Looks Legit, Isn’t: Fake MFA, Wiki Leaks & PII in Pixels
Fake Status Badges Are Replacing Real MFA
Attackers are inserting static MFA success indicators (like “✓ Verified” badges) into spoofed login portals—tricking users into thinking 2FA passed before credential capture.
Only trust browser-native auth flows. Train users to look for MFA cues that come from their device or authenticator app, not from anything drawn on the page itself.
Public websites with customer portals often leak names, emails, or ticket data into search bar URLs—where Google Analytics, Facebook Pixel, or Hotjar can scrape it.
Scrub PII from query strings. Use POST instead of GET for search where possible, and review tag payloads regularly.
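Added example, not from the original post: a Python helper that redacts email addresses, phone numbers, and known identity parameters from a URL before it is handed to an analytics pageview call, plus a reviewer that walks a captured tag payload and reports which fields still carry PII. The parameter names, the sample URL, and the sample payload are constructed for illustration; the phone pattern is deliberately aggressive, since a false positive in analytics data is cheaper than a leak.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Patterns for values that should never reach a tag manager or analytics pixel.
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-zA-Z]{2,}")
# Aggressive on purpose: any run of 10+ digits/separators is treated as a phone number.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\d\s().-]{8,}\d)(?!\d)")
# Constructed list of query keys whose values are identity data regardless of content.
SENSITIVE_KEYS = {"email", "name", "first_name", "last_name", "phone", "ticket", "customer_id"}

REDACTED = "REDACTED"


def scrub_value(value: str) -> str:
    """Replace email addresses and phone numbers inside a single query value."""
    value = EMAIL_RE.sub(REDACTED, value)
    value = PHONE_RE.sub(REDACTED, value)
    return value


def scrub_query(url: str) -> str:
    """Return the URL with PII removed from its query string.

    Sensitive keys are redacted outright; free-text parameters (such as a
    search box's q=) are scanned for email and phone patterns. The result is
    what should be reported as the page location, never the raw URL.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    clean = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            clean.append((key, REDACTED))
        else:
            clean.append((key, scrub_value(value)))
    return urlunsplit(parts._replace(query=urlencode(clean)))


def find_pii_in_payload(payload, path=""):
    """Walk a captured tag payload (nested dicts/lists) and list the field
    paths that carry PII, either directly or inside an embedded URL."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits.extend(find_pii_in_payload(value, f"{path}.{key}" if path else key))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_pii_in_payload(value, f"{path}[{i}]"))
    elif isinstance(payload, str):
        if EMAIL_RE.search(payload) or PHONE_RE.search(payload):
            hits.append(path)
        elif "?" in payload and scrub_query(payload) != payload:
            hits.append(path)  # URL whose query string the scrubber would change
    return hits


# Constructed example of a pageview payload as a tag manager might send it.
SAMPLE_PAYLOAD = {
    "v": "1",
    "t": "pageview",
    "dl": "https://portal.example/search?q=jane.doe%40example.com",
    "dt": "Search results",
    "cd1": "plan=pro",
}

if __name__ == "__main__":
    print(scrub_query("https://portal.example/search?q=jane.doe%40example.com&page=2"))
    print(find_pii_in_payload(SAMPLE_PAYLOAD))
```

Run the scrubber on the server side before rendering any analytics snippet, and run the payload reviewer over requests captured from the browser's network log during periodic tag audits; a non-empty hit list means a tag is still shipping identity data.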
Company Wikis Are Still Exposing Draft Pages
Internal knowledge bases (Confluence, Notion, Guru) often contain open or mis-permissioned drafts—discussing sensitive policies, layoffs, or vulnerabilities.
Scan wikis for indexed or shared draft links. Require team-based publishing workflows and disable public workspace views.
Compliance Scans Are Missing Low-Traffic Endpoints
Automated security scans and pentests often focus on high-traffic APIs and skip rarely used routes—where backdoors, staging logic, or debug consoles hide.
Randomize scan targets. Prioritize by permission tier, not traffic, and audit logs for stale endpoint hits.
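Added example, not from the original post: a Python sketch of the two habits this tip recommends. The scan-ordering function sorts an endpoint inventory by permission tier first and by traffic second (least-trafficked first), shuffling ties so the order varies between runs; the log check looks for requests to routes that are supposed to be dormant (deprecated or staging-only). The inventory, tier names, and access log lines are all constructed for illustration.

```python
import random
from collections import Counter

# Assumed tier names, most privileged first.
TIER_RANK = {"admin": 0, "internal": 1, "user": 2, "public": 3}

# Constructed endpoint inventory: route, permission tier, 30-day request count,
# and whether the route is expected to be dormant (deprecated or staging-only).
INVENTORY = [
    {"route": "/api/v1/orders", "tier": "user", "hits_30d": 120_000, "dormant": False},
    {"route": "/api/v1/admin/export", "tier": "admin", "hits_30d": 12, "dormant": False},
    {"route": "/internal/debug", "tier": "internal", "hits_30d": 0, "dormant": True},
    {"route": "/api/v0/legacy-login", "tier": "public", "hits_30d": 3, "dormant": True},
    {"route": "/healthz", "tier": "public", "hits_30d": 900_000, "dormant": False},
]

# Constructed access log lines: timestamp, source, method, path, status.
ACCESS_LOG = """\
2024-05-01T02:13:44Z 10.0.0.5 GET /api/v1/orders 200
2024-05-01T02:14:01Z 203.0.113.9 GET /internal/debug?verbose=1 200
2024-05-01T02:14:05Z 203.0.113.9 POST /api/v0/legacy-login 401
2024-05-01T02:15:10Z 10.0.0.7 GET /healthz 200
2024-05-01T02:16:22Z 203.0.113.9 GET /internal/debug 200
""".splitlines()


def prioritize_scan_targets(inventory, seed=None):
    """Order routes for scanning: most privileged tier first, then the least
    trafficked routes within a tier. Rows are shuffled before the (stable)
    sort so that exact ties do not always come out in inventory order."""
    rng = random.Random(seed)
    rows = list(inventory)
    rng.shuffle(rows)
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]], r["hits_30d"]))
    return [r["route"] for r in rows]


def parse_log_line(line):
    """Split one access log line; the query string is dropped from the path."""
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}


def dormant_endpoint_hits(log_lines, inventory):
    """Return {route: hit_count} for routes marked dormant that still receive
    traffic. Any entry here is either a forgotten consumer or someone probing
    routes the scanner never looks at."""
    dormant = {r["route"] for r in inventory if r["dormant"]}
    counts = Counter()
    for line in log_lines:
        rec = parse_log_line(line)
        if rec["path"] in dormant:
            counts[rec["path"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(prioritize_scan_targets(INVENTORY, seed=1))
    print(dormant_endpoint_hits(ACCESS_LOG, INVENTORY))
```

Feeding the scanner the prioritized list instead of its default crawl order puts the admin export and the dormant debug route at the top, while the dormant-hit report gives the audit a concrete list of routes to either remove or bring back under scan coverage.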
Disgruntled Users Are Exporting Data via Legit API Calls
Privileged insiders are pulling customer lists, invoices, or code snippets via APIs with valid keys—making the breach “invisible” to traditional detection.
Set API rate alerts per user. Monitor time-of-day access and alert on behavior shifts during offboarding or HR issues.
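Added example, not from the original post: Python detection logic that runs over a constructed API access log and raises the three signals the tip describes, a per-user request-rate alert in a sliding window, a data-volume alert on rows returned, and an off-hours alert, with tighter thresholds for users on an HR or offboarding watchlist. The log format, thresholds, business-hours window, and user names are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed API access log: ISO timestamp, user, method, path, rows returned.
# alice is a normal daytime user; bob pages through /customers at night;
# carol pulls 25 code snippets in under half a minute.
API_LOG = [
    "2024-06-03T09:05:12Z alice GET /customers 50",
    "2024-06-03T09:07:40Z alice GET /invoices 20",
    "2024-06-03T14:22:03Z alice GET /customers 50",
] + [
    f"2024-06-03T23:{10 + i}:00Z bob GET /customers?page={i + 1} 400" for i in range(8)
] + [
    f"2024-06-03T11:00:{i:02d}Z carol GET /code/snippets/{i} 1" for i in range(25)
]


def parse_event(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts, user, method, path, rows = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "method": method, "path": path, "rows": int(rows),
    }


def detect_exfiltration(log_lines, watchlist=frozenset(), window=timedelta(minutes=10),
                        max_requests=20, max_rows=5000, business_hours=(7, 19)):
    """Return a sorted list of (user, reason) alerts.

    request_rate: more than max_requests calls inside any window-long span.
    volume:       more than max_rows rows returned inside any such span.
    off_hours:    any call outside business_hours (UTC, assumed for the example).
    Users on the watchlist (HR issue, offboarding) get half the tolerance.
    """
    alerts = set()
    events = defaultdict(list)
    for line in log_lines:
        e = parse_event(line)
        events[e["user"]].append(e)

    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        req_limit = max_requests // 2 if user in watchlist else max_requests
        row_limit = max_rows // 2 if user in watchlist else max_rows
        start = 0            # left edge of the sliding window
        rows_in_window = 0
        for i, e in enumerate(evs):
            rows_in_window += e["rows"]
            # Slide the window forward until it spans at most `window`.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                rows_in_window -= evs[start]["rows"]
                start += 1
            if i - start + 1 > req_limit:
                alerts.add((user, "request_rate"))
            if rows_in_window > row_limit:
                alerts.add((user, "volume"))
            if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
                alerts.add((user, "off_hours"))
    return sorted(alerts)


if __name__ == "__main__":
    print(detect_exfiltration(API_LOG))
    print(detect_exfiltration(API_LOG, watchlist={"bob"}))
```

Without a watchlist, bob's 3,200 rows stay under the default volume threshold and only his off-hours access fires; once HR adds him to the watchlist the same activity also trips the volume alert. That is the point of the tip: the calls are all valid, so the thresholds have to move with the user's context rather than with the request's legitimacy.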
Email Auto-Replies Are Revealing Org Structure
Out-of-office messages often disclose team names, project scopes, reporting lines, and office hours—creating useful intel for phishing and targeting.
Enforce OOO templates. Remove sensitive role context and limit headers exposed in bouncebacks.