Smashing Security

Episod

• This AI security flaw might be impossible to fix 03.06.2026 57min

  A website called "UK visa portal" has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren't. And when a journalist tried to warn the company, it was lawyers who responded.Meanwhile, a paper from Cornell suggests that prompt injection - the technique malicious actors use to trick AI agents into doing things they really shouldn't - may be fundamentally unsolvable. Which is err... awkward, because everyone is rushing to plug AI agents into their email, files, and corporate networks.Plus don't miss our featured interview with Andrea Sivieri of CoreView, who tells us how hackers can lock your entire organisation out of its Microsoft 365 environment... without having to trick you into running a single piece of malicious code or handing over a password.All this and more in episode 470 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Tanya Janca.EPISODE LINKS:Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked - 404 Media.Canon Printer Vulnerability Leaks Plaintext Credentials - Praetorian.Password manager Dashlane says hackers stole some customers' password vaults - TechCrunch.UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us - TechCrunch.AI Agents May Always Fall for Prompt Injections - ArXiv.MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure - Cloud Security Alliance.From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness - ArXiv.Design details that feel like magic - Design Spells.Singing lessons.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!CoreView - How secure is your Microsoft 365 tenant? Find out with CoreView's free Microsoft 365 Tenant Security Scanner.ESET - 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• What your Oura ring won't tell you 27.05.2026 53min

  CISA, the US government agency whose entire job is keeping America's critical infrastructure safe from hackers, has had a contractor publish dozens of plain-text credentials to a public GitHub profile.Meanwhile, your Oura ring is quietly transmitting some of its data unencrypted - and when one journalist asked the company how often it hands user data to law enforcement, the answer was quite telling.Plus don't miss our featured interview with OPSWAT's Benny Czarny about his new book "Cybersecurity Upside Down."All this and more in episode 469 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Lesley Carhart.EPISODE LINKS:Canadian man arrested by international authorities, charged with administrating KimWolf DDoS botnet - US Dept of Justice.700+ education and tech websites hijacked in huge ClickFix malware campaign - Malwarebytes.Leaked Documents Reveal Russian ‘Cognitive Strikes’ Against the West - Including Islamophobic ‘Pig Head’ Attacks in Paris - OCCRP.Lawmakers Demand Answers as CISA Tries to Contain Data Leak - Krebs On Security.US cybersecurity agency CISA reportedly in dire shape amid Trump cuts and layoffs - TechCrunch.Oura says it gets government demands for user data. Will it share how many? - This Week In Security.Privacy and transparency of fitness tracking devices - Whyli.Upfest - Europe’s largest street-art festival.Magnets Are Bad For Hardware Again - Hackaday.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!XBOW - The autonomous offensive security platform that helps security teams scale. Start a pentest today.OPSWAT - Read Benny Czarny's book, "Cybersecurity Upside Down", to rethink how you protect your organization from file-based threats, including those powered by AI.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• High-speed train hacks and homicidal lawnmowers 20.05.2026 55min

  A 23-year-old radio enthusiast spent £300 on a piece of kit from the internet, and used it to bring four packed high-speed trains to a screeching halt. His defence in court? Possibly the most creative excuse we've heard all year.Meanwhile, owners of $4,000 robot lawnmowers are discovering that their gadget can be hijacked over the internet, redirected at journalists who foolishly lie down in front of it, and used to harvest Wi-Fi passwords, email addresses, and GPS coordinates. Change the default password? Sure - until the next firmware update silently resets it back.Plus - don't miss our featured interview with XBOW's Brendan Dolan-Gavitt about how AI is transforming penetration testing.All this and more in episode 468 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Geoff White.EPISODE LINKS:Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom - TechCrunch.Man accused of stealing Beyoncé’s unreleased music takes guilty plea - ABC News.Shai-Hulud code drop: Open season for supply chain attacks- ReversingLabs.Student hacked Taiwan high-speed rail to trigger emergency brakes - BleepingComputer.Polish teen derails tram after hacking train network - The Register.The Cheap Radio Hack That Disrupted Poland's Railway System - WIRED.The man with an army of Yarbo robot lawn mowers - The Verge.Ever been run over by a robot? I have - for science! - TikTok.RD280UA 28” WQXGA BenQ Programming Monitor with Backlight and Flexible Arm - BenQ.Kai Shun DM-0708 combination sharpening stone, grain 300/1000 - Knives and Tools.AI-Assisted ICS Attack on a Water Utility - Dragos.Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access - Google Cloud Blog.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!XBOW - The autonomous offensive security platform that helps security teams scale. Start a pentest today.OPSWAT - Read Benny Czarny's book, "Cybersecurity Upside Down", to rethink how you protect your organization from file-based threats, including those powered by AI.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• How ShinyHunters hacked the world's biggest universities 13.05.2026 1j 4min

