Silent Mode Cafe

PayPal Leak, Phishing Kits, And You

Headlines about PayPal data exposure, a sprawling third‑party breach at Conduent, and a new phishing kit called Starkiller can feel like distant noise—until your details show up in a letter you did not expect. We pull the curtain back on how back‑office processors, data brokers, and AI‑powered tools create real‑world risk, then map out the habits that keep your identity and money one step ahead of the mess.

We start with the PayPal working capital loan app bug that exposed sensitive data, including Social Security numbers, and the Conduent breach affecting at least 25 million people tied to payroll and benefits systems. From there, we zoom out to the broker ecosystem: why lawmakers are connecting billions in identity theft losses to broker breaches and how opt‑outs are often buried by design. You’ll hear a practical checklist for shrinking your data surface—state privacy portals, quarterly broker sweeps, real‑time bank alerts, and SIM PINs that blunt port‑out attacks.

Phishing has also leveled up. Starkiller can mirror real login flows and siphon session tokens, making “spot the typo” advice obsolete. We walk through a three‑step workflow that works even when the page looks perfect: start at the app yourself, require passkeys or an authenticator, and verify alerts by switching channels. We also unpack the risk of ambitious AI agents and connectors like the widely discussed “OpenClaw” idea—why least‑privilege access, dummy data, and clear data boundaries matter before you hand over your inbox, calendar, and cards.

The throughline is simple: trust but verify. Bugs happen, vendors get breached, and scammers adapt. Your routine decides the outcome. Freeze your credit if you have not already, turn on MFA for email and banking, and add instant alerts for money movement. Then tell a friend. If this conversation helped, follow the show, leave a quick rating, and share your one action for the week so others can copy it.

Opening And Weekly Headlines

SPEAKER_02

Hello everyone. Welcome back to Silent Mode Cafe, your weekly coffee about privacy and security. Minus the Doom. I know we've been doing it.

SPEAKER_00

Minus the Doom. Yes. We don't want the Doom to. There's enough of that happening right now. The dooms and the booms. Lots of booms. Um, so this week there's a lot going on, Vivek. Uh PayPal bug that exposed a lot of sensitive information. So if you're a user of PayPal, listen in. Massive, huge Vivek. Uh, third-party breach impacting millions of people. A new era. Look at that. We're in the age of AI. A new era phishing kit that can fool even careful people. And that's an interesting one. And why data brokers are back in the spotlight? Let's get into it.

PayPal Loan App Data Exposure

SPEAKER_00

So new era. A new era. It's an interesting one. So let's kick that off with PayPal. Uh working capital loan app exposure. So there's a software error exposed personal data, including social security numbers, for months.

SPEAKER_02

This was a PayPal working capital loan application. Yeah.

SPEAKER_00

So it's part of PayPal. Associated with PayPal or a function of PayPal.

SPEAKER_02

Conduent reported that there was a breach. And the report cites at least 25 million subscribers are affected across states tied to the back office service provider. They process things like payroll, et cetera.

SPEAKER_00

Conduent. So another one, the data brokers. So, folks, if you remember what data brokers are, these are the companies that collect data and sell data about you in particular. Lawmakers connect identity theft losses to major broker breaches and call out opt-out obstacles, meaning it's really difficult for you and I right now to opt out from being uh a part of the data brokers' collections, right? Um, and there's an estimated of 20.9 billion of people's data exposed.

SPEAKER_02

And there's a new phishing kit called Starkiller. When I read it, I was like, is this related to you know Starship or something from SpaceX? No.

SPEAKER_01

Yeah, no.

SPEAKER_02

Completely different. So this is a Starkiller phishing kit, which mimics real websites so well that you know it makes scams harder to stop, uh harder to spot.

SPEAKER_00

So uh so you just mimic actual websites that we use on a day-to-day on a daily basis. Interesting.

SPEAKER_02

And steal your credentials, and it's really tough to find out if it's real or fake. It's a whole kit. Apparently.

SPEAKER_00

So, folks, if you go to Vegas um and you stayed at the Wynn, there's good news your data's fine. But the Wynn Resorts employees have had a data theft. The company confirmed that employee had taken some data, we they don't know what yet, after an extortion threat. So really interesting there. There's a lot of stuff going on with Vegas, pickpocketing, you know, these things that they've set up, these mass organizations that they've set up called casinos to take your money, and now your personal data as well.

SPEAKER_02

Therefore, always use cash and use your nom de guerre.

