Normal view

3 easy-to-miss cybersecurity risks for small businesses

3 May 2026 at 12:33

There’s a lot to security that isn’t necessarily “cyber.” It’s not all hackers or complex network attacks.

Alongside traditional cyberattacks that deploy malware or exploit known software vulnerabilities, there are also less technical—yet equally devastating—forms of theft.

This doesn’t mean that well-known cybersecurity best practices don’t apply. Every small business owner should still use unique passwords for every account, turn on multi-factor authentication, keep their software and operating systems updated, and run always-on cybersecurity software.

But for the everyday small business owner juggling dozens of accounts, networks, devices, and the reams of data being created, stored, and shared across text messages, emails, and online portals, this advice is for you.

For National Small Business Week in the US, here are three ways to protect your business that require little technical prowess.

Don’t use your Social Security Number as your tax ID

In the US, the Internal Revenue Service (IRS) allows small business owners to use their personal Social Security Number (SSN) as the Federal Tax ID. It’s a small grace meant to simplify annual record-keeping for sole proprietors and owner-employees, but for cybercriminals, it’s a basic oversight they’d like every small business to make.

Using your Social Security Number as your Federal Tax ID means putting your Social Security Number in an ever-increasing number of hands. That’s because small business taxes are different from taxes for everyday salaried employees.

Whenever a small business takes on a new client or a contractor who pays for services costing at least $600, that small business has to share and receive what is called a W-9 form. This exact form isn’t filed with the IRS, but it is used to track payments for later filings.

What’s more important, though, is that this form asks for an owner’s name, address, and tax ID number.

This means that as a small business grows, its vulnerability to identity theft increases in tandem. Every W-9 filed that uses an owner’s SSN as their tax ID number is another opportunity for that SSN to be stolen. After just one year of operation, a small business owner’s SSN could end up in the inboxes, filing cabinets, and cloud drives of a dozen different people and companies.

This is exactly what cybercriminals want.

Equipped with a W-9 form about your business, a cybercriminal could impersonate you or your business. They could open a business credit line, file fraudulent returns that claim your small business income, or scam your clients.

How to stay safe:

Apply for a free Employer Identification Number (EIN) at IRS.gov. It’s quick to do and it separates your business tax identity from your personal tax identity. After that, put the EIN on W-9s, 1099s, and all other business paperwork instead of your SSN.

Keep your personal cloud storage personal

The most popular cloud storage for most small business owners is the cloud storage they already have—their personal Google Drive or iCloud.

Built to make memory archival as easy as possible, these tools can automatically back up and secure nearly every single moment that happens through your device, from the vacation photos you snapped last summer, to your kid’s first steps recorded on video, to the texts you sent, the notes you made, and the calendar appointments you managed.

But this type of automatic archival poses a threat to any non-personal information that you view, send, markup, or sign when using your personal smartphone. Suddenly, and often without thinking about it, your cloud storage has backups of signed contracts, tax returns, client intake forms, invoices, business financial statements, and photos of physical paperwork.

Above, we warned about using your SSN as your tax ID because it creates a risk if anyone in your business network is breached. But storing client information in your personal cloud storage creates a different problem: it puts that risk directly on you.

Compounding the threat here is the fact that many personal cloud storage accounts are shared with family members. More people accessing the same account means more exposure and more chances for mistakes, even if everyone has good intentions.

How to stay safe:

Go through the cloud backup settings on both your phone and your computer and manage what data is being synced. Move sensitive business files to a dedicated business storage account with proper access controls, sharing permissions, and audit logs—something that can tell you who opened a file and when.

If anything business-related has to live in a personal cloud account, give that account a strong, unique password, turn on multi-factor authentication, and don’t share access with anyone who isn’t you.

Protect device and account access in the home

Devices have a funny way of moving around. Your smartphone goes into your spouse’s hands as they override your music choices in the car. Your tablet ends most nights in your kid’s bedroom as they watch TV. And your laptop gets tugged around from couch to counter to kitchen table—each time fully opened and logged in, a portal to the web.

You trust everyone in your home to act safely online, but the path to online safety is full of mistakes.

A single errant click on a fake ad, a malicious search result, or a disguised download is all it takes to compromise your device today, along with all your small business records.

Aside from the threat of malware, someone using your device could make purchases, accidentally delete files, and overwrite important documents.

Remember, an “insider threat” doesn’t need to be malicious to cause damage—they just need to be inside your network (which in this, is your home).

