December 4, 2025 12 mins

A week where the lawful intercept backdoor became the front door, a supply chain hop hit 200+ companies, a bargain app faced a malware lawsuit, and a university breach turned into a donor-targeting roadmap. We share simple moves to lower risk fast and set guardrails that actually hold.

• Salt Typhoon abusing CALEA at major US telecoms
• Negligence, unpatched routers and weak passwords
• Why SMS is transparent and how to switch to Signal
• Kill SMS 2FA and use authenticators or YubiKey
• Gainsight-to-Salesforce island hopping at scale
• Audit connected apps and revoke stale API keys
• Arizona AG lawsuit calling Temu malware
• Shop via browser sandbox and use masked payments
• UPenn donor data leak and Oracle exploit
• Whaling protections with voice verification and data scrubbing
• Practical recap: trust nothing, verify everything

Please follow us or subscribe on your podcast app, and watch the video on our YouTube or at theproblemlounge.com. If you have topics or guest ideas, we would love to hear from you.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (01:29):
Alrighty then, ladies and gentlemen, welcome back to another episode of Privacy Please. I am your host, Cameron Ivey, and this week I got some new, uh, new updates for you. The theme? The red line. Now, before we dig into today's episode, a quick reminder that

(01:54):
we are building a community here dedicated to navigating these complex and digital issues. If you are listening on a podcast app, please take a second, go follow us, subscribe, please. It, uh, it does so much to help get us out to more listeners. And for the video version of this discussion, head on over to our YouTube channel or our website, theproblemlounge.com,

(02:19):
to find all our links. With that being said, let's get into it. We finally learn that Chinese hackers didn't just break into our phone networks, they turned our own law enforcement tools against us. We also have the Arizona Attorney General officially calling a popular shopping app malware, a supply chain attack

(02:41):
that island hopped into 200 major companies, and a university breach nightmare that just won't end. Trust absolutely nothing this week, people. Let's get into the chaos, shall we? Alright. First, we have to start with one of the most critical stories of

(03:02):
the year. We've heard whispers about Salt Typhoon for weeks now, but on Tuesday, the Senate finally tore the lid off during a hearing, and it is worse than any of us thought. It's confirmed that this Chinese state-sponsored group successfully penetrated at least nine major US telecom providers.

(03:25):
We're talking like all the big ones: AT&T, Verizon, Lumen, etc. They didn't just steal customer data, they accessed the CALEA systems. That's the system telecom companies are legally required to build so police can conduct court-ordered wiretaps.

(03:46):
The impact here, well, the hackers turned this system around and used it to track the real-time location of millions of Americans, record phone calls, and read text messages. They essentially used our own backdoor against us. Let's talk about the pizza moment here. If you want to know how this happened, it wasn't some Mission

(04:06):
Impossible hacking, it was negligence. Investigators found routers that hadn't been patched in seven years. They found weak passwords protecting critical infrastructure. Deb Jordan, a former FCC official, dropped the mic during the hearing. She said, ordering a pizza sometimes requires two-factor

(04:27):
authentication. Why are our providers not implementing these basic hygiene practices? Now, here's the part that should make you a little angry. A little bit. Despite losing our private calls to a foreign adversary, the telecom industry used the hearing to fight against new regulations. They argued that voluntary measures are enough.

(04:49):
Think about that. If a bank lost all of your money, we'd regulate them. But when telecom loses the privacy of the entire nation, they want to self-regulate. So what can you actually do when a carrier is compromised? First of all, stop trusting SMS text messages.

(05:11):
Salt Typhoon proved that SMS text messages are transparent to hackers. Move your sensitive chats to end-to-end encrypted apps, like Signal. Second, kill SMS two-factor. If your bank sends you a code via text, a hacker monitoring your line can see it. Switch to an authenticator app like Google or YubiKey

(05:33):
immediately. It bypasses the phone network entirely. Moving on to the corporate world, if you work in sales or customer success, listen up. We have a massive supply chain attack unraveling. Hackers compromised a company called Gainsight. Gainsight is a tool that plugs directly into Salesforce.

