Even though I’ve already built a pretty solid open-source graphics stack at this point, I’m always on the lookout for new tools or hidden gems. That’s exactly how I discovered some of my favorites, like Photopea and PhotoDemon. Recently, I came across a tool called miniPaint. It’s a free, open-source, lightweight image and graphics editor that runs in your browser, and it’s self-hostable too.

Although it’s not a match for Photoshop's capabilities, it’s a great option for anyone who needs a lightweight option with a bit more data control. And it covers most of the use cases I used to rely on Photoshop for, anyway, so it can almost be a full replacement.

What exactly is miniPaint?
It’s not just a painting tool, but an image editor too



Despite having the word “paint” in its name, miniPaint by Viliusle is both a painting and image editing tool. It’s a free, open-source editor that runs entirely in your browser, and unlike many online editors that require accounts or cloud storage, miniPaint doesn’t send your data out - everything is processed directly in the browser. While you need a connection to load the app initially, you can actually use it offline because it uses service workers to cache data and assets in your browser, allowing you to keep working. This is already a major win in my books because both web access and offline functionality makes a tool more accessible.

miniPaint was created as a lightweight alternative to heavier desktop editors like Photoshop, using layers, brushes, filters, and typical image manipulation tools that most graphics workflows require. It supports a broad range of popular raster formats, including PNG, JPG, BMP, WebP, and TIFF, letting you save and export in multiple formats. It even lets you export layer data in JSON for future edits.

Overall, miniPaint strikes a good balance between simplicity and depth. It has essential features like layer-based non-destructive editing, color adjustments, brushes, text, effects, and more, but without overwhelming giant toolsets you rarely use. It’s ideal for creators who need a capable image editor that’s accessible from anywhere, works offline, and doesn’t require your information for an account or subscription. The app gives you everything you need for quick edits, mockups, social media graphics, banners, and everyday graphics work. Plus, you can self-host it.

How it can replace Photoshop
It’s more capable than it looks on the surface



The first tools I wanted to play around with were the Brush and Pencil. They’re pretty stripped-down compared to Photoshop in terms of the adjustable properties. You can select the color, size, opacity, and pressure, but that’s it. This is still decent given many free editors don’t even have a brush tool - you’d be able to paint some masks onto your images or do creative drawings in miniPaint.

The Fill and Gradient tools also caught my eye because I generally like using them for creating overlays on my images. You can get very precise with the color values and gradient placement. Both of them also have adjustable properties like radial strength and opacity. I also quite like the Blur tool - since the wall behind my PC is textured, I like softening it with some type of blur tool or mask if the lighting exaggerates the texture too much, and miniPaint does a good job.

It also comes with a Color Correction tool which I really like - it’s a simple kit but effective, letting me adjust the hues and tones with a preview. The filter selection is more plentiful than I expected. You will find things like box blur, denoise, oil painting, solarize, and there are also Instagram-specific filters. Lastly, there’s a very capable text tool with options for fonts, size, color, stroke, format, kerning, and leading.

miniPaint can’t do everything Photoshop does
It’s a “mini” tool, after all



The biggest Photoshop-like feature I’m missing in miniPaint is proper selection tools. You only get a Rectangle selection tool that you have to manually adjust. And the masking system isn’t very smooth either - you can’t right-click to add a mask from selection and have to navigate to the menu bar instead. There’s also no Lasso selection tool for finer selections, which is a major component of creating things like composites.

Being a lighter-weight tool, I didn’t expect it to have smart objects, but it is a nice-to-have for more complex edits, so I’m missing it a bit. It also lacks more advanced typography and is more on par with tools like Canva in terms of the text offerings. Plus, there’s no perspective editing.

Less software, similar results

miniPaint isn’t a complete replacement for Photoshop, especially considering its lack of proper selection tools. However, it steps up in most other areas. I can create stylish overlays, draw sketches, add unique effects, color correct and color grade, do some basic graphics work with shapes and text, and create design assets. Plus, it’s accessible from any operating system or device with a browser.



source

Google is providing updates on the issue on its Google Workspace Status Dashboard (Getty/iStock)

• Google has confirmed an issue with its email service after Gmail users complained that their mailbox wasn’t working properly.

