Smashing Security podcast #450: From Instagram panic to Grok gone wild

But you know what Monica, they don't care.

I know and that's the problem, but we have to—

There's only one thing that they care about, profit. And therefore we should be putting pressure on the companies which advertise on these services and saying do you really want to be there? Smashing Security episode 450, from Instagram panic to grok gone wild, with Graham Cluley and special guest Monica Verma. Hello, hello and welcome to Smashing Security episode 450. My name is Graham Cluley and I'm Monica Verma. Hi, Monica. First time on the show. Thank you so much for joining us today. Monica, if there's anyone listening to Smashing Security who hasn't encountered you before, can you quickly sum up who you are and what you do?

Yeah, absolutely. I'm a former CISO. I've been in this industry for more than 20 years. I started my journey as a hacker and then went into risk management and then became a CISO. I am still a hacker because it's a mindset more than just, yeah, absolutely, yes. I truly believe that.

A good hacker, right? You're not one of those baddie hackers.

No, absolutely. A white hat hacker. A good hacker. Never actually hacked criminally because you can act illegally, but that's not what I do. I've been paid legally to hack. Products and systems and healthcare and trains and whatnot. And it's been really, really fun.

Hang on, you just said that you've hacked trains. What's that all about?

Because I used to work for Siemens and we were allowed to hack all our products. And then, you know, Siemens has these PLCs and logic boards that run trains. And so one of my colleagues and I, we were invited to actually hack trains to really hack the logic. So it was really, really fun.

Well, before we kick off, let's thank this week's wonderful sponsors, Mita and Vanta. We'll be hearing more about them later on in the podcast. This week on Smashing Security. We won't be talking about how pro-trans activists brought down a right-wing group's website and leaked the names of their donors. You'll hear no discussion of how a man has been charged after he was allegedly hired to hack the Snapchat account of female athletes. And we won't even mention how a hacker has leaked the database of well-known cybercrime forum Breach Forums, exposing the details of hundreds of thousands of people. So, Monica, what are you going to be talking about this week?

I'll be talking about unpredictability in the world of AI. I'll be talking about AI governance, a bit about guardrails.

And I'll be giving you 17 million reasons why you might be playing password reset roulette with your Instagram account. All this and much more coming up on this episode of Smashing Security. Well, let's take a moment now to thank one of this week's sponsors, Mita. Now, if you've ever worked in IT and especially networking, you'll know when the network's working, nobody notices. When it isn't, everybody notices. The problem is that most business networks are a mess of different providers, tools, dashboards, contracts, and crossed fingers. And somehow, despite all that complexity, they're expected to be fast, secure, reliable, and magically fix themselves. And that's where META comes in. META builds networks from the ground up. They deliver a complete, full-stack networking solution, wired, wireless, and cellular, all as one integrated service. And this is genuinely full-stack. META designs the hardware, writes the firmware, builds the software, manages the deployment, and runs the support. They even take care of things like ISP procurement, routing, switching, firewalls, VPNs, DNS security, SD-WAN, and multi-site networking. In other words, fewer vendors, fewer dashboards, fewer who owns this problem conversations, and far fewer late-night panic attacks. Meters approaches about real control, proper visibility, and networks that behave themselves. And for IT leadership, it means something almost mythical in networking, predictability. If you're responsible for keeping the business online, you really should check out Meta. So go to meta.com slash smashing to book a demo now. That's M-E-T-E-R dot com slash smashing. And thanks to Meta for supporting the show. Now chums, in recent days we have witnessed a masterclass in corporate communications. And by masterclass what I really mean of course is a complete and utter shambles. So we've seen some shambles before of course. Way back in mid 2024 CrowdStrike, they pushed out a dodgy update didn't they, caused millions of Windows computers to blue screen of death. Flights were cancelled, hospitals not able to look up their records. It caused mayhem, didn't it?

It did. It absolutely did. And one of the craziest things that happened in that incident, there was not just an uproar, nothing was working, flights were cancelled, people were stranded. But people were debating whether it's an IT incident or should be classified as a security incident. Should we be even talking about it in cybersecurity industry or not? Which to me was very interesting. I'm like, what do you mean? IT is a part of security. You know, you talk about people, tech and processes. Tech is one third of that. So why would we not be talking about it?