  Welcome to the largest educational data breach in history - affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas's parent company refused to pay and announced they had deployed "security patches" instead, the hackers were less than impressed. So they came back through the cat flap.Meanwhile, a famous finance expert's face has been showing up on Facebook adverts promising hot stock tips and exclusive WhatsApp investment groups. Spoiler: it isn't him, the tips aren't real, and you're about to be scammed.Plus we chat to Mike Nichols of Elastic, about how the SOC isn't dying, attackers and defenders are both deploying AI agents, and how the real security crisis is no longer human users - it's the bots acting on their behalf.All this and more in episode 467 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Danny Palmer.EPISODE LINKS:ICO fines South Staffordshire £963K over 2022 breach - The Register.US bank reports itself after AI customer data mishap - The Register.Hackers abuse Google ads, Claude.ai chats to push Mac malware - Bleeping Computer.Canvas hack: What we know about apparent cyberattack that impacted thousands of schools - CNN.Canvas hack: Company pays criminals to delete students' stolen data - BBC News.Post by @amosmagliocco.bsky.social - Bluesky.Post by @sethcotlar.bsky.social - Bluesky.The Architecture of Deception: How a $187 Million Fraud Ecosystem Exploits Trust Across Australia and the United States - Group IB.The Fake Nobel that Duped the Romanian Academy - Scena9.A (Very) Short History of Life On Earth by Henry Gee - Waterstones.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Elastic – AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.CoreView - How secure is your Microsoft 365 tenant? Find out with CoreView's free Microsoft 365 Tenant Security Scanner.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• Meta sees everything, Copy Fail, and a deepfake gets hired 06.05.2026 1j 2min

  Meta's smart glasses promise privacy "designed for you" - but everything they record was being beamed off to workers in Nairobi to label by hand. When those workers blew the whistle, Meta sacked all 1,108 of them.Meanwhile, the IT press is in a frenzy over a new Linux bug called "Copy Fail" - complete with logo, dedicated website, and a marketing-friendly name. But is it really the disaster everyone's making it out to be?And in our featured interview, Jake Moore of ESET explains how he tricked a company into offering his deepfake clone a job - after a perfectly normal-looking video interview.All this and more in episode 466 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Paul Ducklin.EPISODE LINKS:Anti-DDoS Firm Heaped Attacks on Brazilian ISPs - Krebs On Security.Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha - Bleeping Computer.Trellix confirms data breach after hack of 'a portion' of its source code - TechRadar.Meta’s AI Smart Glasses and Data Privacy Concerns: Workers Say “We See Everything” - Svd.Dispute over fate of Kenyan workers who saw Meta AI glasses films - BBC News.Copy Fail - CVE-2026-31431.Copy Fail: Hype versus reality - the full story - SolCyber.Flight into Danger: The Original Airplane! - BBC Sounds.The Luton writer behind the original Airplane! - BBC News.Code Dependent by Madhumita Murgia - Pan Macmillan.The Code Book - Simon Singh.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!ESET - 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• This developer wanted to cheat at Roblox. It cost millions 29.04.2026 1j 4min