How to stay safe:

Treat your devices that you use for work as work devices. That means requiring a passcode or password for device entry, along with multi-factor authentication for important business accounts.

Also, to ensure that any wrong click doesn’t lead to a malicious PDF download or a wayward malware installation, use always-on antimalware protection software, like Malwarebytes for Teams.

Secure your success

It’s easy to get overwhelmed with modern cybersecurity advice. Every week there are new vulnerabilities to patch, emerging scams to avoid, and novel viruses and pieces of malware that can seemingly take over your device, your data, and your business.

Thankfully, there are important steps you can take today that don’t require you to fiddle with internal settings or take a class on network engineering. Some of the most effective protections are simple: Limit how widely you share sensitive information, keep business and personal data separate, and control who can access your devices.

For everything else, try Malwarebytes for Teams to receive 24/7, always-on antimalware protection to shut out viruses, block malware attacks, and keep hackers out of your business.

3 easy-to-miss cybersecurity risks for small businesses

3 May 2026 at 12:33

There’s a lot to security that isn’t necessarily “cyber.” It’s not all hackers or complex network attacks.

Alongside traditional cyberattacks that deploy malware or exploit known software vulnerabilities, there are also less technical—yet equally devastating—forms of theft.

This doesn’t mean that well-known cybersecurity best practices don’t apply. Every small business owner should still use unique passwords for every account, turn on multi-factor authentication, keep their software and operating systems updated, and run always-on cybersecurity software.

But for the everyday small business owner juggling dozens of accounts, networks, devices, and the reams of data being created, stored, and shared across text messages, emails, and online portals, this advice is for you.

For National Small Business Week in the US, here are three ways to protect your business that require little technical prowess.

Don’t use your Social Security Number as your tax ID

In the US, the Internal Revenue Service (IRS) allows small business owners to use their personal Social Security Number (SSN) as the Federal Tax ID. It’s a small grace meant to simplify annual record-keeping for sole proprietors and owner-employees, but for cybercriminals, it’s a basic oversight they’d like every small business to make.

Using your Social Security Number as your Federal Tax ID means putting your Social Security Number in an ever-increasing number of hands. That’s because small business taxes are different from taxes for everyday salaried employees.

Whenever a small business takes on a new client or a contractor who pays for services costing at least $600, that small business has to share and receive what is called a W-9 form. This exact form isn’t filed with the IRS, but it is used to track payments for later filings.

What’s more important, though, is that this form asks for an owner’s name, address, and tax ID number.

This means that as a small business grows, its vulnerability to identity theft increases in tandem. Every W-9 filed that uses an owner’s SSN as their tax ID number is another opportunity for that SSN to be stolen. After just one year of operation, a small business owner’s SSN could end up in the inboxes, filing cabinets, and cloud drives of a dozen different people and companies.

This is exactly what cybercriminals want.

Equipped with a W-9 form about your business, a cybercriminal could impersonate you or your business. They could open a business credit line, file fraudulent returns that claim your small business income, or scam your clients.

How to stay safe:

Apply for a free Employer Identification Number (EIN) at IRS.gov. It’s quick to do and it separates your business tax identity from your personal tax identity. After that, put the EIN on W-9s, 1099s, and all other business paperwork instead of your SSN.

Keep your personal cloud storage personal

The most popular cloud storage for most small business owners is the cloud storage they already have—their personal Google Drive or iCloud.

Built to make memory archival as easy as possible, these tools can automatically back up and secure nearly every single moment that happens through your device, from the vacation photos you snapped last summer, to your kid’s first steps recorded on video, to the texts you sent, the notes you made, and the calendar appointments you managed.

But this type of automatic archival poses a threat to any non-personal information that you view, send, markup, or sign when using your personal smartphone. Suddenly, and often without thinking about it, your cloud storage has backups of signed contracts, tax returns, client intake forms, invoices, business financial statements, and photos of physical paperwork.

Above, we warned about using your SSN as your tax ID because it creates a risk if anyone in your business network is breached. But storing client information in your personal cloud storage creates a different problem: it puts that risk directly on you.

Compounding the threat here is the fact that many personal cloud storage accounts are shared with family members. More people accessing the same account means more exposure and more chances for mistakes, even if everyone has good intentions.

How to stay safe:

Go through the cloud backup settings on both your phone and your computer and manage what data is being synced. Move sensitive business files to a dedicated business storage account with proper access controls, sharing permissions, and audit logs—something that can tell you who opened a file and when.

If anything business-related has to live in a personal cloud account, give that account a strong, unique password, turn on multi-factor authentication, and don’t share access with anyone who isn’t you.

