In September 2022, a teenager broke into one of the world’s most valuable tech companies without writing a single line of exploit code. He bought stolen credentials on the dark web, flooded a contractor’s phone with authentication requests for over an hour, then sent a WhatsApp message pretending to be IT support. That was enough. Once inside Uber’s network, he found admin credentials sitting in a PowerShell script on a shared drive — and from there, he had access to everything: AWS, Google Workspace, Slack, bug bounty reports, and internal dashboards. He announced his success by posting on the company’s own Slack channel. This is the story of the 2022 Uber breach, MFA fatigue, and what it means that a phone call is still one of the most effective hacking tools ever invented.

Support the show

What if your AI assistant could be turned against you by an email you never read? In 2024, Anthropic released the Model Context Protocol - a universal standard for connecting AI assistants to email, code repositories, databases, and cloud infrastructure. Within months, researchers began finding something alarming: AI agents with this kind of access could be hijacked by hidden instructions embedded in the very content they were asked to process. No stolen credentials. No exploit code. Just words that the AI read and obeyed. This episode explores the emerging security frontier of AI agents and MCP servers - the real CVEs, the documented incidents, and why the security community is paying very close attention.

Anthropic described its own upcoming model as posing unprecedented cybersecurity risks - then accidentally leaked that description. Cole Drayden sits down with former federal threat intelligence analyst Marcus Hale to work through what Mythos actually is, what it can do, and what happens when that capability reaches the wrong hands.