  A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of organisations. All for some free in-game currency.Meanwhile, there's a 1980s phone protocol called SS7 that lets shadowy surveillance companies track anyone, anywhere, via their mobile phone. Governments know about it. Telecoms know about it. Nobody's fixing it.All this and more in episode 465 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball.Plus! Don't miss our featured interview with Rob Edmondson of CoreView, discussing how to lock down Microsoft 365 before it's too late.EPISODE LINKS:Burglar alarm biz gets burgled, ShinyHunters pursues ransom - The Register.Ransomware negotiator pleads guilty after leaking victims' insurance details to 'BlackCat' hackers - Tom’s Hardware.Grok tells researchers pretending to be delusional ‘drive an iron nail through the mirror while reciting Psalm 91 backwards’ - The Guardian.Vercel April 2026 security incident - Vercel.App host Vercel says it was hacked and customer data stolen - TechCrunch.Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials - Hacker News.Sorry for the Nazi spam from my Twitter account - Graham Cluley.Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors - Citizen Lab.Surveillance vendors caught abusing access to telcos to track people's phone locations, researchers say - TechCrunch.The rapid rise of phone surveillance firms - The Bureau of Investigative Journalism.Please shut up about your Spotify Wrapped - The New World.Think For Yourself - Beatles Song Identification Game.Nodes: Free Connection Puzzle & Vertex Game Alternative.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Elastic – AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Coreview - Download "Total Tenant Takeover", a white paper about the Microsoft 365 Disaster No One Is Ready For.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• Rockstar got hacked. The data was junk. The secrets it revealed were not 22.04.2026 51min

  A company that ran anonymous tip lines for 35,000 American schools - handling reports of bullying, weapons, and self-harm - boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results...Meanwhile, Rockstar Games gets hacked again - and the stolen data turns out to be less embarrassing than the financial secrets it accidentally revealed. GTA Online is still making half a billion dollars a year. Red Dead Redemption is not.All this and more in episode 464 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest BBC cybersecurity correspondent Joe Tidy.Plus! Don't miss our featured interview with Ryan Benson of Meter.EPISODE LINKS:Grinex exchange blames "Western intelligence" for $13.7M crypto hack - Bleeping Computer.Are Former Black Basta Affiliates Automating Executive Targeting? - Reliaquest.Apple is working on passcode bug locking out iPhone users - The Register.Hackers who stole crime tip records offering data cache for $10k - San.P3 Advertised 20+ Years and 0 Security Breaches. You Can Guess What Happened Next - Databreaches.net.Portland police urge residents to avoid Crime Stoppers following hack - San.GTA-maker Rockstar Games hacked again but downplays impact - BBC News.Rockstar hackers release their stolen data, reveal that Rockstar was right to not pay them anything for it - PC Gamer.XCancel.”We Are Anonymous” by Parmy Olson - Penguin.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Elastic – AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.Meter – Network infrastructure for the enterprise. Get a free personalised demo.Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• This AI company leaked its own code. It's also built something terrifying 15.04.2026 50min

  A hacking group claims to have broken into the flood defence system protecting Venice's Piazza San Marco - and is offering to sell access to whoever wants it. The asking price? A frankly insulting $600.Meanwhile, Anthropic accidentally leaked the source code for Claude Code via a basic packaging mistake. Oh, and by the way, they've also just revealed they've built an AI model called Mythos that can find and chain together software vulnerabilities faster than any human. Sleep well.All this and more in episode 463 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Tanya Janca.EPISODE LINKS:Booking.com warns customers of hack that exposed their data - The Guardian.GTA-maker Rockstar Games hacked again but downplays impact - BBC News.Meta removes ads for social media addiction litigation - Axios.Hackers claim control over Venice San Marco anti-flood pumps - Security Affairs.Venezia, attacco hacker al sistema di pompe che difende piazza San Marco dall'acqua: «Abbiamo i codici, possiamo disattivarlo» - Corriere del Veneto. Digging into the Claude Code source - Dave Schumaker’s write-up of Anthropic leaking data in February 2025.Anthropic goes nude, exposes Claude Code source by accident - The Register.Assessing Claude Mythos Preview’s cybersecurity capabilities - Anthropic.Smashing Security transcripts!Shrinking - Apple TV. Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Meter - Network infrastructure for the enterprise. Get a free personalised demo.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Coreview - Download "Total Tenant Takeover", a white paper about the Microsoft 365 Disaster No One Is Ready For.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• LinkedIn is spying on you, and you agreed to nothing 08.04.2026 41min

