Maria Varmazis
You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth. So join me for T-Minus Space Cyber Briefing. New episodes every Sunday.
Dave Bittner
Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. A federal watchdog questions NIST over its vulnerability database backlog. Google patches an Android zero-day. Citizen Lab exposes a powerful location tracking platform. Malware hides commands in Steam comments. Researchers spot AI-assisted malware development. Attackers compromise Red Hat's npm namespace. DriveSurge spreads malware through ClickFix and fake updates. FreePBX patches a critical flaw. Dashlane responds to a brute force attack. Our guest is Lore Leiden, opening chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health, sharing her expertise on digital health platforms. And Meta's AI support bot proves a bit too eager to help. It's Tuesday, June 2, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great, as always, to have you with us. NIST's National Vulnerability Database, the NVD, a critical resource used by government and industry to prioritize cybersecurity vulnerabilities, has become increasingly ineffective due to management failures. According to a Department of Commerce Inspector General report, the backlog of unprocessed vulnerabilities more than doubled from 13,000 in February 2024 to over 27,000 by the end of 2025, undermining the database's usefulness and public confidence. The report attributes the crisis largely to poor planning after NIST stopped funding contractors who process vulnerability data.
Although NIST promised to resolve the backlog by September 2024, it lacked a realistic strategy to meet its processing targets. The watchdog also found significant duplication of effort between NIST and CISA, including more than 21,000 overlapping vulnerability reviews and roughly $200,000 in wasted spending. Additional concerns included weak communication with stakeholders and inefficient severity scoring practices that often duplicated work already performed elsewhere. The inspector general recommended stronger coordination with CISA, reduced emphasis on vulnerability scoring, improved stakeholder engagement, and a sustainable plan to eliminate the backlog. NIST agreed with the recommendations and said it would begin implementing improvements immediately. Google's June 2026 Android security updates patch 124 vulnerabilities, including a high-severity zero-day that has been exploited in limited targeted attacks. The flaw affects Android 14 and later, allowing local attackers to execute code and escalate privileges. Google also fixed 18 critical vulnerabilities across Android system components, including flaws that could enable privilege escalation without user interaction. While Pixel devices will receive updates immediately, other Android vendors may take longer to deploy patches. Google urged users to install the latest Android updates as soon as they become available. A new report from Citizen Lab examines Webblock, a geolocation surveillance platform developed by Cobwebs Technologies and now sold by Penlink. The system uses location and advertising data collected from consumer mobile apps to track hundreds of millions of devices worldwide. According to the report, Webblock provides access to continuously updated records that can reveal sensitive details about individuals, including home and work locations, social relationships, religious affiliations, political views, and health-related activities.
Researchers found evidence that the technology is used by law enforcement, intelligence and military organizations in multiple countries, including the United States, Hungary and El Salvador. The report also highlights concerns about limited transparency, oversight, and the potential for warrantless surveillance. Citizen Lab argues that the growing use of advertising-derived data for government surveillance illustrates how commercial data collection ecosystems can be repurposed for large-scale monitoring, raising significant privacy and civil liberties concerns. Researchers at GoDaddy uncovered a malware campaign affecting roughly 2,000 WordPress sites that uses an unusual command and control technique: hiding instructions inside Steam Community profile comments. The comments appear as harmless ASCII art, but invisible Unicode characters encode malicious payloads that infected sites decode to retrieve commands and download additional malware. The campaign ultimately loads a disguised JavaScript file from a malicious domain and installs a persistent PHP backdoor. That backdoor allows attackers to remotely update malicious code across WordPress themes and plugins, making infections difficult to fully remove. The malware also uses multiple layers of obfuscation, including encryption, encoded strings and legitimate WordPress functions, to evade detection. Researchers believe the initial compromise likely stems from stolen credentials, vulnerable plugins or other common WordPress attack vectors. The campaign demonstrates how threat actors are increasingly abusing trusted platforms and unconventional techniques to conceal command and control infrastructure and maintain long-term access to compromised websites. Sophos researchers discovered a threat actor using AI coding tools to develop and refine malware designed to evade endpoint detection and response products from multiple vendors.
