
Privacy Roundup: Week 11 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 9 MAR 2025 - 15 MAR 2025. Information and summaries are provided here as-is, without warranty.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity; many things overlap. For example, major vulnerabilities in popular software may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches may expose significant personal information.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
Clear your browser cookies regularly.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Data Broker Brags About Having Highly Detailed Personal Information on Nearly All Internet Users
Gizmodo
The owner of a data broker business brags about and showcases his company's ability to deliver "personalized messaging at scale." Of course, "personalized" in this context means leveraging extensive amounts of data collected on people. The CEO claims that thanks to their "CoreAI" product/service/feature, they can deliver extremely personalized (and predictive) advertising for 91 percent of adults around the world.
The 200+ Sites an ICE Surveillance Contractor is Monitoring
404media
A contractor for ICE (and other US government agencies) has built a tool that facilitates pulling a target's publicly available data from various sources - which include social media networks, apps, and services. Most notably these include Bluesky, OnlyFans, Roblox, and various platforms owned/controlled by Meta (Instagram, Facebook). It can also reportedly pull data from sites geared towards specific demographics; for example, Black Planet, a social network for Black people.
More information on what sites this tool can pull from can be found on a Google Docs spreadsheet uploaded by 404media.
US lawmakers urge UK spy court to hold Apple ‘backdoor’ secret hearing in public
TechCrunch
This is yet another addition to the Apple vs secret order by the UK government saga. Various groups have called for Apple's official appeal to the UK order to be completed publicly, with US lawmakers now joining the chorus.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.
Privacy Services
Tuta Mail & Tuta Calendar Updates (+ What’s coming next)
Tuta
Tuta announces updates to Tuta Calendar; specifically, the introduction of advanced repeat rules and a three-day view. Tuta also shares planned updates "coming soon" to Tuta Mail.
Kagi Search introduces Privacy Pass authentication
AlternativeTo
Kagi officially rolls out Privacy Pass support for its Android app.
Telegram introduces Star Messages, cheaper user verification, Chromecast support, and more
AlternativeTo
Telegram introduces enhanced privacy controls for content creators and public figures. Telegram also implemented a detailed info page for users receiving a first-time message from outside their contacts list.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Tenable
This week included Microsoft Patch Tuesday for March 2025. It addressed seven zero-day flaws, six of which were exploited in the wild. The CVEs exploited in the wild that are likely most notable for the majority of users include:
- CVE-2025-24985, a remote code execution vulnerability in the Windows Fast FAT File System Driver. It has been exploited in the wild and requires the attacker to trick the user into mounting a specially crafted virtual hard disk.
- CVE-2025-26633, a security feature bypass in Microsoft Management Console. It was confirmed exploited in the wild as a zero-day and requires a user to open a malicious file.
Apple discloses zero-day vulnerability, releases emergency patches
Cyberscoop
CVE-2025-24201. On March Patch Tuesday, Apple released emergency updates addressing an out-of-bounds write zero-day in WebKit. Maliciously crafted web content may be able to exploit this vulnerability to escape the Web Content sandbox and potentially take unauthorized actions on the affected device.
Apple disclosed this vulnerability was exploited in attacks on "specific targeted individuals" and described it as "extremely sophisticated."
The ESP32 Bluetooth Backdoor That Wasn’t
HACKADAY
This post stems from Tarlogic's claim of finding a "backdoor" (which is strong language) in the ESP32, a Bluetooth chip used in approximately 1 billion or more devices. In reality, the original research found undocumented commands, likely manufacturer debugging tools, shipped in the final, consumer-facing products. In theory, these could be abused for malicious actions.
Tarlogic received backlash for the panic induced by using "backdoor" in their findings and has since modified their reporting.
Research on iOS apps shows widespread exposure of secrets
MalwareBytes
Out of 156,000 examined iOS apps, more than 815,000 secrets were found hard-coded into them. These sensitive secrets included keys to cloud storage, APIs, and keys to payment processors. According to the researchers, "the average app's code exposed 5.1 and 71% of apps leak at least one secret."
While easy to file away as the app publisher's problem, hard-coded secrets to APIs and cloud storage could result in data breaches, which naturally have a direct effect on user privacy.
Malware
North Korean government hackers snuck spyware on Android app store
TechCrunch
APT threat actors associated with the North Korean government uploaded spyware "KoSpy" to Google Play. According to Lookout, these nation-state threat actors also tricked some users into downloading KoSpy in likely targeted attacks.
KoSpy collects sensitive information including (but not necessarily limited to) text messages, call logs, device location data, files/folders on device, keystrokes, Wi-Fi network details, and installed apps. It can also record audio and take pictures (using the phone cameras) and screenshots.
Fake CAPTCHA websites hijack your clipboard to install information stealers
MalwareBytes
Malicious websites present fake CAPTCHAs that instruct visitors to copy and subsequently run a command on their systems to install malware -- specifically, information stealers.
Lazarus Group deceives developers with 6 new malicious npm packages
Cyberscoop
Based on research from Socket. The Lazarus Group, an APT group with known ties to the North Korean government, continues to place malicious packages on the npm registry, primarily targeting developers. These malicious packages install backdoors and steal credential information from the infected host.
MassJacker malware uses 778,000 wallets to steal cryptocurrency
Bleeping Computer
The "MassJacker" cryptojacking campaign uses approximately 778,531 cryptocurrency wallets to steal cryptocurrency from compromised hosts. MassJacker primarily relies on clipboard hijacking malware to monitor for copied cryptocurrency wallet addresses and then replace them with an address under the threat actor's control.
