Think your browser’s password manager is safe? Think again.

It’s so easy to click and save your passwords right to Chrome, Edge, Safari or any other browser. Have you ever stopped to think about just how bad an idea it is to do this? Anyone with access to your browser can jump right into any one of your accounts. Yup, even your banking and investment accounts are up for grabs.
Google and Apple have free, built-in password managers. But do you really want a company that makes money collecting and selling data to be the one protecting your most sensitive info?
Then there’s one-password syndrome
I bet you’re reusing passwords or have done this in the past. Reusing passwords is a cybersecurity disaster, and one I’ve warned you about for decades. Hackers love you. A shocking 81% of hacking-related breaches start with weak or stolen passwords.
- Credential stuffing: Hackers take a leaked password and try to sign into thousands of sites per second. If you reused the login, they’ll find it.
- Dark Web sales: One criminal steals your passwords, then sells them to lots of others for fraud and identity theft.
- Financial risk: Your banking info and credit card are tied to more accounts than you realize. Identity theft and financial fraud take years to stop, and you’ll never get all that money back.
The right way to protect your accounts
✅ Use a dedicated password manager. You want one with military-grade encryption, so even if hackers breach your device, they can’t access your stored passwords. Steer clear of free options. Those are almost always a scam.
✅ Don’t be sloppy. Say it with me: Every single account, every login and every app gets its own strong, unique password that’s at least 16 characters long, with a mixture of upper- and lowercase letters, symbols and numbers. A good password manager does it for you and autofills across all your devices because you won’t remember a hard-to-crack password.
✅ Be smart when you update. Don’t just change a letter, character or number at the end of your current password and call it good. Sure, that makes it easy to remember, but it’s not hard for someone to figure out your pattern and crack your new logins.
✅ They know your tricks. Adding an exclamation point or question mark at the end of a password doesn’t do much to stop hackers and their software from figuring it out. Use numbers and special characters in a password. Replace an O (the letter) with a zero, like this: k0mand0_scholar, or an A with an @, like kom@ndo_f@n.
✅ Try a passphrase. They are longer and harder to crack. Mix in some characters and numbers. “My two cats are smart” becomes “my2c@tsrSmart.”
✅ Share the right way. Sending a password in a DM or text is dangerous. A password manager lets you share a login in its encrypted form instead of plain text anyone can read. Pro tip: If you ever do share a password in a message in a pinch, delete it after the other person has copied it down.
Your Wi-Fi was part of 2.7 billion records leaked

I bet you’ve never heard of Mars Hydro. It’s a company headquartered in Communist China that makes Internet of Things (IoT) devices. Their speciality? LED lights and hydroponics equipment.
Security researcher Jeremiah Fowler (I had him on the show about other breaches, and he’s a smart, standup guy) was digging around and found they had a massive 1.17TB database online for anyone to see. There was no encryption and no password required.
Got a letter from Change Healthcare?
Don’t trash it! Hackers stole medical records and personal info in a Change Healthcare breach. Here’s what to do.
Peter Pan always flies because he never lands: A former Disney engineer thought he was downloading an AI image generator. It was malware. Hackers stole his personal info and Disney data, then dumped it all online. That’s not even what got him fired. He was watching porn on his work computer. Dummy.
Data brokers are cashing in, but you can stop them