So that was an utter shambles. I remember another shambles which happened at Facebook. They accidentally disconnected their data center from the internet in October 21, causing mayhem not only to Facebook, but also to Instagram. And that meant that employees also couldn't get into their buildings to fix it because apparently the door access systems ran on Facebook's own network. And they had to go and grab some angle grinders to get into the building to go and sort out their systems. So there are huge shambles, huge cock-ups which happen. And this week, well, it's not an omni-shambles of such epic proportions, but still far from ideal. So let me tell you what's been happening in the last few days. And it all started when antivirus outfit Malwarebytes posted on Blue Sky that cybercriminals had stolen sensitive data related to 17.5 million Instagram accounts. We're talking usernames, addresses, phone numbers, the full caboodle. 17 million? That's crazy. 17 million. That's pretty bad, isn't it? And what they said, Malwarebytes in their post up on Blue Sky, is this data is available for sale on the dark web and can be abused by cyber criminals. And that was it. That was their whole post. It was alongside an image of an email from Instagram claiming to be a password reset request. So there were no details about when the breach had happened or how it happened or where the researchers at Malwarebytes had found out about this. Just 17 and a half million accounts compromised, data for sale. Good luck, everybody. And at the same time as this was going on, people were flooding onto Reddit wondering why they had received a barrage of Instagram password reset emails that they had not requested. You wonder why. Yeah, exactly. It's well, duh, maybe there's a reason, maybe there's a connection here. One person said, is someone trying to hack me? Well, Instagram, of course, had to respond to this. And so they hopped onto Twitter. Not Instagram, not threads.

Wait, Instagram hopped onto Twitter? Yes. That's interesting.

Isn't it? They went to a platform owned by their direct competitor. They didn't post. Unbelievable. Maybe they're thinking if people are locked out of their accounts, they're not going to see this post on Instagram. So we'll try on Twitter instead. But they announced that they had fixed an issue that let an external party request password reset emails for some people. And they gave some advice. Instagram said, you can ignore those emails. Wow. Sorry for any confusion. So nothing to see here. Move along, please. Because that's what you want, isn't it? Someone saying, oh, don't worry about that. So imagine you're on a jumbo jet and the pilot comes over the tannoy and he cheerily says, oh, just ignore that wing falling off. Sorry for any confusion. You can ignore that. People obviously are going to panic. They're thinking, well, what do you mean? What do you mean? What's happened? Right? You would understandably, wouldn't you? No, absolutely. Now, according to some media reports, someone is trying to flog a data set of some 17 million Instagram records. They're doing it on, effectively, it's an underground coffee shop. It's a cyber criminal site. We've talked about it many times on this podcast. Breach forums is the marketplace where this data is apparently being sold. That person who's selling the data claims the data comes from an API leak back in 2024. Now, some observers reckon that Malwarebytes mentioned this 2024 connection in an email to their paying customers, but it wasn't in their public blue sky post. So we've got breadcrumbs of information scattered across multiple sources. We've got Reddit. We've got private emails from Malwarebytes to their customers. We've got public posts from Malwarebytes. We've got Instagram's Twitter post as well. All of these things, none of which are quite matching up. Because Instagram is saying there hasn't been a breach. But if you notice the careful wording they use, they say there was no breach of our systems. They're not saying there has never been a breach of our systems or this data isn't legitimate. They're just saying this specific incident with the password reset emails wasn't a breach. And that rather conveniently sidesteps the question of whether there was a breach, say, back in 2024.

What's interesting about this is, Graham, when I'm talking about cybercrime, I give a lot of keynotes. And I'm mentioning that the organized crime in the dark web has become a bigger and bigger corporation, an underworld corporation than ever before, right?

Yes, it's properly organized. It's properly organized. This is an industry. It's an industry,

exactly. And I remember saying that they're the entrepreneurs that have gone to the dark side. They are finding always clever ways of not just making the buck. And in all the studies that I've seen over the last, 20 years, I may say, almost always financial gain is the number one motivation, followed usually by political reasons, so hacktivism. So I feel it's important for us to understand not only what data is being leaked, but what it's being used for. And we know most of the time it's financial gain. But do you know if Malwarebytes did any kind of information on that? Because I know attribution is very difficult, but motivation usually.

In their public post on Blue Sky, it's just a couple of sentences. It doesn't put it in any context. And this is frustrating, obviously, but I'm also frustrated by Instagram's response as well. Yeah, that's just crazy. They're not explaining how these password reset messages got sent. They're not explaining how an external party gained the ability to spam password resets to random users. They're just saying, well, it wasn't a breach. Well, it's like, well, sounds like it was some kind of security breach. If someone was able to gain that ability, it may not have been that data was exfiltrated as a result of this. We don't know. But all they're saying is, your accounts are secure now. It's a bit saying, I'm not burgling your house while you're carrying a TV set down the drive, right? It's technically accurate. Yes, you're not burgling the house. You're not anymore. But it's not exactly reassuring, is it? So I would hope for both the initial reporting of an incident to be more thorough and also for the response from the organisation, which is trying to explain what happened, to properly represent what occurred.