SPEAKER_00

Yeah, yeah. Go to go to Vegas and just use cash. Yeah.

SPEAKER_02

Your name is Bond. Or what's the new one? I don't know what the new uh fintech Figure, the name of the company Figure. There's a breach of 900,000 emails, which was the data was posted online. Company says it stemmed from social engineering.

SPEAKER_00

Goodness, someone called, and I wonder what kind of social and phishing attack. That'll be interesting. We'll have to dig into that one. That's interesting. Yeah, but Figure is a very small organization, FinTech. So 900k emails, that's like their entire base.

SPEAKER_02

I'm surprised, like socially engineering someone to give me 900,000 emails.

SPEAKER_00

I wonder if AI was involved. So Optimizely breach um after a voice phishing attack. So attackers tricked someone. Speaking of uh social engineering, an attacker tricked someone over the phone to get access to some back-end systems, apparently.

SPEAKER_02

And then the good old thing about FTC, the Federal Trade Commission and age verification, there's been a shift in policy and there's some debate about it in terms of safety versus privacy handoffs. I'm assuming the FTC is losing some regulations that's causing this uh this foreign uh you know debate.

SPEAKER_00

So about age verification, yeah, that's interesting. Look, I'll tell you, man, people need to understand balancing security and privacy is a very, very, very interesting world. So check this out, Vivek. AI agent tool vulnerability, ClawJacked. Have you heard of ClawJacked?

SPEAKER_02

Yeah, it's uh what is that AI tool that's become really popular right now? Claw something. I'm forgetting what it's called, right? It's skipping my mind.

SPEAKER_00

Mulbot? No. No. They it man the thing went through OpenClaw. OpenClaw, yes. Yeah, yeah, yeah. The way I remember that is they got they first they started with ClaudeBot, and Claude went after them and said, you can't use our name. So they went to Moltbot, and no one knew what the hell a Moltbot was. So they ended up with both OpenAI and Claude in their name, and they just called it OpenClaw.

SPEAKER_02

OpenClaw. They call it OpenClaw.

SPEAKER_00

They dropped the D. But we all know what they were doing. Yeah.

SPEAKER_02

So they're just it's rife with security issues. OpenClaw. Horrible.

SPEAKER_00

It's finally been exposed. People are onto the fact that, hey, this is dangerous. You shouldn't give this thing access to your entire life. We should take a minute and just explain to people what that is in case they're not familiar with it.

SPEAKER_02

OpenClaw is this agent that you can build which can connect all your applications together and provide you a summary of what's going on in your life in the beginning of the day.

SPEAKER_00

And it will book your your plane ticket and your and your hotel for you. Like it had some cool functionality.

SPEAKER_02

But the issue is that it's full of security holes.

SPEAKER_00

Yeah, you're giving it access to your whole life.

SPEAKER_02

Because some of the quote unquote connectors and plugins that you're using are open source and people are really stealing your data while doing it.

SPEAKER_00

Yeah.

SPEAKER_02

So it's rife with security holes.

SPEAKER_00

I just don't know how anyone is comfortable giving access to an application to their entire email inbox.

SPEAKER_02

And they thought that was a good thing. Yeah. Email, Reddit, Discord, news, bank accounts, credit cards.

SPEAKER_00

What are you thinking? Don't do that unless it comes from Silent Mode Cafe.

SPEAKER_02

All right. Then hackers are adopting AI-powered attack tooling.

SPEAKER_00

Surprise, surprise.

SPEAKER_02

We just talked about OpenClaw and ClawJacked.

SPEAKER_00

They're using AI-powered attack tools, Vivek. Tell me more. Well, OpenClaw and ClawJacked is an example.

SPEAKER_02

Claude Code makes it so easy to create.

SPEAKER_00

So in the UK, jumping to our little jumping over the pond, so to speak, Imgur was fined in the UK for handling children's uh data. That's really interesting. Go UK. Children's data is supposed to be off-limits. Like, you know, you don't want any of the applications that your school uses that are AI applications to store your kids' personal data. We talked about this in the past. That's not a good thing. And UK must have caught somehow. I don't know exactly the details. We can look into it if you want. But Imgur was fined for handling children's data. Who knows what they did with it?

SPEAKER_02

And in the last piece of news on the quick fire. While we'll stir while while we're quickfire, yes. NATO approves the use of iPhones and iPads for certain restricted information. Yay, NATO. Welcome to 2026. Who were they using before?

