Transcript
A (0:01)
Grok leak exposes 370,000 chats, Microsoft scrambles to fix SSD failures, hackers hijack Microsoft infrastructure to steal logins, the leader of the RapperBot DDoS gang is arrested, and hackers claim 15.8 million PayPal logins are stolen. Are they lying? This is Cybersecurity Today. I'm your host, Jim Love.

Elon Musk's Grok chatbot has suffered a major privacy failure. More than 370,000 private conversations were exposed online, indexed by search engines and open to anyone who knew how to look. These were not harmless exchanges. The leaked chats included instructions for making fentanyl and methamphetamine, building explosives, hacking into crypto wallets, and even step-by-step guides for writing malware. There were also disturbing transcripts detailing methods of suicide, and one outlined a plan to assassinate Musk himself. Many users had turned to Grok for business, medical or even psychological advice, and people shared names, conditions, passwords. They even uploaded spreadsheets and images. All of this was exposed, creating the risk of identity theft, phishing, and even reputational harm. What makes this worse is that no one can claim they were surprised. OpenAI had a similar incident just weeks ago, when ChatGPT conversations were indexed by Google, forcing the company to pull the feature. Google's Gemini has also been shown to be vulnerable to prompt injection, potentially exposing emails and calendar invites. But others took corrective steps. xAI, or Grok, apparently didn't. And there's the irony here. When OpenAI's leak made headlines earlier this summer, Elon Musk took a victory lap, boasting that Grok had no such flaw. Well, it has one now, and the result isn't just embarrassing; it somehow feels like karma.

Microsoft's August security update, KB5063878, intended to patch Windows 11 systems, quietly turned into a storage nightmare for some users when large data transfers were underway, over 50 gigabytes and on drives more than 60% full. Some SSDs and even some HDDs simply vanished from the system, and data corruption hit hard. Reports also emerged of recovery features like Reset My PC and Fix Problems Using Windows Update breaking even when no storage was missing. Microsoft has confirmed it's working with hardware partners, particularly SSD controller makers, to reproduce the failures, investigate root causes, and hopefully deliver a fix. The company is already offering an out-of-band update to address the broken reset and recovery functions, urging admins to delay the original patch and deploy the repaired version instead. One company, Phison, is in the spotlight. They acknowledge that SSDs using their controllers appear to be affected, but they stress the issue isn't isolated to their chips. In fact, a falsified document, supposedly from Phison and pointing fingers at specific controller models, circulated widely. But Phison has denounced it as a fake and is taking legal action to stop the misinformation.

Hackers have found a way to weaponize Microsoft's own login infrastructure, making it nearly impossible for users and even security filters to spot the trap. It starts with a Google ad that looks legitimate for Office 365. Click it and you're sent to an authentic Microsoft address like outlook.office.com, but from there, Microsoft's own redirect process hands you off to a malicious domain. And the final stop is a perfectly faked login page where credentials, even multi-factor authentication codes, are stolen. These sites appear to be pixel perfect and even contain authentic-looking content prepared to lure you into a false sense of security. The trick hinges on Active Directory Federation Services, or ADFS. Attackers set up their own Microsoft tenants using ADFS, which silently redirects the user to the fake site, which appears authentic. Security researchers at Push Security warn this approach blends trusted Microsoft infrastructure with standard phishing kits, making it harder than ever for both users and automated defenses to catch the problem. For years we've told users to only log in through trusted sites, but in this case the trusted site itself, Microsoft.com, becomes part of the attack. And these kinds of exploits not only fool people, they slip past many technical security controls, which leaves organizations with a tough challenge: how do you teach people not to trust even the domains they've been told are safe?

The alleged head of one of the most powerful DDoS botnets, but one that has operated under the radar, has been unmasked and arrested. 22-year-old Ethan Foltz of Eugene, Oregon is accused of running the RapperBot botnet, a service for hire that rented out for massive denial-of-service attacks. RapperBot got its name from the malware family Foltz used to quietly infect routers and IoT devices, building a botnet that could knock websites offline at will. For years the operation stayed in the shadows, hitting dozens of organizations while avoiding the kind of publicity that usually brings investigators to the door. Foltz warned his clients not to go too far and limited the time and size of attacks. And he gave them one special warning: they were not to attack Brian Krebs' site. A lot of attackers have hit Krebs only to find it's protected by Google's Project Shield, a service designed to defend journalists and human rights groups from massive DDoS campaigns. But apparently veteran cybersecurity journalist Brian Krebs got them anyway. He dug in, connected the dots, and helped expose the group. And so the moral of this story is simple. You can run a DDoS service, you can think you're invisible. But to paraphrase the late Jim Croce, you don't mess around with Krebs.

And finally, a hacker group calling itself ChuckyBF is advertising what they say are 15.8 million PayPal credentials for sale on a dark web forum. The dump allegedly includes emails, plain-text passwords and login URLs. But PayPal strongly denies any new breach, pointing out the material appears linked to an older 2022 incident. Security researchers also note the suspiciously low asking price and the limited sample provided suggest the data may be recycled, outdated or stitched together from other leaks. Some believe that this data comes from infostealer malware, malicious programs that harvest saved logins directly from victims' devices. But this means the risk is still real. Stolen PayPal credentials can fuel credential stuffing, phishing and fraud, even if they didn't come from PayPal's servers, especially if there is reuse of any of these credentials. This highlights a problem that we don't always think about. Criminals often exaggerate their claims to boost sales, but you can't take a hacker's word at face value, even though that doesn't make the stolen data any less dangerous.

And that's our show for today. You can reach me with tips, comments, and even some constructive criticism. You can reach me on the Contact Us page at Tech Newsday. You can find me on LinkedIn. Or if you're watching this on YouTube, you can leave a comment under the video. This weekend we have a show which will hopefully share some of the good, the bad and the ugly of cybersecurity research. Join us if you can. I'm your host, Jim Love. Thanks for listening.