The onus definitely lies with Instagram more than it lies with anybody else, right? I mean, Malwarebytes should have given more information and definitely not put it behind the paywall. That's sad for something so important.

I mean, I guess their social media manager got excited and it's oh, here's a thing that we're telling our customers about. We need to put together some quick snappy post, which is going to go viral. We'll add an image to it as well. We'll chuck it out there.

But the onus really lies with Instagram, right? For them to come out, I think this is where most organizations really fall on their faces. Communication is such a crucial part. People talk a lot about setting up the war room, setting up the bridge, all the technical stuff that needs to happen, all the analysis, the forensics, and all of that is true. All of that has to happen. But anytime an incident this happens, anytime there is a breach, and I say that from experience, having been responsible for communication from organization's perspective to our customers when things go wrong? Gosh, it is so important. Whenever you have something that, you got to give them context. What actually happened? What actually happened? How did we get here? That's the first thing I ought to tell them. How did we get here? What does it mean for you? That's another thing, by the way, because there's one thing of what it means for general public information of whatever happened, whatever hackers are doing or whatever, right? But what does it precisely mean for you now? What are the steps that they, as a customer, need to take now in order to help? And how are you helping them take those steps, right? So I think this clarity of communication is necessary. For something so crucial as a 17 million data breach, I think it's so underplayed. It is so bizarre.

And I think it's not just the message which you decide to put out there, because obviously you want to be quite clear as to if you need to debunk a story about there being a data breach, you need to explain why that isn't. The whole

Idea is to help them, right? To help them secure it. This sounds to me an ostrich law. You are an ostrich and just because you don't want to face that, you just put your head in the sand. That's basically what they're saying the customers to do.

And also, let's go back to it. Why is Instagram choosing to issue its nothing to see here statement on Twitter? That's Burger King announcing a food safety update via a press release stapled to a McDonald's drive-thru menu. How weird is the hat?

Is that very weird? Yeah.

Here's what gets me. Instagram is saying you can ignore password reset emails. That's the actual wording that they used in their eventual Twitter post. So the normal advice is that if you receive an unexpected password reset request, ignore it. It's probably someone either phishing you or trying their luck to break into your account. But if you ignore it, you should be all right. But Instagram users, they're now playing a game of password reset roulette. So they'll be asking themselves, is this email a legitimate reset that they requested? Is it a legitimate reset that Instagram systems accidentally sent because of an issue? Or is it an actual phishing attempt from cybercriminals who bought all your details off the dark web? Three possibilities, identical appearance to you in your inbox. No way to tell them apart. Instagram's official guidance is just, ignore them all. I don't know about you in all your years as a CISO and so forth, Monica. I don't know if you have an inflatable cricket bat, but I think it's an essential part of the cybersecurity arsenal. You need an inflatable cricket bat, which you can bop people over the back of the head with. So I would give Malwarebytes a bop on the back of the head for their social media post, because shame on them for dropping a cybersecurity bombshell with zero context. But also, naughty old Instagram, bop for issuing a terse denial that technically answered nothing. And meanwhile we've got 17 million users data allegedly for sale, Reddit threads full of confused people wondering if they've been hacked, if they are being hacked, and everyone's telling slightly different versions of this story. It's a mess, it's a mess. Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days? Well, imagine one that doesn't just write haikus about zero day vulnerabilities, but actually does your audit work for you. That is Vanta. It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that, yes, you do take security seriously. Vanta automates all of that. It pulls everything together, keeps an eye on your systems and basically make sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies. It also plugs into the tools you're already using and flags up issues before they become a right old mess. So if that sounds like something that might save you from a few sleepless nights, check out vanta.com slash smashing. And if you use that link, you'll get a thousand dollars off so don't forget vanta.com slash smashing and thanks to Vanta for sponsoring this week's episode. On with the show. Monica, what have you got for us this week?

