Smashing Security

A 23-year-old radio enthusiast spent £300 on a piece of kit from the internet, and used it to bring four packed high-speed trains to a screeching halt. His defence in court? Possibly the most creative excuse we've heard all year.

Meanwhile, owners of $4,000 robot lawnmowers are discovering that their gadget can be hijacked over the internet, redirected at journalists who foolishly lie down in front of it, and used to harvest Wi-...

Welcome to the largest educational data breach in history - affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas's parent company refused to pay and announced they had deployed "security patches" instead, the hackers were less than impressed. So they came back through the cat flap.

Meanwhile, a famous finance expert's face has been showing up on Facebook ad...

Meta's smart glasses promise privacy "designed for you" - but everything they record was being beamed off to workers in Nairobi to label by hand. When those workers blew the whistle, Meta sacked all 1,108 of them.

Meanwhile, the IT press is in a frenzy over a new Linux bug called "Copy Fail" - complete with logo, dedicated website, and a marketing-friendly name. But is it really the disaster everyone's making...

A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of organisations. All for some free in-game currency.

Meanwhile, there's a 1980s phone protocol called SS7 that lets shadowy surveillance companies track anyone, anywhere, via their mobile phone. Gove...

A company that ran anonymous tip lines for 35,000 American schools - handling reports of bullying, weapons, and self-harm - boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results...

Meanwhile, Rockstar Games gets hacked again - and the stolen data turns out to be less embarrassing than the financial sec...

A hacking group claims to have broken into the flood defence system protecting Venice's Piazza San Marco - and is offering to sell access to whoever wants it. The asking price? A frankly insulting $600.

Meanwhile, Anthropic accidentally leaked the source code for Claude Code via a basic packaging mistake. Oh, and by the way, they've also just revealed they've built an AI model called Mythos that can find and chain togeth...

LinkedIn has been secretly scanning your browser for over 6,000 installed extensions — on every single click you make. It can tell if you're job hunting, what religion you are, and whether you have ADHD. And none of this is mentioned anywhere in their privacy policy.

Meanwhile, California's crypto millionaires are learning that no amount of encryption can protect you from someone who knocks on your door pretending to deliver...

A cannabis-growing, beekeeping, gyrocopter-flying Irishman invested his drug money in Bitcoin back in 2011 - and now sits on a fortune worth $400 million. There's just one small problem: the access codes were tucked inside his fishing rod case, which has mysteriously vanished. Or has it? Because this week, one of his frozen wallets suddenly woke up and moved $35 million - and someone had to identify themselves to do it.

Meanwhil...

A disgruntled data analyst decides that the best response to losing his contract is to steal the entire company payroll database and demand $2.5 million in Bitcoin - signing his extortion emails from a company called "Loot."

Meanwhile, two people drive up to the entrance of the UK's nuclear submarine base at Faslane and politely ask if they can have a look around. Tourists? Spies? Something in between?

Plus: Female Muslim...

In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg - involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous techie could have this happen to you, can you be sure you're immune?

Plus: would you donate your lifetime medical history to science if you were promised anonymit...

A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn't stirred since 2024 - and within minutes, giant woodpecker images are plastered across the internet's favourite encyclopaedia.

Meanwhile, a crypto contractor hired to help the US Marshals manage seized digital assets allegedly decides to help himself to $46 million of it - and then brags about it on a recorded Telegram call.

Plus: Graham cha...

When a top cybersecurity firm discovered it had a leak, you would expect the FBI to be called. Instead, the person put in charge of the investigation was the actual leaker... who promptly sent an innocent colleague into a career-ending ambush.

In this episode, we unravel the jaw-dropping tale of a defence contractor caught selling zero-day exploits to a Russia-linked broker.

Plus: are nation states quietly poisoning AI models to bend...

When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email - they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI porn, and tampered with parts of their own archive to smear the blogger's name.

In this episode, we unravel how a website designed to preserve history may have t...

Could America turn off Europe's internet?

That’s one of the questions that Graham and special guest James Ball will be exploring as they discuss tech sovereignty. Could Gmail, cloud services, and critical infrastructure really become geopolitical leverage? And is anyone actually building a Plan B?

Plus we explore if Meta is quietly plotting to turn its smart glasses into face-recognising surveillance specs? With reports of intern...

AI bots are having existential crises, inventing religions, and allegedly plotting against humanity... or so the internet would have you believe.

We dig into Moltbook, the “AI-only” social network that sent Twitter into a meltdown, attracted breathless talk of the singularity, and turned out to be far less Terminator and far more humans role-playing as bots.

Plus we discuss why "vibe coding" your app might be a catastrophical...

Supposedly redacted Jeffrey Epstein files can still reveal exactly who they’re talking about - especially when AI, LinkedIn, and a few biographical breadcrumbs do the heavy lifting.

Sloppy redaction leads to explosive claims, and difficult reputational consequences for cybersecurity vendors, and we learn how trust - once cracked - can be almost impossible to fully restore.

Elsewhere, the spotlight turns to insider threat in the age o...

In episode 452, a London-based YouTuber wins a landmark court case against Saudi Arabia after his phone was hacked with Pegasus spyware — exposing how a single, seemingly harmless text message can turn a smartphone into a round-the-clock surveillance device.

Plus, we go looking for professional hitmen online - only to uncover uncomfortable questions about why some crimes attract customers but very few complaints.

All this and more is...

In episode 451 of "Smashing Security," we meet the cybercriminal who hacked the US Supreme Court, Veterans Affairs, and more - and then helpfully posted screenshots (and even someone’s blood type) on an account called "I hacked the government."

Plus we discuss how researchers uncovered a creepy flaw that lets attackers hijack wireless headphones, listen in on calls, inject audio, and even turn your earbuds into a sta...

Confusion reigns after claims that data linked to 17.5 million Instagram accounts is up for sale - sparked by a vague post, contradictory statements, and a flood of password reset emails nobody asked for.

And we dig into Grok, Elon Musk’s AI chatbot, after it started generating sexualised images of women and children - raising uncomfortable questions about guardrails, accountability, and why playing the censorship card doesn’t make ...