  LinkedIn has been secretly scanning your browser for over 6,000 installed extensions — on every single click you make. It can tell if you're job hunting, what religion you are, and whether you have ADHD. And none of this is mentioned anywhere in their privacy policy.Meanwhile, California's crypto millionaires are learning that no amount of encryption can protect you from someone who knocks on your door pretending to deliver a pizza.All this and more in episode 462 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Dave Bittner.EPISODE LINKS:Russian government hackers broke into thousands of home routers to steal passwords - TechCrunch.Refusal to Give the Government Passwords to Personal Mobile Device Criminalized in Hong Kong - US Consulate in Hong Kong."I didn't think millions would see this..." Russians are calling each other through a cat feeder - GUBDaily.BrowserGate.Scanned extensions database - BrowserGate.LinkedIn secretly scans for 6,000+ Chrome extensions, collects data - Bleeping Computer.Translate into LinkedIn speak - Kagi.Security - xkcd.Wealthy California crypto holders targeted in violent ‘wrench attacks’ - KTLA 5.Lost Doctor Who episodes to be released this week - BBC News.Doctor Who: The Daleks’ Master Plan - The Nightmare Begins - BBC iPlayer.Doctor Who: The Daleks’ Master Plan - Devil’s Planet - BBC iPlayer.Milton Bradley Grandmaster Robotic Chess Computer - YouTube.Robot Chess - One-armed gambit - Techmoan on YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:ESET - 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.Meter - Network infrastructure for the enterprise. Get a free personalised demo.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• This man hid $400 million in a fishing rod. Then it vanished 01.04.2026 45min

  A cannabis-growing, beekeeping, gyrocopter-flying Irishman invested his drug money in Bitcoin back in 2011 - and now sits on a fortune worth $400 million. There's just one small problem: the access codes were tucked inside his fishing rod case, which has mysteriously vanished. Or has it? Because this week, one of his frozen wallets suddenly woke up and moved $35 million - and someone had to identify themselves to do it.Meanwhile, Ajax Football Club scores a spectacular cyber own-goal, as a data breach that the club claimed affected "a few hundred" fans turns out to may have exposed the personal details of 300,000 supporters - along with the ability to steal match tickets and quietly remove people from the stadium ban list.All this and much more in episode 461 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest journalist Danny Palmer.EPISODE LINKS:Iran-linked hackers breach FBI director's personal email, publish photos and documents - Reuters.Windows PCs crash three times as often as Macs, report says - TechSpot.Wife used CCTV to steal $176M of husband’s crypto, UK court told - Coin Telegraph.Gardaí open €30m bitcoin virtual wallet, first of 12 accessed since seizure in 2019 - Irish Times.Irish Drug Dealer’s Lost BTC Stack Worth $400m Has Woken Up - Arkham.Ajax FC data breach exposes 300,000 fans, hacker steals tickets an stadium ban details - Cybernews.Small Prophets - BBC iPlayer.RPG Taverns - Dungeons and Dragons tavern in London.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.Meter - Network infrastructure for the enterprise. Get a free personalised demo.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• Never knock on the door of a nuclear submarine base and ask for a selfie 26.03.2026 40min

  A disgruntled data analyst decides that the best response to losing his contract is to steal the entire company payroll database and demand $2.5 million in Bitcoin - signing his extortion emails from a company called "Loot."Meanwhile, two people drive up to the entrance of the UK's nuclear submarine base at Faslane and politely ask if they can have a look around. Tourists? Spies? Something in between?Plus: Female Muslim punk rock group, and a little red book that might save your sanity in a post-truth world.All this and more in episode 460 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Jenny Radcliffe.EPISODE LINKS:A Top Google Search Result for Claude Plugins Was Planted by Hackers - 404 Media.Iowa-based Intoxalock cyberattack disrupts calibration service for interlock users - DysruptionHub.China hacker group leaks $7M crypto theft operation targeting wallet supply chains​ - Crypto News.Federal Jury Convicts Charlotte Man For Cyber Extortion Scheme That Targeted International Technology Company - DOJ.Iranian and Romanian charged after allegedly trying to enter UK nuclear naval base - Sky News.LadyParts - Spotify.On Disinformation: How to Fight for Truth and Protect Democracy - Lee McIntyre.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Meter - Network infrastructure for the enterprise. Get a free personalised demo.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• This clever scam nearly hijacked a tech CEO's Apple ID 19.03.2026 54min