The activity appeared in a testing lab containing AI-assisted Python scripts, many written in Russian, and tools for building stealthy malware loaders. Sophos emphasized that AI was not acting autonomously or embedded in the malware. Instead, human operators used AI to accelerate coding, testing and research. Although the project was presented as a red team exercise, Sophos assessed it was likely intended for real-world post-exploitation activity and linked to ransomware and data theft operations. Attackers briefly hijacked Red Hat's official npm namespace to distribute backdoored versions of 32 trusted software packages used across the company's hybrid cloud console ecosystem, according to researchers at ReversingLabs and Aikido Security. The malicious packages contained hidden preinstall scripts that executed automatically during installation, stealing cloud credentials, CI/CD tokens, npm credentials and other sensitive data. The malware, identified as a variant of the Mini Shai-Hulud worm, also attempted to spread by using stolen publishing credentials to compromise additional packages. Investigators believe the attackers breached a GitHub Actions build pipeline and abused trusted publishing mechanisms based on OIDC tokens. Red Hat has since removed the malicious releases and published clean versions, but organizations that installed affected packages are advised to rotate credentials and review their development pipelines for signs of compromise. Researchers at Silent Push have identified a large-scale malware distribution operation by a threat actor known as DriveSurge, which uses compromised websites to redirect visitors to malicious infrastructure. The campaign relies on two common social engineering techniques: ClickFix, which tricks users into running malicious commands, and fake updates, which impersonate browser update prompts to deliver malware.
DriveSurge appears to operate as an initial access broker, using a pay-per-install model to provide footholds for other cybercriminals. Visitors are funneled through a traffic distribution system called ZTDS, which determines the most effective lure for each target. Researchers linked thousands of compromised sites and more than 80 malicious domains to the campaign. The operation targets both Windows and macOS users, highlighting the growing scale and sophistication of malware delivery through trusted websites. FreePBX has disclosed a critical vulnerability that could allow unauthenticated attackers to access the user control panel through hard-coded credentials in the userman module. The flaw affects multiple versions when the optional generic template setup is used. Successful exploitation could expose sensitive communications data and enable unauthorized changes to user settings. Administrators should update, restrict management interfaces to trusted networks or VPN access, and enable multi-factor authentication or SAML to strengthen account security. Dashlane says a recent wave of account suspensions was triggered by automated defenses responding to brute force login attacks. Affected users received alerts about login attempts and device registration requests from unfamiliar locations, leading some to suspect a phishing campaign. Dashlane confirmed the activity was caused by external attackers attempting to guess passwords and said the platform automatically locked targeted accounts to prevent unauthorized access. The company reported no evidence that its systems were compromised and has since restored affected accounts. While Dashlane marked the incident as resolved, some users have continued to report login issues and difficulties reaching support.
Coming up after the break, Lore Leiden, opening chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health, shares her expertise on digital health platforms. And Meta's AI support bot proves a bit too eager to help. Stay with us. What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new integration: each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform, used by more than 16,000 fast-moving companies like Ramp, Cursor and Harvey to help ensure they're always audit ready. And now Vanta is helping companies watch for the risks that show up between audits, across vendors, AI tools and their entire environment. The Vanta agent works like a 24/7 GRC engineer in the background, finding issues, drafting fixes and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Indeed Sponsor
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
Dave Bittner
Maria Varmazis speaks with Lore Leiden, opening chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health. This interview is part of our media partnership with Infosecurity Europe.
Maria Varmazis
Well, you are working in a really fascinating world, and I can't think of an industry where PII privacy matters much more than, especially right now, in femtech. I would love to hear your, maybe your personal philosophy on building privacy into an app that's tied into something so personal as feminine health. What are your thoughts on that?
Lore Leiden
So privacy and security are our product. It's very simple. We understand that women's health information is amongst the most sensitive personal information that you can give or process. And so, yeah, if our users don't trust our platform, they won't use it. We take trust and building trust very, very seriously. Of course we would. Our product only works if you build privacy and security into absolutely everything you do. And that's what we do at Flo. Privacy and security are at the heart of what we do, right from a product idea to a pull request that ships code, every step along the way. Yeah, privacy and security are built in.
Maria Varmazis
For organizations that are dealing with incredibly sensitive information, women's health information is certainly one of them. Certainly many other industries are dealing with sensitive data as well. I'm just. I'm curious about what it's like to be building in privacy as not just a practice, but almost a philosophy at an organizational level, to bake that into everything you do. Like, what does that look like? How does that work?
Lore Leiden
Here's how I see it. At Flo, absolutely everybody from the C suite down understands just how intrinsically important privacy and security are. And at every level, you feel like you're pushing on an open door at Flo. I don't know that there are many organizations where, in this type of role, people can genuinely say that. I remember my first week at Flo, and I was trying to make sense of all of the information coming at me, but specifically the governance structures here at Flo. And I was looking through various minutes and diary entries, and I had the chief people officer just come and approach me. She saw me sort of looking at the privacy and security steering group slides and she just got really excited. She said, hey, you know, we have the steering group next week. And she was totally invested in the whole process of governing security. And it just wasn't something that I was expecting, sort of unsolicited. And it really impressed me. It impressed me that she first of all knew when it was, but she was so heavily involved. And I think that's the thing. It doesn't matter where you turn at Flo, people are fully connected with the privacy and security mission, and it is very much that end-to-end journey here.