Protect device and account access in the home

Devices have a funny way of moving around. Your smartphone goes into your spouse’s hands as they override your music choices in the car. Your tablet ends most nights in your kid’s bedroom as they watch TV. And your laptop gets tugged around from couch to counter to kitchen table—each time fully opened and logged in, a portal to the web.

You trust everyone in your home to act safely online, but the path to online safety is full of mistakes.

A single errant click on a fake ad, a malicious search result, or a disguised download is all it takes to compromise your device today, along with all your small business records.

Aside from the threat of malware, someone using your device could make purchases, accidentally delete files, and overwrite important documents.

Remember, an “insider threat” doesn’t need to be malicious to cause damage—they just need to be inside your network (which in this, is your home).

How to stay safe:

Treat your devices that you use for work as work devices. That means requiring a passcode or password for device entry, along with multi-factor authentication for important business accounts.

Also, to ensure that any wrong click doesn’t lead to a malicious PDF download or a wayward malware installation, use always-on antimalware protection software, like Malwarebytes for Teams.

Secure your success

It’s easy to get overwhelmed with modern cybersecurity advice. Every week there are new vulnerabilities to patch, emerging scams to avoid, and novel viruses and pieces of malware that can seemingly take over your device, your data, and your business.

Thankfully, there are important steps you can take today that don’t require you to fiddle with internal settings or take a class on network engineering. Some of the most effective protections are simple: Limit how widely you share sensitive information, keep business and personal data separate, and control who can access your devices.

For everything else, try Malwarebytes for Teams to receive 24/7, always-on antimalware protection to shut out viruses, block malware attacks, and keep hackers out of your business.

Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do

30 April 2026 at 17:48

More than 610,000 Roblox accounts were reportedly stolen. Was yours or your child’s among them?

Ukrainian police arrested three individuals in Lviv who allegedly orchestrated one of the largest Roblox account theft operations to date. Between October 2025 and January 2026, the hacking group is said to have compromised over 610,000 Roblox accounts, including at least 357 high-value “elite” accounts, making around $225,000 from selling access to them.

The hackers distributed infostealing malware disguised as game-enhancement tools, harvested login credentials from infected devices, and sold accounts through a Russian website and closed online communities based on their value.

This operation targeted Roblox accounts because they hold significant monetary value for many users. Accounts can contain high Robux balances, limited-edition items that can no longer be obtained, years of gaming progress with achievements and unlocks, and paid access to premium content. 

Roblox account recovery

If you recently downloaded any suspicious game enhancements or other Roblox-related software, your first priority is to run a full system anti-malware scan.

Then check for unknown or untrusted browser extensions. Keep only those that came from verified, trusted sources.

If the scans led to any removals, clear your browser history and cookies completely. Note that this will log you out of most websites.

If you still have access to your Roblox account, change your password and turn on two-step verification if you haven’t already.

If the hackers changed your password and you’re unable to log in, use the password recovery option on the Roblox login page by clicking “Forgot Password or Username?”. Enter the email address associated with your account and check your inbox (including spam folders) for the reset link.

After recovering access, immediately terminate all active sessions to prevent hackers from maintaining access through stolen cookies. Go to Settings > Security and click Log out of all other sessions at the bottom of the page. This ensures that anyone who had unauthorized access can no longer use your account.

If you’ve been completely locked out—because hackers have changed both your password and recovery details—contact Roblox Support immediately. Visit the Roblox support page and provide as much detail as possible. They may ask for:

  • Your account username (this is crucial for identification).
  • The original email address used to create the account.
  • Payment information or purchase receipts showing Robux transactions.
  • The approximate date and time of the compromise.
  • Screenshots showing account details before the compromise, including creation date.
  • Your previous account settings or any other details that prove ownership.

Roblox explicitly states that, unless required by law, it is under no obligation to restore compromised accounts. It does not guarantee that accounts will be returned to their previous state or that lost virtual items and currency can be recovered. Only in very limited circumstances may Roblox offer the ability to recover lost inventory or its approximate value. It’s important to note that you must contact Roblox within 30 days of the compromise if you want assistance recovering lost items or currency. The support process typically takes 2–5 days.


Picked up something you shouldn’t have?