• Gmail users have reported that promotional emails that are normally sent to a separate folder are flooding their inbox, along with a banner warning them to “be careful with this message.”

• Google addressed the issue in a blog post, writing, “We are experiencing an issue with Gmail beginning on Saturday, 2026-01-24 05:02 US/Pacific. We are aware that some Gmail users are experiencing misclassification of emails in their inbox and additional spam warnings.”

• The statement continued, “We are actively working to resolve the issue. As always, we encourage users to follow standard best practices when engaging with messages from unknown senders.”

• Google said it would provide updates on the issue, which one user labeled “e-mail armageddon.” The glitch came hours after Gmail users were warned about a password breach affecting up to 48 million logins.

source

Including Financial Accounts, Instagram, Facebook, Roblox, Dating Sites, and More.

Cybersecurity Researcher Jeremiah Fowler uncovered a data leak of 149 million logins and passwords, and shared his findings with ExpressVPN. We are publishing his report to help the public stay informed and protected as part of our ongoing effort to highlight important security risks.

The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts. This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware. When data is collected, stolen, or harvested it must be stored somewhere and a cloud based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches. The database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals.

The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable. These ranged from social media platforms such as Facebook, Instagram, Tiktok and X (formerly Twitter), as well as dating sites or apps, and OnlyFans accounts indicating login paths of both creators and customers. I also saw a large number of streaming and entertainment accounts, including Netflix, HBOmax, DisneyPlus, Roblox, and more. Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed.

One serious concern was the presence of credentials associated with .gov domains from numerous countries. While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user. Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks.

The database had no associated ownership information so I reported it directly to the hosting provider via their online report abuse form. I received a reply several days later stating that they do not host the IP and it is a subsidiary that operates independently while still using the parent organization's name. It took nearly a month and multiple attempts before action was finally taken and the hosting was suspended and millions of stolen login credentials were no longer accessible. The hosting provider would not disclose any additional information regarding who managed the database, it is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes or how or why the database was publicly exposed. It is not known how long the database was exposed before I discovered and reported it or others may have gained access to it. One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available.

Breakdown of Email Providers (estimated)

   ○ 48M - Gmail

   ○ 4M - Yahoo

   ○ 1.5M - Outlook

   ○ 900k - iCloud

   ○ 1.4M - .edu

Other notable accounts included:

   ○ 17M - FaceBook

   ○ 6.5M - Instagram

   ○ 780k - TikTok

   ○ 3.4M - Netflix

   ○ 100k - OnlyFans

   ○ 420k - Binance



This screenshot shows the total count of records and size of the exposed infostealer database.



This image shows screenshots of accounts and credentials including Instagram, Google accounts, and OnlyFans.



This image shows screenshots of accounts and credentials including Facebook, a government account from Brazil, and a WordPress administrative login.



This screenshot shows how the index was searchable using nothing more than a web browser.

The database appeared to store keylogging and “infostealer” malware, a type of malicious software designed to silently harvest credentials from infected devices. These files were different from previous infostealer malware datasets that I have seen because it logged additional information. The records also included the “host_reversed path” formatted as (com.example.user.machine). This structure is used to create an easily indexable way to organize the stolen data by victim and source. Reversing the hostname can also help avoid directory conflicts or as an attempt to bypass basic detection rules that look for standard domain formats. The system used a line hash as the document ID to ensure one unique record per unique log line. In a limited search of these hash and document IDs it was identified that they were indeed unique and returned no duplicates.

Potential Risks of Exposed Credentials

The exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed. Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more. This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services.

How to Protect Your Accounts, Credentials, and Privacy

By now most of us are aware that malware can be spread through a range of different methods including malicious email attachments, fake software updates, compromised browser extensions, and even deceptive advertisements. Once the device is infected the malware can run undetected and harvest and transmit credentials. If the device is infected with malware simply changing passwords does no good because the new password will also be captured. Having antivirus software installed on your device is a good first line of defense and your best bet in identifying and removing malware. A report published in October identified that only an estimated 66 percent of U.S. adults used antivirus software in 2025. This means there are a large segment of users with unprotected and potentially vulnerable devices to this type of infostealer malware.

