Booking.com confirmed Monday that hackers may have accessed customers’ personal data, including names, emails, physical addresses, phone numbers, and booking details. The global travel and hotel reservation giant notified customers this past week of the breach, according to several online posts.
“We’re writing to inform you that unauthorized third parties may have been able to access certain booking information associated with your reservation,” read the notification to customers, according to one user’s post on Reddit. Several other Reddit users replying to the post said they received the same notification. The message from the company included the aforementioned types of compromised data, as well as “anything that you may have shared with the accommodation.”
The user who posted the notification on Reddit told TechCrunch that they received a phishing message via WhatsApp two weeks ago that included “booking details and personal information.” That suggests hackers are leveraging the stolen information to target Booking.com customers.
Booking.com spokesperson Courtney Camp told TechCrunch that the company “noticed some suspicious activity involving unauthorized third parties being able to access some of our guests’ booking information. Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.”
The spokesperson declined to answer TechCrunch’s specific questions, including how many customers were affected by this incident and then notified.
The company told The Guardian that “financial information was not accessed”.
In 2024, TechCrunch reported that hackers had infected several hotels’ computers with consumer-grade spyware, or stalkerware. In one case, a victim was logged into their Booking.com administration portal when the PcTattleTale stalkerware took a screenshot of their screen.
According to the company’s website, 6.8 billion customers have booked hotel rooms and homes since 2010.
As US President Donald Trump threatens wholesale demolition of Iran’s infrastructure in the midst of an escalating war, Iran now appears to have already reciprocated with its own form of infrastructure sabotage: A hacking campaign hitting industrial control systems across the United States, including energy and water utilities, that US agencies say has had disruptive and costly effects.
In a joint advisory published Tuesday, a group of US agencies including the FBI, the National Security Agency, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency warned that a group of hackers affiliated with the Iranian government has targeted industrial control devices used in a series of critical infrastructure targets including in the energy sector, water and wastewater utilities, and unspecified “government facilities.” According to the agencies, the hackers have targeted programmable logic controllers (PLCs)—a type of device designed to allow digital control of physical machinery—in those facilities, including those sold by industrial tech firm Rockwell Automation, with the apparent intention of sabotaging their systems.
By compromising those PLCs, the advisory warns, the hackers sought to change information on the displays of industrial control systems, which can in some scenarios cause system downtime, damage, or even dangerous conditions. “In a few cases, this activity has resulted in operational disruption and financial loss,” it reads.
When WIRED reached out to Rockwell Automation, a company spokesperson responded in a statement that it “takes seriously the security of its products and solutions and has been closely coordinating with government agencies in connection with” Tuesday’s advisory, and pointed to documents it has published for customers on how to better secure their PLCs.
Though the advisory doesn’t specify a particular group responsible for the hacking campaign, it notes that the attacks are similar to those carried out by the Iran-linked group known as CyberAv3ngers, or the Shahid Kaveh Group, starting in late 2023. That team of hackers, believed to work in the service of the Iranian Revolutionary Guard Corps, inflicted several waves of attacks against Israeli and US targets in recent years, including gaining access to more than a hundred devices sold by industrial control system technology firm Unitronics and most commonly used in water and wastewater utilities.
This is a developing story, please check back for updates.
Your Strava runs might feel private, but a new Strava military data leak shows how easily that information can reveal more than your workout. In the latest case, activity logs have been linked to more than 500 UK military personnel, connecting everyday exercise to sensitive locations.
This goes beyond visible routes. Shared histories and account details can be combined to identify people and map where they live and work. Known locations become more revealing once behavior is layered on top.
A recent incident showed how a single tracked session revealed the position of a naval vessel. Routine posts can carry real consequences. The issue comes down to visibility and how much is left open by default.
Public runs tied to real people
The investigation uncovered shared routes connected to personnel across several UK bases, including Northwood, Faslane, and North Yorkshire. These weren’t abstract traces. Account histories made it possible to link sessions to specific individuals.
Once identified, an account can reveal habits, frequent routes, and social connections through shared features. That expands the scope quickly and makes tracking easier over time.
In one case, a run label hinted the user understood the risk, yet it stayed accessible. That gap between awareness and action is part of the problem. Analysts warn that small fragments of information can still be combined into something far more detailed.
Small details build a bigger picture
The real danger builds over time. Repeated uploads create a trackable footprint that becomes easier to follow with each new entry.
Even if locations aren’t secret, surrounding behavior adds meaning. Movement between sites, timing, and consistency can all be inferred. For an outside observer, that’s enough to map routines and spot patterns.
At a submarine base, shared logs helped identify personnel and even family members through linked accounts. That kind of exposure extends beyond the original user and makes the data more valuable.
One setting can reduce the risk
The fix is already available, but many users skip it. Strava includes privacy controls that limit who can view your sessions and routes. Leaving those settings unchanged keeps your activity visible by default.
Switching activities to private reduces exposure right away. It limits how easily routes can be traced and makes long-term patterns harder to build. Or you can check out other fitness apps.
The bigger takeaway applies to any fitness app that shares location data. If you use Strava, it’s worth checking your settings now and locking down what others can see. A small change can keep your routine from becoming a signal.
Decentralized finance company Drift says it has suspended withdrawals and deposits after confirming a security incident.
The crypto platform said in a post on X that it was “experiencing an active attack,” and that it was working to “contain the incident.”
Security researchers and public blockchain data suggest the losses could be significant. Blockchain security firm CertiK said on X that hackers may have stolen around $136 million, while crypto analytics firm Arkham put the figure at around $285 million stolen.
If confirmed, this would make the Drift hack the largest crypto theft of the year, according to the Rekt leaderboard, a site that tracks crypto thefts by size.
It’s not clear who is behind the attack, and a spokesperson for Drift did not immediately respond to a request for comment.
Security firms say North Korea was behind the most crypto thefts last year, netting at least $2 billion in stolen cryptocurrency, funds the regime is believed to use to finance its nuclear weapons program and skirt international sanctions that restrict its access to the global financial system.
Autonomous agents mark a new inflection point in AI. Systems are no longer limited to generating responses or reasoning through tasks. They can take action: Agents can read files, use tools, write and run code, and execute workflows across enterprise systems, all while expanding their own capabilities.
Application-layer risk grows exponentially when agents continuously improve and evolve. The NVIDIA OpenShell runtime is being built to address this.
Part of NVIDIA Agent Toolkit, OpenShell is an open source, secure-by-design runtime for running autonomous agents such as claws. It works by ensuring each agent runs inside its own sandbox, separating application-layer operations from infrastructure-layer policy enforcement.
This means security policies are out of reach of the agent — they’re applied at the system level. Instead of relying on behavioral prompts, OpenShell enforces constraints on the environment the agent runs in — meaning the agent cannot override policies, or leak credentials or private data, even if compromised.
With OpenShell, enterprises can separate agent behavior, policy definition and policy enforcement. Organizations gain a single, unified policy layer to define and monitor how autonomous systems operate. Coding agents, research assistants and agentic workflows all run under the same runtime policies regardless of host operating system, simplifying compliance and operational oversight.
This is the “browser tab” model applied to agents: Sessions are isolated, resources are controlled and permissions are verified by the runtime before any action takes place.
Securing autonomous systems requires an integrated ecosystem. OpenShell is designed to add privacy and security controls for AI agents. NVIDIA is collaborating with security partners, including Cisco, CrowdStrike, Google Cloud, Microsoft Security and TrendAI, to align runtime policy management and enforcement for agents across the enterprise stack.
OpenShell Provides an Enterprise-Grade Sandbox for Building Personal AI Assistants
NVIDIA NemoClaw is an open source reference stack that simplifies installing OpenClaw always-on assistants with the OpenShell runtime and NVIDIA Nemotron models in a single command.
NemoClaw provides enthusiasts with an open reference for building self-evolving personal AI agents, or claws. Since security needs vary, NemoClaw provides a reference example for policy-based privacy and security guardrails to give users more control over their agents’ behavior and data-handling. Users can customize it for their specific use cases — much like adjusting security preferences for applications on a phone.
NemoClaw includes an example configuration of OpenShell that defines how the agent should interact with systems. NemoClaw uses open source models like NVIDIA Nemotron alongside OpenShell.
Both OpenShell and NemoClaw are in early preview. NVIDIA is building in the open with the community and its partners to enable enterprises to scale self-evolving, long-running autonomous agents safely, confidently and in compliance with global security standards.
Get started with NVIDIA OpenShell and launch a ready‑to‑use environment on NVIDIA Brev, or explore the open source project on GitHub.
A senior Democratic lawmaker with knowledge of some of the U.S. government’s most secretive operations has said he has “deep concerns” about certain activities by the Central Intelligence Agency.
The two-line letter written by Sen. Ron Wyden, the longest serving member of the Senate Intelligence Committee, does not disclose the nature of the CIA’s activities or the senator’s specific concerns. But the letter follows a pattern in recent years in which Wyden has publicly hinted at wrongdoing or illegality within the federal government, sometimes referred to as the “Wyden siren.”
In a statement (via WSJ’s Dustin Volz), the CIA said it was “ironic but unsurprising that Senator Wyden is unhappy,” calling it a “badge of honor.”
When reached by TechCrunch, a spokesperson for Wyden’s staff was unable to comment as the matter was classified.
Tasked with oversight of the intelligence community, Wyden is one of a few lawmakers who is allowed to read highly classified information about ongoing government surveillance, including cyber and other intelligence operations. But as the programs are highly secretive, Wyden is barred from sharing details of what he knows with anyone else, including most other lawmakers, except for a handful of Senate staff with security clearance.
As such, Wyden, a known privacy hawk, has become one of the few key members of Congress whose rare but outspoken words on intelligence and surveillance matters are closely watched by civil liberties groups.
Over the past few years, Wyden has subtly sounded the alarm on several occasions in which he has construed a secret ruling or intelligence gathering method as unlawful or unconstitutional.
In 2011, Wyden said that the U.S. government was relying on a secret interpretation of the Patriot Act, which he said — without disclosing the nature of his concerns — created a “gap between what the public thinks the law says and what the American government secretly thinks the law says.”
Two years later, then-NSA contractor Edward Snowden revealed that the National Security Agency was relying on its secret interpretation of the Patriot Act to force U.S. phone companies, including Verizon, to turn over the call records of hundreds of millions of Americans on an ongoing basis.
As noted by Techdirt’s Mike Masnick, we may not yet know why Wyden sounded the siren about the CIA’s activities, but every time Wyden has warned, he has also been vindicated.
It’s the end of the year. That means it’s time for us to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has looked back at the best stories across the board from the year in cybersecurity.
If you’re not familiar, the idea is simple. There are now dozens of journalists who cover cybersecurity in the English language. There are a lot of stories about cybersecurity, privacy, and surveillance that are published every week. And a lot of them are great, and you should read them. We’re here to recommend the ones we liked the most, so keep in mind that it’s a very subjective and, at the end of the day, incomplete list.
Anyway, let’s get into it. — Lorenzo Franceschi-Bicchierai.
Every once in a while, there’s a hacker story that as soon as you start reading, you think it could be a movie or a TV show. This is the case with Shane Harris’ very personal tale of his months-long correspondence with a top Iranian hacker.
In 2016, The Atlantic’s journalist made contact with a person claiming to work as a hacker for Iran’s intelligence, where he claimed to have worked on major operations, such as the downing of an American drone and the now-infamous hack against oil giant Saudi Aramco, where Iranian hackers wiped the company’s computers. Harris was rightly skeptical, but as he kept talking to the hacker, who eventually revealed his real name to him, Harris started to believe him. When the hacker died, Harris was able to piece together the real story, which somehow turned out to be more incredible than the hacker had led Harris to believe.
The gripping story is also a great behind-the-scenes look at the challenges cybersecurity reporters face when dealing with sources claiming to have great stories to share.
In January, the U.K. government secretly issued Apple with a court order demanding that the company build a backdoor so police can access iCloud data of any customer in the world. Due to a worldwide gag order, it was only because The Washington Post broke news that we learned the order existed to begin with. The demand was the first of its kind, and — if successful — would be a major defeat for tech giants who have spent the past decade locking themselves out of their users’ own data so they can’t be compelled to provide it to governments.
Apple subsequently stopped offering its opt-in end-to-end encrypted cloud storage to its customers in the U.K. in response to the demand. But by breaking the news, the secret order was thrust into the public eye and allowed both Apple and critics to scrutinize U.K. surveillance powers in a way that hasn’t been tested in public before. The story sparked a months-long diplomatic row between the U.K. and the United States, prompting Downing Street to drop the request — only to try again several months later.
This story was the sort of fly-on-the-wall access that some reporters would dream of, but The Atlantic’s editor-in-chief got to play out in real-time after he was unwittingly added to a Signal group of senior U.S. government officials by a senior U.S. government official discussing war plans from their cell phones.
Image caption: “We are currently clean on OPSEC,” said Secretary of Defense Pete Hegseth. They were not. (Image credit: The Atlantic, screenshot)
Reading the discussion about where U.S. military forces should drop bombs — and then seeing news reports of missiles hitting the ground on the other side of the world — was confirmation that Jeffrey Goldberg needed to know that he was, as he suspected, in a real chat with real Trump administration officials, and this was all on-the-record and reportable.
And so he did, paving the way for a months-long investigation (and critique) of the government’s operational security practices, in what was called the biggest government opsec mistake in history. The unraveling of the situation ultimately exposed security lapses involving the use of a knock-off Signal clone that further jeopardized the government’s ostensibly secure communications.
Brian Krebs is one of the more veteran cybersecurity reporters out there, and for years he has specialized in following online breadcrumbs that lead to him revealing the identity of notorious cybercriminals. In this case, Krebs was able to find the real identity behind a hacker’s online handle Rey, who is part of the notorious “advanced persistent teenagers” cybercrime group that calls itself Scattered LAPSUS$ Hunters.
Krebs’ quest was so successful that he was able to talk to a person very close to the hacker — we won’t spoil the whole article here — and then the hacker himself, who confessed to his crimes and claimed he was trying to escape the cybercriminal life.
Independent media outlet 404 Media has accomplished more impact journalism this year than most mainstream outlets with vastly more resources. One of its biggest wins was exposing and effectively shuttering a massive air travel surveillance system tapped by federal agencies and operating in plain sight.
404 Media reported that a little-known data broker set up by the airline industry called the Airlines Reporting Corporation was selling access to five billion plane tickets and travel itineraries, including names and financial details of ordinary Americans, allowing government agencies like ICE, the State Department, and the IRS to track people without a warrant.
ARC, owned by United, American, Delta, Southwest, JetBlue, and other airlines, said it would shut down the warrantless data program following 404 Media’s months-long reporting and intense pressure from lawmakers.
The killing of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. Luigi Mangione, the chief suspect in the killing, was soon after arrested and indicted on charges of using a “ghost gun,” a 3D-printed firearm that had no serial number and was built privately without a background check — effectively a gun that the government has no idea exists.
Wired, using its past reporting experience on 3D-printed weaponry, sought to test how easy it would be to build a 3D-printed gun, while navigating the patchwork legal (and ethical) landscape. The reporting process was exquisitely told, and the video that goes along with the story is both excellent and chilling.
DOGE, or the Department of Government Efficiency, was one of the biggest running stories of the year, as the gang of Elon Musk’s lackeys ripped through the federal government, tearing down security protocols and red tape, as part of the mass-grab of citizens’ data. NPR had some of the best investigative reporting uncovering the resistance movement of federal workers trying to prevent the pilfering of the government’s most sensitive data.
In one story detailing a whistleblower’s official disclosure as shared with members of Congress, a senior IT employee in the National Labor Relations Board told lawmakers that as he was seeking help investigating DOGE’s activity, he “found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure.”
Any story that starts with a journalist saying they found something that made them “feel like shitting my pants,” you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious surveillance company called First Wap, which contained records on thousands of people from around the world whose phone locations had been tracked.
The dataset, spanning 2007 through 2015, allowed Geiger to identify dozens of high profile people whose phones were tracked, including a former Syrian first lady, the head of a private military contractor, a Hollywood actor, and an enemy of the Vatican. This story explored the shadowy world of phone surveillance by exploiting Signalling System No. 7, or SS7, an obscurely named protocol long known to allow malicious tracking.
Swatting has been a problem for years. What started as a bad joke has become a real threat, which has resulted in at least one death. Swatting is a type of hoax where someone — often a hacker — calls the emergency services and tricks the authorities into sending an armed SWAT team to the home of the hoaxer’s target, often pretending to be the target themselves, and pretending they are about to commit a violent crime.
In this feature, Wired’s Andy Greenberg put a face on the many characters who are part of these stories such as the call operators who have to deal with this problem. And he also profiled a prolific swatter, known as Torswats, who for months tormented the operators and schools all over the country with fake — but extremely believable — threats of violence, as well as a hacker who took it upon himself to track Torswats down.
South Korea is world-famous for its blazing-fast internet, near-universal broadband coverage, and as a leader in digital innovation, hosting global tech brands like Hyundai, LG, and Samsung. But this very success has made the country a prime target for hackers and exposed how fragile its cybersecurity defenses remain.
The country is reeling from a string of high-profile hacks, affecting credit card companies, telecoms, tech startups, and government agencies, impacting vast swathes of the South Korean population. In each case, ministries and regulators appeared to scramble in parallel, sometimes deferring to one another rather than moving in unison.
Critics argue that South Korea’s cyber defenses are hindered by a fragmented system of government ministries and agencies, often resulting in slow and uncoordinated responses, per local media reports.
“The government’s approach to cybersecurity remains largely reactive, treating it as a crisis management issue rather than as critical national infrastructure,” Brian Pak, the chief executive of Seoul-based cybersecurity firm Theori, told TechCrunch.
Pak, who also serves as an advisor to SK Telecom’s parent company’s special committee on cybersecurity innovations, told TechCrunch that because government agencies tasked with cybersecurity work in silos, developing digital defenses and training skilled workers often get overlooked.
The country is also facing a severe shortage of skilled cybersecurity experts.
“[That’s] mainly because the current approach has held back workforce development. This lack of talent creates a vicious cycle. Without enough expertise, it’s impossible to build and maintain the proactive defenses needed to stay ahead of threats,” Pak continued.
Political deadlock has fostered a habit of seeking obvious “quick fixes” after each crisis, Pak said, while the more challenging, long-term work of building digital resilience continues to be sidelined.
This year alone, there has been a major cybersecurity incident in South Korea almost every month, further mounting concerns over the resilience of South Korea’s digital infrastructure.
January 2025
GS Retail, the operator of convenience stores and grocery markets across South Korea, confirmed a data breach that exposed the personal details of about 90,000 customers after its website was attacked between December 27 and January 4. The stolen information included names, birth dates, contact details, addresses, and email addresses.
February 2025
April and May 2025
South Korea’s part-time job platform Albamon was hit by a hacking attack on April 30. The breach exposed the resumes of more than 20,000 users, including names, phone numbers, and email addresses.
In April, South Korea’s telecom giant SK Telecom was hit by a major cyberattack. Hackers stole the personal data of about 23 million customers — nearly half the country’s population. Much of the aftermath of the cyberattack lasted through May, in which millions of customers were offered a new SIM card following the breach.
June 2025
Yes24, South Korea’s online ticketing and retail platform, was hit by a ransomware attack on June 9, which knocked its services offline. The disruption lasted for about four days, with the company back online by mid-June.
A North Korea-backed hacking group, Kimsuky, used AI-generated deepfake images in a July spear-phishing attempt against a South Korean military organization, according to Genians Security Center. The group has also targeted other South Korean institutions.
Seoul Guarantee Insurance (SGI), a Korean financial institution, was hit by a ransomware attack around July 14, which disrupted its core systems. The incident knocked key services offline, including the issuing and verification of guarantees, leaving customers in limbo.
Hackers broke into South Korean financial services company Lotte Card, which issues credit and debit cards, between July 22 and August. The breach exposed around 200GB of data and is believed to have affected roughly 3 million customers. The breach remained unnoticed for approximately 17 days, until the company discovered it on August 31.
Welcome Financial: In August 2025, Welrix F&I, a lending arm of Welcome Financial Group, was hit by a ransomware attack. A Russian-linked hacking group claimed it stole over a terabyte of internal files, including sensitive customer data, and even leaked samples on the dark web.
North Korea-linked hackers, believed to be the Kimsuky group, have been spying on foreign embassies in South Korea for months by disguising their attacks as routine diplomatic emails. According to Trellix, the campaign has been active since March and has targeted at least 19 embassies and foreign ministries in South Korea.
September 2025
KT, one of South Korea’s biggest telecom operators, has reported a cyber breach that exposed subscriber data from more than 5,500 customers. The attack was linked to illegal “fake base stations” that tapped into KT’s network, enabling hackers to intercept mobile traffic, steal information like IMSI, IMEI, and phone numbers, and even make unauthorized micro-payments.
In September 2025, the National Security Office announced that it would implement “comprehensive” cyber measures through an interagency plan, led by the South Korean president’s office. Regulators also signaled a legal change giving the government power to launch probes at the first sign of hacking — even if companies haven’t filed a report. Both steps aim to address the lack of a first responder that has long hindered South Korea’s cyber defenses.
But while South Korea’s fragmented system leaves accountability weak, placing all authority in a presidential “control tower” could risk “politicization” and overreach, according to Pak.
A better path may be balance: a central body to set strategy and coordinate crises, paired with independent oversight to keep power in check. In a hybrid model, expert agencies like KISA would still handle the technical work — just with more straightforward rules and accountability, Pak told TechCrunch.
When reached for comment, a spokesperson for South Korea’s Ministry of Science and ICT said the ministry, with KISA and other relevant agencies, is “committed to addressing increasingly sophisticated and advanced cyber threats.”
“We continue to work diligently to minimize potential harm to Korean businesses and the general public,” the spokesperson added.
This article was originally published on September 30.
A security researcher said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers’ vehicles.
Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.
With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their car’s functions from anywhere.
Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information.
He said that while the security flaws in the portal’s login system were a challenge to find, once he found them, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.
The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmaker’s dealers across the United States, he told TechCrunch.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” said Zveare, in describing the access.
Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker.
In one real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. Zveare said the tool could be used to look up someone using only a customer’s first and last name.
With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their car’s functions from an app, such as unlocking their cars.
Zveare said he tried this out in a real-world example using a friend’s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation — effectively a pinky promise — that the user performing the account transfer is legitimate.
“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name — which kind-of freaks me out a bit — or I could just look up a car in the parking lots.”
Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into and steal items from vehicles, for example.
Another key problem with access to this carmaker’s portal was that it was possible to access other dealers’ systems linked to the same portal through single sign-on, a feature that allows users to log in to multiple systems or applications with just one set of login credentials. Zveare said the carmaker’s systems for dealers are all interconnected, so it’s easy to jump from one system to another.
On top of this, he said, the portal also had a feature that allowed admins, such as the user account he created, to “impersonate” other users, effectively granting access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023.
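An impersonation feature is not inherently a flaw, but it needs to be authorised server-side, time-limited, and fully audited so that every action taken as the target is traceable to the real admin. As an added example that is not part of the article or of any carmaker’s portal, the following constructed model issues a signed, short-lived impersonation token only to a server-recorded admin and records every attempt, refused or not. `ROLES`, `SECRET`, `AUDIT_LOG`, `impersonate` and `verify` are hypothetical names.

```python
"""Added example, not code from the article or from any carmaker's portal.
Constructed model of an admin "impersonate user" feature built so that it
is authorised server-side, short-lived, and fully audited.  ROLES, SECRET,
AUDIT_LOG and the function names are hypothetical."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SECRET = b"constructed-demo-key"      # hypothetical; use a managed secret in practice
ROLES: Dict[str, str] = {"alice": "national_admin", "bob": "dealer_user"}
AUDIT_LOG: List[dict] = []            # every attempt lands here, allowed or not


def impersonate(actor: str, target: str, reason: str,
                now: Optional[float] = None, ttl: int = 900) -> Optional[str]:
    """Issue a signed impersonation token for `target`, or None if refused.
    The decision uses the server's ROLES record, never a client-side flag,
    and the log keeps the real actor so later actions can be traced back."""
    now = time.time() if now is None else now
    allowed = (ROLES.get(actor) == "national_admin"
               and target in ROLES and target != actor)
    AUDIT_LOG.append({"ts": now, "actor": actor, "target": target,
                      "reason": reason, "allowed": allowed})
    if not allowed:
        return None
    # The token names both the impersonated subject and the acting admin,
    # so downstream systems never see the admin as simply "being" the target.
    payload = json.dumps({"sub": target, "act": actor, "exp": now + ttl},
                         sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the token's claims if the signature checks and it is unexpired."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    token = impersonate("alice", "bob", "support ticket (constructed)", now=1000.0)
    print("claims:", verify(token, now=1500.0))
    print("refused:", impersonate("bob", "alice", "no reason", now=1000.0))
    print("audit:", AUDIT_LOG)
```

Two design choices matter here: the audit record is written before the allow/deny branch, so refused attempts are visible to detection as well, and the token carries an `act` claim naming the admin, so the impersonated session is never indistinguishable from the real user’s own.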
“They’re just security nightmares waiting to happen,” said Zveare, speaking of the user-impersonation feature.
Once in the portal, Zveare found personally identifiable customer data, some financial information, and telematics systems that allowed the real-time location tracking of rental or courtesy cars, as well as cars being shipped across the country, along with the option to cancel them — though Zveare didn’t try.
Zveare said the bugs took about a week to fix in February 2025 soon after his disclosure to the carmaker.
“The takeaway is that only two simple API vulnerabilities blasted the doors open, and it’s always related to authentication,” said Zveare. “If you’re going to get those wrong, then everything just falls down.”
Hi, thanks as always for reading TechCrunch. We want to talk with you quickly about something important.
We’ve discovered that scammers are impersonating TechCrunch reporters and event leads and reaching out to companies, pretending to be our staff when they absolutely are not. These bad actors are using our name and reputation to try to dupe unsuspecting businesses. It drives us crazy and infuriates us on your behalf.
Anecdotally, this isn’t just happening to us; fraudsters are exploiting the trust that comes with established news brands to get their foot in the door with companies across the media industry.
Here’s an example of the most common scheme we’ve been tracking: Impostors impersonating our reporters to extract sensitive business information from unsuspecting targets. In several cases we know about, scammers have adopted the identity of actual staff members, crafting what looks like a standard media inquiry about a company’s products and requesting an introductory call.
Sharp-eyed recipients sometimes catch discrepancies in email addresses that don’t match our real employees’ credentials. But these schemes evolve quickly; bad actors keep refining their tactics, mimicking reporters’ writing styles and referencing startup trends to make their pitches increasingly convincing. Equally troubling, victims who agree to phone interviews tell us the fraudsters use those exchanges to dig for even more proprietary details. (A PR rep told Axios that someone posing as a TechCrunch reporter raised suspicions when they shared a scheduling link.)
Why are they doing this? We don’t know, though a reasonable guess is that these are groups looking for initial access to a network or other sensitive information.
As for what to do about it, if someone reaches out claiming to be from TechCrunch and you have even the slightest doubt about whether they’re legitimate, please don’t just take their word for it. We’ve made it easy for you to verify.
Start by checking our TechCrunch staff page. It’s the quickest way to see if the person contacting you actually works here. If the individual’s name isn’t on our roster, you’ve got your answer right there.
If you do see someone’s name on our staff page, but our employee’s job description doesn’t square with the request you are receiving (i.e., a TechCrunch copy editor is suddenly very interested in learning about your business!), a bad actor may be trying to con you.
If it sounds like a legitimate request but you want to make doubly certain, you should also feel free to contact us directly and just ask. You can learn how to reach each writer, editor, sales executive, marketing guru, and events team member in our bios.
We know it’s frustrating to have to double-check media inquiries, but these groups are counting on you not taking that extra step. By being vigilant about verification, you’re not just protecting your own company — you’re helping preserve the trust that legitimate journalists depend on to do their jobs.