Well craziness just continues I guess. So I have been talking a lot about and I've been working a lot with deepfakes. I remember doing a keynote a couple of months ago when the deepfake of Catherine Connolly came out who ran for the presidential election for Ireland, and that happened just two days before the presidential election right? I was talking about this study that showed while financial gain is the number one motivation behind deepfakes, the second in the top three is electioneering, changing elections. But I think deepfake goes even further. So over the last weeks there have been investigations from the Australian authorities against Grok because it seems that Grok has been really great and sadly so, really great at creating nude images and sexualized images of women just because they were prompted by some users. So this is not consented by those women, but also of kids. I was reading about this and obviously this is not the only story that has happened since deepfake has come into existence, but the fact that you can just prompt a very powerful AI, so XAI or Grok on the platform of X publicly to just immediately get sexualized nude images of people. That is just insanity. And what's interesting is when this happened, Grok itself, the AI, released a statement. This is not a human being, mind it. It is Grok. It apologizes for creating sexual and nude images of the women and kids. Well, it has—

To do that because if you contact Elon Musk's company, if you try and contact his PR department with a question as a journalist, what you get returned to you is a poop emoji. That's the way they handle the press. So, of course, Grok has to be the thing which actually responds to complaints. But it doesn't even—

End there. But that's the whole point, Graham. So first, Grok came out apologizing. The important thing that I want to highlight here for the audience and for the people listening to this is that Grok has no apologetic feelings, right? It's not sentient. So it's not really apologizing, right? That's something we have to understand. First, differentiate the intent versus the actuality, right? The words versus actually the intention behind it. There is no intention of actually apologizing because it doesn't feel apologetic because it's a fucking machine. Oh, sorry about the F word.

No, no, that's all right. Don't worry about that. And then add to that, journalists and newspaper and media asked actually Elon about his response. And his response is, well, people are just making too much fuss. This is just an excuse for censorship. This is what he comes back with. And I also read a report that Elon Musk had actually posted an image of the British Prime Minister Keir Starmer in a bikini using the tool. So it feels like Elon Musk is much more amused about it than maybe everybody else is. I mean, some awful things have happened. As you say, there have been sexualized images which have been posted of both women and children.

The problem really is the mindset behind all of this, right? We have known this now over months and years that Elon wants anti-woke AI that actually doesn't shy away from politically incorrect answers, including things creating sexualized images of women or kids without their consent. And in the response, he did not just say that this was just an excuse for censorship. He put the tool that creates images behind paywall, which doesn't solve the problem at all. Now you're basically providing a premium service, basically, is what he's doing.

So what I think has happened is at the time of recording, it is still possible to access this functionality without paying. You can't do it via Twitter or X, as he calls it. But you can go to the Grok website and use the app, I believe, to still do this, even if you aren't paying customer. But you're absolutely right. In some ways, this is now being used really as an encouragement for people to pay for a premium service. Here's one of the features we can offer you is the ability to create illegal images or sexualized images of people without their consent. And so, of course, all this brouhaha in the press, and quite rightly, people have been up in arms about this, in some ways will have fed the demand for this kind of functionality. Because people who want that kind of thing will now know where to go and they know to pay Elon Musk to access it. And I cannot understand how if anyone else were creating illegal content, the police would be going around and arresting them and saying you can't do this. But when it's an AI owned by a billionaire who has the ear of the American president, it seems everyone is being much, much more cautious.

You know that he just reignited his friendship with the portis and the floaters, right? He just had dinner with them in Mar-a-Lago, which is very sad.

So I hear the latest is that Ofcom, which is the regulator here in the UK, they are investigating and they have the power to fine Elon Musk's companies for this and potentially a significant amount of money. Some countries, including Malaysia and Indonesia, already blocking access to the tools, which is great. And maybe we'll see more countries doing that temporarily, at least in the future.

Ofcom definitely needs to get into the nitty-gritty details of what happened, why is it happening, the fine that is appropriate for what the impact has been. But I also feel we need to ask three questions. Three questions that we should be asking and holding Elon Musk to them. One is guardrails. This has been constantly a problem with AI prompts and AI in general, but especially with Grok. This was an example that I remember talking about in one of the keynotes I did a couple of months ago, where he had actually intentionally changed Grok's newest version that allowed it to provide politically incorrect answers. And because of that, Grok started praising Hitler and called it Mecca Hitler. And I think these are not one-off incidents, right? My question is, why have we not learned who is ultimately responsible for doing that? So first question is the guardrails that we need. We absolutely need those guardrails. My biggest problem is when people talk about guardrails they mean regulations. And I'm no, I'm not talking about regulations to stop innovation. What I'm talking about is actual guardrails to innovate safely in a way that it doesn't harm humanity. We absolutely need guardrails. Second question we need to be asking them is accountability because the buck doesn't stop with the robot. I don't care if Grok actually apologizes because if the buck stops there, then actually nobody is held accountable. Third is consent. Consent has been such a big question in our community, in our society, in general. Now, especially with digital tools these, how are we making sure of that consent? And all of these questions have to be asked to these big corporations that are now holding the entire power to what AI is doing, how it is being built, what guardrails are in place.

But you know what, Monica? They don't care.