  In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg - involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous techie could have this happen to you, can you be sure you're immune?Plus: would you donate your lifetime medical history to science if you were promised anonymity? We unpack serious concerns around UK Biobank, where “de-identified” data may not be as anonymous as you think — and how surprisingly little information it takes to reveal everything.And! Human-powered “AI”, and a punishment worse than prison: eight hours on the RSA expo floor...All this, and much more, in episode 459 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Paul Ducklin.EPISODE LINKS:DOGE employee stole Social Security data and put it on a thumb drive, report says - TechCrunch.Foreign hacker in 2023 compromised Epstein files held by FBI, source and documents show - Reuters.New font-rendering trick hides malicious commands from AI tools - Bleeping Computer.Lockdown Mode - Apple support.Gone (Almost) Phishin’ - Matt Mullenweg.Listen to the Live Scam Call Targeting Matt Mullenweg’s Apple Account - YouTube.Confidential health records from UK BioBank project exposed online - The Guardian.A message from Professor Sir Rory Collins, Chief Executive and Principal Investigator of UK Biobank - UK BioBank.Psychotherapy data breach blackmailer sent to prison - Paul Ducklin.Your AI slop bores me.Post by Vaughan Shanks - LinkedIn.Judge Sentences CISO to 8 Consecutive Hours on RSA Expo Floor as Formal Punishment for Security Breach - The Exploit.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Adaptive Security - request a custom demo featuring a real CEO deepfake simulation.Meter - Network infrastructure for the enterprise. Get a free personalised demo.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• How not to steal $46 million from the US government 12.03.2026 41min

  A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn't stirred since 2024 - and within minutes, giant woodpecker images are plastered across the internet's favourite encyclopaedia.Meanwhile, a crypto contractor hired to help the US Marshals manage seized digital assets allegedly decides to help himself to $46 million of it - and then brags about it on a recorded Telegram call.Plus: Graham champions Asterix, Trisha discovers the fantasy novels of Robin Hobb, and someone called "Lick" ends up in the nick.All this, and much more, in episode 458 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.EPISODE LINKS:Major data leak forum dismantled in global action against cybercrime forum - Europol.Ericsson blames vendor vishing slip-up for breach exposing thousands of records - The Register.How hackers bypassed MFA with a $120 phishing kit – until law enforcement  shut them down - Hot for Security.Wikipedia hit by self-propagating JavaScript worm that vandalized pages - Bleeping Computer.FBI arrests crypto thief accused of stealing $46 million from seized government wallet - Tom’s Hardware.Twitter thread by ZachXBT about John Daghita’s arrest - Twitter.Asterix - Wikipedia.Robin Hobb.The Complete Farseer trilogy - Harper Collins.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.Meter - Network infrastructure for the enterprise. Get a free personalised demo.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• How a cybersecurity boss framed his own employee 05.03.2026 49min

  When a top cybersecurity firm discovered it had a leak, you would expect the FBI to be called. Instead, the person put in charge of the investigation was the actual leaker... who promptly sent an innocent colleague into a career-ending ambush.In this episode, we unravel the jaw-dropping tale of a defence contractor caught selling zero-day exploits to a Russia-linked broker.Plus: are nation states quietly poisoning AI models to bend reality itself? We explore how “foreign information manipulation interference” could target not just social media users, but the large language models we increasingly trust for answers — and what that might mean for truth, trust, and the future of online influence.All this, and much more, in episode 457 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Carl Miller.EPISODE LINKS:Large-Scale Online Deanonymization with LLMs - Simon Lermen.Hacked Prayer App Sends ‘Surrender’ Messages to Iranians Amid Israeli and US Strikes - Wired.“Stay safe out there gamers”: Streamers say Amazon just made Wishlists a doxxing risk - Daily Dot.Apple alerts exploit developer that his iPhone was targeted with government spyware - TechCrunch.Former General Manager for U.S. Defense Contractor Sentenced to 87 Months for Selling Stolen Trade Secrets to Russian Broker - US Department of Justice.Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools - US Department of Treasury.Inside the story of the US defense contractor who leaked hacking tools to Russia - TechCrunch.​​Hundreds of English-language websites link to pro-Kremlin propaganda - Guardian.The Incredible Shrinking Man - Internet Archive.“The Immortalists” by Aleks Kortoski - Penguin Books.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.Meter - Network infrastructure for the enterprise. Get a free personalised demo.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• How to lose friends and DDoS people 26.02.2026 48min