How to protect your Roblox account

There are a few steps that make it harder for someone to steal your Roblox account:

  • Verified email address. Ensure your account has a verified email address that you actively monitor. This helps you spot unauthorized password or email changes quickly.
  • Use unique passwords. Never reuse passwords across different accounts. If one is exposed elsewhere, attackers will try it on other platforms, including Roblox. Your Roblox password should be completely unique and stored securely. A password manager can help you with both.
  • Don’t share access. Never share your password with anyone, even with people claiming to be friends. Your account credentials should belong only to you (and your parents if you’re a minor). Roblox staff will never ask for your password.
  • Be wary of game enhancements, hacks, cracks and keys. The hackers in this case specifically distributed malware disguised as game-enhancement tools. Be extremely cautious about downloading any third-party programs, cheats, exploits, or tools that claim to improve your Roblox experience. These are often vehicles for credential theft and account compromise.
  • Keep software updated. Keep all the software on your device up-to-date, so you’re protected against the latest known exploits.
  • Use anti-malware. Run up-to-date, real-time anti-malware software to protect your device against information stealers and other malware.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do

30 April 2026 at 17:48

More than 610,000 Roblox accounts were reportedly stolen. Was yours or your child’s among them?

Ukrainian police arrested three individuals in Lviv who allegedly orchestrated one of the largest Roblox account theft operations to date. Between October 2025 and January 2026, the hacking group is said to have compromised over 610,000 Roblox accounts, including at least 357 high-value “elite” accounts, making around $225,000 from selling access to them.

The hackers distributed infostealing malware disguised as game-enhancement tools, harvested login credentials from infected devices, and sold accounts through a Russian website and closed online communities based on their value.

This operation targeted Roblox accounts because they hold significant monetary value for many users. Accounts can contain high Robux balances, limited-edition items that can no longer be obtained, years of gaming progress with achievements and unlocks, and paid access to premium content. 

Roblox account recovery

If you recently downloaded any suspicious game enhancements or other Roblox-related software, your first priority is to run a full system anti-malware scan.

Then check for unknown or untrusted browser extensions. Keep only those that came from verified, trusted sources.

If the scans led to any removals, clear your browser history and cookies completely. Note that this will log you out of most websites.

If you still have access to your Roblox account, change your password and turn on two-step verification if you haven’t already.

If the hackers changed your password and you’re unable to log in, use the password recovery option on the Roblox login page by clicking “Forgot Password or Username?”. Enter the email address associated with your account and check your inbox (including spam folders) for the reset link.

After recovering access, immediately terminate all active sessions to prevent hackers from maintaining access through stolen cookies. Go to Settings > Security and click Log out of all other sessions at the bottom of the page. This ensures that anyone who had unauthorized access can no longer use your account.

If you’ve been completely locked out—because hackers have changed both your password and recovery details—contact Roblox Support immediately. Visit the Roblox support page and provide as much detail as possible. They may ask for:

  • Your account username (this is crucial for identification).
  • The original email address used to create the account.
  • Payment information or purchase receipts showing Robux transactions.
  • The approximate date and time of the compromise.
  • Screenshots showing account details before the compromise, including creation date.
  • Your previous account settings or any other details that prove ownership.

Roblox explicitly states that, unless required by law, it is under no obligation to restore compromised accounts. It does not guarantee that accounts will be returned to their previous state or that lost virtual items and currency can be recovered. Only in very limited circumstances may Roblox offer the ability to recover lost inventory or its approximate value. It’s important to note that you must contact Roblox within 30 days of the compromise if you want assistance recovering lost items or currency. The support process typically takes 2–5 days.


Picked up something you shouldn’t have?


How to protect your Roblox account

There are a few steps that make it harder for someone to steal your Roblox account:

  • Verified email address. Ensure your account has a verified email address that you actively monitor. This helps you spot unauthorized password or email changes quickly.
  • Use unique passwords. Never reuse passwords across different accounts. If one is exposed elsewhere, attackers will try it on other platforms, including Roblox. Your Roblox password should be completely unique and stored securely. A password manager can help you with both.
  • Don’t share access. Never share your password with anyone, even with people claiming to be friends. Your account credentials should belong only to you (and your parents if you’re a minor). Roblox staff will never ask for your password.
  • Be wary of game enhancements, hacks, cracks and keys. The hackers in this case specifically distributed malware disguised as game-enhancement tools. Be extremely cautious about downloading any third-party programs, cheats, exploits, or tools that claim to improve your Roblox experience. These are often vehicles for credential theft and account compromise.
  • Keep software updated. Keep all the software on your device up-to-date, so you’re protected against the latest known exploits.
  • Use anti-malware. Run up-to-date, real-time anti-malware software to protect your device against information stealers and other malware.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

❌