Everyone wants your Social Security number. Some requests are legit, like when you’re starting a new job, applying for a loan or verifying your identity.
But countless others, from data brokers to scammers, are after your nine-digit code, too. In fact, an estimated 2,400 data brokers operate in the U.S., collecting and selling billions of personal records, often without your knowledge. Some even offer “credit header data,” which includes Social Security numbers, for as little as $5 per record.
Hacked on social media? Steps to take right now
The chances of your Instagram, X, Facebook, Amazon, Threads, Rumble, Twitch or other accounts getting taken over by spammy bots and data-stealing thieves have never been higher. So, don’t sit there all smug, thinking, “Oh, Kim, that could never happen to me!”
🇨🇳 Communist China’s at it again: Now, China’s sending hackers after Microsoft 365 accounts, mostly in the financial services and insurance biz. Their method of choice is password spraying, aka attempting to log in to accounts with all the most common, weakest passwords. This is your friendly reminder to use a complex password for every single account.
😱 Robin Hood: Hackers dropped a toolkit that permanently unlocks almost all versions of Windows (7 and up), plus Office 2013 to 2024. They’re giving it away for free because “profiting from piracy is not good.” How ethical. Go with the free LibreOffice instead.
It’s everywhere: Hackers uploaded a free survival game to Steam. PirateFi was live for a week on the super-popular gaming site, spreading malware. Today’s cybercriminals have too many tricks up their sleeves. You need real-time protection that’s smarter than they are. My pick, TotalAV, is $19 for the first year and works with Windows PCs, Macs, iPhones and Androids.
I’m not switching: Microsoft Edge’s new scareware blocker spots pop-ups that try to trick you into downloading malware or giving hackers remote access. Sounds great … until you realize it works by scanning every page you visit. Want real-time protection you can trust? My pick is TotalAV.
Grubhub bites when it comes to security: Hackers stole names, passwords and credit card details for customers and delivery folks. No word on how many accounts were hit. If you use Grubhub, reset your password and keep an eye on your credit card charges.
🏥 Your health, at risk: Two patient monitors that track your vitals have gaping security holes. Hackers can snoop on data, mess with settings or even assume total control. The Chinese-built models completely ignore network settings, meaning someone with the right know-how can break in. The only fix hospitals have? Unplug it and keep it off the network.
New chips mean new risks: A serious flaw in Apple gear lets hackers snag data while you’re logged into Gmail in one tab and iCloud in another. The two vulnerabilities, named “FLOP” and “SLAP,” impact Mac laptops made in 2022 or later; Mac desktops from 2023 or later; iPad Pro, Air and Mini models from September 2021 and later; and iPhone 13, 14, 15 and 16 models, plus the iPhone SE (3rd-gen). There’s no fix yet. Be extra careful and log out of your email account when you’re not using it.
Age isn’t a number; it’s a word: Several states now require you to verify your age before accessing porn. To do this, you’ll need to upload a government ID, submit a facial scan or other biometric data, or let a third party verify your identity. That sounds great, but these sites store your data, making it vulnerable to hackers and potentially exposing the fact you watched “The Boobyguard,” not “The Bodyguard.”
🚨 Botnet alert: Researchers found a botnet called “Murdoc” targeting security cameras and routers worldwide. Over 1,000 devices are compromised; AVTECH IP cameras and Huawei HG532 routers are the main targets. Once hackers take control, they can launch DDoS attacks or steal your info. Fixes are coming from the manufacturers, so keep your router and security cams updated.
🚨 National security alert: Chinese hackers breached the U.S. Department of Treasury, gaining access to over 400 computers, including those belonging to the Secretary and other top officials. Over 3,000 files were compromised, exposing sensitive info about sanctions, law enforcement and international affairs. An investigation is underway, but this is just the tip of the iceberg.
Attention, website owners: Over 1 million WordPress sites use the SEO and optimization plugin W3 Total Cache. A new flaw lets hackers steal all kinds of sensitive info from the backend of a site. If you use the plugin, download software update 2.8.2 to patch the bug right now.
Google could stop this, but they don’t: At the top of its search results for Google Ads are fake sites that collect your real login info. Fall for one, and hackers can take over your Google Ads account to post their scam URLs — or just sell your info to other criminals. Make sure 2FA for Google Ads is on to detect strange logins. More smarts like this are coming soon in my small-biz newsletter.
Wait, are public phone chargers dangerous?

Those charging kiosks in airports, hotels and malls are so tempting when you’re out and about with a dying phone. Their owners promise they’re safe. The government disagrees, and so do I. Groan, I know.
Welcome to the newest phase of juice jacking. The phenomenon has been around for more than 10 years. Hackers use public phone-charging stations to upload malware to your devices. Then, they ransom your device or steal your passwords. Super-duper.