Category: Security & Privacy

TikTok users in the U.S. have expressed concerns over the app’s updated privacy policy, particularly the mention of collecting sensitive information like ‘citizenship or immigration status.’ However, legal experts clarify that this disclosure is primarily to adhere to state privacy regulations rather than invasive data collection practices.

The apprehension stems from a recent notification within TikTok regarding the revised privacy policy following changes in ownership. The policy outlines the types of data TikTok may gather, including potentially sensitive details about users, such as their ‘sexual life or sexual orientation, status as transgender or nonbinary, citizenship or immigration status.’

Despite the user concerns, this language is not new and is largely intended to comply with state laws like California’s Consumer Privacy Act, which requires companies to disclose the collection of ‘sensitive information’ to consumers. Similar clauses can be found in the privacy policies of other social media platforms.

Considering the current legal landscape and regulatory requirements, TikTok’s privacy policy reflects the complex interplay between technology companies, regulatory obligations, and user expectations. The context of heightened immigration enforcement and societal concerns amplifies the significance of data protection measures in tech services.

Source: TechCrunch

Recent reports reveal that Russian government hackers attempted to disrupt Poland’s energy infrastructure using destructive malware, identified as DynoWiper. The cyberattack targeted heat and power plants, as well as communication links to renewable installations, potentially impacting power supply to half a million homes. Security researchers link this attack to the notorious Sandworm hacking group, known for similar power outages in Ukraine, highlighting the ongoing threat to critical infrastructure.

This incident underscores the growing concern over state-sponsored cyber threats and the need for robust cybersecurity measures to protect essential services. The use of wiper malware to cause irreparable damage to computer systems poses a significant risk to national security and public safety. As technology advances, adversaries can leverage sophisticated tools to disrupt vital utilities, emphasizing the importance of constant vigilance and proactive defense strategies.

Source: TechCrunch

Microsoft recently complied with an FBI warrant, providing encryption recovery keys to unlock data on suspects’ laptops involved in a fraud case in Guam. The laptops were encrypted using BitLocker, a default full-disk encryption feature on Windows computers. While BitLocker is designed to secure data from unauthorized access, the keys are stored in Microsoft’s cloud, allowing the company and law enforcement access to decrypt drives when necessary.

The case highlights the privacy concerns associated with tech companies holding recovery keys. Security experts, including Johns Hopkins professor Matthew Green, caution against potential risks if hackers compromise Microsoft’s cloud infrastructure, gaining access to these keys. Despite Microsoft receiving around 20 similar requests annually, questions persist regarding the security of customer data and the implications of third-party access to encryption keys.

Source: TechCrunch

Ring, the Amazon-owned device maker, has unveiled a new video authenticity feature called Ring Verify. This technology aims to detect any alterations in video content, even minute changes, making it harder to fake or manipulate Ring camera footage. The feature will enable users to verify the authenticity of shared videos, ensuring that the content remains unaltered from its original form. This development addresses concerns around video integrity, particularly in situations involving shared videos, potentially enhancing trust and reliability in video content.

Ring’s new feature compares the verification process to a tamper-evident seal on a medicine bottle, emphasizing that any modifications, such as trimming or adjusting brightness, will break the verification seal. Scheduled to be automatically activated on videos recorded with Ring devices from December 2025 onwards, the verification process will identify alterations like cropping and filters, even on shared or uploaded videos.

In cases where verification fails, recipients can request access to the unedited video, offering transparency and ensuring the preservation of original footage. This feature could prove beneficial for scenarios like insurance claims, where unaltered video evidence holds significant value.

While the content verification feature will be integrated into videos accessed from Ring’s cloud, it will not be applicable to recordings secured with end-to-end encryption, which will display as ‘not verified’. This distinction underscores Ring’s commitment to maintaining data integrity and authenticity across its platform.

Source: TechCrunch

Under Armour, a prominent clothing and fitness data company, is currently investigating claims of a significant data breach that has exposed millions of customer records. The breach, reportedly linked to a November cyberattack, led to the exposure of sensitive customer information including names, email addresses, dates of birth, and approximate geographic locations. The stolen data, which included details about purchases, was recently circulated on a hacker forum, raising concerns about the security of customer information.

News of the breach surfaced when breach notification site Have I Been Pwned detected the compromised data and alerted approximately 72 million individuals whose information was impacted. The dataset disclosed by the cybercriminal contains a range of personal details, including genders, postal codes, and purchase-related information. Under Armour has acknowledged the breach and is working with cybersecurity experts to address the issue. The company has reassured that their main systems for processing payments and storing customer passwords were not affected by the breach.

While the company claims that only a small percentage of affected customers had sensitive information exposed, the full extent of the breach and the potential risks to customers remain under investigation. This incident underscores the critical importance of robust cybersecurity measures to safeguard customer data in an increasingly digitized world.

Source: TechCrunch

Snapchat has unveiled a set of new parental control features aimed at providing parents with more insights into their teens’ activities on the platform. The new ‘Family Center’ tool allows parents to monitor their teen’s screen time on Snapchat, including details about new friends added.

Following a lawsuit alleging Snapchat’s role in social media addiction and mental health issues, these controls come as Snap’s response to concerns over safety and screen time regulation. Parents can now track their teen’s daily usage, breakdown of activities on the app, and view the friends list with added context on new connections.

