Chrome users were caught off guard by a 4-GB Google AI model baked into Chrome, sparking privacy concerns. The good news: You can easily uninstall it. The bad? You might not want to.
There’s a lot to security that isn’t necessarily “cyber.” It’s not all hackers or complex network attacks.
Alongside traditional cyberattacks that deploy malware or exploit known software vulnerabilities, there are also less technical—yet equally devastating—forms of theft.
This doesn’t mean that well-known cybersecurity best practices don’t apply. Every small business owner should still use unique passwords for every account, turn on multi-factor authentication, keep their software and operating systems updated, and run always-on cybersecurity software.
But for the everyday small business owner juggling dozens of accounts, networks, devices, and the reams of data being created, stored, and shared across text messages, emails, and online portals, this advice is for you.
For National Small Business Week in the US, here are three ways to protect your business that require little technical prowess.
Don’t use your Social Security Number as your tax ID
In the US, the Internal Revenue Service (IRS) allows small business owners to use their personal Social Security Number (SSN) as the Federal Tax ID. It’s a small grace meant to simplify annual record-keeping for sole proprietors and owner-employees, but for cybercriminals, it’s a basic oversight they’d like every small business to make.
Using your Social Security Number as your Federal Tax ID means putting your Social Security Number in an ever-increasing number of hands. That’s because small business taxes are different from taxes for everyday salaried employees.
Whenever a small business takes on a new client or a contractor who pays for services costing at least $600, that small business has to share and receive what is called a W-9 form. This exact form isn’t filed with the IRS, but it is used to track payments for later filings.
What’s more important, though, is that this form asks for an owner’s name, address, and tax ID number.
This means that as a small business grows, its vulnerability to identity theft increases in tandem. Every W-9 filed that uses an owner’s SSN as their tax ID number is another opportunity for that SSN to be stolen. After just one year of operation, a small business owner’s SSN could end up in the inboxes, filing cabinets, and cloud drives of a dozen different people and companies.
This is exactly what cybercriminals want.
Equipped with a W-9 form about your business, a cybercriminal could impersonate you or your business. They could open a business credit line, file fraudulent returns that claim your small business income, or scam your clients.
How to stay safe:
Apply for a free Employer Identification Number (EIN) at IRS.gov. It’s quick to do and it separates your business tax identity from your personal tax identity. After that, put the EIN on W-9s, 1099s, and all other business paperwork instead of your SSN.
Keep your personal cloud storage personal
The most popular cloud storage for most small business owners is the cloud storage they already have—their personal Google Drive or iCloud.
Built to make memory archival as easy as possible, these tools can automatically back up and secure nearly every single moment that happens through your device, from the vacation photos you snapped last summer, to your kid’s first steps recorded on video, to the texts you sent, the notes you made, and the calendar appointments you managed.
But this type of automatic archival poses a threat to any non-personal information that you view, send, markup, or sign when using your personal smartphone. Suddenly, and often without thinking about it, your cloud storage has backups of signed contracts, tax returns, client intake forms, invoices, business financial statements, and photos of physical paperwork.
Above, we warned about using your SSN as your tax ID because it creates a risk if anyone in your business network is breached. But storing client information in your personal cloud storage creates a different problem: it puts that risk directly on you.
Compounding the threat here is the fact that many personal cloud storage accounts are shared with family members. More people accessing the same account means more exposure and more chances for mistakes, even if everyone has good intentions.
How to stay safe:
Go through the cloud backup settings on both your phone and your computer and manage what data is being synced. Move sensitive business files to a dedicated business storage account with proper access controls, sharing permissions, and audit logs—something that can tell you who opened a file and when.
If anything business-related has to live in a personal cloud account, give that account a strong, unique password, turn on multi-factor authentication, and don’t share access with anyone who isn’t you.
Protect device and account access in the home
Devices have a funny way of moving around. Your smartphone goes into your spouse’s hands as they override your music choices in the car. Your tablet ends most nights in your kid’s bedroom as they watch TV. And your laptop gets tugged around from couch to counter to kitchen table—each time fully opened and logged in, a portal to the web.
You trust everyone in your home to act safely online, but the path to online safety is full of mistakes.
A single errant click on a fake ad, a malicious search result, or a disguised download is all it takes to compromise your device today, along with all your small business records.
Aside from the threat of malware, someone using your device could make purchases, accidentally delete files, and overwrite important documents.
Remember, an “insider threat” doesn’t need to be malicious to cause damage—they just need to be inside your network (which in this, is your home).
How to stay safe:
Treat your devices that you use for work as work devices. That means requiring a passcode or password for device entry, along with multi-factor authentication for important business accounts.
Also, to ensure that any wrong click doesn’t lead to a malicious PDF download or a wayward malware installation, use always-on antimalware protection software, like Malwarebytes for Teams.
Secure your success
It’s easy to get overwhelmed with modern cybersecurity advice. Every week there are new vulnerabilities to patch, emerging scams to avoid, and novel viruses and pieces of malware that can seemingly take over your device, your data, and your business.
Thankfully, there are important steps you can take today that don’t require you to fiddle with internal settings or take a class on network engineering. Some of the most effective protections are simple: Limit how widely you share sensitive information, keep business and personal data separate, and control who can access your devices.
For everything else, try Malwarebytes for Teams to receive 24/7, always-on antimalware protection to shut out viruses, block malware attacks, and keep hackers out of your business.
Jerry’s Store, a card-checking service used by cybercriminals, exposed 345,000 stolen payment cards after leaving its server open, revealing sensitive data.
