Researchers show a browser attack that can infer open sites and apps.
In March, Mark Zuckerberg’s Meta announced a new Meta AI support assistant feature on both Facebook and Instagram, providing users with a way to “resolve account problems” and help in taking down any offending impersonator accounts or scams.
Besides highlighting the tech industry’s seemingly insatiable appetite for automating customer service-level jobs with AI, the new feature appears to have backfired spectacularly. As 404 Media reports, the chatbot happily obliged when hackers asked it for access to high-profile Instagram profiles.
The ruse is shockingly simple: after matching the account owner’s geographic region using a VPN, the hackers asked the support chatbot to change the email address associated with the profile, thereby allowing them to successfully complete two-factor authentication. Worse yet, the vulnerability has been around for several months already, according to Telegram group messages reviewed by 404 Media.
“t’s either the new Meta Accounts Center glitching out or my Instagram account is being targeted in a hacking attempt,” former Meta researcher and self-proclaimed hacker Jane Wong wrote in a Threads post. “It appears that my password has been changed without my knowledge / I was not able to log in using my password.”
The exploit highlights glaring cybersecurity issues that continue to plague AI-powered chatbots. We’ve seen countless instances of large language model based tools being jailbroken, tricked into telling lies, or even hallucinate made-up company policies leading to plenty of confusion and even lawsuits.
Experts have also long warned against handing AI chatbots personal information, citing the risk of data leaks. Meta, in particular, has garnered a reputation for continuously treating user data with little care. In March, for instance, The Information reported that an in-house AI agent had caused a critical security incident at Meta, exposing sensitive user data to people without proper authorization.
While it’s unclear whether they were connected to the latest exploit, the news comes after several high profile Instagram accounts, including former president Barack Obama’s and Space Force chief master John Bentivegna’s, were hacked.
Hackers have been offering access to high-profile accounts in exchange for small amounts of money by using the vulnerability, per 404 Media.
Fortunately, Meta appears to have patched the issue, but considering the exploit was discovered months ago, the damage could be extensive.
More on Meta: Meta Workers Say They’re Seeing Disturbing Things Through Users’ Smart Glasses
The post Meta’s AI Support Bot Is Giving Hackers Access to Other People’s Instagram Accounts Just by Asking appeared first on Futurism.
These days, it’s nearly impossible to traverse the web without leaving some trace of your activity. That’s thanks to a panopticon of cookies, keystroke loggers, fingerprinting, tracking pixels, and probably some other horrors that haven’t even come to light. Maybe that sounds paranoid, but it’s exactly what researchers in Austria uncovered in bombshell new cybersecurity research.
According to the recently released paper, first spotted by Ars Technica, researchers have uncovered a type of no-interaction attack that websites can easily run to access data stored in your computer.
It’s called FROST, which stands for “fingerprinting remotely using OPFS-based SSD timing.” It’s a mouthful for sure, but it basically allows malicious websites to spy on your computer activity, all without installing any software or tricking you into clicking sketchy email links.
Per the researchers, it works by taking advantage of your computer’s solid state drive (SSD), the internal storage devices which have largely taken over from magnetic hard drives on the consumer market. Whenever you visit a site, your computer’s SSD starts buzzing with activity, allowing webpages to store temporary files for your browsing pleasure.
FROST attacks take advantage of this by creating a massive file — we’re talking several gigabytes — which functionally blocks your computer from moving what it sees as temporary web data out of the SSD. While that mammoth file is being processed, however, the malicious website is able to probe the timing of incoming data from other sites, generating data which can then be analyzed through a machine learning model to predict what else you’re doing online.
While “predict” suggests the attacker is guessing, the FROST method is scary good at identifying what a victim’s doing on their computer. Researchers write that by using this technique, their machine learning model was able to predict which sites a user would access with an accuracy rate of 88.95 percent, and could accurately predict accessed applications 95.83 percent of the time.
Worse, the whole thing works regardless of what browser you use — because it works through your SSD, an attacker can theoretically track your web browsing on Firefox based on a website accessed via Google Chrome. Researchers only experimented with the technique on Mac and Linux devices, but caveated that Windows devices are not immune.
“In principle, it would be possible to train a model on any system activity that reliably generates SSD accesses,” the study’s lead author, Hannes Weissteiner, told Ars.
While FROST represents the kind of vulnerability that probably needs to be patched by web developers, Ars notes that you can mitigate the risks by closing website tabs as soon as you’re done with them. It isn’t much, but it could prevent you from becoming the next victim of a scary new kind of cyberattack.
More on web development: New Website Detects Apocalypse If Billionaire Jets Start Fleeing en Masse
The post Websites Are Spying on Your Solid State Drive appeared first on Futurism.
Monstrous defeats keep coming for Mike Lindell, the notorious entrepreneur behind the MyPillow brand and one-time advisor to Donald Trump.
