Stop the press - a company has actually said "sorry" after a data breach, and hotels are helping hackers phish their own guests. In episode 444 of "Smashing Security" we examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig into a nasty hotel-booking malware campaign that abuses trust in apps and CAPTCHAs, and chat about autonomous pen testing, AI-turbocharged cybercrime, and what CISOs should really be asking on Monday morning. And lost Do...
Nov 20, 2025•55 min•Ep. 444
Tinder has got a plan to rummage through your camera roll, and Warren Buffett keeps popping up in convincing deepfakes dishing "number one investment tips." Meanwhile, will agentic AI replace your co-hosts before you can say "EDR for robots"? and why you should still read books. All this, plus Lily Allen's new album and Claude Code come up for discussion in episode 443 of the "Smashing Security" podcast, with special guest Ron Eddings. EPISODE LINKS: ‘Landfall’ spyware abused zero-day to hack Sa...
Nov 13, 2025•38 min•Ep. 443
Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away. Plus when ransomware negotiators turn to the dark side, what could possibly go wrong? All this and more is discussed in episode 442 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Dave Bittner. EPISODE LINKS: Alleged Meduza Stealer malware admins arrested after hacking Russian org - Bleep...
Nov 06, 2025•39 min•Ep. 442
Basketball stars have allegedly joined forces with the mafia to fleece high-rollers in a poker scam involving hacked shufflers, covert cameras, and an X-ray card table. Meanwhile, researchers have found they could poke around an FIA driver portal to pull up the personal details of Formula 1 megastars. Plus: Graham’s “Pick of the Week” turns CAPTCHA hell into a delightfully deranged browser game that will make you question vegetables, geometry, and your life choices, while Danny takes a trip to a...
Oct 30, 2025•41 min•Ep. 441
A literal insider threat: we head to a Romanian prison where “self-service” web kiosks allowed inmates to run wild. Then we head to the checkout aisle to ask why JavaScript on payment pages went feral, and how new PCI DSS rules are finally muzzling Magecart-style skimmers. Plus: Graham reveals his new-found superpower with Keyboard Maestro, and Scott describes a slick new way to whip up beautiful how-to videos with Screen Studio. All this and more is discussed in episode 440 of "Smashing Securit...
Oct 22, 2025•44 min•Ep. 440
A critical infrastructure hack hits the headlines - involving default passwords, boasts on Telegram, and a finale that will make a few cyber-crooks wish the ground would swallow them whole. Meanwhile we dig into the bit we don't talk about enough: the human cost of defending companies from hackers - stress, burnout, and how better leadership culture can help make security teams safer and saner. Plus we say a heartfelt "la di dah" to Diane Keaton, and tune in to a freshly re-released slice of pre...
Oct 15, 2025•45 min•Ep. 439
Your computer's mouse might not be as innocent as it looks - and one ransomware crew has a crisis of conscience that nobody saw coming. We talk about how something as ordinary as a web page could turn your mouse into a surprisingly nosey neighbour, and why ransomware gangs need to think carefully about their reputation. Meanwhile, Graham reveals a baked potato hack that might just change your life, and we take an unexpected detour to South America for a bit of literary adventure involving inflat...
Oct 08, 2025•42 min•Ep. 438
Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed "ForcedLeak", let them smuggle AI-read instructions in via humble Web-to-Lead form... and ended up spilling data for the low, low price of five dollars. And we discuss why data breach communications still default to "we take security seriously" while quietly implying "assume no breach" - until the inevitable walk-back. Plus, we take a look at ITV's phone-hacking drama with David Tennant, and tak...
Oct 01, 2025•43 min•Ep. 437
Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets. But it’s not all doom and gloom - unless you count your kitchen appliances turning into ad billboards. All this and more is discussed in ep...
Sep 24, 2025•39 min•Ep. 436
When "bad actors" stop being hackers and start being... actual actors. This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear. Plus, the UK's ICO says students are increasingly hacking their own schools. Meanwhile, Graham hea...
