Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless, and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.

An infostealer grabs OpenClaw's SOUL.md, tokens, keys, and your entire digital life. A hobby coder accidentally builds a robot vacuum army. Best Buy cases show why zero trust is about behavior, not just rules. And the Canada Goose breach that wasn't: when your supplier gets hacked instead. This is Cybersecurity Today. I'm your host, Jim Love.

We've warned before about OpenClaw's security weaknesses, but Hudson Rock, a cybersecurity firm that tracks infostealer malware, has now documented exactly what one of those attacks looks like in the real world. And it builds, layer by layer, into something that is actually quite frightening. An infostealer is malware that quietly vacuums up sensitive data from your computer and sends it to attackers, and you probably never know it happened. But in this case, a standard file-grabbing routine swept up everything in the victim's OpenClaw directory. First, it grabbed tokens, authentication credentials that give whoever holds them access to everything the user can access. A master key. That's bad enough on its own. Then it grabbed the device's private cryptographic keys. Those keys are used to sign and verify that communications are genuinely coming from your device. With those, an attacker can obviously impersonate your device, completely bypassing security checks and potentially accessing encrypted logs and even paired cloud services. The digital equivalent of stealing your identity at the hardware level. But then came the coup de grâce. OpenClaw agents are built around files called SOUL.md. Yeah, that's the actual name. It defines the agent's personality, its behavioral rules, what access it has in your life and to the events in your life: calendar events, private messages, daily activity logs. The attacker doesn't just get your credentials; as Hudson Rock put it, they get a mirror of your life. And here's what should concern everyone in security. This wasn't even a targeted attack, just broad malware sweeping for anything sensitive that happened to hit the jackpot with a poorly designed piece of software. Hudson Rock is now warning that dedicated OpenClaw modules, malware built specifically to hunt and parse these files, are almost certainly on their way, just as we already have specialized stealers for Chrome, Telegram and others. If you're running OpenClaw, this is another reason to take a hard look at what you've given your agent access to, because apparently so are the criminals.

A hobbyist coder wanted to drive his robot vacuum with a PlayStation controller. Why? Who knows. But what he accidentally did was build an army of robot vacuums. Sammy as Douceful had just bought a DJI Romo and thought it would be fun to control it manually. So he used an AI coding tool to reverse engineer the device's communication protocols, and he built his own app. And when he connected to DJI's servers, roughly 7,000 robot vacuums across 24 countries started answering. He found he could watch live camera feeds inside strangers' homes, listen through onboard microphones, and generate accurate floor plans using just a 14-digit serial number. He pinpointed a journalist's robot vacuum, confirmed it was cleaning the living room at 80% battery, and produced a map of their house from another country. The technical failure was almost embarrassingly basic. DJI's systems had no access controls at the messaging level. Authenticate with one device token and you could see traffic from every other device in plain text. And it wasn't just vacuums. DJI's portable home battery stations run on the same infrastructure, and they showed up too. DJI initially told journalists the flaw had been fixed. That statement arrived about 30 minutes before as Dufle demonstrated thousands of robots, including the journalist's own device, still reporting in live. Now, this isn't the first vacuum hack. In 2024, hackers took over Ecovacs vacuums across US cities, shouting slurs through the speakers and chasing pets. Security testing of six vacuum brands last year found serious flaws in three Chinese models. More and more connected devices show little evidence of security being considered until somebody out there discovers the weakness. And with the number of devices we have, cameras, doorbells, home battery systems, and now vacuums, well, that just sucks.

There's a story coming out of Florida where police say a Best Buy employee used a manager's override code, which he was entitled to do. But he did it 149 times to buy high-end electronics, including MacBook Pros, at discounts as steep as 99%. The alleged scheme ran from March to December 2024 and cost the store roughly $120,000 before it was uncovered. And investigators traced the fraud not because of a security breach warning, but after discounted merchandise began appearing in pawn shops. Think about it. One employee using high-privilege override credentials nearly 150 times over nine months. That's not damaged-box discounts. That's a pattern. And the fact that it went unnoticed for so long simply encouraged more of that behavior. There's another case that we found as well, in the same story. In a Georgia case, another Best Buy employee was arrested after more than $40,000 in merchandise allegedly walked out of the store over two weeks. Police reports say that he initially told investigators he was being blackmailed by a hacker group threatening to release intimate images unless he cooperated, though he later disputed parts of that account in interviews. Two different stories, same underlying lesson, and we all know it. Security isn't just about whether credentials work. It's about whether the behavior makes sense in context. Just because the device or the login is validated, we should still be asking: should this action be happening this often, under these circumstances, by this person? In both cases, the systems allowed it. What failed was the contextual oversight. As we put our controls together, we tend to focus outward or on absolute controls. It's something to think about.

ShinyHunters is back with another data dump, and this time it's Canada Goose, a Canadian clothing company, that had 600,000 customer records, including names, addresses, order histories and partial payment card information, leaked. But here's where it gets interesting. Canada Goose was investigating and said they could find no evidence of a breach on their own systems. And then, according to BleepingComputer, when they were asked directly, ShinyHunters told them the data didn't come from Canada Goose at all. It came from a third-party payment processor and a breach dating back to August 2025. When you look at it, the structure of the leaked records backs that up. Security researchers noted that the dataset schema, field names like Checkout id, shipping lines and carttoken, closely resembles e-commerce checkout exports from hosted storefront and payment processing platforms. So if you're Canada Goose, you just found out your customer data was leaked, but you had nothing to do with it. You weren't breached, your security held, but your customers' information is out there anyway because somebody in your supply chain didn't measure up. And if you're in payment processing or e-commerce platform operations, this should get your attention, because you might be using one of the same suppliers or service providers as Canada Goose, and you may want to find out where that breach actually happened and whether you were part of it. The data, thankfully, is old. Most of it dates back to 2021-2023. But old data still enables phishing, fraud and identity theft, just with a little less urgency than fresh information. Once again, third-party breaches are becoming part of a pattern, not the exception.

And that's our show. We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, they build the software, they manage deployments, they run support. They do it all. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com/CST. That's M-E-T-E-R dot com slash CST. I'm your host, Jim Love. Thanks for listening.
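The Best Buy cases above come down to a question a point-of-sale system could ask on its own: is this override being used this often, by this person, for discounts this deep? The following is an added example, not code from the podcast, Best Buy or any vendor. It runs three contextual checks (override frequency in a sliding window, discount depth, and self-approval) over constructed, hypothetical override-log lines; the field layout, employee IDs, SKUs and thresholds are all assumptions.

```python
"""Contextual checks on privileged override use in point-of-sale logs.

Added example; the log format, employee IDs and thresholds are constructed
and hypothetical. The point is that a valid credential is not the end of
the question: frequency, depth and who approved it are the context.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical layout):
# timestamp | store | employee | action | sku | list_price | sale_price | approver
SAMPLE_LOG = """\
2024-03-02T10:15:00 | 1041 | E201 | OVERRIDE | LAPTOP-PRO | 2499.00 |   24.99 | E201
2024-03-02T10:40:00 | 1041 | E377 | SALE     | CABLE-USB  |   19.99 |   19.99 | -
2024-03-03T18:02:00 | 1041 | E201 | OVERRIDE | LAPTOP-PRO | 2499.00 |   49.98 | E201
2024-03-05T12:30:00 | 1041 | E118 | OVERRIDE | TV-65      | 1299.00 | 1039.20 | E902
2024-03-06T19:11:00 | 1041 | E201 | OVERRIDE | PHONE-X    | 1199.00 |   11.99 | E201
2024-03-07T09:05:00 | 1041 | E201 | OVERRIDE | TABLET-12  |  999.00 |    9.99 | E201
"""


def parse_log(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        ts, store, emp, action, sku, list_price, sale_price, approver = fields
        records.append({
            "ts": datetime.fromisoformat(ts),
            "store": store,
            "employee": emp,
            "action": action,
            "sku": sku,
            "list_price": float(list_price),
            "sale_price": float(sale_price),
            "approver": approver,
        })
    return records


def discount_pct(rec):
    """Percentage knocked off list price, rounded to one decimal."""
    return round(100.0 * (1 - rec["sale_price"] / rec["list_price"]), 1)


def detect_override_anomalies(records, window=timedelta(days=30),
                              max_overrides=3, max_discount_pct=50.0):
    """Return {employee: sorted list of reasons} for OVERRIDE actions that
    break a contextual rule. Only OVERRIDE rows are examined; a normal SALE
    never counts against anyone."""
    reasons = defaultdict(set)
    by_employee = defaultdict(list)

    for rec in records:
        if rec["action"] != "OVERRIDE":
            continue
        by_employee[rec["employee"]].append(rec)
        # Rule 1: an override this deep is not a damaged-box discount.
        if discount_pct(rec) > max_discount_pct:
            reasons[rec["employee"]].add("deep_discount")
        # Rule 2: the person using the code approved their own transaction.
        if rec["approver"] == rec["employee"]:
            reasons[rec["employee"]].add("self_approved")

    # Rule 3: too many overrides by one person inside any sliding window.
    for emp, recs in by_employee.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > max_overrides:
                reasons[emp].add("high_frequency")
                break

    return {emp: sorted(r) for emp, r in reasons.items()}


if __name__ == "__main__":
    for emp, why in detect_override_anomalies(parse_log(SAMPLE_LOG)).items():
        print(emp, why)
```

With the constructed log, E201 trips all three rules while E118's single, manager-approved 20% markdown passes; in a real deployment the thresholds would come from each store's own baseline rather than fixed numbers.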
Host: Jim Love
Date: February 18, 2026
In this episode, Jim Love breaks down several emerging cybersecurity threats: infostealer malware that siphons off an OpenClaw AI agent's tokens, keys and SOUL.md personality file, and with them the victim's digital life; an accidental army of hacked robot vacuums; retail insider fraud that shows why behavioral context, not just valid credentials, is the backbone of modern zero trust; and another lesson on third-party data breaches from a misattributed "hack" at Canada Goose. The episode drives home that modern security isn't just technical, it's contextual and ever-evolving.
"The attacker doesn't just get your credentials...they get a mirror of your life." – Jim Love ([03:39])
"More and more connected devices show little evidence of security being considered until somebody out there discovers the weakness. And with the number of devices we have, cameras, doorbells, home battery systems, and now vacuums, well, that just sucks." – Jim Love ([08:17])
"Security isn't just about whether credentials work. It's about whether the behavior makes sense in context..."
"Just because the device or the login is validated, we should still be asking, should this action be happening this often under these circumstances by this person?" – Jim Love ([13:49])
Field names such as Checkout id and carttoken pointed to third-party e-commerce platforms.
"...your customer data was leaked, but you had nothing to do with it...because somebody in your supply chain didn't measure up." – Jim Love ([17:28])
For security professionals, business leaders, or anyone concerned about their privacy, this episode is a wakeup call: Security is about much more than passwords and firewalls—it’s about context, behavior, and knowing where even the indirect risks lurk.