Anyone who suspects their device may be infected with malware should take immediate action. On a mobile device, I recommend updating the operating system and security software (if installed). If you don’t have security software, install it and scan the device to remove anything that is identified as malicious or flagged as suspicious. Updating the operating system can patch known vulnerabilities and having the latest versions of security software can also improve detection methods. Additionally, review app permissions, keyboard settings, accessibility, and device admin access. As a general rule, only install apps from official app stores. On a computer Windows/macOS/Linux etc, even non-technical users can conduct a deeper review of programs, browser extensions, and running processes to identify unknown or suspicious activity and software.

Using a password manager can reduce some of the risks from basic infostealer malware and keyloggers. Most password managers store passwords and often auto fill credentials and while this can prevent simple keystroke loggers from capturing typed passwords it is not immune from other more advanced malware. Password managers encrypt data and ensure MFA, while this helps to improve overall account security they do not protect against fully compromised systems. There are additional ways infostealer malware can collect or harvest data. This includes capturing clipboard contents, scraping browser memory, stealing session cookies and tokens, or intercepting form data before it is encrypted. Password managers have many positive benefits and do help improve security against password reuse and basic keylogging, but they cannot defend against all variants of advanced malware. When combined with a good antivirus, endpoint security, and regular OS updates it is a safer option than nothing.

From a privacy perspective, the breach of exposed email addresses and account associations could allow criminals to build detailed profiles of individuals. Knowing where they have accounts, what services they use, and potentially their professional or personal affiliations could hypothetically increase the success rate of social engineering or phishing attempts. Most people keep sensitive documents and communications in their email history without realizing how big of a risk it could be if someone gained unauthorized access. An account takeover could have serious privacy implications depending on the type of the account or service. Unauthorized access to images and chat histories from dating profiles or adult entertainment accounts could potentially create risks years after the incident, including harassment or extortion attempts.

After any data breach or even as a preventative measure it is a good idea to review and update account security measures. This includes enabling two-factor authentication or biometric protections when they are available. Although extra steps are not always convenient, adding an additional verification step can help prevent unauthorized access of accounts by criminals using compromised passwords. It is also a good idea to review login history, login locations, devices, and any failed login attempts. As a general rule never reuse passwords across different sites, applications, or services. Taking these basic steps can help protect against or prevent an account compromise.

While it may seem ironic that cybercriminals themselves would leave such a valuable cache of stolen data unsecured, researchers note that this is not uncommon. Criminal operations often prioritize speed and scale over operational security, storing data in misconfigured cloud servers or databases that can be discovered through routine internet scanning. Once exposed, such datasets are frequently copied and redistributed, making the damage difficult to reverse.

The discovery of this unprotected database serves as another reminder that credential theft has become a large-scale business that will only continue to be a threat. As criminals continue to refine their tools, technology, and methods it is more important now than ever to use antivirus software, strong authentication, unique passwords, and basic cyber hygiene. For hosting providers I would recommend providing effective abuse reporting channels that are reviewed by humans. Failure to respond to responsible disclosure reports of clear violations of terms of service such as hosting malware or stolen credentials only enables malicious infrastructure to remain active, exposing individuals to serious potential risks.

I make no allegations or claims of wrongdoing by the hosting provider or IP owner, nor against any of their staff, representatives, partners, affiliates, or associated entities. I am not asserting that internal systems or user information were ever in immediate danger. Any potential data-exposure scenarios discussed in this report are purely hypothetical and presented solely for educational and informational purposes; they should not be interpreted as evidence of, or implications about, an actual breach or loss of data integrity. Nothing in this report should be taken as an assessment or critique of any organization’s specific security controls, infrastructure, or operational practices.

As an ethical security researcher, I do not download or retain exposed data. My interaction is limited to capturing a minimal number of screenshots strictly necessary to confirm and document the issue. While the database was exposed it was possible to run search queries using only a web browser. I take no actions beyond identifying the vulnerability and responsibly notifying the appropriate parties. I expressly disclaim responsibility for any actions taken by others in response to this disclosure. The publication of these findings is intended only to promote awareness around data protection and privacy risks, with the goal of encouraging organizations to adopt proactive safeguards to prevent unauthorized access to sensitive information.

source

Well friends and true believers, the day is finally here. A new Windows phone has arrived. Thanks to Nex Computing and its NexPhone, a new smartphone is coming to market that dual boots Windows and Android, and it can even run desktop Linux when it's docked.