By enhancing transparency, Snap aims to address regulatory and parental concerns about the platform’s commitment to user safety. The tool provides crucial information for parents to understand their teen’s interactions and ensures that new connections are familiar or have mutual associations.

Since the launch of Family Center in 2022, Snap has continuously expanded its monitoring capabilities in compliance with evolving regulatory demands. The recent updates signal Snap’s proactive approach to addressing parental concerns and aligning with industry standards.

Source: TechCrunch

UStrive, an online mentoring platform, recently experienced a security lapse that exposed the personal information of its users, including minors. The breach allowed any logged-in user to access sensitive data such as full names, email addresses, phone numbers, and other non-public details.

According to a report by TechCrunch, the security flaw was identified by an anonymous source who discovered that user data could be accessed by examining network traffic. The breach was attributed to a vulnerable Amazon-hosted GraphQL endpoint, providing unauthorized access to a significant number of user records. The exposed information varied from user to user, with some records containing additional details like gender and date of birth.

UStrive, formerly known as Strive for College, offers mentorship services to high school and college students through its platform. Despite fixing the issue, the nonprofit has not confirmed if affected individuals will be notified about the breach. This incident raises concerns about data privacy and security measures on online educational platforms that handle sensitive information, especially for minors.

Following TechCrunch’s notification, UStrive’s legal representation mentioned ongoing litigation with a former software engineer, limiting the organization’s response capabilities. The exposure of private user data underscores the importance of robust cybersecurity protocols for organizations handling sensitive information.

Source: TechCrunch

Court documents have revealed that members of the Department of Government Efficiency (DOGE), a government agency associated with Elon Musk, may have mishandled Americans’ Social Security numbers, potentially for political purposes. According to Politico, the disclosure is part of a series of corrections related to DOGE’s access to Social Security Administration data.

In March 2025, an advocacy group approached two DOGE team members at the Social Security Administration, requesting an analysis of state voter rolls to investigate alleged voter fraud and potentially influence election outcomes. Subsequently, one DOGE member signed a ‘Voter Data Agreement’ with the advocacy group, leading to potential access to private information that was restricted by court orders at the time. The data was reportedly shared on unauthorized servers.

This incident underscores the importance of stringent data security measures, especially when sensitive personal information is involved. It highlights the need for robust protocols to prevent unauthorized access and misuse of data, particularly in government agencies handling critical citizen information.

Source: TechCrunch

A 24-year-old hacker from Springfield, Tennessee, named Nicholas Moore, has pleaded guilty to illegally accessing and sharing sensitive information from various U.S. government agencies, including the Supreme Court, AmeriCorps, and the Department of Veterans Affairs. Moore’s actions highlight the vulnerabilities in government systems and the critical need for enhanced cybersecurity measures.

According to the investigation, Moore hacked into these agencies’ networks using stolen user credentials. Once inside, he extracted personal data of individuals authorized to access the systems and posted it on his Instagram account, @ihackthegovernment. The disclosed information included the name and electronic filing records of a Supreme Court victim, personal details of an AmeriCorps victim such as name, date of birth, contact information, citizenship status, and partial social security number, as well as identifiable health information of a Department of Veterans Affairs victim.

As a consequence of his actions, Moore faces a potential sentence of up to one year in prison and a fine of $100,000. This case underscores the ongoing battle against cyber threats and the importance of robust cybersecurity practices across government agencies to safeguard sensitive information from malicious actors.

Source: TechCrunch

California Attorney General Rob Bonta has taken action against xAI, a startup known for its chatbot Grok, over the creation of nonconsensual sexual imagery and child sexual abuse material (CSAM). Following reports of xAI’s involvement in generating deepfake content without consent, the AG’s office issued a cease-and-desist letter demanding an immediate halt to these activities.

The controversy revolves around xAI’s ‘spicy’ mode feature embedded in Grok, designed to produce explicit content. This has triggered investigations not only in California but also in Japan, Canada, Britain, Malaysia, and Indonesia. Despite xAI implementing restrictions on its image-editing capabilities, regulatory bodies continue to scrutinize the startup’s practices.

Emphasizing a ‘zero tolerance’ policy towards CSAM, California’s actions send a clear message regarding the legal consequences of creating and distributing such illicit material. The AG’s office expects xAI to demonstrate proactive measures within five days to address these serious concerns.

The fallout from this situation highlights the ethical challenges posed by AI technologies, particularly in the context of deepfakes and nonconsensual content creation. As the regulatory landscape evolves to combat misuse, tech companies face increasing pressure to ensure responsible deployment of AI-driven features.

Source: TechCrunch

A recent discovery has revealed a sophisticated phishing campaign targeting high-profile users across the Middle East, including a U.K.-based Iranian activist, a Lebanese cabinet minister, and at least one journalist. The campaign utilized WhatsApp messages containing phishing links to steal credentials and compromise accounts, shedding light on the evolving tactics of cyber attackers targeting individuals involved in sensitive activities.

According to TechCrunch’s analysis, the phishing campaign aimed to extract Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by accessing location data, photos, and audio recordings. While the exact identity of the hackers remains uncertain, the impact on the victims was significant, with exposed data including responses from various individuals such as a Middle Eastern academic in national security studies, the head of an Israeli drone manufacturer, a senior Lebanese cabinet minister, and individuals with U.S. connections.

This incident underscores the importance of vigilance and awareness among high-profile individuals to safeguard their digital assets and personal information from malicious actors as cybersecurity threats continue to evolve.

Source: TechCrunch