
Privacy Roundup: Week 13 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 23 MAR 2025 - 29 MAR 2025. Information and summaries provided here are as-is, without warranty.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
Using a private search engine is a good way to begin improving your privacy. Private search engines generally avoid connecting users to their searches.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Madison Square Garden’s surveillance system banned this fan over his T-shirt design
The Verge
This pretty much boils down to a company leveraging data aggregation (whether first-party or third-party, but likely both) to ban a guy for life from its venues. In other words, based on data it had on this individual, the company determined it does not want him on its properties - even though he himself had never "done anything" on those properties.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.
Privacy Tools
“MyTerms” wants to become the new way we dictate our privacy on the web
ArsTechnica
"MyTerms" (draft standard IEEE P7012) is a proposed standard for machine-readable personal privacy terms. Generally speaking, you as the user could preset a "contract" for web properties you visit that informs the website which information you will and will not offer in exchange for access to content/services. The website would presumably be able to 1) work with that contract, 2) modify itself (or serve up an alternate version of itself) to meet the user's terms, and/or 3) tell you it can't meet the terms of the contract.
This is a large departure from things like Do Not Track (DNT) - DNT is a request sent via HTTP header that the website does not have to follow or even acknowledge. MyTerms is designed to be a demand versus a request.
Privacy Without Compromise: Proton VPN is Now Built Into Vivaldi
Vivaldi
Vivaldi integrates Proton VPN natively into the desktop version of its browser.
A smarter VPN experience: Introducing the Mozilla VPN extension for Windows
Mozilla
Mozilla has released a browser extension for its VPN service that supposedly lets users choose which websites the VPN is enabled or disabled for, or choose a different VPN server location per site. As of writing, this extension is for Firefox (or Gecko-based) installations on Windows.
Organic Maps update improves user navigation experience
AlternativeTo
Organic Maps, an alternative to Apple Maps and Google Maps, has introduced split screen mode, enhanced routing algorithms for cyclists, individual track sharing, and flexible route planning.
Message editing, deletion and saving now available
Deltachat blog
Deltachat has rolled out the ability for users to:
- forward messages
- edit and delete messages
- sync messages across devices
- save messages
Pale Moon browser now accessible via Microsoft Store
AlternativeTo
The Pale Moon browser is now available on the Microsoft Store. The browser also recently released version 33.6.1, which focuses on security and bug fixes.
Privacy Services
ente blog
Ente has released version 1.0 of its photos app.
Proton Drive and Docs now support collaboration with users without Proton accounts
Proton
Proton users can now collaborate on documents with anyone -- including those without Proton accounts.
Successful security assessment of our Android app
Mullvad
Mullvad's Android app has successfully passed the Mobile Application Security Assessment (MASA), conducted by NCC Group.
Multihop now available on Android
Mullvad
Mullvad has introduced its server multihop feature to its Android client.
DAITA version 2 now available on all platforms
Mullvad
Mullvad has rolled out version 2 of its "Defense Against AI-guided Traffic Analysis" (DAITA) model. Version 2 reduces traffic overhead and introduces dynamic configurations that vary VPN tunnel characteristics.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Google Chrome Zero-day Vulnerability Exploited in the Wild (CVE-2025-2783)
Qualys
Researchers at Qualys have discovered an actively exploited zero-day in Chromium. Tracked as CVE-2025-2783, this vulnerability, when exploited, could allow attackers to bypass Chromium's sandbox. Google has addressed this vulnerability in version 134.0.6998.177/.178 for Windows.
This vulnerability is not just limited to Chrome - it affects all Chromium-based browsers. Users running a Chromium fork (which includes popular browsers such as Brave and Vivaldi, among others).
Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
TechCrunch
Firefox version 136.0.4 fixes a vulnerability, tracked as CVE-2025-2857, that, when exploited, could lead to a sandbox escape. This vulnerability was exploited in the wild and only affects Firefox on Windows.
Note: This vulnerability is similar to a sandbox escape (CVE-2025-2783) for Chrome.
New Ubuntu Linux security bypasses require manual mitigations
Bleeping Computer
Three security bypass vulnerabilities have been discovered in Ubuntu's unprivileged user namespace restrictions. A local unprivileged user can create user namespaces with full administrative privileges. The local attacker could then exploit vulnerabilities in various kernel components.
Malware
Microsoft Trusted Signing service abused to code-sign malware
Bleeping Computer
Threat actors are abusing the Microsoft cloud service Trusted Signing to code-sign malware executables. Executables that are code-signed with this service are more likely to be ignored or otherwise "trusted" by endpoint protection software.
Typically, threat actors seek to obtain Extended Validation code-signing certificates, but obtaining those requires a stricter verification process; the code-signing certificates produced by Microsoft Trusted Signing work well enough for the attackers' purposes.
Infostealer campaign compromises 10 npm packages, targets devs
Bleeping Computer
At least ten npm cryptocurrency-related packages were updated to include malicious code designed to steal sensitive data from developers' systems.
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
Evilginx Tool (Still) Bypasses MFA
darkreading
Evilginx, a malicious version of the NGINX web server, can be used in machine-in-the-middle (MiTM) attacks to steal credentials and tokens. In practice, threat actors would deploy malicious web pages leveraging Evilginx and use legitimate and legitimate-looking forms and images from reputable brands to steal user information -- which includes session cookies.
'Lucid' Phishing-as-a-Service Exploits Faults in iMessage, Android RCS
darkreading
Lucid is a China-based phishing-as-a-service platform. Prodaft researchers tracked Lucid impersonating at least 169 organizations and sending messages to targets spanning at least 88 different countries. Lucid's primary goal seems to be stealing credit card information.
Phishing-as-a-service operation uses DNS-over-HTTPS for evasion
Bleeping Computer
On top of offering centralized SMTP infrastructure to send spam emails, the ability to impersonate over 114 service providers, multi-language capabilities, and spoofing of sender names/addresses, this service leveraged DNS-over-HTTPS (DoH) to evade detection. DoH provides DNS resolution via HTTPS requests, which can aid in bypassing DNS monitoring (standard queries are conducted in plaintext over port 53).
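As an added, constructed illustration (not from the Bleeping Computer article or this page) of why DoH sidesteps port-53 monitoring, and of what a TLS-inspecting proxy or the resolver's own logs can still recover: the RFC 8484 GET encoding of a DNS query and its inverse. The resolver hostname is a placeholder.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Placeholder resolver hostname (assumption, not a real DoH provider).
DOH_RESOLVER = "doh-resolver.example"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035 header + one question).

    RFC 8484 recommends ID 0 so identical queries are cache-friendly; RD is set.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(name: str, resolver: str = DOH_RESOLVER) -> str:
    """Wrap the query in the RFC 8484 GET form: base64url, padding stripped, 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


def extract_qname(url: str) -> str:
    """Recover the queried name from a DoH GET URL, as a TLS-terminating proxy could."""
    encoded = parse_qs(urlsplit(url).query)["dns"][0]
    raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if struct.unpack("!H", raw[4:6])[0] < 1:
        raise ValueError("no question section in DNS message")
    labels, pos = [], 12
    while raw[pos] != 0:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    url = doh_get_url("login.bank.example")
    # A port-53 monitor sees none of this; only the TLS connection to the resolver is visible.
    print(url)
    print(extract_qname(url))  # login.bank.example
```

Without TLS inspection, the only network-level signal left is the connection to the resolver host itself, which is why blocking or allow-listing DoH resolvers is the usual mitigation.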
Service Providers' Privacy Practices
This section is dedicated to notable changes or developments in popular/large service providers' privacy practices.
Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes affecting a large number of users, whether positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates).
Discord is bringing video ads to mobile users in two months
AlternativeTo
There's not an explicit privacy change here, but it is worth noting considering how privacy-invasive ads tend to be. Discord has announced it will roll out video ads ("Video Quests") to its mobile apps in JUN 2025. Discord claims the mobile ads will be "non-intrusive."
Exclusive: Google will develop the Android OS fully in private, and here's why
Android Authority
There is no specific privacy change for end users here, but this is something worth paying attention to. Google is shifting Android (including AOSP) development to its own internal branch. This does not mean Android is going "closed-source," but Google's development will be internal (not visible to the public) until it publishes the source code of the new branches.
Legislation/Regulations/Lawsuits
Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: the FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Lawsuits
T-Mobile Coughed Up $33 Million in SIM Swap Lawsuit
SecurityWeek
In this lawsuit, T-Mobile was sued on the basis that its lackluster security permitted threat actors to socially engineer T-Mobile employees into transferring phone numbers to a SIM card the threat actor controlled. This particular attack targeted a user who held over $38 million worth of Bitcoin and Bitcoin Cash.
Legislation and Regulation
Texans Might Soon Have to Show Photo ID to Buy a Dildo Online
404media
This pretty much boils down to the Texas legislature considering passing a law that forces merchants to demand ID from users attempting to buy "questionable objects" online. However, it seems the law is written vaguely enough that it could extend beyond just sex toys.
This is a development of age verification laws, which are hostile to user privacy - and in some cases security, because many services or third parties mishandle the data given/used to verify user age.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data leaks
DNA of 15 Million People for Sale in 23andMe Bankruptcy
404media
This is another development in the now years-long saga including (and since) 23andMe's data breach in 2023, where the personal information (ethnic and profile information) of nearly 7 million users was exposed.
23andMe filed for bankruptcy on 23 MAR 2025. While we can say "good riddance," the main issue with this is... what will happen to user genetic information? If purchased in a firesale, it is presumed the purchasing party would have access to the immutable user genetic data stored/held by 23andMe. This development highlights the issues with data transfer between companies - especially sensitive data.
mint
A member of the current administration sent classified information to a Signal group chat - which contained a reporter. This is a prime example of the importance of OpSec even when using end-to-end encrypted messaging tools.