In this issue:

• Threat of the week: Getting spam from yourself?

• McDonald's exposed 64M hiring records

• Let me know if there’s a topic you want me to cover

Getting spam from yourself?

If you've ever received a spam email that looks like it came from your own email address, you're not alone and your email has not been hacked. Spammers often fake the "From" email address to trick people into opening them. This is called "email spoofing," and it's surprisingly easy for scammers to do. I get spoofed emails in my own Spam folder every day.

For example, I see spam emails where the From email address is Cassie Crossley. But of course I didn't send myself emails about Microsoft software renewals, McAfee virus scanner subscriptions, or PayPal payments. Sometimes I do send emails between my email accounts, but those usually end up in my Primary email folder and I remember sending them.

Your email inbox might show your own address as the sender, but fortunately that doesn’t mean the message actually came from you. It just means someone made it look that way. Think of it like writing someone else’s name as the return address on a letter — the post office doesn’t check if that name is really yours.

The good news is this doesn’t mean your email account was hacked. But it’s smart to check your Sent folder to be sure. If nothing odd is there, you’re safe.

To protect yourself, mark suspicious messages as spam as I mention in this previous article, and turn on multi-factor authentication for extra security.

So, don’t panic — but stay alert.

McDonald’s exposed 64M hiring records

"Would you like a side of fries with that data exposure?"

I want to bring attention to this data exposure (which is different than a data breach where data is stolen) to highlight that companies are often not properly testing systems with employee data and that puts you, your friends, and your families at risk.

In this case, McDonald's uses hiring software, more specifically an AI chatbot called "Olivia", to screen applicants. Cybersecurity researchers identified a default login and an unsecure password ("123456") to easily access McDonald's hiring software.

Luckily these researchers found the problems before a criminal. The researchers only accessed 6 employee records in their testing, but overall there were 64 million exposed hiring records, including applicants' names, email addresses, and phone numbers.

After confirming the problems in the hiring software, the researchers privately disclosed the data exposure to McDonalds and Paradox.ai (who created the hiring software). Paradox.ai quickly fixed the vulnerabilities in the software and confirmed that the researchers were the only ones to have discovered the hiring records.

Even though no criminals had used this vulnerability, the incident serves as a reminder: if companies don’t follow basic cybersecurity steps, personal info can be exposed. Not just large systems — even everyday tools can slip up.

Still, it's a timely reminder: check how you share personal info and always stay cautious online.

Do you have an idea for a future newsletter? Please reply to this email and let me know.

Thank you so much!

Sincerely,
Cassie Crossley
Founder, Cyber Safe Center
https://www.cybersafecenter.com