According to Straight Arrow News, a clique of hackers known as “Play” is claiming to have accessed a huge chunk of private data from MyPillow, which it’s now holding hostage. Per the outlet, which viewed a communique from the gang, the hackers now have access to “private and personal confidential data, clients’ documents, budget, payroll, IDs, taxes, finance information and etc.”
Lindell’s company has been given until Friday, May 29 to respond — or else its data will be published online, the hackers threatened. The amount they’re trying to extort hasn’t been disclosed, and neither the hackers nor MyPillow responded to Straight Arrow‘s requests for comment.
Play first appeared in 2022, when it orchestrated cyber attacks throughout the US, Brazil, Germany, and Switzerland, among others. Their targets tend to be those associated with government functionaries, like the Argentinian judiciary, and an IT firm contracted by the Swiss Federal Department of Finance.
In that vein, a successful attack on Lindell would be a major trophy. The entrepreneur first met Trump in the run-up to the 2016 presidential election, a relationship which blossomed as the would-be president ferried the increasingly crankish Lindell around rallies across the country.
In 2020, Lindell briefly served as Trump’s reelection campaign chair, then nearly ran for governor of Minnesota with his blessings. Later in November of 2022, Lindell ran for Chair of the Republican National Committee, though he lost after receiving only 2.4 percent of the total votes.
Now in 2026, the MyPillow founder is once again running for governor of Minnesota, having filed all the corresponding paperwork — which is more than he did last election cycle. That said, the hack comes as his finances and personal life are now under perhaps more scrutiny than they’ve ever been. Given his ties to Trump, who appears to be backing him again in the 2026 election, there could conceivably be some fascinating details lurking in the MyPillow archives.
Whether Lindell can pony up to keep them hidden remains to be seen: in April of 2025 he admitted that he didn’t even have “5 cents” to his name, owing to an avalanche of civil suits and federal investigations stemming from his political antics.
More on hacking: Riot Games Denies Using Anti-Cheat Software That Bricks Hackers’ Computers
The post The MyPillow Guy’s Entire Business is Being Held Hostage by Hackers appeared first on Futurism.
Rest easy, paranoid gamers. Riot Games says its Vanguard anti-cheat tool won’t “brick” the computers of hackers ruining everyone’s fun in its multiplayer games. And that’s too bad, since cheaters deserve to suffer at least twice as much as the beleaguered gamers that willingly subject themselves to grinding MMR in one of the company’s titles already do.
The brouhaha stems from a Vanguard update the “Valorant” and “League of Legends” maker released last week that targets notoriously hard to detect direct memory access (DMA) cheats, which bypass security measures by using an external device to write directly to a computer’s RAM.
Responding to another post about its new anti-cheat measure, the Riot social media account tweeted a picture of a bunch of rounded-up computer hardware that was reminiscent of a drug bust haul. It was appended with a provocative caption: “congrats to the owners of a brand new $6k paperweight.”
This turned out to be a PR landmine. The tongue-in-cheek post was interpreted as Riot bragging that it now had the ability to remotely brick your computer, creating an explosion of angry posts so overwhelming that the company scrambled to propitiate the mob banging on its gates.
“There’s been a wave of claims by cheaters about Vanguard ‘bricking’ their PCs, so let’s clear that up: Vanguard does not damage hardware or disable your devices,” it wrote in a lengthy X statement less than a day later.
“The photo we posted is a picture of cheat hardware devices that are sold explicitly for cheating in VALORANT (not normal PCs or PC components),” it added. “Through our latest updates, Vanguard now makes those devices worthless for VAL, but does not in any way brick PCs or PC components or PC software.”
congrats to the owners of a brand new $6k paperweight https://t.co/3rjZVQntrc pic.twitter.com/fS3JC0FL0p
— Riot Games (@riotgames) May 21, 2026
The backlash is a reflection of how controversial Riot’s Vanguard software remains years after it was first released in 2020. A so-called kernel-level anti-cheat, it requires gaining the highest level of access to a part of the operating system where its most crucial processes run, a privilege that most software does not ask for.
While this makes Vanguard adept at rooting out cheats running on someone’s system, it also in the eyes of critics makes it alarmingly invasive. And beyond potential privacy concerns, many users have complained that Vanguard causes all sorts of technical glitches on their machines, though it’s impossible to corroborate all those claims.
Unfortunately for Riot, those critiques aren’t about to die down after its latest DMA update and accompanying disastrous post. And unfortunately for the Vanguard-skeptical, Riot is sticking to its kernel-level guns.
“We’ll keep investing in anti-cheat to protect competitive integrity, and we’ll keep being as transparent as possible about how those systems work,” the company said in its statement.
More on cybersecurity: Google Alarmed by Formidable AI-Powered Zero-Day Cyberattack
The post Riot Games Denies Using Anti-Cheat Software That Bricks Hackers’ Computers appeared first on Futurism.
Researchers show a browser attack that can infer open sites and apps.
Login