Sep 17, 2025•43 min•Ep. 435
Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did - and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon. Meanwhile, over in Silicon Valley, one AI wunderkind managed to turn a $7 million payday into a career-ending lawsuit by allegedly walking trade secrets straight out the door as he jumped ship for a rival. All this and much more is discussed in episode 4...
Sep 10, 2025•45 min•Ep. 434
Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talks AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator). Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passwords, sift through stolen data, and even write custom ransom notes. In other...
Sep 03, 2025•45 min•Ep. 433
We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault. Then we time-hop to the post-quantum scramble: "harvest-now, decrypt later", Microsoft's 2033 quantum-safe pledge, and whether your printer will survive the update apocalypse. All this, plus a gloriously dodgy URL “shadyfier,” and turning the iconic iMac G4 into a modern media hub. All ...
Aug 27, 2025•35 min•Ep. 432
In episode 431 of the "Smashing Security" podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills. Meanwhile, we look at the growing threat of EDR-killer tools that can quietly switch off your endpoint protection before an attack even begins. And for something a little different, we peek into the Internet Archive’s dystopian Wayforward Machine and take a detour to Mary Shelley’s resting place in Bo...
Aug 20, 2025•34 min•Ep. 431
A poisoned Google Calendar invite that can hijack your smart home, a man is hospitalised after ChatGPT told him to season his food with… pesticide, and some thoughts on Superman’s latest cinematic outing. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Dave Bittner from The Cyberwire. Warning: This podcast may contain nuts, adult themes, and rude language. Episode links: Invitation ...
Aug 13, 2025•33 min•Ep. 430
Those of you who tuned in to last week's episode (#428) will have heard the big news from my podcast pal Carole that she's decided to move on from her co-hosting duties on the show. There have been some lovely messages of support sent through for Carole, and indeed for me too. Thank you very much to all of you - it's really heatywarming to hear how much the last 428 episodes have meant to you all, and how much you want the show to go on. And so - as I said last week - it will carry on. Next week...
Aug 06, 2025•28 min•Ep. 429
The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself - after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes. Plus, Carole takes us down memory lane as she hangs up her co-host mic after 428 glorious episodes. Expect tea, tears, and Tom Lehrer. All this is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Ca...
Jul 30, 2025•40 min•Ep. 428
In this episode, Graham warns why it is high time we said goodbye to 2G - the outdated mobile network being exploited by cybercriminals with suitcase-sized SMS blasters. From New Zealand to London, scammers are driving around cities like dodgy Uber drivers, spewing phishing texts to thousands at once. Meanwhile, Carole unpacks a painfully awkward tale of amour fou, as a 76-year-old Belgian man drives 476 miles to meet his dream woman... only to be greeted by her very-much-still-husband at the ga...
Jul 23, 2025•34 min•Ep. 427
In episode 426 of the "Smashing Security" podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation. Meanwhile, Carole investigates how Grok went berserk, which didn't stop the Department of Defense signing a contract with Elon’s AI chatbot. So who is responsible when your chatbot becomes a bigot? Plus: Email headaches, SPF rage, and a glowing review for... Taskmaster SuperMax Plus? All this and more is discussed in the lates...
Jul 16, 2025•37 min•Ep. 426
In episode 425 of "Smashing Security", Graham reveals how "Call of Duty: WWII" has been weaponised - allowing hackers to hijack your entire PC during online matches, thanks to ancient code and Microsoft’s Game Pass. Meanwhile, Carole digs into a con targeting the recently incarcerated, with scammers impersonating bail bond agents to fleece desperate families. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole...