A cybercriminal operation known as Jerry’s Store has reportedly exposed a large cache of stolen payment card data after leaving its own infrastructure accessible online. The service appears to have been used to test whether stolen credit and debit card details were still valid, effectively acting as a verification tool for fraudsters before the data was resold or abused.
“Jerry’s Store marketplace leaked 345,000 stolen credit card details through an exposed, insecurely configured server created using AI assistance.” reads the report published by CyberNews.
“The leak occurred after Cursor AI generated flawed code without authentication, exposing credit card numbers, names, addresses, and security codes.”
Researchers found that the exposed server contained information linked to roughly 345,000 payment cards. Of those, nearly 200,000 cards had been marked as invalid by the service, while more than 145,000 records were identified as valid. The leaked records reportedly included highly sensitive cardholder data such as card numbers, expiration dates, security codes, names, and billing addresses. Cybernews
The incident is notable not only because of the volume of exposed data, but also because it shows how organized and automated parts of the carding economy have become. Instead of manually checking stolen cards one by one, criminal marketplaces and fraud services increasingly rely on infrastructure that can validate payment data at scale. Once a card is confirmed as active, it becomes more valuable for resale, fraud attempts, or account takeover activity.
Cybernews estimated that valid stolen card records typically sell for around $7 to $18 on dark web markets. Using that range, the valid card data exposed through Jerry’s Store could be worth between $1 million and $2.6 million. The true value of the broader operation may be higher, since the platform reportedly handled more than just the leaked payment-card records.
CyberNews researchers found that Jerry’s Store operators used Cursor, an AI coding tool by Anysphere, to build their server and admin dashboards. However, flawed guidance from the AI likely led to misconfigurations, leaving the system exposed and causing the data leak.
“We were able to confirm that the leak originated from the user asking to create a statistics dashboard, and Cursor created an unauthenticated open web directory to serve the webpage, ignoring the need to set up authentication or ensure that only the intended dashboard would be accessible,” CyberNews team explained.
Source CyberNews: Jerry’s Store data leakSource CyberNews: Jerry’s Store data leak
The case is ironic: a cybercriminal service built to profit from stolen card data exposed itself due to poor security. This failure creates added risk for victims, as data already circulating in underground markets can spread further, reaching new attackers who did not originally steal it.
The story also highlights a wider trend in cybercrime: illicit services are becoming more productized. Carding shops, validation tools, automated fraud services, and dark web marketplaces increasingly resemble commercial platforms, with pricing models, customer interfaces, and backend infrastructure. Rapid7 has described this broader ecosystem as “carding-as-a-service,” where stolen cards and fraud tooling are packaged for easier use by criminals with varying levels of technical skill.
A similar pattern has been seen in other carding-related incidents. BidenCash, a carding-focused marketplace, became known for releasing large batches of stolen payment-card data as a promotional tactic to attract users and vendors.
Law enforcement has also targeted related ecosystems. In a case involving B1ack’s Stash, authorities seized domains tied to underground vendors trafficking stolen financial data, including payment-card records. That case underlines how carding markets remain a priority for investigators because they support a chain of downstream crimes, from unauthorized purchases to identity theft and money laundering.
Consumers should closely monitor accounts, enable alerts, use virtual cards, and replace compromised ones. Banks must strengthen fraud detection, quickly block stolen cards, and monitor underground markets.
The Jerry’s Store leak shows that even cybercriminal platforms can have weak security. When they fail, the impact still hits ordinary users, whose stolen card data may spread further and be reused, traded, and exploited across the fraud ecosystem.
Booking.com's breach exposed names, phone numbers, and booking details now being used in targeted WhatsApp phishing. Constella explains how the PII-to-smishing pipeline works and what to do about it.
Operation PowerOFF shut down 53 DDoS-for-hire domains, arrested four suspects, and exposed data on over 3 million criminal user accounts.
Operation PowerOFF is an international law enforcement action that dismantled 53 domains linked to DDoS-for-hire services used by over 75,000 cybercriminals. Authorities arrested four suspects, seized infrastructure, and gained access to databases containing more than 3 million user accounts. They are now warning identified users, while continuing investigations with multiple search warrants.
DDoS-for-hire services, or “booters,” are illegal platforms that let users pay to launch DDoS attacks that flood websites or servers with traffic, causing outages. They are used for harassment, extortion, or disruption and can lead to serious legal consequences for users.
“On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services.” reads the press release published by EUROPOL. “With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”
21 countries participated in the law enforcement operation PowerOFF: Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the U.K., and the U.S.
Authorities disrupted booter services by seizing servers and infrastructure used to launch attacks, limiting further harm. Access to seized databases with over 3 million user accounts enabled coordinated global actions against cybercriminals and raised awareness about the illegality of these services.
Operation PowerOFF continues with a strong prevention phase to stop future DDoS attacks. Authorities launched campaigns targeting users, including ads warning young people searching for attack tools, removal of over 100 malicious URLs, and warning messages sent via blockchains used for payments. They also updated the official website to highlight ongoing actions and raise awareness about the risks and illegality of DDoS-for-hire services.
Authorities continue dismantling global DDoS-for-hire networks under Operation PowerOFF. In August 2025, the U.S. also took down the RapperBot botnet, used for large-scale attacks across more than 80 countries since 2021.
In December 2024, law enforcement agencies operating under Operation PowerOFF disrupted 27 of the most popular platforms (including zdstresser.net, orbitalstress.net, and starkstresser.net) to launch Distributed Denial-of-Service (DDoS) attacks. The authorities also arrested three administrators of these platforms in France and Germany, and identified over 300 users.
Entrar