Maria Varmazis
Yeah, yeah. I feel like this is a good segue for us to mention that a few years ago, and I'm going to summarize this poorly, so feel free to correct me, there was a lawsuit involving Flo at some point and use of SDKs that has since, I believe, been settled. And I was looking at Flo's website, and there's a lot about sort of lessons learned from that experience and also user privacy. Could you walk me through those lessons learned and sort of what happened and what happened next?
Lore Leiden
So I'm really glad you asked the question, because there is so much misinformation out there, and I think it's really important to say that, look, Flo defended itself successfully, and really what that's done is that's set us up as the leader in privacy and security in the femtech space. Privacy and security are our product. We go way above and beyond. We've chosen, for example, and it's a choice that we've made ourselves, to be dual ISO certified to ISO 27001 and 27701. We have an integrated privacy and security management system. We really recognize that our users deserve choice. We believe that all the time our users should be kept in control of their data and kept well informed. And that's why we developed Anonymous Mode. I'm sure you'll remember, in the States, on the back of Roe v. Wade in 2018, when women lost the constitutional right to abortion, Flo developed Anonymous Mode, which is, let me say, absolutely unique and very, very special. I'm going to say that in the industry generally, it's really encouraging to see players leaning in towards collecting less personal information. We've gone a step further with Anonymous Mode. Not only do users not need to share their name, their email, but we give users the choice to strip off all of their personal identifiers. So not even technical identifiers, not even IP address. Through a series of transmission processes, the user interacts with our app in a completely anonymous way. And what that means is that when the user's using our app, we don't even know who the real user is. And of course, that in turn means that nobody else can know who that real user is either. And that's something really special and unique. And we don't want to be the gatekeepers, Maria, of this technology. We've open sourced it for the whole of the industry to use, because we firmly believe that women should be able to trust femtech platforms. The importance of that is it affects people's life outcomes.
I can give you an example from even my own personal life. Somebody very close to me started tracking periods and symptoms with our app from a very early age, in their teens, and very soon realized that the pain she was experiencing, the symptoms that she was experiencing, were not normal. And if she hadn't been tracking that in such an honest and digital way, she wouldn't have been able to take that information to a clinician and get a diagnosis of a condition that could otherwise have potentially prevented her from having children in later life. So this is the sort of impact that having trust in a digital platform has on people's lives. It's super important that people can trust our platform. We're doing everything in our ability to make sure that we not only create the right conditions for our users to be able to do that freely, but we want to set the bar for the rest of the industry too.
Maria Varmazis
Yeah, thank you for that wonderful response. It was making me think exactly about what you just concluded with, which was: it's shocking to me, as a woman who has spent a lot of time looking through a lot of femtech options, how this level of privacy isn't standard. And it always, when I have these conversations with friends of mine, with family of mine, a lot of people just go, you know what? It is really not worth the risk. I'm just gonna go back to pen and paper, which is, oh, no, no. Frankly, how I grew up doing it. I know, I know. And it's just, it's a little. It's wild to me. I remember where I was in 2022 when the Dobbs decision came down. I mean, that was a huge moment. And I remember that feeling of dread. And I understand that for many people, and this is not just a US thing. I apologize. I'm getting very America centric, so American. But for many women around the world, I mean, they're tracking, for some reason, tracking our health becomes an issue that can be physically dangerous to us, which is just crazy in 2026, that this is still where we're at and that many solutions in the industry don't seem to take that as seriously as I think real women are. And it's just wild to me. I don't know, I don't really know if I have a point to that, aside from just going, it's crazy to me that you all are a wonderful standout on this front, in my biased opinion, but many other solutions really are much further behind, and it just is. I don't understand why it's not taken as seriously as it really should be, because I don't know if it's really an app versus an app thing versus an app versus pen and paper thing for many people.
Lore Leiden
Honestly, my view on this, Maria, is that just like the airline industry doesn't compete on safety, we shouldn't be competing on privacy and security either. Women deserve better, and great security, great privacy should just be table stakes. And unfortunately, I think you're right. You know, sadly, not all companies walk the walk. Some are quite good at talking the talk, and we really just want to bring others along. You know, this is not for any single player to differentiate on. It's for the industry to really appreciate the importance of that to our users. And not just that, but to really be able to keep our users in control, to be able to keep users informed. We go to great lengths to make things like our privacy policy consumable, really consumable, so that people understand exactly how their information is being processed. And then under the hood, all of the effort that goes in every step of the way to making sure that we're following that best practice and leading it.