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
Threat Actor Impersonates Booking.com in Phishing Scheme
darkreading
Based on Microsoft research. A threat actor is using "ClickFix" in a sophisticated phishing campaign to download malware onto a target's machine. In ClickFix attacks, threat actors display fake errors on web pages or emails to entice users to copy and paste dubious commands into terminal windows on their devices.
In this particular campaign, the threat actor sent emails impersonating Booking.com to targets. The email contained a link or PDF pointing to a website with a fake captcha.
US cities warn of wave of unpaid parking phishing texts
Bleeping Computer
Threat actors are widely using parking scams to coerce recipients into divulging personal information and payment information. This campaign is large-scale and primarily occurring via "smishing" (phishing over SMS text messages). Users receiving such texts should avoid following any instructions to enable the links and should avoid following the links altogether.
Coinbase phishing email tricks users with fake wallet migration
Bleeping Computer
This is a large-scale phishing campaign where threat actors pose as Coinbase and attempt to get recipients to set up a new wallet controlled by/accessible to attackers (the seed phrase is known by the threat actors). The ruse is that users must participate in a "mandatory" wallet migration. While the email naturally claims to be from Coinbase, it is apparently sent from a legitimate Akamai SendGrid address.
Scams
New FTC Data Show a Big Jump in Reported Losses to Fraud to $12.5 Billion in 2024
FTC
This is not a description of any specific circulating scam. The US Federal Trade Commission (FTC) has put out data showing consumers lost approximately $12.5 billion in 2024 to fraud. Consumers lost the most ($5.7 billion) to investment scams, a 24% increase over 2023. The biggest growth in prevalence was in job/employment scams.
Beware of DeepSeek Hype: It’s a Breeding Ground for Scammers
SecurityWeek
Threat actors and various phishers/scammers continue to leverage DeepSeek's brand and popularity to phish or scam users. They use many different vectors, such as fake websites, fake social media accounts, fake investment scams, and fake developer tools, to trick users into revealing personal and/or sensitive information.
The dark side of sports betting: How mirror sites help gambling scams thrive
MalwareBytes
Shady sports-betting companies clone their websites - creating mirror sites, hosted on a different domain - to remain accessible even if banned or "shut down" by regulators. Users may be phished or defrauded when interacting with these websites.
Service Providers' Privacy Practices
This section is dedicated to notable changes or developments in popular/large service provider's privacy practices.
Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affecting a large number of users.
Everything you say to your Echo will be sent to Amazon starting on March 28
ArsTechnica
Starting on 28 MAR 2025, users of Amazon Echo devices will no longer have the ability to process Alexa requests locally; voice recordings must be sent to Amazon's cloud.
Pinterest will train AI models on user data and content, regardless of when it was posted
AlternativeTo
In an update to its privacy policy, Pinterest will use user data and images for training generative AI models. This extends to any content shared on Pinterest since 2010. The new privacy policy will take effect on 30 APR 2025.
Saudi Arabia Buys Pokémon Go, and Probably All of Your Location Data
404media
The sale actually includes Pikmin Bloom, Monster Hunter Now, Campfire, and Wayfarer alongside Pokémon Go. Niantic will sell these assets to Scopely, which is wholly owned by the Saudi Arabian company Savvy Games. Savvy Games is owned by the Saudi Arabian government's Public Investment Fund.
Niantic hasn't given much information about what will happen to player location data moving forward - or historic location data - beyond the standard, generic corporate language of "Protecting player privacy and data is of the utmost importance..."
Apple will soon support encrypted RCS messaging with Android users
The Verge
Apple has announced it will "soon" roll out updates supporting encrypted RCS messaging with Android users. Traditionally, texts between iPhone and Android users were sent via SMS, which is unencrypted (unlike iPhone-to-iPhone messaging, which defaults to Apple's end-to-end encrypted messaging service, iMessage).
Legislation/Regulations/Lawsuits
Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Lawsuits
New York sues Allstate and subsidiaries for back-to-back data breaches
Cyberscoop
In a lawsuit filed on 10 MAR 2025, the New York State Attorney General accused Allstate and several of its subsidiaries of "poor security practices" that allegedly led to data breaches in 2020 and 2021.
Legislation and Regulation
EFF Sends Letter to the Senate Judiciary Committee Opposing the STOP CSAM Act
EFF
EFF opposes the STOP CSAM Act, which is set to receive a committee hearing. This bill aims to backdoor end-to-end encryption - specifically for messaging.
AI Can Rip You Off. Here's How California Lawmakers Want to Stop Price Discrimination
The Markup
So, you've likely already heard of tracking technologies collecting enough data to "decide" whether to show users (you) a higher price or not. However, businesses can leverage AI to do so as well, by primarily "evaluating" (however flawed the evaluation may be) your personal history and perceived desires. Allegedly, Amazon, ride-sharing apps, travel companies, and retail giants have engaged in this practice. California lawmakers want to eliminate using personal information to change the price of goods sold in retail stores.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data breaches
Amazon is still hosting spyware victims’ data weeks after breach alert
TechCrunch
This is not a new data breach nor is it a breach with any AWS service. This is an update to the Cocospy, Spyic, and Spyzie data leak/breach saga.
The infrastructure for these spyware services/apps was hosted on AWS. However, at the time of writing, AWS is still actively hosting the leaked data of users/targets of these phone surveillance apps.