SPEAKER_00

So they're trusting mobile security. That's the that's what they're saying.

SPEAKER_02

I was so I was giving a cynical answer. I guess they were using Nokias before.

unknown

Yeah.

SPEAKER_02

Huawei. Oh, that's a low one. I don't think NATO approves that comment. Yeah. They'll be very unhappy with us.

SPEAKER_00

So check this out. So PayPal's loan app bug exposed sensitive data, right? Yes. So there's a software error in PayPal's working capital loan application that exposed sensitive customer information, such as your social security number. Clearly, you need that for a loan. For a long window in 2025, undisclosed window, but a few months, and customers are now beginning to get notification.

Third‑Party Breach At Conduent

SPEAKER_00

So I probably should open up my LifeLock because I just got dinged 20 times this week. And this isn't your basic, your password was leaked info, unfortunately. This is the kind of stuff that data scammers use to pretend to be you. That data was exposed. So here's what you should do: turn on account alerts, email, and add push notifications for logins and any kind of money movement. Like if you have the ability to freeze your credit right now, freeze your credit. If you don't have the ability to freeze your credit and you use PayPal, sign up for an application that allows you to freeze your credit. I think there's many out there, some paid, some free. I think Experian gives you the option to do it for free. I know LifeLock, um, and there are a few others that allow you to do it for free.

SPEAKER_02

I think they all do now, Equifax.

SPEAKER_00

They all do it, give you an option. Equifax, Experian, TransUnion, all of them.

SPEAKER_02

They do. I think by law they have to now.

SPEAKER_00

Yeah, that's uh that's massive, folks.

SPEAKER_02

And you might not have heard of Conduent, but they do a lot of the back office work, like think of benefits. Healthcare administration, like FSAs, HSAs, toll systems, HR systems, they got breached, impacting at least 25 million plus people. It's ballooning. And I did get a letter from Conduent, and I like, what? Who are these guys? And then I had to go back. So uh you if you've been affected, you'll get a letter, you'll be one of the 25 million unfortunate ones, such as myself. So what can you do? Well, to Salah's previous uh previous uh suggestion, uh please monitor your credit. Please treat mailed breach notices seriously, even if you've never heard of the company, which is exactly what happened to me. And then put extra protection around your social security numbers, date of birth, please freeze your credit, tighten bank alerts, set up two-factor authentication, and be skeptical of phone calls claiming to be someone that you might know trying to extract more cash from you because your data is out there.

SPEAKER_00

So that's crazy. So many people, Vivek, they never use these applications.

SPEAKER_02

No, they're like a third, yeah. It's someone else, yeah. So they're just a processor in the back end. Interesting.

Why Data Brokers Matter Again

SPEAKER_00

Speaking of processors in the back end, let's talk about data brokers. So the lawmakers tie breaches to 20.9 billion in identity theft losses. Um a Joint Economic Committee minority report estimated over 20 billion in consumer losses tied to identity theft from four major data broker breaches, following reports about brokers making opt-out tools harder to find. That's absolutely true. Look, folks, um, data brokers are the background radiation of modern life, right? Everything that you do on the internet, on your phones, it's all being quietly collected. I'll go a step further. Everything that you're saying and doing around your phone and your Alexa is also being collected. The organizations collecting this data are called data brokers. So when they get breached, it's not just one app, right? It's a lot of information. It's our entire profile. It's everything. Yeah, you're right. It's your whole profile. So what do you do about that? Well, if your state offers a data broker opt-out tool portal, use it. And I believe California has one through California Consumer Privacy Act, CCPA.

SPEAKER_02

CCPA does it.

SPEAKER_00

Right. So look that up, look for data broker opt-out, and you could use it. There's some services out there that actually just clear your data that's online. Uh, those are all paid for. Do a top five broker sweep quarterly. Like remove your data everywhere that you can. These applications, you could do it manually. You can pay for an application to just clean your data, right? Make your phone number harder to SIM swap. Like add a PIN to your phone number. That actually really helps. So everything around just tightening down yourself is really helpful here if you don't want your data to be collected and tracked.

unknown

Wow.

SPEAKER_02

That's huge.

SPEAKER_00

That's a big one.

SPEAKER_02

It's about $21 billion worth of identity theft losses.

SPEAKER_00

Yeah, $21 billion. I at first I mistook that to $1 billion people's identity. I was like, that's the whole world, plus some plus some aliens.