We are so back.

It runs full Windows on Arm, of course, since there's no actual mobile version of Windows 11. However, Nex designed a full skin to make it look like the Windows Phone UI that we all remember and love. Not only is it fit with transparent tiles, but it includes familiar actions like swiping left for an all apps list.

A phone that's designed to be used as a PC
It's meant to be your only computer





If you're an old Windows Phone fan like I am, you probably remember Nex Computing, or more specifically, the NexDock. It was a laptop-style device that you could plug a phone into and turn it into a PC, thanks to Windows 10 Mobile's Continuum feature.

In its announcement, founder and CEO Emre Kosmaz talks about how this was always the dream, one device that can be your only computer. You could probably say it's not even a phone, and more of an ultramobile PC that happens to include telephony.

He shared a concept video from 2012.


In a small meeting room in the Las Vegas Convention Center at CES 2026, or PC Hardware Segment Lead Rich Pinnock-Edmonds and I got to meet with Kosmaz, and he demoed the NexPhone for us. There's nothing on the market like it.

In fact, there isn't actually supposed to be anything on the market like it. Under the hood, there's a Qualcomm Dragonwing QCM6490 (a modified Snapdragon 778G), rather than a Snapdragon X2 Elite or something more mobile-friendly. The reason is because it's the only processor that supports Windows, Android, and Linux. It's not even meant for full desktop Windows



As you'd expect, it does what it says. When connected to a dock, you get a desktop environment. It can be Windows or Android, which you'll have to boot into, and you can launch Debian Linux from Android.

On mobile, Windows doesn't shine quite as much as it once did. While the mobile UI is fantastic, there isn't much that can be done for the fact that Windows apps simply do not have the responsive design to adapt to smaller screens like they once did under UWP. So, while the UI is familiar, launching an app on the phone isn't too pleasant.

The NexPhone is coming in Q3
And it's relatively inexpensive



I know what you're thinking. When will I be able to buy the first phone running Windows in nearly a decade? Sadly, you'll have to wait a while longer, as it's coming in Q3.

It'll set you back $549, which feels inexpensive given that Nex has developed a truly unique product with the NexPhone. You can reserve it starting today for $199 (refundable), with the other $350 due when it ships.

Other specs include a 6.58-inch 1080p LCD, 12GB RAM, 250GB storage with microSD expansion, a 5,000mAh battery, and dual rear cameras with a 64MP main sensor and a 13MP ultra-wide sensor



source

Almost exactly a year ago, Microsoft shared details regarding the hardening process of Domain Controllers (DCs) to protect them against a couple of security flaws in Kerberos. Now, it is kicking off yet another hardening phase to patch DCs against security issues recently reported via CVE-2026-20833.

Basically, there is a vulnerability in the Kerberos authentication protocol that allows an attacker to exploit weak and legacy encryption algorithms like RC4 and procure service tickets that enable them to steal credentials for service accounts. This exploit is tagged as CVE-2026-20833, and applies to DCs running the following SKUs of Windows Server:

   • Windows Server 2008 Premium Assurance

   • Windows Server 2008 R2 Premium Assurance

   • Windows Server 2012 ESU

   • Windows Server 2012 R2 ESU

   • Windows Server 2016

   • Windows Server 2019

   • Windows Server 2022

   • Windows Server 2025

To mitigate this issue, Microsoft has rolled out a few changes via the recent Patch Tuesday update. Right now, customers are in the "Initial Deployment Phase," during which the Redmond tech giant has released Windows updates that provide audit events for customers who might face compatibility issues due to the hardening process. It has also introduced an  RC4DefaultDisablementPhase registry value to proactively enable DCs to use the AES-SHA1 algorithm when it is safe to do so.

This phase will continue until April 2026, at which point we'll enter the "Second Deployment Phase" that empowers DCs to utilize AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes active directory attribute defined.

Finally, in July 2026, Microsoft will begin the "Enforcement Phase" that gets rid of the RC4DefaultDisablementPhase registry subkey.

In its dedicated support article, Microsoft has encouraged IT admins to apply January 2026's Patch Tuesday updates and begin actively monitoring audit events to see if they are ready to kick off the next phase of DC hardening. You can find out more details here.

source