(05:56):
We're all pretty familiar with Salesforce. Yes, moving on. It has deep privileged access. Now, the attack is basically made by breaking into Gainsight. Hackers use that connection to island hop into the Salesforce instances of over 200 major companies. Now, here's where it gets a little juicy.

(06:16):
This is the nightmare scenario we always talk about. These companies locked their front doors, but they gave the key to the side door or the back door to a third-party vendor. Surprise. Look, if you run, if you run a business and you're listening to this, you need to audit your connected apps.

(06:38):
Go into your settings and look for old vendors you don't use anymore that still have API access. Revoke them immediately. Treat those connectors like keys to your front door. If you change the locks, you have to get the keys back. Next up, a story for anyone who loves a bargain, I would say.

(06:59):
The Attorney General of Arizona, Kris Mayes, dropped a bombshell lawsuit this week against Temu. You know, Temu. Can we still joke about Temu after something like this? I think so, absolutely, yes. So, anyways, the accusation is that she isn't just saying they have bad privacy policies, she is effectively calling the app

(07:20):
malware. So the claims are that the lawsuit alleges the app is designed to bypass your phone security settings. It accuses Temu of accessing your microphone, camera, and the location, even when you think you've restricted it. That's a big red flag. Huge. The AG said it can detect everywhere you go, to the

(07:42):
doctor's office, to a public library. The scope of this invasion of privacy is endless. So here's a few tips. Delete that app now. Number one. But if you must shop there for cheap stuff, use the browser instead. Don't use the app. Don't install the app. Use the website on your browser.

(08:03):
Something safe like Safari or DuckDuckGo or the Duck Duck One, I think it's DuckDuckGo. We're not sponsored, but, uh, you know. We're here. So what it does is it sandboxes Temu so it can't touch your other apps or contacts. Also, use a burner card. Never give them your real debit card number.

(08:24):
Use a service like privacy.com or Apple Pay to mask your financial info. And finally, we have an update on the nightmare at the University of Pennsylvania. And folks, it's a double whammy. That's with a big H. A whammy. So a few weeks ago, UPenn got hit by a phishing attack that

(08:46):
exposed their donor database. Donor database. This leaked wealth screenings. These are estimates of donors' net worth, property values, and even demographic info like religion. The new breach, as if that wasn't enough, UPenn confirmed this week they were hit again, this time by a vulnerability in

(09:07):
Oracle E-Business Suite. So here's the reality, guys and gals. Attackers now have a roadmap of high net worth targets. They know who you are, how much you're worth, and likely your email address. Ooh, everybody has everybody's email address today. But here's some tips.

(09:28):
So if you are rich as all, and you're listening to this podcast, hey, thanks for your time. And donations are welcome. Seriously. Anything to help. So, anyways, tips.

(09:50):
This creates a specific threat called whaling. So phishing, phishing that targets wealthy individuals, not just elderly. If you are a high net worth individual listening, or you know someone, tell your family, office, or bank that no wire transfer leaves the account without verbal voice

(10:10):
confirmation from you. No emails, no text. Scrub your data. Use a data removal service like DeleteMe or Optery, not sponsored again, but just thank one couple that just popped off my head. If hackers know you're rich, you want to make sure it is hard, it is as hard as possible for them to find your home address and

(10:32):
cell phone, um, and cell phone number online or whatever. So to recap, the phone company hasn't patched its router since 2018. Your shopping app might be malware, and your vendor just let hackers into your Salesforce. Trust nothing, verify absolutely everything.

(10:53):
Um, real quick, uh, episode. This, this was just, uh, um, a fun one for me, but if you guys have topics, anything you want me to cover, any stories you want me to dig into, would love to hear from you, any guest ideas. Um, we're hoping to have so many big things coming to you in 2026. So, again, I know there's a lot of podcasts out there.

(11:15):
Thank you so much for listening to this one. Seriously, it means a lot. I've been doing this for a long time and I really enjoy this, so I hope you do too. Um, so again, thank you for listening to Privacy Please, and please stay safe out there and have a wonderful holiday season, everyone. We'll see you guys in the next one. Cameron Ivey. Over now.
© 2025 iHeartMedia, Inc.