Transcript
A (0:01)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
A lawsuit claims WhatsApp misled more than 2 billion users about message privacy. Google's new personality AI raises hard questions about how personal profiles are secured. Canada Computers breach highlights the risk of delayed response to card skimming attacks. And 149 million stolen passwords exposed. This is Cybersecurity Today. I'm your host, Jim Love.
A new class action lawsuit filed in the United States claims that Meta and WhatsApp misled their more than 2 billion users about the privacy of WhatsApp messages, despite years of assurances that the service uses end-to-end encryption that even WhatsApp itself can't break. The lawsuit was filed in federal court in California on behalf of users in multiple countries, including Australia, Brazil, India, Mexico and South Africa. It alleges that WhatsApp, owned by Meta, has internal tools that allow employees to access and review message content under certain circumstances, according to that complaint. According to the complaint, that capability contradicts WhatsApp's long-standing marketing claims that messages are readable only by the sender and the recipient. The plaintiffs argue that WhatsApp's encryption claims were central to its growth, particularly among users who rely on privacy for sensitive communications, including journalists, activists and political organizers. They allege that Meta benefits commercially from user trust while operating systems that undermine those privacy expectations. Meta has denied the allegations, claiming the lawsuits are frivolous and categorically false.
The company says WhatsApp uses the Signal protocol for end-to-end encryption and maintains that it cannot read users' messages, adding that it plans to seek dismissal of the case. The outcome of this lawsuit could matter well beyond WhatsApp. If the claims survive early legal challenges, it may force clearer standards about what end-to-end encryption really means in practice, and whether messaging platforms can promise privacy while still retaining internal access mechanisms.
Google's new personal intelligence feature doesn't just personalize search results. It brings a long-standing but under-discussed security issue into sharper focus. As AI systems become more capable and more connected, they're quietly building detailed personal profiles about the people who use them. Google says its system does not use personal data to train its models and that access to Gmail, Photos and other services is opt-in and tightly controlled. Taken at face value, those assurances may well be accurate, but Google's move makes something unavoidable. And this is no longer just about Google. Systems like OpenAI and Anthropic's Claude already demonstrate the ability to infer surprisingly realistic personal characteristics from limited interaction. If you don't believe me, go onto either one of them and ask it to describe you. As users increasingly allow these tools to connect to calendars, documents, email and work systems, those inferred profiles could become much more explicit and persistent, and far more valuable. Which raises a hard security question: not whether these companies intend to misuse personal profiles, but how these profiles are stored, segmented and defended. A leak of highly structured, AI-curated personal intelligence would be fundamentally different from traditional data breaches.
It wouldn't just expose messages or photos. It could reveal behavioral patterns, relationships, habits, psychological cues, exactly the kind of intelligence cybercriminals and AI-driven scam operations would find extraordinarily effective. The consequences of a breach could far exceed past social media scandals. Compared to the Cambridge Analytica episode, which relied on relatively crude profile data, the exposure of AI-generated personal models could make that breach look trivial by comparison. And because of that value, it's reasonable to assume these systems will be under continuous scrutiny and even attack. So Google's personal intelligence doesn't create this risk, but it makes it visible. As AI systems grow more personal, the real test may not be how useful they are, but whether the industry can convincingly demonstrate that the most intimate digital profiles ever assembled can actually be kept secure.
A major payment card breach at Canada Computers is raising concerns not just about the attack itself, but about how long it appears to have taken for the issue to be addressed after it was first reported. According to reporting by iPhone in Canada, a malicious credit card skimming script was discovered on the retailer's online checkout page by a customer who noticed suspicious behavior while inspecting the site's code. The individual reported the issue directly to Canada Computers on January 18, submitting support tickets warning that the card details entered during the checkout could be intercepted. Reports are that those tickets were closed without the issue being resolved, based on the customer's public account. The same reporting says evidence suggests the skimmer may have been active since late December 2025, although the exact start date has not been independently confirmed.
The malicious code was removed only after the discovery was shared publicly on online forums, including Reddit, where other users examined the site and confirmed the presence of the script. iPhone in Canada reports that the code was taken down shortly after that. Canada Computers began emailing customers on January 25th and 26th, advising them to monitor statements and consider canceling affected cards. In its notification, the company acknowledged that the unauthorized code had been present on its website and said it was working with external cybersecurity experts to investigate. The company has not publicly explained why earlier reports did not lead to immediate remediation. This type of attack will sound familiar to regular listeners. We talked about this in mid-January, about Magecart-style web skimming campaigns where attackers were quietly injecting malicious code into checkout pages and siphoning off card data while transactions appeared to work normally. These attacks are designed to be hard to spot and can persist for weeks if no one is actively looking. But what stands out here is the apparent gap between when the issue was first raised and when action was taken, based on timelines reported in the press and community posts. Under Canadian privacy law, organizations are required to notify individuals as soon as feasible when a breach creates a real risk of significant harm. Whether that standard was met in this case may depend on details that have not yet been made public. And as of now, Canada Computers has not disputed the reported timeline or released a detailed incident report. But if they do, and if we are wrong, we'll be glad to go to press with a correction. But the episode is a reminder that in web skimming attacks, speed matters and delays can turn a contained incident into a much broader financial and reputation exposure.
The discovery of a database containing 149 million stolen passwords leads to an uncomfortable but practical conclusion.
At this scale, it's reasonable to assume that anyone's credentials could have been compromised. The database was identified by researchers at Hudson Rock, who traced the data back to infostealer malware infections. Rather than coming from a single breach, the credentials were aggregated from multiple infostealer campaigns and stored on an exposed server. That server was eventually taken offline, but only after the data had been discovered and analyzed. Hudson Rock says the credentials were likely accessed and copied before the takedown. That matters, because infostealer data doesn't stay put. Once collected, it's routinely duplicated, resold, and merged into other criminal data sets. By the time a repository is shut down, the safer assumption is that the data is already in circulation. And what makes this dataset different is how usable it is. The database reportedly links passwords with context pulled directly from infected machines: browser data, session cookies, and indicators of whether credentials may still be valid. Some infostealers also capture active authentication tokens, which in certain cases could allow attackers to bypass multi-factor authentication until those sessions actually expire. At this scale, this becomes personal pretty quickly. This isn't about whether you've received a warning email. It's about whether your credentials could be out there without you knowing. Might make it a good moment to change passwords on key accounts, especially email, financial services and work systems. And if anybody is out there who is still reusing the same password in more than one place or hasn't gotten this message across to the employees in their company, they need to know. This is exactly why that needs to stop. One important caveat. Services like Have I Been Pwned may not actually reflect this kind of exposure. Troy's service, Have I Been Pwned, is deliberately cautious about what data it ingests.
Infostealer datasets are fragmented, constantly reshuffled, and difficult to validate responsibly, which means they don't always make it into public breach notification databases. So in this case, the absence of an alert does not mean the absence of risk. Infostealer malware has turned credential theft into a background condition of the Internet. The response isn't panic, it's realism. Assume exposure is possible, limit the damage if it happens, and please God, stop making attackers' jobs easier by reusing passwords.
And that's our show. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys, and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and even run support. It's a single integrated solution that scales from branch offices to warehouses to large campuses, all the way to data centers. Book a demo at meter.com/CST. That's M-E-T-E-R.com/CST. I'm your host, Jim Love. Thanks for listening.
