Most of us understand that companies track our activities around the web. They’d love to track our activities in the real world too, if we let them. But what we don’t expect is our operating systems to track us, and for the companies that make those operating systems to provide that information to law enforcement (or anyone else, for that matter). Which is why this week’s news that your Windows PC has a unique “Global Device ID” that Microsoft can use for, well, whatever it wants, took many people by surprise.
The reveal came as part of a story about Microsoft helping law enforcement find and arrest a 19-year-old hacker who was part of the Scattered Spider hacking group, which has been responsible for several high-profile attacks. Putting that aside, learning how closely Microsoft can keep tabs on your Windows PC is a bit unnerving, especially since there’s no way to opt out of the tracking.
Make no mistake, the unique device ID part isn’t the unusual thing. Your PC has many unique identifiers at the software and hardware levels that, if obtained, could link you to it. What’s unusual is that Microsoft was able to obtain fairly detailed information about what the teenage hacker was doing on his PC, such as the websites he visited, and provided it to law enforcement when they asked for it. The fact that Microsoft could connect a user’s device ID to their activity, and that any ID can be associated with third-party actions and their timings, even led one security researcher to claim that Windows itself is surveillance software.
Add this to the news that Windows’ market share has been dropping for the first time, and it’s not a great look for the company overall.
In other worrisome news, if you own a Tenda router, you might want to take notice: Researchers discovered a backdoor in the router’s firmware, and unfortunately, there’s no way to fix it. In short, there’s a hard-coded backdoor administrative password that, if you have remote management enabled, will grant anyone full access to your Wi-Fi network. Unfortunately, the researchers who uncovered the issue haven’t been able to reach the company to address it, so they recommend disabling remote access entirely or, better yet, buying a new router.
Let’s see what else is going on in the infosec world this week.
How the Reddit and Discord False Report Scam Steals Accounts
A good friend of mine, a content creator I admire, had his Discord account hijacked recently. I was bummed to see it, since all he could do after the fact was try to convince Discord support that he should have his account back—and while I don’t know exactly how it happened, it could have gone down like this trend of Reddit and Discord account hijacks, as reported on the MalwareBytes blog. In short, you get a message from a stranger, accusing you of having reported them, or telling you that they accidentally reported you—there’s no link, no malware or anything, because that’s not the point.
The real goal is just to engage you—to get you to respond and keep talking to them. Over the course of the conversation, they’ll either send you “proof” of the reporting, accidental or otherwise, complete with a fake ticket number or an emailed “investigation.” Meanwhile, the scammer tries to get into your account and claims that a moderator or support tech needs the “code” they just sent you, which is, conveniently, whatever second authentication factor the scammer needs from your inbox to log in under your credentials or to change your password. Either way, if you give them the authentication code, they get access to your account, change the password and email address, and that’s that: It’s gone.
In reality, neither service’s support team works this way, and no support technician will ever ask you for an authentication code or your credentials out of the blue, whether the service is Reddit, Discord, your bank, or anything else. It’s all part of a campaign that combines urgency with seemingly legitimate wording to confuse you. Think of it like a team of pickpockets, one of which walks up to ask you for directions while the other swipes your wallet. Remember: Never, ever give out authentication codes, passwords, or change account email addresses on request, especially out of the blue like this.
US Government Agency Paid $1M to Data Extortion Group Kairos
Remember a few months ago, right before final exams started, when the online learning platform Canvas suffered a major ransomware attack? And then remember how, even though conventional wisdom is not to pay ransomware attackers, they coughed up a good bit of money to decrypt the data and get back online? Well, it’s not just private companies opening their wallets when attackers strike; it’s also the US government, according to Security Affairs.
Apparently, Kairos, a group that’s focused less on ransomware specifically and more on data theft and extortion (such as stealing sensitive data and threatening to make it public, sell it, or share it with an adversary), claimed to have 2TB of data and more than 1.6 million files from a US government entity, all obtained through a brute force credential attack. It then pressured the entity to pay $1 million to ensure the data wouldn’t be misused, and the government paid up after negotiating a lower price (apparently, the group initially asked for $3 million).
Recommended by Our Editors
Researchers from Ransom-ISAC obtained a leaked negotiation transcript and could observe payment activity to multiple crypto wallets that seem to verify the story, and the report even notes that the “proof” that the group gave the government claiming the files were deleted was “not technically verifiable,” so there’s no real evidence that the government even got what it paid for. However, the group did state that it deleted the files, promised not to share the downloaded data with any third parties, and promised not to attack again, so there’s that. The full Ransom-ISAC report is a fascinating read, and even includes the conversation between representatives of the government agency and the Kairos attackers, so you can see how these attacks play out in real time.
Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments
You know, it was nice to not have an AI-related security story in the mix for a moment, but unfortunately, we’re back here again. This time, hackers have found a new use for the old prompt-injection attack: stealing your money, instead of your data.
According to this story from Security Week, security researchers from Zscaler Threatlabz uncovered two different campaigns that use malicious websites to embed prompt injection attacks that, when an AI agent loads the website, instruct it to make a payment for a “license key,” which is, of course, fake, to the attacker’s crypto wallets with any available payment information the user has in their browser. The attacker uses SEO poisoning to get the user to visit the site in the first place, and once the user lands there, the browser’s AI agent is informed that an error occurred during (a nonexistent) payment, prompting the agent to correct the issue by reattempting the payment.
The researchers tested the exploit against 26 different LLMs. Two of them miscategorized the fraudulent website as legitimate (Claude Sonnet 4.5 and OpenAI’s GPT-5.4), and four others actually paid up (Meta’s Llama 3.3 70B Instruct, Meta’s Llama 3.2 90B Vision Instruct, Google’s Gemini 3 Flash, and Google’s Gemini 2.5 Pro). We’ve sounded the alarm about prompt injection and AI-powered browsers before, and the threat remains very real. Even worse, the websites don’t just attack AI agents: The same message is displayed to visitors, just in case it might fool a human, too.
About Our Expert
Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.
I’ve been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I’m back at PCMag to lead our security team and renew my commitment to service journalism. I’m the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.
Read Full Bio
