Archive for Cybernews

Cybernews researchers analyze leaked Bumble data and find sensitive company documents and user-related identifiers

Posted in Commentary with tags on February 2, 2026 by itnerd

Cybernews researchers analyzed a data sample allegedly stolen from dating app Bumble after the ShinyHunters cybercrime group claimed responsibility for a breach involving internal company systems.

ShinyHunters added Bumble to its dark web leak site on January 29, claiming it exfiltrated approximately 30GB of data from the company’s Google Drive and Slack channels. According to the attackers, the data was obtained by compromising a contractor’s account through phishing. The gang claims to possess “thousands of internal documents” belonging to the company.

Bumble confirmed to Cybernews that a contractor’s account with limited privileges was compromised in a phishing incident. The company stated that the intrusion was detected and contained quickly.

“Our InfoSec team rapidly eliminated the access, and the incident is contained. We have engaged external cybersecurity experts and notified law enforcement. Importantly, there was no access to our member database, member accounts, the Bumble application, or member direct messages or profiles,” a Bumble spokesperson told Cybernews.

Bumble is a widely used dating platform with over 40 million active users and hundreds of millions of downloads globally. The app is operated by Bumble Inc., which also owns Badoo and Bumble For Friends (BFF).

Following the attackers’ claims, the Cybernews research team analyzed the data sample attached to the ShinyHunters dark web post. Researchers say the exposed files appear legitimate, but the dataset shared by the attackers is limited, making it unclear whether it represents the full scope of the allegedly stolen data or only a partial sample.

Based on the analysis, the majority of the exposed material consists of internal corporate information rather than user-facing data. The files include internal company documents such as contracts with partner companies, invoices, policy reviews, onboarding guides, internal reports, and CVs containing candidate employment history and personally identifiable information (PII).

While Bumble stated that no user accounts or messages were accessed, the Cybernews team noted that the sample contains some technical data, including user IDs, session IDs, and authentication cookies. In theory, such data could be abused by sophisticated attackers to attempt account takeover via session hijacking, although no evidence suggests this has occurred.

The dataset also includes information related to a limited number of Bumble in-app groups, known as Hives. While no group members were exposed, some group names, descriptions, welcome messages, rules, and change logs were present in the sample.

ShinyHunters is currently running a broader campaign targeting dating platforms and technology companies. Last week, Cybernews researchers analyzed a leaked Hinge data sample and found it contains user dating profile information, such as names and bios, as well as Hinge subscription data, including transaction IDs and amounts paid.

Cybernews continues to monitor the situation and analyze new information as it becomes available.

You can find a full technical breakdown of the Bumble data sample, the attackers’ claims, and expert analysis on potential risks in the complete investigation published on the Cybernews website here.  

Android AI apps leak Google secrets the most with hundreds already breached 

Posted in Commentary with tags on January 29, 2026 by itnerd

The Cybernews research team has analyzed 1.8 million Android apps on the Google Play Store and found that most AI apps leak an average of five secrets. Analyzed apps are leaking hardcoded secrets and cloud endpoints, putting users at risk or, in some cases, even potentially allowing attackers to empty their digital wallets.

Key research takeaways:

  • 72% of analyzed Android AI apps contained at least one hardcoded secret.
  • On average, an AI app leaks 5.1 secrets, and 81.14% of the detected secrets were related to Google Cloud Project identifiers, endpoints, and API keys.
  • 68% of the hardcoded secrets pertained to Google Cloud Project Identifiers and API Keys.
  • LLM API Keys were mostly secured, with mainly low-risk LLM API Keys found hardcoded.
  • An investigation found that hundreds of AI apps had already been breached. 
  • Leaky instances of Firebase and Google Cloud Storage have already exposed over 200 million files, totaling nearly 730TB of user data.
  • Android AI apps show the same dangerous tendency to hardcode secrets that Cybernews found in iOS apps in its 2025 investigation.

Secrets already exploited

Cybernews researchers identified 285 Firebase instances missing authentication entirely, leaving them openly accessible to anyone. Collectively, these databases leaked 1.1GB of user data.

The team is sure that the instances were already compromised. In 42% of cases, the researchers found a table explicitly named “poc,” shorthand for “proof of concept.”

Google secrets were leaked the most

More than 81% of all detected secrets were related to Google Cloud projects. In total, researchers identified 197,092 unique secrets, averaging 5.1 per app, of which just 0.96 were not connected to Google.

The second most common category of embedded identifiers belonged to Facebook, primarily app IDs and client tokens, which are frequently hardcoded for analytics, login, and advertising integrations.
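A pre-release check for the kinds of embedded identifiers described above, as an added example (not code from the Cybernews research): it scans a decoded `strings.xml` for Google API keys, Firebase and Cloud Storage endpoints, and Facebook identifiers. The resource names are the ones the google-services Gradle plugin and the Facebook SDK conventionally use, which is an assumption about the app under review; the sample file and every value in it are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import NamedTuple

# Constructed placeholder with the shape of a Google API key ("AIza" + 35 chars).
FAKE_KEY = "AIza" + "X" * 35

# Constructed sample of a decoded res/values/strings.xml; nothing here is real.
SAMPLE_STRINGS_XML = f"""<resources>
  <string name="app_name">Example AI Chat</string>
  <string name="google_api_key">{FAKE_KEY}</string>
  <string name="firebase_database_url">https://example-ai-chat-default-rtdb.firebaseio.com</string>
  <string name="google_storage_bucket">example-ai-chat.appspot.com</string>
  <string name="project_id">example-ai-chat</string>
  <string name="facebook_app_id">000000000000000</string>
  <string name="backend_key">{FAKE_KEY}</string>
</resources>"""


class Finding(NamedTuple):
    name: str      # resource name in strings.xml
    kind: str      # category of embedded identifier
    redacted: str  # shortened value, safe to put in a CI log


# Resource names that identify a cloud project or third-party app by themselves.
NAME_RULES = {
    "google_app_id": "google-app-id",
    "project_id": "gcp-project-id",
    "gcm_defaultSenderId": "gcp-project-number",
    "facebook_app_id": "facebook-app-id",
    "facebook_client_token": "facebook-client-token",
}

# Value shapes, checked whatever the resource is called, so a key stored
# under a custom name (backend_key in the sample) is still reported.
VALUE_RULES = [
    ("google-api-key", re.compile(r"AIza[0-9A-Za-z_\-]{35}")),
    ("firebase-rtdb-url", re.compile(
        r"https://[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:firebaseio\.com|firebasedatabase\.app)")),
    ("gcs-bucket", re.compile(
        r"\b[a-z0-9-]+\.(?:appspot\.com|firebasestorage\.app)\b")),
]


def redact(value: str) -> str:
    """Keep only a short prefix so the report does not re-leak the value."""
    return value[:6] + "..." if len(value) > 6 else "..."


def scan_resources(xml_text: str) -> list:
    """Return one Finding per <string> resource that embeds an identifier."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        kind = NAME_RULES.get(name)
        if kind is None:
            kind = next((k for k, rx in VALUE_RULES if rx.search(value)), None)
        if kind is not None:
            findings.append(Finding(name, kind, redact(value)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, e.g. to fail a build above a threshold."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_resources(SAMPLE_STRINGS_XML):
        print(f"{f.kind:22} {f.name:24} {f.redacted}")
```

Each finding is a prompt to check the server side: whether the API key is restricted to the app and to the APIs it needs, and whether the database and bucket it points to require authentication.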

Please find the full Cybernews research article here.

Guest Post: TikTok Is Finally American. But Is It Actually Better for Its US Users?

Posted in Commentary with tags on January 27, 2026 by itnerd

By Jurgita Lapienytė, Editor-in-Chief at Cybernews 

TikTok is finally a US-owned company. Initially, the executive order pushing for TikTok’s ownership change in the US was meant to protect users. However, short video platforms will now potentially collect even more user data than they did before.

The app will collect your exact location, AI interactions such as prompts or uploaded files, and information provided by third parties, essentially to serve you better-tailored ads.

The first executive order regarding the divestment of TikTok was signed by President Donald J. Trump back in 2020, with the reasoning that TikTok automatically captures “vast swaths” of information from its users that the Chinese Communist Party could eventually access and use against the US and its citizens.

It took nearly six years for the TikTok USDS Joint Venture LLC, in which a group of investors including Oracle holds stakes, to be established. And while the hypothetical danger that the Chinese government might have used collected data for espionage has been largely mitigated, a new reality presents itself. 

The data collected by TikTok, while theoretically safe from China’s ruling party, will now be extensively exploited to provide personalized experiences to users – all in favor of maximizing TikTok’s profits.

How many times have you bought something via an ad on social media? For many who aren’t opting out, ads are becoming more personalized and more targeted. Advertisers are able to serve you better ads because of this tracking. Knowing where you reside, how old you are, and what things you’re looking for online, they can serve you an offer you can’t refuse.

But tailored ads are nothing compared to the danger the excessive data collection policy by this now US-owned entity might pose to vulnerable groups in society, such as the LGBTQ+ community and immigrants.

The data that TikTok collects includes information that the current US government could easily use against people: racial origin, religious beliefs, sexual orientation, mental health diagnoses, and immigration status, among others.

Given the charged political climate and Immigration and Customs Enforcement (ICE) operations resulting in casualties and detainees, such information might become yet another weapon against unarmed protesters.

So, while TikTok changing hands might be a good thing for national security, the app still poses significant privacy and security issues for its 180+ million users in the US.

ABOUT THE AUTHOR 

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts dedicated to uncovering cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. Recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity, she is a thought leader shaping the conversation around cybersecurity. Jurgita has been quoted internationally – by Metro UK, The Epoch Times, Extra Bladet, Computer Bild, and more. Her team reports on proprietary research highlighted in such outlets as the BBC, Forbes, TechRadar, Daily Mail, Fox News, Yahoo, and much more.

ABOUT CYBERNEWS

Cybernews is a globally recognized independent media outlet where journalists and security experts debunk cyber by research, testing, and data. Founded in 2019 in response to rising concerns about online security, the site covers breaking news, conducts original investigations, and offers unique perspectives on the evolving digital security landscape. Through white-hat investigative techniques, Cybernews research team identifies and safely discloses cybersecurity threats and vulnerabilities, while the editorial team provides cybersecurity-related news, analysis, and opinions by industry insiders with complete independence. 

AI tools linked to 37 unsafe or violent incidents in 2025

Posted in Commentary with tags on January 27, 2026 by itnerd

Cybernews analyzed AI incidents and found that 37 AI incidents involving violent and unsafe content were reported in 2025, some of which resulted in loss of life. As more people turn to AI chatbots for advice and emotional support, there have been multiple cases in which these chatbots provided dangerous, life-threatening advice.

Examples from reported incidents:

  • One widely reported case involved 16-year-old Adam Raine, who died by suicide after ChatGPT allegedly encouraged his suicidal thoughts instead of urging him to get support.
  • An IT professional tested a chatbot called Nomi and found that, when prompted, it can encourage users to commit murder, providing detailed instructions on how to commit the act.

Recent Cybernews research has shown that popular LLMs do, in fact, provide self-harm advice if prompted correctly, indicating that current guardrails in popular chatbots are far from enough. 

For more information, you can find the full research here

Guest Post – The Pentagon’s Grok Problem: When AI Confidently Gets It Wrong

Posted in Commentary with tags on January 26, 2026 by itnerd

By Jurgita Lapienytė, Editor-in-Chief at Cybernews 

The Pentagon is adopting Elon Musk’s GrokAI chatbot, and it creates real risks. One of them is humans blindly following its flawed advice into disaster, not robots rebelling.

The Pentagon integrating Grok carries other real risks too, to mention just a few.

Every new AI access point plugged into defence networks is another door for attackers to try to trick, poison or break. 

Note that xAI’s safety team is small compared to its competitors, meaning there are simply fewer resources to deal with the immense attack perimeter that every AI application represents these days.

Now, imagine officials feeding Grok military information for analysis. What might seem like a way to make processes more effective at first might turn into a cybersecurity nightmare. Statesmen should be trained on how to handle sensitive information and digital tools, but after the Signal scandal, when the Trump administration accidentally texted a journalist its war plans, we aren’t that naive anymore, are we?

Threat actors, including nation-state hackers, knowing that the Pentagon is actively using Grok, might be only more eager to break it via hacks, prompt injections, or supply chain flaws. It might be turned into a giant surveillance tool of the Pentagon.

What is more, Grok, like many other large language models (LLMs), can produce factually incorrect answers with confidence. The tool has already produced hateful and plainly wrong replies in public, spewing out racist content and promoting posts glorifying Hitler, not to mention the undressing scandal with minors allegedly involved.

Is that really the tool that can be trusted by the Pentagon? At least the way it works now?

ABOUT THE AUTHOR 

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts dedicated to uncovering cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. Recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity, she is a thought leader shaping the conversation around cybersecurity. Jurgita has been quoted internationally – by Metro UK, The Epoch Times, Extra Bladet, Computer Bild, and more. Her team reports on proprietary research highlighted in such outlets as the BBC, Forbes, TechRadar, Daily Mail, Fox News, Yahoo, and much more.


Car hacking experiment: what can the world’s best hackers do with today’s supercar?

Posted in Commentary with tags on January 22, 2026 by itnerd

Cybernews has released an eye-opening experiment in which security researcher Sam Curry and automotive hacker BusesCanFly demonstrate how easy it is for cybercriminals to take control of any car. Not only personal vehicles are in danger, but also ambulances, police cars, and large commercial fleets, with implications that could cause life-threatening harm.

Modern cars are no longer just machines. They’re more like computers on wheels, and the video shows how easy it is to use a custom-built app to track and unlock vehicles with minimal data, even remotely.

Car data reveals routes, relationships, and allows vehicle hijacking 

According to Curry, as overall connectivity improves, the risk of vulnerabilities being exploited grows, including access to personal information, not only through the vehicles but also by hacking the car dealerships themselves.

The documentary shows that with just a VIN (Vehicle Identification Number), it is possible to remotely track where a vehicle was driving and where it is going now. This can be used for more than personal reasons, extending to political intimidation.

You can find more information here or see the released video below:

Guest Post: ChatGPT Health Promises Safety and Clarity – But at What Price to Your Privacy?

Posted in Commentary with tags on January 14, 2026 by itnerd

By Stefanie Schappert

AI health assistants are here to stay, and they may provide real value in helping people interpret complicated medical information, but consumers should understand exactly what that means before inviting those tools into their most sensitive digital lives. What are the data risks consumers need to know before plunging headfirst into this new era of healthcare?

ChatGPT Health: Insight vs Exposure in AI-Driven Healthcare

Health data is already among the most sensitive personal information people have, and with the introduction of ChatGPT Health last week, users will undoubtedly be pouring their medical data into the AI chatbot with the same verve they have since ChatGPT was first launched in November 2022. 

But should they? 

The amount of sensitive information users freely and regularly post into ChatGPT (and other popular AI chatbots) is astounding.  

A study last January found that nearly one in ten workers regularly exposed their own companies’ sensitive data when using AI. 

And when thousands of ChatGPT conversations were leaked via search engines last August, the conclusion was that people pretty much share everything with AI, literally. 

So when OpenAI introduced its ChatGPT Health to the public, tech and health experts began sounding the warning bells about privacy and security issues, as well as the limits of AI’s accuracy.  

This makes it crucial to understand where information is going and how it’s being used, especially when the data in question includes deeply sensitive details such as medical history or chronic conditions.

“Designed to Support, Not Replace, Medical Care”

OpenAI touts ChatGPT Health as a “dedicated experience” intended to help people understand lab results, prepare for doctor visits, track fitness and wellness trends, or compare insurance options, marking a significant shift in how consumers interact with AI. 

“Health is already one of the most common ways people use ChatGPT,” OpenAI said in the announcement, noting that 230 million people worldwide ask the bot health and wellness questions every week.

Users can now upload and connect Health not only to medical records, but also to wellness apps – such as Apple Health, Function, and MyFitnessPal – creating a complete individual health profile, the likes of which we have never seen before. 

Traditionally, health data has been scattered across many devices and platforms – a hospital portal here, a fitness tracker there, a PDF of bloodwork in your inbox. 

But now, health data will be woven together into new AI-generated interpretations and summaries, all stored within a single system.

Not just storing medical records, Health will aggregate and interpret them, creating narratives, patterns, and insights – a fundamental departure from how most people think about their medical data. 

This matters because the value of health data isn’t just in its raw form; it’s what can be inferred and contextualized from it. 

Derived insights, health trends over time, connections between symptoms and test results, and personalized explanations can prove more revealing than the “data points” themselves. 

People may also consent to sharing individual data points, for example, a symptom or lab result, without understanding the new meaning that emerges once those data points are combined.

AI algorithms developed from aggregated data have already proven that, in the wrong hands, they could easily lead to AI biases and workplace or societal discrimination, impacting such variables as individual treatment plans or health insurance premiums, among many others.

Understanding the Privacy Tradeoffs

On the technical side, OpenAI says ChatGPT Health builds on its existing security architecture with additional, layered protections, including purpose-built encryption and isolation to keep health conversations protected and compartmentalized.

Users can also enable multi-factor authentication, review or delete Health memories, and revoke access to connected apps at any time, according to OpenAI.

With layered, end-to-end encryption, health conversations are isolated and not used to train models, the company further states.

Still, privacy critics have pointed out that when users upload medical records into an AI service – even one with promises of encryption and compartmentalization – they may effectively remove traditional privacy protections that would otherwise apply in regulated healthcare settings.

One expert recently told The Record that giving an AI access to electronic medical records can strip those records of the legal safeguards they enjoy under rules like HIPAA, which lays out how Protected Health Information (PHI) is processed, stored, transmitted, and secured.

“ChatGPT is only bound by its own disclosures and promises, so without any meaningful limitation on that, like regulation or a law, ChatGPT can change the terms of its service at any time,” explained Sara Geoghegan, senior counsel at the Electronic Privacy Information Center.

Because health data remains among the most valuable targets for hackers, any system that aggregates medical records, wellness data, and AI-generated health insights – especially on a single platform – can significantly increase the amount of data exposed in the event of a breach.

From a cybersecurity perspective, aggregation also concentrates value, making AI health platforms especially attractive targets for attackers seeking high-impact data rather than isolated records.

The tradeoff – insight versus exposure – is destined to be the burning question we face moving forward.

One thing is certain: weighing insight vs. exposure is no longer theoretical – it is now the defining moment of AI-driven healthcare.

ABOUT THE AUTHOR

Stefanie Schappert, a senior journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019.  She has a decade-plus experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News.  With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. Earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google.  Member of Women’s Society of Cyberjutsu (WSC), Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines. 

Over 4 billion lead-generation records exposed, including LinkedIn profiles 

Posted in Commentary with tags on December 10, 2025 by itnerd

Cybernews has discovered an unprotected 16TB database leaking 4.3 billion lead-generation records. The data included professional and corporate intelligence data such as LinkedIn URLs. The leak has now been closed, but it is unclear how long the data was exposed before Cybernews discovered it.

Key findings:

  • Nine collections of data were uncovered inside the leaked dataset, containing a total of 4.3 billion records. 
  • At least three collections included personally identifiable information (PII), such as full names, emails, phone numbers, LinkedIn data, location, and social media accounts.
  • The leak most likely stemmed from a common mistake where databases are left exposed without proper authentication due to human error.
  • The data may have been collected within the last two years, spanning multiple regions worldwide.

The dataset likely belongs to a specific lead-generation company that helps 700 million professionals connect with each other. After researchers notified the company about the potential data leak, the exposed instance was closed the next day. However, there is a chance another party is at fault, which is why we have refrained from naming the company.

For more information on this, here’s the full report: https://cybernews.com/security/database-exposes-billions-records-linkedin-data/ 

UPDATE: I have some commentary on this news:

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “This data leak is shocking, not just because of its sheer size, over 4 billion records and 16 terabytes, but because it’s meticulously organized. It’s LinkedIn-sourced information, mapping individuals, their employers, and company connections, which is exactly what attackers need for sophisticated phishing and business email compromise (BEC) attacks. The unique data collections and intent suggest a curated enrichment process, transforming scraped data into a ready-to-use targeting tool.

   “Leaving a MongoDB instance unprotected is a basic error, yet the ramifications are significant: years of employment histories, contact networks, and social connections, all difficult to change or mitigate. With the owner still unidentified, victims can’t even hold anyone accountable or demand fixes, a concerning trend in large-scale data breaches.

   “This isn’t a hack, but a blatant oversight: a simple misconfiguration exposed a huge amount of sensitive corporate relationship data for an unknown period. The unknown owner now faces immense liability, essentially providing bad actors with an unauthorized, pre-built resource.

   “When security posture management is ignored, a single misconfigured database becomes a multi-billion-dollar master key for global corporate espionage.”  

Aaron Colclough, VP of Operations, Suzu Labs:

   “This isn’t the first time we’ve seen MongoDB misconfigurations expose millions of data points, and it likely won’t be the last. The ‘secure by default’ principle still isn’t being followed, leaving these databases often deployed with authentication disabled for convenience during development, then pushed to production without remediation.

   “4.3 billion records with 16 terabytes of enriched professional data represents one of the largest exposures of business intelligence data we’ve seen. It’s complete professional dossiers including employment history, education, certifications, and behavioral intent data. This is a social engineering goldmine. The ‘intent’ collection with over 2 billion documents is particularly concerning. Combined with the profile data, this enables highly targeted spear-phishing campaigns that reference specific professional interests or recent activities.

   “Most professionals don’t realize that their LinkedIn profile, employment history, and even behavioral patterns are being aggregated, enriched, and sold by platforms they’ve never heard of. When these data brokers fail to secure their databases, the professionals whose data they’ve collected suffer the consequences, but have no contractual relationship to seek damages.”

Hom Bahmanyar, Global Enablement Officer, Ridge Security Technology Inc.:

   “The widespread misconception that detection of weak credentials across an organization’s assets requires specialized GPUs and scheduled downtime has unfortunately led to inaction on the part of many organizations.

   “Brute-force detection of weak credentials is an easy win that’s often ignored. It can serve as a practical interim measure and later be expanded into more sophisticated solutions.

   “Security Validation platforms generally provide credential dictionaries for various applications, databases, and protocols to support brute-force weak credential detection. Incidents like the unsecured MongoDB breach could have been easily avoided with such measures.”

Guest Post – AI Rent Algorithms: Hacking Personal Data and Privacy in the RealPage vs. New York Fight

Posted in Commentary with tags on December 4, 2025 by itnerd

By Stefanie Schappert

While most Americans were focused on family and turkey dinners last week, the online property management platform RealPage was filing a major lawsuit against New York over the state’s upcoming ban on the company’s AI price-fixing software (set to take effect December 15th).

From apartment rentals and luxury goods to concert tickets and even your Uber ride, the first-of-its-kind lawsuit is expected to upend how the average consumer pays for goods and services in their everyday life – and determine whether AI pricing algorithms are here to stay.

The AI Algorithm That Raises Your Rent

Algorithms aren’t just a tool for convenience, but can quietly control markets and manipulate people’s lives. 

The RealPage vs NY lawsuit makes that crystal clear. The company, which provides software to 80% of landlords across the US, has been at the center of a Department of Justice (DOJ) antitrust case accusing RealPage of aggregating data scraped by its AI software to set market rental rates at the expense of consumers. 

Tenant advocates say the software, which is used by a majority of landlords from the same regions, effectively fixes prices, driving rents higher and leaving renters with few options. 

Last week, the DOJ settled its 2024 case against RealPage, requiring the company to make significant changes to how it handles data, including preventing it from collecting and sharing competitively sensitive information.

The initial DOJ case and a similar suit brought by Tennessee against RealPage on behalf of nearly 30 renters (they won $142 million in damages) prompted nearly a dozen cities and states to begin enacting their own bans on AI rent-setting software in 2025.

Now, RealPage is fighting back, seeking to block New York’s ban, claiming it violates the company’s First Amendment rights. 

From a cybersecurity perspective, this is more than just a legal battle; it’s a warning about the risks of opaque AI systems. 

RealPage’s software doesn’t just calculate prices; it analyzes massive amounts of personal and financial data, turning it into leverage against the more than 110 million renters across the US. 

Imagine the algorithm reading your income, rental history, neighborhood demographics, and even past payment patterns, and then deciding exactly how much to charge you. 

That’s not just automation – it’s a system that can exploit people in ways most of us can’t see or challenge. And this is far from an isolated example. 

Airlines like Delta have been actively experimenting with AI to adjust ticket prices in real time and have announced plans to install their “AI dynamic pricing model” across the entire ticketing system next year. 

You’ve probably already noticed that flights jump in price depending on when and what time you search or book. Hotels, rideshares, and online retailers do the same, constantly tweaking prices based on demand, your location, or even your browsing behavior. 

On the surface, it’s about efficiency. But underneath, these systems are quietly turning data into power, often benefiting companies at the expense of consumers, who rarely understand how these algorithms actually work. 

The RealPage case is particularly striking because housing is a basic human need. Unlike a plane ticket or hotel stay, your rent affects your stability, your budget, and even your ability to save for the future. 

When algorithms are allowed to exploit personal data in this way, the consequences can be serious and immediate. 

AI systems are not neutral. Every dataset they consume carries the potential to harm, and without oversight, these invisible systems can silently manipulate markets, impacting people’s lives.

For anyone paying rent, booking flights, or shopping online, this is a wake-up call. 

The DOJ settlement is a step toward accountability, but it’s also a broader signal: the algorithms shaping our daily lives need scrutiny, regulation, and transparency. 

The RealPage lawsuit against New York State underscores the tension between innovation, corporate freedom, and public accountability. It is also expected to set a legal precedent for how companies will be allowed to use AI pricing algorithms moving forward.  

If RealPage succeeds, it may open the door for corporations in other industries to challenge state-level AI restrictions, from hospitality to car insurance. 

AI can make life easier, but without careful oversight, it can also turn data into a weapon against ordinary people.

As stated by then-US Deputy Attorney General Lisa Monaco last year, “Training a machine to break the law is still breaking the law.”

ABOUT THE AUTHOR

Stefanie Schappert, MSCY, CC, Senior Journalist at Cybernews, is an accomplished writer with an M.S. in cybersecurity, immersed in the security world since 2019.  She has a decade-plus experience in America’s #1 news market working for Fox News, Gannett, Blaze Media, Verizon Fios1, and NY1 News.  With a strong focus on national security, data breaches, trending threats, hacker groups, global issues, and women in tech, she is also a commentator for live panels, podcasts, radio, and TV. Earned the ISC2 Certified in Cybersecurity (CC) certification as part of the initial CC pilot program, participated in numerous Capture-the-Flag (CTF) competitions, and took 3rd place in Temple University’s International Social Engineering Pen Testing Competition, sponsored by Google.  Member of Women’s Society of Cyberjutsu (WSC), Upsilon Pi Epsilon (UPE) International Honor Society for Computing and Information Disciplines. 

Gemini 2.5 Pro fails safety tests across multiple harm categories: Cybernews

Posted in Commentary with tags on December 1, 2025 by itnerd

Cybernews has published new research evaluating popular LLMs. The findings show that Gemini 2.5 Pro was the most compliant when prompted to provide animal abuse methods, advice on stalking, and other questionable content.

Key points from the study:

  • Gemini 2.5 Pro performed worst on stereotypes, hate speech, animal abuse, cruelty, and stalking.
  • In the stereotypes category, fifty questions were asked and Gemini 2.5 Pro scored a total of 48 points; the second-worst performer, OpenAI’s GPT-5, scored five.
  • Gemini 2.5 Pro was the most easily tricked into engaging in what Cybernews researchers defined as hateful speech.
  • The model produced the highest number of unsafe outputs on animal abuse and generated graphic and violent scenarios in the cruelty category.
  • Gemini 2.5 Pro was the most vulnerable model in terms of producing unsafe output related to stalking.

Curiously, Gemini 2.5 Flash performed significantly better across many of the same categories.

For more information, here’s the full research: https://cybernews.com/security/google-gemini-pro-safety-problem/