may not be right for you.
If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all. Google first uses information it already knows to try to guess your age, like how long youβve had the account and your YouTube viewing habits. Itβs yet another creepy reminder of how much information these corporations have on you, but at least in this case they arenβt likely to ask for even more identifying data.
If Google cannot guess your age, or decides you're too young, Google will next ask you to verify your age. Youβll be given a variety of options for how to do so, with availability that will depend on your location and your age.
Googleβs methods to assure your age include ID verification, facial age estimation, verification by proxy, and digital ID. To prove youβre over 18, you may be able to use facial age estimation, give Google your credit card information, or tell a third-party provider your email address.
If you choose to use facial age estimation, youβll be sent to a website run by Private ID, a third-party verification service. The website will load Private IDβs verifier within the pageβthis means that your selfie will be checked without any images leaving your device. If the system decides youβre over 18, it will let Google know that, and only that. Of course, no technology is perfectβshould Private ID be mandated to target you specifically, thereβs nothing to stop it from sending down code that does in fact upload your image, and you probably wonβt notice. But unless your threat model includes being specifically targeted by a state actor or Private ID, thatβs unlikely to be something you need to worry about. For most people, no one else will see your image during this process. Private ID will, however, be told that your device is trying to verify your age with Google and Google will still find out if Private ID thinks that youβre under 18.
If Private IDβs age estimation decides your face looks too young, you may next be able to decide if youβd rather let Google verify your age by giving it your credit card information, photo ID, or digital ID, or by letting Google send your email address to a third-party verifier.
If you choose to provide your email address, Google sends it on to a company called VerifyMy. VerifyMy will use your email address to see if youβve done things like get a mortgage or paid for utilities using that email address. If you use Gmail as your email provider, this may be a privacy-protective option with respect to Google, as Google will then already know the email address associated with the account. But it does tell VerifyMy and its third-party partners that the person behind this email address is looking to verify their age, which you may not want them to know. VerifyMy uses βproprietary algorithms and external data sourcesβ that involve sending your email address to βtrusted third parties, such as data aggregators.β It claims to βensure that such third parties are contractually bound to meet these requirements,β but youβll have to trust it on that oneβwe havenβt seen any mention of who those parties are, so youβll have no way to check up on their practices and security. On the bright side, VerifyMy and its partners do claim to delete your information as soon as the check is completed.
If you choose to let Google use your credit card information, youβll be asked to set up a Google Payments account. Note that debit cards wonβt be accepted, since itβs much easier for many debit cards to be issued to people under 18. Google will then charge a small amount to the card, and refund it once it goes through. If you choose this method, youβll have to tell Google your credit card info, but the fact that itβs done through Google Payments (their regular card-processing system) means that at least your credit card information wonβt be sitting around in some unsecured system. Even if your credit card information happens to accidentally be leaked, this is a relatively low-risk option, since credit cards come with solid fraud protection. If your credit card info gets leaked, you should easily be able to dispute fraudulent charges and replace the card.
If the option is available to you, you may be able to use your digital ID to verify your age with Google. In some regions, youβll be given the option to use your digital ID. In some cases, itβs possible to only reveal your age information when you use a digital ID. If youβre given that choice, it can be a good privacy-preserving option. Depending on the implementation, thereβs a chance that the verification step will βphone homeβ to the ID provider (usually a government) to let them know the service asked for your age. Itβs a complicated and varied topic that you can learn more about by visiting EFFβs page on digital identity.
Should none of these options work for you, your final recourse is to send Google a photo of your ID. Here, youβll be asked to take a photo of an acceptable ID and send it to Google. Though the help page only states that your ID βwill be stored securely,β the verification process page says ID βwill be deleted after your date of birth is successfully verified.β Acceptable IDs vary by country, but are generally government-issued photo IDs. We like that itβs deleted immediately, though we have questions about what Google means when it says your ID will be used to βimprove [its] verification services for Google products and protect against fraud and abuse.β No system is perfect, and we can only hope that Google schedules outside audits regularly.
If TikTok can guess your age, you may never even see an age verification notification. TikTok first tries to use information youβve posted to estimate your age, looking through your videos and photos to analyze your face and listen to your voice. By uploading any videos, TikTok believes youβve given it consent to try to guess how old you look and sound.
If TikTok decides youβre too young, appeal to revoke their age decision before the deadline passes. If TikTok cannot guess your age, or decides you're too young, it will automatically revoke your access based on ageβincluding either restricting features or deleting your account. To get your access and account back, youβll have a limited amount of time to verify your age. As soon as you see the notification that your account is restricted, youβll want to act fast because in some places youβll have as little as 23 days before the deadline passes.