Jul 09, 2025•35 min•Ep. 425
A Mexican drug cartel spies on the FBI using traffic cameras and spyware — because "ubiquitous technical surveillance” is no longer just for dystopian thrillers. Graham digs into a chilling new US Justice Department report that shows how surveillance tech was weaponised to deadly effect. Meanwhile, Carole checks the rear-view mirror on the driverless car industry. Whatever happened to those million Tesla robotaxis Elon Musk promised by 2020? Spoiler: they’re here — sort of — but they sometimes d...
Jul 02, 2025•34 min•Ep. 424
In this episode, Graham unravels Operation Endgame - the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram. Meanwhile, Carole exposes the AI-generated remote hiring threat. Could your next coworker be a North Korean hacker with a perfect LinkedIn? And BBC cyber correspondent Joe Tidy joins us to talk about "Ctrl-Alt-Chaos", his new book diving into the murky world of teenage hackers, ransomware gangs...
Jun 25, 2025•55 min•Ep. 423
A GCHQ intern forgets the golden rule of spy school — don’t take the secrets home with you — and finds himself swapping Cheltenham for a cell. Meanwhile, an Australian hacker flies too close to the sun, hacks his way into a US indictment, and somehow walks free... only to get booted back Down Under. Plus: flow states, Bob Mortimer, and the joys of pretending to carry an owl around on a cushion. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecuri...
Jun 18, 2025•32 min•Ep. 422
What do a sleazy nightclub carpet, Google’s gaping privacy hole, and an international student conned by fake ICE agents have in common? This week’s episode of the "Smashing Security" podcast obviously. Graham explains how a Singaporean bug-hunter cracked Google’s defences and could brute-force your full phone number. Meanwhile, Carole dives into a chilling scam where ICE impersonators used fear, spoofed numbers, and... Apple gift cards to extort terrified migrants. Plus: Nazis, door safety, and ...
Jun 11, 2025•36 min•Ep. 421
A bizarre case of political impersonation, where Trump’s top aide Susie Wiles is cloned (digitally, not biologically — we think), and high-ranking Republicans start getting invitations to link up with "her" on Telegram to share their Trump pardon wishlists. Was it a deepfake? Or just someone with a halfway decent impression and access to a shady data broker? Meanwhile, we take a worryingly familiar journey into the mental health crisis in the UK — and how TikTok is stepping in with advice like “...
Jun 04, 2025•34 min•Ep. 420
Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world's hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska. Warning: This podcast may contain nuts, ...
May 28, 2025•48 min•Ep. 419
In this week’s episode, Graham investigates the mysterious Iberian Peninsula blackout (aliens? toaster? cyberattack?), Carole dives in the UK legal aid hack that exposed deeply personal data of society's most vulnerable, and Dinah Davis recounts how Instagram scammers hijacked her daughter’s account - and how a parental control accidentally saved the day. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole The...
May 21, 2025•48 min•Ep. 418
Don't get duped, doxxed, or drained! In this episode of "Smashing Security" we dive into the creepy world of sextortion scams, and investigate how crypto wallet firm Ledger's Discord server was hijacked in an attempt to phish for cryptocurrency recovery phrases. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus! Don't miss our featured interview with Drata's Matt Hillary. Warning: This podcas...
May 14, 2025•51 min•Ep. 417
Brits face empty shelves and suspended meal deals as cybercriminals hit major high street retailers, and a terminated Disney employee gets revenge with a little help with Wingdings. Plus Graham challenges Carole to a game of "Malware or metal?", and we wonder just happens when you have sex on top of a piano? All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus! Don't miss our featured interview ...
May 07, 2025•49 min•Ep. 416
He's not a pop star, but Jeffrey Bowie is alleged to have toured staff areas of a hospital in Oklahoma, hunting for computers he could install spyware on. We dive into the bizarre case of the man accused of hacking medical networks and then sharing how he did it on LinkedIn. Plus! Move over Nigerian princes — the WASPI scams are here. Fraudsters are now targeting UK women born in the 1950s, exploiting pension injustice for phishing gain. All this and more is discussed in the latest edition of th...
Apr 30, 2025•31 min•Ep. 415