  When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email - they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI porn, and tampered with parts of their own archive to smear the blogger's name.In this episode, we unravel how a website designed to preserve history may have trashed its own credibility - and how Wikipedia responded when trust went out the window.Plus a ransomware gang shoots itself in the foot with a classic case of buffoonery, accidentally corrupting the very keys victims would need to decrypt their data. When even the criminals can’t unlock your files, what happens next?All this, a surprisingly zen Pick of the Week, and a gloriously splenetic rant against web forms, on episode 456 of the award-winning "Smashing Security" podcast, with cybersecurity veteran Graham Cluley and special guest Paul Ducklin.EPISODE LINKS:This App Will Detect People Wearing Smart Glasses Near You - Lifehacker.Patients listed as dead after major NZ health app MediMap hacked - 1News.Why fake AI videos of UK urban decline are taking over social media - BBC News.FBI orders domain registrar to reveal who runs mysterious Archive.is site - Ars Technica.Archive.today CAPTCHA page executes DDoS; Wikipedia considers banning site - Ars Technica.Archive.today is directing a DDOS attack against my blog - Gyrovague.Critical buffer overflow bug - in ESXi ransomware - SolCyber.Yoga with Adriene - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Coreview - Download "Total Tenant Takeover", a white paper about the Microsoft 365 Disaster No One Is Ready For.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• Face off: Meta’s Glasses and America’s internet kill switch 19.02.2026 44min

  Could America turn off Europe's internet?That’s one of the questions that Graham and special guest James Ball will be exploring as they discuss tech sovereignty. Could Gmail, cloud services, and critical infrastructure really become geopolitical leverage? And is anyone actually building a Plan B?Plus we explore if Meta is quietly plotting to turn its smart glasses into face-recognising surveillance specs? With reports of internal memos suggesting they plan to launch controversial features while everyone’s distracted by political chaos, we ask: is this innovation really wanted by the public... or something far creepier?All of this, and much more, in episode 455 of the award-winning "Smashing Security" podcast with cybersecurity veteran Graham Cluley, joined this week by journalist and author James Ball.EPISODE LINKS:IcedID malware developer fakes his own death to escape the FBI - Risky Business.Sex toys maker Tenga says hacker stole customer information - TechCrunch.Dutch police arrest man for "hacking" after accidentally sending him confidential files - Hot for Security.Meta Plans to Add Facial Recognition Technology to Its Smart Glasses - New York Times.Trading Sovereignty for Scale? The Costs of the US - UK Tech Prosperity Deal - Just Security.Just Mercy - Wikipedia.Just Mercy trailer - YouTube.Bryan Stevenson’s TED talk: We need to talk about an injustice - YouTube.The Residence - Netflix.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Passwork - a reliable secrets manager and password management solution.Adaptive Security - request a custom demo featuring a real CEO deepfake simulation.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• AI was not plotting humanity’s demise. Humans were 12.02.2026 40min

  AI bots are having existential crises, inventing religions, and allegedly plotting against humanity... or so the internet would have you believe.We dig into Moltbook, the “AI-only” social network that sent Twitter into a meltdown, attracted breathless talk of the singularity, and turned out to be far less Terminator and far more humans role-playing as bots.Plus we discuss why "vibe coding" your app might be a catastrophically bad idea, when security researchers can easily peek inside rifle through your private messages, API keys, and databases.Also this week we learn that pro-Russian hackers are circling the Winter Olympics - or is it the Jamaican Bobsleigh team?All this and more is discussed in episode 454 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Iain Thomson.EPISODE LINKS:AI Agents Created Their Own Religion, Crustafarianism, On An Agent-Only Social Network - Forbes.I Infiltrated Moltbook, the AI-Only Social Network Where Humans Aren’t Allowed - Wired.'Moltbook' social media site for AI agents had big security hole, cyber firm Wiz says - Reuters.Italy blames Russia-linked hackers for cyberattacks ahead of Winter Olympics - The Record.Italy says railways hit by 'serious sabotage' as Winter Olympics begin - BBC News.EpsteIN - GitHub.Private Eye.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Meter - Network infrastructure for the enterprise. Get a free personalised demo.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Passwork - a reliable secrets manager and password management solution.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• The Epstein Files didn’t hide this hacker very well 05.02.2026 36min