When you get that notification, youβre given various options to verify your age based on your location.
If youβre given the option to use facial age estimation, youβll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that βas soon as an age has been estimated, the facial image is immediately and permanently deleted.β Though itβs not as good as not having that data in the first place, Yotiβs security measures include a bug bounty program and annual penetration testing. However, researchers from Mint Secure found that Yotiβs app and website are filled with trackers, so the fact that youβre verifying your age could be leaked not only to Yoti, but to third-party data brokers as well.
You may not want to use this option if youβre worried about third parties potentially being able to know youβre trying to verify your age with TikTok. You also might not want to use this if youβre worried about a current picture of your face accidentally leakingβfor example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID or your credit card information, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you'd be concerned with identifying your location or embarrassing you in the background in case the image leaks.
If you have a credit card in your name, TikTok will accept that as proof that youβre over 18. Note that debit cards wonβt be accepted, since itβs much easier for many debit cards to be issued to people under 18. TikTok will charge a small amount to the credit card, and refund it once it goes through. Itβs unclear if this goes through their regular payment process, or if your credit card information will be sent through and stored in a separate, less secure system. Luckily, these days credit cards come with solid fraud protection, so if your credit card gets leaked, you should easily be able to dispute fraudulent charges and replace the card. That said, weβd rather TikTok provide assurances that the information will be processed securely.
Sometimes, if youβre between 13 and 17, youβll be given the option to let your parent or guardian confirm your age. Youβll tell TikTok their email address, and TikTok will send your parent or guardian an email asking them (a) to confirm your date of birth, and (b) to verify their own age by proving that they own a valid credit card. This option doesnβt always seem to be offered, and in the one case we could find, itβs possible that TikTok never followed up with the parent. So itβs unclear how or if TikTok verifies that the adult whose email you provide is your parent or guardian. If you want to use credit card verification but youβre not old enough to have a credit card, and youβre ok with letting an adult know you use TikTok, this option may be reasonable to try.
Bizarrely, if youβre between 13 and 17, TikTok claims to offer the option to take a photo with literally any random adult to confirm your age. Its help page says that any trusted adult over 25 can be chosen, as long as theyβre holding a piece of paper with the code on it that TikTok provides. It also mentions that a third-party provider is used here, but doesnβt say which one. We havenβt found any evidence of this verification method being offered. Please do let us know if youβve used this method to verify your age on TikTok!
If you arenβt offered or have failed the other options, youβll have to verify your age by submitting a copy of your ID and matching photo of your face. Youβll be sent to Incode, a third-party verification service. In a disappointing failure to meet the industry standard, Incode itself doesnβt automatically delete the data you give it once the process is complete, but TikTok does claim to βstart the process to delete the information you submitted,β which should include telling Incode to delete your data once the process is done. If you want to be sure, you can ask Incode to delete that data yourself. Incode tells TikTok that you met the age threshold without providing your exact date of birth, but then TikTok wants to know the exact date anyway, so itβll ask for your date of birth even after your age has been verified.
TikTok itself might not see your actual ID depending on its implementation choices, but Incode will.Β Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting accidentally leaked through errors or hacking. If you donβt want TikTok or Incode to know your name, what you look like, and where you liveβor if you don't want to rely on both TikTok and Incode to keep to their deletion promisesβthen this option may not be right for you.
Weβve covered the major providers here, but age verification is unfortunately being required of many other services that you might use as well. While the providers and processes may vary, the same general principles will apply. If youβre trying to choose what information to provide to continue to use a service, consider the βfollow the dataβ questions mentioned above, and try to find out how the company will store and process the data you give it. The less sensitive information, the fewer people have access to it, and the more quickly it will be deleted, the better. You may even come to recognize popular names in the age verification industry:Β Spotify and OnlyFans use Yoti (just like Meta and Tiktok), Quora and Discord use k-ID, and so on.Β
Unfortunately, it should be clear by now that none of the age verification options are perfect in terms of protecting information, providing access to everyone, and safely handling sensitive data. Thatβs just one of the reasons that EFF is against age-gating mandates, and is working to stop and overturn them across the United States and around the world.
Help protect digital privacyΒ & free speech for everyone
This is a current list of where and when I am scheduled to speak:
The list is maintained on this page.
Recently, fake LinkedIn profiles have started posting comment replies claiming that a user has βengaged in activities that are not in complianceβ with LinkedInβs policies and that their account has been βtemporarily restrictedβ until they submit an appeal through a specified link in the comment.
