True Grit Security

Affordable, enterprise-grade cybersecurity built for small and midsize businesses.

True Grit Security protects with no gimmicks, no fluff — just real protection that works.

06/04/2026

Hackers have been hijacking Instagram accounts at scale by exploiting Meta's AI support chatbot. And, as if that weren't bad enough, the technique required no technical skill whatsoever.

Read more in my article on the Fortra blog.

Attackers simply asked an AI chatbot to hand over access to Instagram accounts that didn't belong to them - and it did.

06/03/2026

A website called "UK visa portal" has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren't. And when a journalist tried to warn the company, it was lawyers who responded.

Meanwhile, a paper from Cornell suggests that prompt injection - the technique malicious actors use to trick AI agents into doing things they really shouldn't - may be fundamentally unsolvable. Which is err... awkward, because everyone is rushing to plug AI agents into their email, files, and corporate networks.

Plus don't miss our featured interview with Andrea Sivieri of CoreView, who tells us how hackers can lock your entire organisation out of its Microsoft 365 environment... without having to trick you into running a single piece of malicious code or handing over a password.

All this and more in episode 470 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Tanya Janca.


05/28/2026

A notorious ransomware gang claims to have stolen MyPillow's private data, but CEO Mike Lindell calls it a politically motivated "hit job." With the countdown ticking toward a massive dark web leak, who is telling the truth?

Read more in my article on the Hot for Security blog.

The Play ransomware gang is claiming to have stolen data from US pillow manufacturer MyPillow, making off with private and personal confidential data.

05/28/2026

CISA, the US government agency whose entire job is keeping America's critical infrastructure safe from hackers, has had a contractor publish dozens of plain-text credentials to a public GitHub profile.

Meanwhile, your Oura ring is quietly transmitting some of its data unencrypted - and when one journalist asked the company how often it hands user data to law enforcement, the answer was quite telling.

Plus don't miss our featured interview with OPSWAT's Benny Czarny about his new book "Cybersecurity Upside Down."

All this and more in episode 469 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Lesley Carhart.


05/26/2026

So, you've enabled multi-factor authentication. You've taught your staff never to type their passwords into dodgy-looking login pages. Surely your Microsoft 365 accounts are safe now?

Well, think again.

Read more in my article on the Hot for Security blog.


05/21/2026

For almost 20 years, stolen credentials have been the most common route for attackers into organizations, according to the Verizon Data Breach Investigations Report (DBIR). But that's no longer the case.

Read more in my article on the Fortra blog.

Exploitation of vulnerabilities has overtaken credential theft as the leading vector for hackers to gain their initial access.

05/20/2026

Having received a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future.

Read more in my article on the Hot for Security blog.

When the FBI puts out a public service announcement that deliberately appears to avoid naming the company at the centre of the story, you can usually work out which one it is.

05/14/2026

Pay up, or we'll pay someone to pay you a visit. Cybercrime gangs are increasingly turning to real-world threats - and even hiring local muscle to deliver the message.

Read more in my article on the Hot for Security blog.

For years, ransomware has been a crime committed at arm's length.

05/14/2026

Welcome to the largest educational data breach in history - affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas's parent company refused to pay and announced they had deployed "security patches" instead, the hackers were less than impressed. So they came back through the cat flap.

Meanwhile, a famous finance expert's face has been showing up on Facebook adverts promising hot stock tips and exclusive WhatsApp investment groups. Spoiler: it isn't him, the tips aren't real, and you're about to be scammed.

Plus we chat to Mike Nichols of Elastic, about how the SOC isn't dying, attackers and defenders are both deploying AI agents, and how the real security crisis is no longer human users - it's the bots acting on their behalf.

All this and more in episode 467 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Danny Palmer.


05/09/2026

AI is powerful. No question about it.

But people are starting to trust it way too much.

AI will confidently give wrong answers, fake sources, bad advice, and sometimes complete nonsense while sounding absolutely convincing. That’s dangerous when people stop questioning it.

We’re heading toward a world where scammers use AI to clone voices, write perfect phishing emails, fake documents, and automate attacks at a scale we’ve never seen before.

AI is a tool, not a replacement for human judgment.

Use it. Learn it. But never turn your brain off just because a computer said it confidently.

Address

PO Box 172
Wakeeney, KS
67672

Opening Hours

Monday 8am - 5pm
Tuesday 8am - 5pm
Wednesday 8am - 5pm
Thursday 8am - 5pm
Friday 8am - 5pm