  Supposedly redacted Jeffrey Epstein files can still reveal exactly who they’re talking about - especially when AI, LinkedIn, and a few biographical breadcrumbs do the heavy lifting.Sloppy redaction leads to explosive claims, and difficult reputational consequences for cybersecurity vendors, and we learn how trust - once cracked - can be almost impossible to fully restore.Elsewhere, the spotlight turns to insider threat in the age of AI, after a senior US cybersecurity official uploads sensitive government material into the public version of ChatGPT. Oops.All this, and much more, in episode 453 of Smashing Security with cybersecurity veteran Graham Cluley and special guest Tricia Howard.EPISODE LINKS:Notepad++ hijacked to serve malware in targeted attacks - Notepad++.Porn-quitting app caught leaking users’ sexual habits - 404 Media.MicroWorld Technologies’ eScan anti-virus update turned into a malware delivery system - Morphisec.Jmail.World.Informant told FBI that Jeffrey Epstein had a ‘personal hacker’ - Techcrunch.Confidential informant statement given to FBI - US Department of Justice.Post by Graham Cluley - LinkedIn.Trump’s acting cyber chief uploaded sensitive files into a public version of ChatGPT - Politico.We are Lady Parts - Channel 4.We are Lady Parts trailer - YouTube.“Bashir with a good beard” by We are Lady Parts - YouTube.“Voldermort under my headscarf” by We are Lady Parts - YouTube.Doctor Who: The Shakespeare Notebooks - Penguin.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Passwork - a reliable secrets manager and password management solution.Meter - Network infrastructure for the enterprise. Get a free personalised demo.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• The dark web's worst assassins, and Pegasus in the dock 29.01.2026 45min

  In episode 452, a London-based YouTuber wins a landmark court case against Saudi Arabia after his phone was hacked with Pegasus spyware — exposing how a single, seemingly harmless text message can turn a smartphone into a round-the-clock surveillance device.Plus, we go looking for professional hitmen online - only to uncover uncomfortable questions about why some crimes attract customers but very few complaints.All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Joe Tidy.EPISODE LINKS:Sorry Dave, I’m afraid I can’t do that! PCs refuse to shut down after Microsoft patch - The Register.Russian state hackers likely behind wiper malware attack on Poland’s power grid - The Record.US charges 31 more suspects linked to ATM malware attacks - Bleeping Computer.Dark web arrests in Romania linked to portal which offered services including murder - ROCU.Romanian scammers ran fake hitman-for-hire site, lured desperate perpetrators as 'incompetent assassins' - Fox News.This Fake Hitman Site Is the Most Elaborate, Twisted Dark Web Scam Yet - VICE.Unlikely Assassin, The Murder of Amy Allwine - Rooster.Saudi dissident awarded $4.1 million by UK court for hacking, assault 'by Saudi Arabia' - Reuters.Stalkerware: The software that spies on your partner - BBC News.Using 'stalkerware' to spy on a colleague's phone - YouTube.“Polite Society” trailer - YouTube.Elegoo Saturn 3 3D printer - Elegoo.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Passwork - a reliable secrets manager and password management solution.Coreview - Download "Total Tenant Takeover", a white paper about the Microsoft 365 Disaster No One Is Ready For.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy
• I hacked the government, and your headphones are next 22.01.2026 45min

  In episode 451 of "Smashing Security," we meet the cybercriminal who hacked the US Supreme Court, Veterans Affairs, and more - and then helpfully posted screenshots (and even someone’s blood type) on an account called "I hacked the government."Plus we discuss how researchers uncovered a creepy flaw that lets attackers hijack wireless headphones, listen in on calls, inject audio, and even turn your earbuds into a stalking device - all without you noticing.All this, and much more, in this episode of the "Smashing Security" podcast with Graham Cluley, and special guest Ray [REDACTED]EPISODE LINKS:Tennessee Man Pleads in Hacking U.S. Supreme Court, AmeriCorps, and VA Health System - US Department of Justice.Paris Hilton’s hacker sentenced to 57 months in prison - Graham Cluley.WhisperPair.One Tap To Hijack Them All - A Security Analysis of the Google Fast Pair Protocol - YouTube.Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking - Wired.Line of Duty - Wikipedia.Line of Duty - BBC iPlayer.Forgive the haters - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.Privacy & Opt-Out: https://redcircle.com/privacy