Spring Cleaning Your Digital Life: APT Threats, Third-Party Breaches, and Chat Risks

In this episode of Breaking Badness, we dive into the cybersecurity headlines making waves in 2025. We discuss the U.S. Treasury breach, allegedly orchestrated by Chinese hackers using third-party access. Learn about how lingering chat histories can expose sensitive data and the importance of digital spring cleaning.

APT for Two: Third-Party Breaches and the U.S. Treasury Hack

The first segment dives into the U.S. Treasury breach, where Chinese hackers reportedly accessed sensitive documents via a third-party service. As Tim Helming puts it, “It’s not just your own attack surface you need to worry about, but any entity with privileged access to your organization.”

  • Extended Attack Surface: Third-party providers, from software vendors to tech support services, can introduce vulnerabilities. As noted during the discussion, “Supply chain attacks like SolarWinds remain a significant risk.”
  • Attribution is Hard: Determining responsibility in cyberattacks isn’t always straightforward. The group discusses the challenges of attribution, with Taylor Wilkes Pierce humorously observing, “If someone stole your friend’s phone, everything you said 10 years ago could come back with no context!”
  • Best Practices: Regular audits of third-party access and implementing zero-trust principles can mitigate risks.

Resource Recommendation: Read more about supply chain attacks in SentinelOne’s blog here.

Spring Cleaning: Why Your Chat History Could Haunt You 

In the second segment, the team unpacks the risks of retaining old chat histories and how they could expose sensitive data.

  • Lingering Risks: Chats stored on platforms like Google Chat and Slack may seem harmless but can become a liability if accessed by malicious actors. As Taylor warns, “Those old G-chats from 2004 might still be lurking in your Gmail inbox.”
  • Data Privacy Concerns: Some messaging platforms use stored chats to train AI models.
  • Actionable Steps:
    • Use platforms with end-to-end encryption like Signal.
    • Set auto-delete features for older messages.
    • Regularly review your privacy settings on messaging platforms. 

Practical Tip: Consider encrypting and storing essential conversations locally instead of relying on third-party servers.

Gold, Guidance, and Grievances: Cyber Lessons for 2025 

The final segment brings a mix of advice, warnings, and optimism. Here’s what stood out: 

  • Grievance: Apple’s Siri was found to have “accidentally” recorded conversations, which led to a fine of $95 million. Tim expressed frustration, “Siri, don’t do that anymore, please.”
  • Guidance: Check your Chrome extensions for vulnerabilities. As Tim suggested, “Some popular Chrome extensions have been backdoored—if you’re a fan of extensions, make sure to review the list of compromised ones.” Resource: View the updated list of compromised Chrome extensions here.
  • Gold: Firefighting drones are now being explored as a lifesaving innovation. Tim marveled at their potential, saying, “When robots are doing things like fighting fires, I’m all for it.”


That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!