SPEAKER_02

Sprinkle some aliens.

Starkiller Phishing Kit Explained

SPEAKER_00

Tell me more.

SPEAKER_02

Oh, there is Starkiller, which is a phishing kit with a P, not with an F. It's the scam emails have just got have become more convincing. So researchers have found a phishing kit that can show you a real login page while secretly capturing session access. So even people who check spelling and branding can get tricked. This is wild. So this is the looks legitimate era of phishing. Now your best defense is process, not eyeballing. So things just got more complicated. So don't log in from links. Got it. If you didn't start at the app site yourself, don't enter credentials. Turn on passkeys where available or an authenticator app. So two-factor authentication. And if you get a security alert, open the app directly and check there. So coming to the first point, don't log in from links.

SPEAKER_00

Much like the feedback that we gave everyone about how to tell if it is a scam or not. If UPS sends you a link, says track your order, go directly to the UPS site and put in that order number versus clicking that link. This is along the same lines. Yeah. Interesting. Let's dive into a topic here. The phishing proof your life, Vivek, just to keep that going. Let's make this easy. Phishing isn't a tech problem. Like you were just saying, it's a workflow problem.

SPEAKER_01

And there's three steps.

SPEAKER_00

It's a pro or a process problem, right? Scammers want speed. They don't want you to slow down. They want you to use their links. They want you to use everything they provided you because that's the path they're trying to take you to get your data, right? So switch channels. As Vivek said, jump directly to the app. Um, maybe if you got a text, call the number on the back of your card. So if you get a text from your favorite bank or credit card, call them. See if it's real. Lock the doors, right? So imagine your house, your digital house is where all your crown jewels are. So lock those doors. Add multi-factor authentication, plus alerts, use a password manager. All these things matter because as Vivek was saying, if they give you a link and it looks like the legitimate Bank of America website, which now they can do in seconds and make it look incredibly efficient with all the click-throughs. The one thing that they can't do is tie it back to your passkey, right? So your multi-factor. They can't spoof a multi-factor push. So you have to turn these things on. That stops them in their tracks and it helps you avoid these phishing attacks.

SPEAKER_02

So we have some questions, I guess.

SPEAKER_00

Yes, yes, Vivek. How about I ask them, you answer them. All right.

SPEAKER_02

You answer, you answer. I'll do one, you do one. How about that?

SPEAKER_00

We'll see. We'll see. You're better at answering these. If my social security number was exposed, is it doom and gloom?

Vegas, Wynn, And Insider Theft

SPEAKER_02

No, it's not doom and gloom, but do the boring, powerful things. Uh like you said earlier, freeze your credit, have account alerts for suspicious activity, and be skeptical of calls and texts using personal details. So please continue being vigilant, whether we like it or not. I think all our social security information is out there one way or the other. So if you haven't frozen your credit yet, please do that. Please set up account alerts.

SPEAKER_00

Yeah, that's fair.

SPEAKER_02

The second question, uh, Salah, is how do I tell if a message is real?

SPEAKER_00

Yeah, look, there's ways you can tell if a message is real. Sometimes the messages themselves, they just look fishy. But we're uh as Vivek mentioned earlier, we're in this world where everything looks real now. And simply trying to look for a misspelled website or a poorly navigated website isn't the way to do it. The best way to do it, so let's say you receive a text from UPS or Bank of America or whatever airline you travel with, go directly to their website. And if whatever information they sent you to say your flight is late, your bank information has changed, whatever, go directly to that website, log in, hopefully use multi-factor, and you will find that data there, or you won't, and it's not real.

SPEAKER_02

So some key takeaways as we end this uh this part this podcast. The theme this week was based on trust but verify. It's the good old Ronald Reagan saying, which is still applicable from the 80s, which was last century for some people.

Fintech Email Leaks And Vishing

SPEAKER_00

Zero trust, my friend.

SPEAKER_02

So trust but verify. Bugs happen, vendors get breached, and scams evolve. Yes. But your habits can stay one step ahead.

SPEAKER_00

Look, I know this stuff sounds like a lot to do, but just pick one thing today. Just if you haven't done anything for security, pick one at one of these things. Figure out how to freeze your credit. Do that. If you've already done that, fantastic. Turn on multi-factor on maybe three of your most important accounts: your email, your bank, whatever it may be, right? Just pick one thing to do once a week and just get it done, and you'll be fine. Thanks, David. Thanks for listening.