I know. And that's the problem. But we have to. There's only one thing that they care about, which is profit. And therefore, we should be putting pressure on the companies which advertise on these services and saying, do you really want your ads appearing alongside sexualized images of women, of young children? Do you really want that? Oh, that's crazy. That's beautiful. He had to learn how to walk again and obviously serious medical problems. But he ended up going to a Coldplay concert, holding up a banner saying, your music got me out of a coma and Chris Martin got him up on stage. And you hear all of this happen during the course of the documentary. Killing Me Softly always gets it, no matter what it always does. It's amazing. Love that song. Yeah, wow, that's beautiful. Not the Fugees version. No, no. It's got to be... No, not for me anyway. So my recommendation, my pick of the week is Soul Music. You can find it on BBC Sounds or wherever you find your podcasts. You know, what's interesting is that I'm also a very softie. Despite a lot of ambitions and dreams and all the things that I get to do and I get the opportunity to do, my pick of the week is family and I'll tell you why. Over the last months literally I've been back-to-back traveling helping organizations all over the world. I think I traveled four continents, actually five, over the last four months from September, October, November, December doing maybe I don't know seven, ten gigs all on different topics of AI, cyber, whatever you name it. And I feel privileged and honored that I get to do that. And every now and then, I'm not a person who has to wait for a holiday to happen. But every now and then, I love to just take a break from a lot of these things and then just spend quality time with family. That, to me, is literally the pick of the week because I've been literally reminiscing that quite a lot. Before I even the new year started, I've been working on revamping my whole newsletter. It was softly, quietly relaunched, the updated, rebranded version, which I call the Predictability Factor. And I'm going to be announcing it to the world very soon. But yeah, if you are listening to this, go check it out, the Predictability Factor. It's about building resilience and becoming resilient in the unpredictable world of AI. But I love to take these times when I'm just offline where I'm off the grid and I'm just spending quality time with family. And it's just so soothing for the soul because ultimately at the end of the day, even in the world of AI that we're living in, I truly, truly believe human connection and human relationships are it. They are it. Nothing, no AI companion will ever come close to that. Go really spend time with the people that you love. There may be two, there may be five, they don't have to be a hundred, but it will literally continue upgrading your life forever.

I love what you say there, Monica, and I think it's very important what you said there, which is that go and spend it with the people who you like and love. Because sometimes with some people, of course, they don't have great relationships with their family or they may not have family members, but you can create your own family. Absolutely.

You decide who your family is. Yeah. And it could also be the people that you are not having great relationships, but you want to give it a try. You want to mend things because it's worth it. You get to decide. Ultimately, you get to choose to do that.

Well, who would have guessed we would have ended the podcast this week in such a soppy, sentimental, but very important fashion. Thank you so much, Monica, for joining us this week. It was a pleasure. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?

Well, literally, as I said, one of the best ways right now is to subscribe to my newsletter, The Predictability Factor. I have remapped it. I have soft launched it. I'm going to be bringing so many amazing things there for everyone. How to become resilient in this unpredictable world of AI. Otherwise, reach me at monicatalkcyber.com. That's one place where I put everything together. So yeah, check it out.

And Smashing Security is on social media as well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Blue Sky. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts. For episode show notes, sponsorship info, guest lists and the entire back catalogue of roundabout 450 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. Take care.

You've been listening to Smashing Security with me Graham Cluley and thanks so much to Monica Verma for joining us this week and to this episode's sponsors Meter and Vanta and to the chums who signed up for Smashing Security Plus over on Patreon. They include Shree Kumar, Karen Reynolds, Daryl Green sounds like he should be narrating golf highlights, Vladimir Jirasek who must be absolutely ace at a game of Scrabble, Bashora who's definitely not here to cause trouble honest, Sean Puttick, Panda Bear still refusing to confirm their species, Matt H with his economy class spelling, Geoff A because one letter is all you really need, Alan Liska, Bobby Hendrix who absolutely has opinions about guitar solos and Billy just Billy. Would you like to hear your name read out from time to time at the end of the show? Well all you have to do is sign up for Smashing Security Plus for as little as five dollars a month. You can become part of our merry little band and get early access to episodes without the annoying ads. Just head over to smashingsecurity.com/plus for all of the details. Now I know not everyone can afford that and that's absolutely fine. There's no pressure to become a patron. You can do other things if you want to help support the show which don't cost you anything. For instance, you can leave us a lovely review or you can tell your friends and pals about the show. Simply spreading the word really does help and I really appreciate it. So thank you once again for tuning in and I hope you'll be tuning in again next week for the next episode of Smashing Security. Until then, cheerio bye. Thank you.