Dave Bittner
That's our own Maria Varmazis speaking with Lore Leiden, opening chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health.
Maria Varmazis
So good, so good, so good.
Nordstrom Rack Sponsor
Everything you want for summer is at Nordstrom Rack stores now, and up to 60% off. Stock up and save on the brands you love, like Vince, Sam Edelman, Frame and Free People. Join the Nordy Club to unlock exclusive discounts, shop new arrivals first and more. Plus, buy online and pick up at your favorite Rack store for free. Great brands, great prices. That's why you Rack.
Microsoft Copilot Sponsor
No one goes to Hank's for spreadsheets. They go for a darn good pizza. Lately, though, the shop's been quiet, so Hank decides to bring back the $1 slice. He asks Copilot in Microsoft Excel to look at his sales and costs and help him see if he can afford it. Copilot shows Hank where the money's going and which little extras make the dollar slice work. Now Hank's has a line out the door. Hank makes the pizza. Copilot handles the spreadsheets. Learn more at m365copilot.com/work.
Dave Bittner
And finally, hackers claim they found an unexpectedly cooperative accomplice in Meta's AI support chatbot. According to reports and videos shared in Telegram channels, attackers were able to take over Instagram accounts by persuading the AI support system to change the email address associated with a target profile. The process allegedly involved matching the victim's region with a VPN, initiating a password reset, and then asking the chatbot to link a new email address. Once the AI complied, the attacker received reset codes and gained control of the account. The alleged exploit coincided with a string of high-profile Instagram takeovers, including accounts linked to the Obama White House, the U.S. Space Force and Sephora. Researchers and victims say the incident highlights a growing challenge with AI-driven support systems: when something goes wrong, there may be no human available to intervene. In a touch of irony, Meta had recently promoted its AI support tools as a way to improve account security and prevent takeovers. Meta says the issue has now been fixed and that affected accounts are being secured. Still, the episode serves as a reminder that replacing human judgment with automation can sometimes produce results no one intended, except perhaps the attackers. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily — June 2, 2026
Episode: “The bugs are piling up faster than the fixes.”
This episode of CyberWire Daily, hosted by Dave Bittner with contributing interviewer Maria Varmazis, provides a rundown of pressing cybersecurity issues, from mounting vulnerability management crises, Android zero-day threats, and surreptitious malware campaigns, to new privacy innovations in femtech. The show also features an interview with Lore Leiden, Infosecurity Europe opening chair and VP of Security and Infrastructure at Flo Health, focusing on privacy-driven app design in digital health. The episode concludes with a cautionary tale of how attackers exploited Meta's AI support bot to hijack high-profile Instagram accounts.
| Segment | Start | Topic |
|---|---|---|
| NIST NVD Backlog | 02:20 | Vulnerability processing crisis |
| Google Android Zero Day | 05:03 | Mobile updates, zero-day exploitation |
| Citizen Lab on Webblock | 05:49 | Surveillance tech, privacy implications |
| Steam Comment Malware | 07:03 | Malware hiding in unexpected channels |
| AI in Malware Development | 08:46 | Human-in-the-loop AI threat enhancement |
| Red Hat's npm Namespace Attack | 09:39 | Supply chain compromise |
| DriveSurge Campaign | 11:06 | Social engineering with fake updates/ClickFix |
| FreePBX Hardcoded Credentials | 12:10 | Vulnerability warning/report |
| Dashlane Brute Force Suspension | 13:00 | User impact of automated security response |
| Interview: Lore Leiden (Flo Health) | 15:35 | Privacy as a core value in femtech apps |
| Privacy by Design Approach | 16:16 | Implementing privacy org-wide |
| Anonymous Mode, Lessons Learned | 20:03 | Radical anonymization, open sourcing privacy tools |
| Ensuring Privacy as Table Stakes | 25:44 | Call for industry-wide privacy standards |
| Meta AI Chatbot Exploit | 28:32 | AI-assisted Instagram takeovers |
This episode delivers timely threat intelligence and industry perspectives on the swelling challenges of vulnerability management, emerging mobile and web threats, and the risks and responsibilities of data collection in modern apps. The interview with Lore Leiden provides a clear vision of what privacy by design can look like when organizational culture and technical innovation unite—especially meaningful in femtech, where stakeholder trust is paramount. The final news segment on Meta’s AI chatbot mishap serves as a stark reminder: rapid automation in security support must be matched by vigilant oversight, or it risks being weaponized by attackers.
For full stories and daily updates: thecyberwire.com