The comments come in different shapes and sizes, but hereβs one example we found.
The accounts posting the comments all try to look like official LinkedIn bots and use various names. Itβs likely they create new accounts when LinkedIn removes them. Either way, multiple accounts similar to the βLinked Veryβ one above were reported in a short period, suggesting automated creation and posting at scale.
The same pattern is true for the links. The shortened link used in the example above has already been disabled, while others point directly to phishing sites. Scammers often use shortened LinkedIn links to build trust, making targets believe the messages are legitimate. Because LinkedIn can quickly disable these links, attackers likely test different approaches to see which last the longest.
Hereβs another example:
Malwarebytes blocks this last link based on the IP address:
If users follow these links, they are taken to a phishing page designed to steal their LinkedIn login details:
A LinkedIn spokesperson confirmed to BleepingComputer they are aware of the situation:
βI can confirm that we are aware of this activity and our teams are working to take action.β
In situations like this awareness is keyβand now you know what to watch for. Some additional tips:
Pro tip: The free Malwarebytes Browser Guard extension blocks known malicious websites and scripts.
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
The French data protection regulator, CNIL, today issued a collective β¬42 million ($48.9 million) fine to two French telecom companies for GDPR violations stemming from a data breach.β¦
RedVDS enables threat actors to set up servers that can be used for phishing, BEC attacks, account takeover, and fraud.
The post RedVDS Cybercrime Service Disrupted by Microsoft and Law Enforcement appeared first on SecurityWeek.
Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.β¦
In September 2025, security researchers at Anthropic uncovered something unprecedented: an AI-orchestrated espionage campaign where attackers used Claude to perform 80β90% of a sophisticated hacking operation. The AI handled everything from reconnaissance to payload development, demonstrating that artificial intelligence has fundamentally changed the threat landscape, not just as a tool for defenders, but as both
The post Thinking Like an Attacker: How Attackers Target AI Systems appeared first on OffSec.
The Predator spyware is more sophisticated and dangerous than previously realized.
The post Predator Spyware Turns Failed Attacks Into Intelligence for Future Exploits appeared first on SecurityWeek.
Novee provides continuous AI-driven penetration testing to uncover and address novel vulnerabilities.
The post Novee Emerges From Stealth With $51.5 Million in Funding appeared first on SecurityWeek.
Two hospitals in Belgium have cancelled surgeries and transferred critical patients to other facilities after shutting down servers following a cyberattack.β¦
Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week.β¦
The UK government has backed down from making digital ID mandatory for proof of a right to work in the country, adding to confusion over the scheme's cost and purpose.β¦
Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard.
Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious JavaScript, a technique known as web skimming.
In the early days, Magecart started as a loose coalition of threat actors targeting Magentoβbased web stores. Today, the name is used more broadly to describe web-skimming operations against many eβcommerce platforms. In these attacks, criminals inject JavaScript into legitimate checkout pages to capture card data and personal details as shoppers enter them.
The campaign described by the researchers has been active since early 2022. They found a vast network of domains related to a long-running credit card skimming operation with a wide reach.
βThis campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.β
Attackers typically plant web skimmers on e-commerce sites by exploiting vulnerabilities in supply chains, third-party scripts, or the sites themselves. This is why web shop owners need to stay vigilant by keeping systems up to date and monitoring their content management system (CMS).
Web skimmers usually hook into the checkout flow using JavaScript. They are designed to read form fields containing card numbers, expiry dates, card verification codes (CVC), and billing or shipping details, then send that data to the attackers.
To avoid detection, the JavaScript is heavily obfuscated to and may even trigger a selfβdestruct routine to remove the skimmer from the page. This can cause investigations performed through an admin session to appear unsuspicious.
Besides other methods to stay hidden, the campaign uses bulletproof hosting for a stable environment. Bulletproof hosting refers to web hosting services designed to shield cybercriminals by deliberately ignoring abuse complaints, takedown requests, and law enforcement actions.
Magecart campaigns affect three groups: customers, merchants, and payment providers. Because web skimmers operate inside the browser, they can bypass many traditional serverβside fraud controls.
While shoppers cannot fix compromised checkout pages themselves, they can reduce their exposure and improve their chances of spotting fraud early.
A few things you can protect against the risk of web skimmers:
Pro tip: Malwarebytes Browser Guard is free and blocks known malicious sites and scripts.
We donβt just report on threatsβwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byΒ downloading Malwarebytes today.
Login
